Analysis

  • max time kernel
    144s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    25/07/2024, 09:57

General

  • Target

    2024-07-25_62c39a8d0b386f5dd138b6b89067afa2_goldeneye.exe

  • Size

    168KB

  • MD5

    62c39a8d0b386f5dd138b6b89067afa2

  • SHA1

    ce87700db3839b139ec9198ddf87aeeab51468b7

  • SHA256

    fd2ef1556cc048faa77e82b93225eecf5ccaab4e0515a961422b02bbd2337452

  • SHA512

    e0b9a10ea8b450c975d97534581a183ef07cbda505bc9df1be07cb48828e1befc72d30f573ecdc297ae0b8afc2ea92c5234b0681f240f96a19e687d85d258177

  • SSDEEP

    1536:1EGh0oFlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oFlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-25_62c39a8d0b386f5dd138b6b89067afa2_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-25_62c39a8d0b386f5dd138b6b89067afa2_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\{E6B0389A-527E-47cf-BCC7-B257EE2D0F53}.exe
      C:\Windows\{E6B0389A-527E-47cf-BCC7-B257EE2D0F53}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\{0305F11F-1AAF-467c-9A29-78CF40F56C5F}.exe
        C:\Windows\{0305F11F-1AAF-467c-9A29-78CF40F56C5F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\{0EA63E0E-5E89-4ab4-B9CD-015FC0C5DFC6}.exe
          C:\Windows\{0EA63E0E-5E89-4ab4-B9CD-015FC0C5DFC6}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Windows\{CEE2CCD3-BD1C-45cd-A134-E7EB6CEEF412}.exe
            C:\Windows\{CEE2CCD3-BD1C-45cd-A134-E7EB6CEEF412}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3024
            • C:\Windows\{5F30CE43-AAE8-40f2-83BF-F156CF209880}.exe
              C:\Windows\{5F30CE43-AAE8-40f2-83BF-F156CF209880}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:872
              • C:\Windows\{94ED758D-931F-4ef0-BCA1-57A98DEEC793}.exe
                C:\Windows\{94ED758D-931F-4ef0-BCA1-57A98DEEC793}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2884
                • C:\Windows\{193AF1E4-2400-42df-96B0-E8CE006A60E9}.exe
                  C:\Windows\{193AF1E4-2400-42df-96B0-E8CE006A60E9}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3020
                  • C:\Windows\{0E898EC9-8B06-4fb6-83F8-055FC3F89864}.exe
                    C:\Windows\{0E898EC9-8B06-4fb6-83F8-055FC3F89864}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:780
                    • C:\Windows\{D3243270-EFCB-4e41-8F18-C4959A4F050A}.exe
                      C:\Windows\{D3243270-EFCB-4e41-8F18-C4959A4F050A}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2432
                      • C:\Windows\{BB09C8BF-F761-4153-8BD1-D597BD029951}.exe
                        C:\Windows\{BB09C8BF-F761-4153-8BD1-D597BD029951}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2008
                        • C:\Windows\{3F91AB9E-2D94-4ad5-874E-72347AC55E03}.exe
                          C:\Windows\{3F91AB9E-2D94-4ad5-874E-72347AC55E03}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:340
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BB09C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1540
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3243~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2456
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0E898~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2248
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{193AF~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1688
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{94ED7~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2896
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5F30C~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1732
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE2C~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2428
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0EA63~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2236
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0305F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1444
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6B03~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2620
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0305F11F-1AAF-467c-9A29-78CF40F56C5F}.exe

    Filesize

    168KB

    MD5

    76b92548fdf302c4fc552c911cad6a5d

    SHA1

    c97cdcea013b319f1b9e019adaa5612ece13bf11

    SHA256

    7ee799d4e3b981bf75c518cb0a26e2f83d57f2f3b1ab3e6bf2522cf744bbc873

    SHA512

    976aa876e2dcc435136455b2476d38edbe7484071eccb2745dac30758045b4601a7e2744c7524b68c233d6dcfefbc08a491025e25c3321dbc739be1de38da4fe

  • C:\Windows\{0E898EC9-8B06-4fb6-83F8-055FC3F89864}.exe

    Filesize

    168KB

    MD5

    5d0740573a28a09645d77a8340f246b9

    SHA1

    2a615b55f993523e27327a58d115ef6138d198c7

    SHA256

    881e560d471970f349a7afa57d66076ab1f5cfaf4e7a9412f8179d3fc09bb6d7

    SHA512

    c826daec7ac2e3df53a1a150807dee0401e0ae38b2bb06bdbe28809c52d7802da3d9e761b13a4ed77a509326dc94bbcde468e0d9c2ff3cc637d53eadec793432

  • C:\Windows\{0EA63E0E-5E89-4ab4-B9CD-015FC0C5DFC6}.exe

    Filesize

    168KB

    MD5

    8ea8db0c3532a3918a8f63e4d8114d97

    SHA1

    e1104ad9711a0c6dae05466f172430982d2ddd23

    SHA256

    acfecd120fc07011aade8e7efa14b658f7b11542dd41f8489db3728fabb155c0

    SHA512

    457b4a4aac268db218ede4ff278e57a76b1c8e545bd4c1f0d38a480df238efa531e418b141670c75d8dca88b493fb88ff90e64335defcf20b6e3cf4132f9caa3

  • C:\Windows\{193AF1E4-2400-42df-96B0-E8CE006A60E9}.exe

    Filesize

    168KB

    MD5

    4e16bbc6298d877728bee3cca0944f61

    SHA1

    ba3223822d10990155eeb0ae9c20b9883e302422

    SHA256

    0b3256e09a8738a7d2ea75d2f954d60cd86935e9176693f1240953a4f4e7dc44

    SHA512

    2f558c01db332fde72f5229488d575ed8d32aef995c624770ca3700c04d8e662a581f2bdd4c59c9803fa8b16eaae9e1d1402b30f8cb2b6b99d024cdc59235475

  • C:\Windows\{3F91AB9E-2D94-4ad5-874E-72347AC55E03}.exe

    Filesize

    168KB

    MD5

    23b31cc700ccbefaa703c1785f3a96c9

    SHA1

    1313bddcb695c15541cfcf823bbd63cc2041e4a1

    SHA256

    926b9009d76ab31bb260a57df0964bcd68b93aa0aa8e86fdaf7ec94ec85ae841

    SHA512

    1a7bddc7ad603000b2c43584ce67839702d7e42c79c8dcf1fef10a96fe997b99e3309256ea96772a9ed7e47551837c33e84b2991aea7c37803dc70a1da4abd90

  • C:\Windows\{5F30CE43-AAE8-40f2-83BF-F156CF209880}.exe

    Filesize

    168KB

    MD5

    59930f7e3d9900db17c701e7b997498a

    SHA1

    b28213d2eb12951b3683c2fce80c5ad4afcc7015

    SHA256

    d1ab147c52f09f8a6498a2919f47d32ed7e48488dd003308db7316dd6455d08b

    SHA512

    b496c253d8fc7234852c6aed4443ec9c41dbd9bd69ad4b311c7a11cf91a0ba2b8af97fba6460c78283ef9cf2b479d092e0b7530fd76accb5d042f7eb3dcfb100

  • C:\Windows\{94ED758D-931F-4ef0-BCA1-57A98DEEC793}.exe

    Filesize

    168KB

    MD5

    df9b7ac35767449a3a3f11ca3caa7b93

    SHA1

    f3c508cd7fe1510c333f9457251ac1797bdd9355

    SHA256

    ec9627beb97695e94beaa634804c65a30e80b77b7110d74b014c5911dd6aa23e

    SHA512

    7856672003dd41bec518ea25cbed804731bf679aac3950571a273ecc9a93c60db95d104b8ec86f5385a1c5c36499f7521a1f96e8757c67fe5d3ec3cc3952fc9c

  • C:\Windows\{BB09C8BF-F761-4153-8BD1-D597BD029951}.exe

    Filesize

    168KB

    MD5

    287afc644e85f72ea3f90057b39fe85c

    SHA1

    bf22805c7217b388634c3ca234a434ecc0f16f66

    SHA256

    7450dbb974a29801967fd4b7e78fb52f21aab39f92b24ca81ec1dde7ce98b0e6

    SHA512

    86ebf4dd3ca59a78c6d96974d23faf41425298ea00170298dfccf0a1ac924cbdf73c11bf0e8332b635defcacd103c4bca57dc4c0300b489ba24601a312c75898

  • C:\Windows\{CEE2CCD3-BD1C-45cd-A134-E7EB6CEEF412}.exe

    Filesize

    168KB

    MD5

    b7eaac9395de63d2cc6aca459f69da2a

    SHA1

    d2bc5609b289de5d7cb20aec908322bab437be68

    SHA256

    46e403392cc1e36d7f6d86017a19c44a8ee93b7631680d7d359c29665938ad3b

    SHA512

    88ca3d7ba43035d12429d4d0f222f041448fdc48317350e7381224db4e8f337461f1e2ccccf37e03f4c6179b527cb048a0992de5ed9332eef642c8df577f2b70

  • C:\Windows\{D3243270-EFCB-4e41-8F18-C4959A4F050A}.exe

    Filesize

    168KB

    MD5

    f92343bc6c42d9267872209b93c08390

    SHA1

    71166a06bb49c95ee9efa23b7e6bbf311c45e2ea

    SHA256

    99874e0189a19dd50777c112d0a7712a0c8e8cf73f491ed7e9534118600ff432

    SHA512

    25d4dc18814e1562ad633634674605980fc7f7824015fa715f7d752cb00e86cc7f584048625aa18359bb9e16b140185ba5de6978a194d27c243267bfd4036560

  • C:\Windows\{E6B0389A-527E-47cf-BCC7-B257EE2D0F53}.exe

    Filesize

    168KB

    MD5

    1e3e0accac4d5fff939a08a395af5411

    SHA1

    ce270c8d50ec6165ed2a5c73f9c97a5c3bd8c0a5

    SHA256

    c66bef153ec1068db143cbbc7d8c2ae72be0698432127af0c1fbe3005c85cb0b

    SHA512

    012c662f76f921b318b92b1b45ccfed0dfe7ef2e836d7e7895a4f3c433e7549239f67fde30723148f389181e62dcce96657194826f6ff9370ab8ceb7d0cfe415