Overview

overview

8

Static

static

3

2024-07-23...ye.exe

windows7-x64

8

2024-07-23...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23-07-2024 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe

  • Size

    197KB

  • MD5

    636a990fb1e379e3e3040850d4051c85

  • SHA1

    46e15982169a5abece2ef00c8d54f5cb0e97b020

  • SHA256

    948e9189acdf78f1322f86ea95ca77bb45d9f39ec19cdc8cdf3caaf6618123b5

  • SHA512

    6458b541cd286796bf43a70428bdf76301be24d9294c83300a955036d10a486dd54bb6caffc920c3b7754fae09be9f8b38c0be33f575143498132b7c9b2b541d

  • SSDEEP

    3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGalEeKcAEca

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-23_636a990fb1e379e3e3040850d4051c85_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\{1854C5FD-4FE7-4a58-A2C1-CEE24E4F94EC}.exe
      C:\Windows\{1854C5FD-4FE7-4a58-A2C1-CEE24E4F94EC}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\{1637F82B-6D09-4d5f-A169-35A621F52EA9}.exe
        C:\Windows\{1637F82B-6D09-4d5f-A169-35A621F52EA9}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\{114F3409-4A28-4eff-A542-A3D4817CE865}.exe
          C:\Windows\{114F3409-4A28-4eff-A542-A3D4817CE865}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\{C242975F-B735-4798-8C34-771952CA1940}.exe
            C:\Windows\{C242975F-B735-4798-8C34-771952CA1940}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Windows\{791C884A-1D88-435a-8F7E-139F8C371BA0}.exe
              C:\Windows\{791C884A-1D88-435a-8F7E-139F8C371BA0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2204
              • C:\Windows\{7190E1D0-DB9B-4d70-9893-C59CEE8AF177}.exe
                C:\Windows\{7190E1D0-DB9B-4d70-9893-C59CEE8AF177}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2884
                • C:\Windows\{77A0D099-3EC1-4093-88FA-DF055794844A}.exe
                  C:\Windows\{77A0D099-3EC1-4093-88FA-DF055794844A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2868
                  • C:\Windows\{498A4987-1D23-4806-9A27-491A276A6845}.exe
                    C:\Windows\{498A4987-1D23-4806-9A27-491A276A6845}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:608
                    • C:\Windows\{DE0F8D78-C962-4395-A401-B5A1AFEFB2BC}.exe
                      C:\Windows\{DE0F8D78-C962-4395-A401-B5A1AFEFB2BC}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2068
                      • C:\Windows\{1786AAF6-C0EA-43c1-AD74-2B4FCB790B8A}.exe
                        C:\Windows\{1786AAF6-C0EA-43c1-AD74-2B4FCB790B8A}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1268
                        • C:\Windows\{CF20663C-1D5E-4425-9CEF-92A2E4AF3F5D}.exe
                          C:\Windows\{CF20663C-1D5E-4425-9CEF-92A2E4AF3F5D}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:628
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1786A~1.EXE > nul
                          12⤵
                            PID:2264
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DE0F8~1.EXE > nul
                          11⤵
                            PID:876
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{498A4~1.EXE > nul
                          10⤵
                            PID:1316
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{77A0D~1.EXE > nul
                          9⤵
                            PID:1904
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7190E~1.EXE > nul
                          8⤵
                            PID:680
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{791C8~1.EXE > nul
                          7⤵
                            PID:2864
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C2429~1.EXE > nul
                          6⤵
                            PID:2164
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{114F3~1.EXE > nul
                          5⤵
                            PID:2604
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1637F~1.EXE > nul
                          4⤵
                            PID:2964
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1854C~1.EXE > nul
                          3⤵
                            PID:2804
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1916

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{114F3409-4A28-4eff-A542-A3D4817CE865}.exe
                        Filesize

                        197KB

                        MD5

                        0d656f0bc5f3ce79e64adb4bd9388656

                        SHA1

                        928000d28c37c8a04df386ccfd02156c255735d9

                        SHA256

                        ffc264610d14e12f35389a8220f8f5025fd71687380241d48a24dc6a3fc86ba7

                        SHA512

                        9ee1e3137f15328829b7e71891feb0fd935f476b4aa6839699e1d2263876ac3b371b8be8110472de19c2df4b08eb470ef58ea3a72ea884621f69ce99b8fec21e

                        Download Submit

                      • C:\Windows\{1637F82B-6D09-4d5f-A169-35A621F52EA9}.exe
                        Filesize

                        197KB

                        MD5

                        f244a40e8cee6da2ceb65724c59cd2a3

                        SHA1

                        fabc1e98eaa1e083d510529f1db92bcc56bc5586

                        SHA256

                        d2b1272be7259d9d9c827a536351ecbba722b70c2e72da2df23f9d2d67f178fd

                        SHA512

                        6c31e945adb7e7ae5edbe5365d70d330f5f25f8336d7bd1ca51149fa93813c86da300e4328fbd5fbbb3587ac7d502f44df4ed205ef9dfe27fce3e33312404968

                        Download Submit

                      • C:\Windows\{1786AAF6-C0EA-43c1-AD74-2B4FCB790B8A}.exe
                        Filesize

                        197KB

                        MD5

                        48329801155be2ec3f6961798d280c34

                        SHA1

                        90ddb79d561495fbd6d0f7fb3a69bb4a75b2bba6

                        SHA256

                        341e154cca0eea146a4d23143cf8efedee24cee2a226e9926c083c95dbf75841

                        SHA512

                        7188a145864c2f8fbc91eb2d91b57c196df45177b6b46d8e69c424bb0d49f5f738e63aae6129d6a873ff9d358bea6af4697197eadcc0db03d6349c412cfedea8

                        Download Submit

                      • C:\Windows\{1854C5FD-4FE7-4a58-A2C1-CEE24E4F94EC}.exe
                        Filesize

                        197KB

                        MD5

                        4122d6452ec551e751a91a505c505059

                        SHA1

                        366bc2dc6d101d1a0ba2826839281f083c15c11f

                        SHA256

                        bac57fbd4efca4c94549d6e87411dd3ea755c07e65f6386088def2cabe681c9a

                        SHA512

                        30eae00a8f625655ec75e7deef98a15feb9ed89cc9bacccfcbe9e6a039779eb3d86c8522e4b2bd767166beac05db309f1cb4af77796a3bb42e2106457d5dbda7

                        Download Submit

                      • C:\Windows\{498A4987-1D23-4806-9A27-491A276A6845}.exe
                        Filesize

                        197KB

                        MD5

                        d3d9f6d31890fa4beaf0db2bf1e6ecb8

                        SHA1

                        141a9c54833d0cbf15b2cf348b4fe0e96f898eac

                        SHA256

                        c320922efd70c5cf7792950bc51087d770831c313a733ae1cd5e96fc7dc54495

                        SHA512

                        341baa097294d1b9a39676e36ace05f3277c20ecddb4856657eea4fb62841b18c3ec0038639a6706774dc2d22878978e583a9d6866fc759f2854a94ea0a55b58

                        Download Submit

                      • C:\Windows\{7190E1D0-DB9B-4d70-9893-C59CEE8AF177}.exe
                        Filesize

                        197KB

                        MD5

                        89f700a9194ca894c0bdf28e4313b919

                        SHA1

                        e19143efe140b0c4623d7b641df2b19c9cd51cd6

                        SHA256

                        5e00e14cf9c0a0f435d4aab03d888e515541c8a19b7d595feb47f57ce0bdf38e

                        SHA512

                        7f0fce86e542ee203dc296c5cac2d3757b87101de5dc6e6f1b02411d541251c5721263678b0ffc31d9b07076038fa5bd2391714fd802144da821f9a3c8b851a6

                        Download Submit

                      • C:\Windows\{77A0D099-3EC1-4093-88FA-DF055794844A}.exe
                        Filesize

                        197KB

                        MD5

                        2b7f2e7d196c10965e3c7af141861b64

                        SHA1

                        5f2aa1abd96120c41b13a990baedc58f1fa4d248

                        SHA256

                        ec821af216e1fcdf93a2bd71f9981539a321eacc37159b4bf7db842090a15e45

                        SHA512

                        08e019824e398a61f300c3ca73be7eec42bb14d926e8d9074b527a9b1a2006c0cf84655af405351cbb8bb370560ca33a36775b07b3032c2360864aa8daf722ee

                        Download Submit

                      • C:\Windows\{791C884A-1D88-435a-8F7E-139F8C371BA0}.exe
                        Filesize

                        197KB

                        MD5

                        9ac678f741a6e1b0de6af8425f35490a

                        SHA1

                        27dddafd2e4f0774e25a4d9827a13bdbe36e03f5

                        SHA256

                        c89185736fbfdb810b031ed693afdc21f8787c8b99344842b9290ed2cae13426

                        SHA512

                        84aa9cae91efd6689b75039b23b2876ed42d76ee384c536dee4fad8550aa4b39272a94797ba783c4ac3079b9d3e46971e1ec560ba92d30d01daa4971a01ac935

                        Download Submit

                      • C:\Windows\{C242975F-B735-4798-8C34-771952CA1940}.exe
                        Filesize

                        197KB

                        MD5

                        3b1e1126bae3d542a7ebcecd5441a932

                        SHA1

                        f314c7a1c4017b77fceaa032c4d4532a2d2a89b4

                        SHA256

                        3afa48d013f62b565ffc14db0dc992b500782bfdd628095e98b8fb61d23ec138

                        SHA512

                        975aef143002925df0c65d0f6aa76de41c03e85bc569bce90b1af019a9f2451255e66713eb2dd8519894ed72679da112125a0bf737fa2c879337c583c5b62405

                        Download Submit

                      • C:\Windows\{CF20663C-1D5E-4425-9CEF-92A2E4AF3F5D}.exe
                        Filesize

                        197KB

                        MD5

                        9e0c71e57c05b5f538cc2667fc128f2d

                        SHA1

                        c4ca04c5cf9300632e3b4f36f6de32f26e552356

                        SHA256

                        ce5f63cd024e1d3fcab3fd94eb59f9974e7f9d26b76e3487acc880add72bca41

                        SHA512

                        3e98eb0233f64c5d7b2196809244113fe34cd128a7cb5d4384881fd1c931f0b127147487d4361594d3314638142921136edff4b04fc9c01d600fd183b79d81b4

                        Download Submit

                      • C:\Windows\{DE0F8D78-C962-4395-A401-B5A1AFEFB2BC}.exe
                        Filesize

                        197KB

                        MD5

                        0815a00f76ba4aaf4a892dc137e7e9d8

                        SHA1

                        fa9ba501c48452cdecf4818007529910bcf1231d

                        SHA256

                        891f53c54a13c3e19a8bda554af55eca90d91a19b2a087f82b641ff5fb43772c

                        SHA512

                        fbedc9f2985f4c8c9c274e163c903cabcec083cb018d4f6a66d11a8a1703e3316f7fb4229ee95dd12634a72c731311c9d29705c9a9a21b8918abc914728f523c

                        Download Submit