Overview

overview

8

Static

static

3

2024-07-23...ye.exe

windows7-x64

8

2024-07-23...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23/07/2024, 12:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-23_4684babdb01ef1d3f1c8555badc89330_goldeneye.exe

  • Size

    168KB

  • MD5

    4684babdb01ef1d3f1c8555badc89330

  • SHA1

    172dd95c54ef7a917ec346b00624cf4ba31bb009

  • SHA256

    ab2528996230ed8a4f039700999852f152f9f981cfc48a7a77355fe833a6c687

  • SHA512

    2853bc1c2a9750c9b96501f2bab388be775fce1d5b74436107a878d91a2b4abca55bb8ee8d452cea89b6fa0968b325275bf4e8214ef141f63ce056ecc2235fcc

  • SSDEEP

    1536:1EGh0oAli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAliOPOe2MUVg3Ve+rX

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-23_4684babdb01ef1d3f1c8555badc89330_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-23_4684babdb01ef1d3f1c8555badc89330_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\{22491388-5986-48a6-ADCA-6EDF4C2DDC52}.exe
      C:\Windows\{22491388-5986-48a6-ADCA-6EDF4C2DDC52}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\{FB98BAF6-65FA-4454-85F7-0D45ED372DE7}.exe
        C:\Windows\{FB98BAF6-65FA-4454-85F7-0D45ED372DE7}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\{2EAC2AFD-5A9F-4262-99C8-A3626B6D2C1B}.exe
          C:\Windows\{2EAC2AFD-5A9F-4262-99C8-A3626B6D2C1B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\{5472C77F-5604-4b61-BE81-894A0724E8F0}.exe
            C:\Windows\{5472C77F-5604-4b61-BE81-894A0724E8F0}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1448
            • C:\Windows\{E4C8EC0A-9640-446c-A552-537E3B3E23B1}.exe
              C:\Windows\{E4C8EC0A-9640-446c-A552-537E3B3E23B1}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2404
              • C:\Windows\{01794EB1-0352-4876-B291-B31C53C49266}.exe
                C:\Windows\{01794EB1-0352-4876-B291-B31C53C49266}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2828
                • C:\Windows\{55464572-5B4E-41cf-9F07-8F4ED7FBBB25}.exe
                  C:\Windows\{55464572-5B4E-41cf-9F07-8F4ED7FBBB25}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1272
                  • C:\Windows\{A8E4FEEB-ECC1-436f-8881-70BAF4C86B8F}.exe
                    C:\Windows\{A8E4FEEB-ECC1-436f-8881-70BAF4C86B8F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2860
                    • C:\Windows\{1B435D96-0B3E-49d8-BD9F-4F1D567E0C3B}.exe
                      C:\Windows\{1B435D96-0B3E-49d8-BD9F-4F1D567E0C3B}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1776
                      • C:\Windows\{FEA2629A-6803-417c-A2BB-1E00FFB15C12}.exe
                        C:\Windows\{FEA2629A-6803-417c-A2BB-1E00FFB15C12}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2184
                        • C:\Windows\{B9114DA1-E402-43ec-AAC1-CD8FB5BA0D5A}.exe
                          C:\Windows\{B9114DA1-E402-43ec-AAC1-CD8FB5BA0D5A}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1768
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FEA26~1.EXE > nul
                          12⤵
                            PID:1496
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1B435~1.EXE > nul
                          11⤵
                            PID:2140
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A8E4F~1.EXE > nul
                          10⤵
                            PID:264
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{55464~1.EXE > nul
                          9⤵
                            PID:1792
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{01794~1.EXE > nul
                          8⤵
                            PID:544
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E4C8E~1.EXE > nul
                          7⤵
                            PID:1528
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5472C~1.EXE > nul
                          6⤵
                            PID:2112
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2EAC2~1.EXE > nul
                          5⤵
                            PID:1016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FB98B~1.EXE > nul
                          4⤵
                            PID:3040
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{22491~1.EXE > nul
                          3⤵
                            PID:2784
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2772

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{01794EB1-0352-4876-B291-B31C53C49266}.exe
                        Filesize

                        168KB

                        MD5

                        989ec008e22064ebc9516947ca0f815d

                        SHA1

                        747cc44b04717afc2d3de6fa33b901bd95d6b98d

                        SHA256

                        ab28ffbdbc223fafa4bb0e45b4ae91205662d0db40e79a83b91dd3fbe3334a89

                        SHA512

                        f7bc5a7ef31690157bd3b157cf3043d1e9e6f5adce5ae7aaf05e7cc35e68dc36505a6c2872d89fead199332a52b7168f1fcdc28f53db5306c2121dda3e301939

                        Download Submit

                      • C:\Windows\{1B435D96-0B3E-49d8-BD9F-4F1D567E0C3B}.exe
                        Filesize

                        168KB

                        MD5

                        20c05ac778d842b2de1813e5c82a5613

                        SHA1

                        6be6536cee87bdd5b05b18ed0c7a5d66a9b3a52c

                        SHA256

                        bc859b07482e19ebb1cb20879725797412392a9029f7c09fc6539773ee634cb6

                        SHA512

                        77ed350038220de623abf6cb6d65698aa0b1d2669b27ba00607039414ab027545327178b87fe54809f7699acd97e47c9273c70fccc32a10a59b1266b727d9d33

                        Download Submit

                      • C:\Windows\{22491388-5986-48a6-ADCA-6EDF4C2DDC52}.exe
                        Filesize

                        168KB

                        MD5

                        4c747f7c64a68d3182eedf4f4774cc4f

                        SHA1

                        2ebeea78b027d8879dc37935391f40df7c5dbd46

                        SHA256

                        5ce12623d93b6a669b5fc0a73ce8c5b63713aac23b06898c837fda13182858d1

                        SHA512

                        3ade272ea59d686b53b0c0938160ff95198df3fbd35ab6d5ffd9bc835d2ed29f0b82ae8aec2324f83cf3ea75e6b15aac5606414307d328cf335a4d484ed46f6a

                        Download Submit

                      • C:\Windows\{2EAC2AFD-5A9F-4262-99C8-A3626B6D2C1B}.exe
                        Filesize

                        168KB

                        MD5

                        edab6e525eae39fd89d37f1f4f01243d

                        SHA1

                        fcc2f033a7a83a89b66ab4eb7596225c00347ce4

                        SHA256

                        cb63876fd9806b0cd818d4691278893504a97d1bcc195e448b5a76045a03a617

                        SHA512

                        d3139d1e49a5281d1d7181bb6134231b54175b4948486f9e89b4ebd983d83787f4e24a5d26fd4757fbefcd2aabd92bcf6b35496b5fc5b15818fcd935b5faef59

                        Download Submit

                      • C:\Windows\{5472C77F-5604-4b61-BE81-894A0724E8F0}.exe
                        Filesize

                        168KB

                        MD5

                        ea9efecee5f36da5f073ae9cebd5ecca

                        SHA1

                        ce6098ffae34878a9fcb3e2b0656e589958712e3

                        SHA256

                        48f1be5a088928ceed957a0e5cd32201f1cddef722a36459efad61326cacd320

                        SHA512

                        4bfbd74e79c347aed3cc4773127e2810a80bc3b758da49ba254c611ed752aa30db44b0e9a41466481588e6a2f2745199d8976c020011212741496974d9effdc8

                        Download Submit

                      • C:\Windows\{55464572-5B4E-41cf-9F07-8F4ED7FBBB25}.exe
                        Filesize

                        168KB

                        MD5

                        c2ae8f206af2fab4270de34fd63159c4

                        SHA1

                        1aeee71dd14332fb0f28cdf154a3aa012a457779

                        SHA256

                        7649003b124c01c337411a54a465f124f34bc03e0388494ecb1912dad8506a39

                        SHA512

                        41e566b739847d22e4aff1f9739cc4776412e22f63e2f0cb0e1919de945f86e46ebc2b45d485d23389be0553ac0f9163ca961647bdb449f615128e476c2e0472

                        Download Submit

                      • C:\Windows\{A8E4FEEB-ECC1-436f-8881-70BAF4C86B8F}.exe
                        Filesize

                        168KB

                        MD5

                        fff301821b9cb6506a714b9130a0b407

                        SHA1

                        e20fe82bdac0eb1859411af5114063330fa19c46

                        SHA256

                        1e2843a887f484d7d57fff85b3aa10764cebbef577705cc9a6466d81b4877aec

                        SHA512

                        b04dcf46d99da61ac35461b032ee86aaf2a034600296ec7cb60dc6575f59d484751660bc8134a83f6562f641265f32bf09c4ebdc2e925775b04ffdcd9a344e11

                        Download Submit

                      • C:\Windows\{B9114DA1-E402-43ec-AAC1-CD8FB5BA0D5A}.exe
                        Filesize

                        168KB

                        MD5

                        dab993e900750bd1b8a667b69d8a61bb

                        SHA1

                        db22a76a7f05da3433c4aeaabc90baec54578256

                        SHA256

                        665c6c5150528efeab7e06171390bb0dffa1d1fa31f32865e5b9a4f7781e495b

                        SHA512

                        059899b2a4293d60331fb84849e42d355d55ab9033add60178d7a057ae9b231a3030229f9b3463c7259841dc03d184ebc9f9bd04e9e9369956a7e393cc690f27

                        Download Submit

                      • C:\Windows\{E4C8EC0A-9640-446c-A552-537E3B3E23B1}.exe
                        Filesize

                        168KB

                        MD5

                        a1d1703fecedffe033ad0f94e417bd46

                        SHA1

                        46cd7820b5160ef0e24aa14ac8c5e02f4e837c6c

                        SHA256

                        06a8a4cdc52e675aa40c7ab133e0b27881ccbeda4043b358e4bdf55386ab5cc8

                        SHA512

                        776bbd578e3f781cd8c93fccae74ebdf98d109da2d2b1dd6d743ee3aaba118e789dbb6fcfd9c16efe1b9210e7f39bd8c1e9cb086e22621864164b24624143a2a

                        Download Submit

                      • C:\Windows\{FB98BAF6-65FA-4454-85F7-0D45ED372DE7}.exe
                        Filesize

                        168KB

                        MD5

                        8bd47ede5ffc28cf2ca1686ca7c0a0ca

                        SHA1

                        27221a5d02fe51d474962f4a3b00f78a6953697d

                        SHA256

                        4c400d97e7f920f8a715f7f2691594c351604b65ff3209d5e71c6643369bdb68

                        SHA512

                        edb32241ccef69ccb0ab3b726b9d98a8136d5ad845375630ac3d4aaa778ae16032840a7f370bb3983532e2a0b65685874fb010de35d734de2f3c6a9db3cfe27e

                        Download Submit

                      • C:\Windows\{FEA2629A-6803-417c-A2BB-1E00FFB15C12}.exe
                        Filesize

                        168KB

                        MD5

                        d3d7e7691e1238767299f7bae6b5529c

                        SHA1

                        dc40b2dc5359cf3cc8c4cacc003b415bbac3d021

                        SHA256

                        75a0e1d4bac4230fa3f99a8c9e45844fba1f20d3d21c41f14859ad65466b5304

                        SHA512

                        3aeea3d295ce902e698664da70f30491693a364ff2379a3775965e82a0d566ef9c4342fabf2f57cfda728216f0d405ba7f84849ca133a60327ca0fcd1642bcfb

                        Download Submit