Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 08:01

General

  • Target

    2024-07-27_9089db63f522f1030cb2abda708e1d80_goldeneye.exe

  • Size

    197KB

  • MD5

    9089db63f522f1030cb2abda708e1d80

  • SHA1

    2db9beaf48a405227a26961c97ebf9b6c04e49e9

  • SHA256

    c2061adeb1294cc98488cb84429eef3f61ca1b486e42b416f55dbecbb5777587

  • SHA512

    b0855e6d0e5cac7858b341404ab92299531ee84625894087fabac045ba5ddb5c05020da2ee7eda8fa49cb9838b1d1b8671ba0eed184b91450e212e7673d5b7f1

  • SSDEEP

    3072:jEGh0oWl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGolEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key under the local machine's Active Setup Installed Components (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components); the command stored there runs at each user's next logon.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-27_9089db63f522f1030cb2abda708e1d80_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-27_9089db63f522f1030cb2abda708e1d80_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\{11165DC3-5FBB-4eed-AFFF-09EEA1EED69A}.exe
      C:\Windows\{11165DC3-5FBB-4eed-AFFF-09EEA1EED69A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\{BCA4F04A-778D-4dfb-90CF-54663C6173A6}.exe
        C:\Windows\{BCA4F04A-778D-4dfb-90CF-54663C6173A6}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\{A6942CA1-8166-40bf-A27A-C8813B9C8172}.exe
          C:\Windows\{A6942CA1-8166-40bf-A27A-C8813B9C8172}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1012
          • C:\Windows\{4CF183EE-E61D-45ec-AAAC-E0508BA4063B}.exe
            C:\Windows\{4CF183EE-E61D-45ec-AAAC-E0508BA4063B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4188
            • C:\Windows\{9559A5DB-59AC-4895-ABD2-6F882EF2B7C7}.exe
              C:\Windows\{9559A5DB-59AC-4895-ABD2-6F882EF2B7C7}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4688
              • C:\Windows\{71625413-E022-439f-A046-9F418A6E8D5E}.exe
                C:\Windows\{71625413-E022-439f-A046-9F418A6E8D5E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4980
                • C:\Windows\{AB5B9B82-A430-4cda-9A10-A968DF92F3FD}.exe
                  C:\Windows\{AB5B9B82-A430-4cda-9A10-A968DF92F3FD}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4488
                  • C:\Windows\{D8511ADE-0760-40f3-89AA-E90800706F70}.exe
                    C:\Windows\{D8511ADE-0760-40f3-89AA-E90800706F70}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1728
                    • C:\Windows\{4C58B3DD-6A17-4e75-B773-9AC76DCE2C49}.exe
                      C:\Windows\{4C58B3DD-6A17-4e75-B773-9AC76DCE2C49}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2696
                      • C:\Windows\{34828AD8-AAB3-4b24-BB27-B94D2D64E747}.exe
                        C:\Windows\{34828AD8-AAB3-4b24-BB27-B94D2D64E747}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1596
                        • C:\Windows\{E7E4753A-2FE3-4b02-9D4A-F34254BA7CE6}.exe
                          C:\Windows\{E7E4753A-2FE3-4b02-9D4A-F34254BA7CE6}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2752
                          • C:\Windows\{B873D4F4-2584-4c8e-86B6-007B1A4D75C0}.exe
                            C:\Windows\{B873D4F4-2584-4c8e-86B6-007B1A4D75C0}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4376
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E47~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1092
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{34828~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4520
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C58B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3648
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D8511~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4352
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{AB5B9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3996
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{71625~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3448
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9559A~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1624
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4CF18~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2984
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A6942~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:860
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA4F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11165~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4080
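The tree above shows one loop repeated twelve times: each stage writes a GUID-named copy into C:\Windows, executes it, and then spawns cmd.exe /c del against its own image using the 8.3 short name ({11165~1.EXE for {11165DC3-...}.exe). Two details worth noting: every cmd.exe command line names C:\Windows\system32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe, which is WOW64 file-system redirection and consistent with the arch:x86 tag; and the twelve dropped files in the Downloads section share a size of 197KB but differ in every hash, so file hashes are weak indicators here and the path pattern plus the drop-execute-self-delete behaviour is the better handle. The Python below is an added example, not code from the sandbox or from this report: it walks a constructed excerpt of the process tree (PIDs, paths and command lines copied from above, parent links taken from the nesting, the chain cut after four stages), resolves the 8.3 names in the del commands back to the long paths, and flags each stage. The function and variable names, and the 8.3 approximation (only the first-collision "~1" form is generated; matching accepts any "~N"), are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's process tree: (pid, ppid, image path, command line).
# Values are copied from the report; ppid 0 marks the submitted sample; the chain is cut
# after the fourth stage to keep the sample short.
SAMPLE_PROCESSES = [
    (220, 0,
     r"C:\Users\Admin\AppData\Local\Temp\2024-07-27_9089db63f522f1030cb2abda708e1d80_goldeneye.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\2024-07-27_9089db63f522f1030cb2abda708e1d80_goldeneye.exe"'),
    (5028, 220, r"C:\Windows\{11165DC3-5FBB-4eed-AFFF-09EEA1EED69A}.exe",
     r"C:\Windows\{11165DC3-5FBB-4eed-AFFF-09EEA1EED69A}.exe"),
    (4080, 220, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (2612, 5028, r"C:\Windows\{BCA4F04A-778D-4dfb-90CF-54663C6173A6}.exe",
     r"C:\Windows\{BCA4F04A-778D-4dfb-90CF-54663C6173A6}.exe"),
    (968, 5028, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{11165~1.EXE > nul"),
    (1012, 2612, r"C:\Windows\{A6942CA1-8166-40bf-A27A-C8813B9C8172}.exe",
     r"C:\Windows\{A6942CA1-8166-40bf-A27A-C8813B9C8172}.exe"),
    (4900, 2612, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA4F~1.EXE > nul"),
]

# A dropped stage: an executable named as a bare GUID directly under C:\Windows.
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.IGNORECASE)
# "cmd.exe /c del <path>": capture the path being deleted.
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)", re.IGNORECASE)
# Characters that survive unchanged in an 8.3 short name; anything else becomes '_'.
SHORT_BAD_RE = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def _normalize_83(filename):
    """Return (base, ext, fits): 8.3-sanitised name parts and whether the long name
    already satisfies 8.3 (upper-case, no spaces, <=8 base, <=3 extension)."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        base, ext = filename, ""
    base_u, ext_u = base.upper().replace(" ", ""), ext.upper().replace(" ", "")
    clean_base, clean_ext = SHORT_BAD_RE.sub("_", base_u), SHORT_BAD_RE.sub("_", ext_u)
    fits = clean_base == base_u and len(base_u) <= 8 and clean_ext == ext_u and len(ext_u) <= 3
    return clean_base, clean_ext, fits


def short_name_83(filename):
    """Approximate the first 8.3 short name Windows would generate (the '~1' form only)."""
    base, ext, fits = _normalize_83(filename)
    suffix = "." + ext[:3] if ext else ""
    return (base + suffix) if fits else (base[:6] + "~1" + suffix)


def short_name_re(filename):
    """Regex matching any '~N' short name of filename (a volume may hand out ~2, ~3, ...)."""
    base, ext, fits = _normalize_83(filename)
    suffix = re.escape("." + ext[:3]) if ext else ""
    body = re.escape(base) if fits else re.escape(base[:6]) + r"~\d+"
    return re.compile("^" + body + suffix + "$")


def same_file_83(long_path, short_path):
    """True if short_path names the same file as long_path (same directory, long or 8.3 name)."""
    ldir, _, lname = long_path.rpartition("\\")
    sdir, _, sname = short_path.rpartition("\\")
    if ldir.upper() != sdir.upper():
        return False
    return sname.upper() == lname.upper() or short_name_re(lname).match(sname.upper()) is not None


def find_drop_and_self_delete(processes):
    """Flag every process that launches a GUID-named stage under C:\\Windows and also spawns
    'cmd.exe /c del' against its own image. Returns one record per stage, in input order."""
    by_pid = {p[0]: p for p in processes}
    children = defaultdict(list)
    for pid, ppid, _, _ in processes:
        children[ppid].append(pid)
    findings = []
    for pid, ppid, image, cmdline in processes:
        next_stage = self_delete = None
        wow64 = False
        for cpid in children[pid]:
            _, _, cimage, ccmd = by_pid[cpid]
            if GUID_EXE_RE.match(cimage):
                next_stage = cpid
            m = DEL_RE.search(ccmd)
            if m and same_file_83(image, m.group(1)):
                self_delete = cpid
                # Command line says system32\cmd.exe, image that ran is SysWOW64\cmd.exe:
                # WOW64 file-system redirection, i.e. the parent is a 32-bit process.
                wow64 = "\\syswow64\\" in cimage.lower() and "\\system32\\" in ccmd.lower()
        if next_stage is not None and self_delete is not None:
            findings.append({"pid": pid, "image": image, "next_stage_pid": next_stage,
                             "self_delete_pid": self_delete, "wow64_redirected": wow64})
    return findings


def stage_chain(processes):
    """Follow next-stage links from the submitted sample (ppid 0) and return the PIDs in order."""
    findings = {f["pid"]: f for f in find_drop_and_self_delete(processes)}
    roots = [p[0] for p in processes if p[1] == 0]
    chain, cur = [], (roots[0] if roots else None)
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = findings[cur]["next_stage_pid"] if cur in findings else None
    return chain


if __name__ == "__main__":
    for f in find_drop_and_self_delete(SAMPLE_PROCESSES):
        print(f"PID {f['pid']}: launched stage PID {f['next_stage_pid']}, then self-deleted "
              f"via cmd.exe PID {f['self_delete_pid']} (WOW64 redirected: {f['wow64_redirected']})")
    print("stage chain:", stage_chain(SAMPLE_PROCESSES))
```

Run against the constructed excerpt, the three complete stages (PIDs 220, 5028 and 2612) are flagged and the chain reads 220, 5028, 2612, 1012; the last stage in the full report ({B873D4F4-...}.exe, PID 4376) would not be flagged because no further drop or self-delete was recorded for it before the run ended. The same short-name matching is what lets an EDR query join a "cmd.exe /c del ...~1.EXE" event back to the file-create event for the GUID-named path, which is the join a hunting rule for this behaviour needs.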

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\{11165DC3-5FBB-4eed-AFFF-09EEA1EED69A}.exe

          Filesize

          197KB

          MD5

          8c0c9d7d9c6adf3d6e09a2a6ad4fef0b

          SHA1

          a88f690f5d04011ee9bef366343bbe159ccf10b4

          SHA256

          3e3adfc95e02b957903e7def94ad63486acff20bc4a6cfb8087775fc57e9ad65

          SHA512

          dbf35672712fcf43eb078f4e8b8c781142250728e8056eb93bf063d50c5ebc5dd7adb84e34937049c871632da8b8de2ad7466355895b675207c889f1bb4e49a7

        • C:\Windows\{34828AD8-AAB3-4b24-BB27-B94D2D64E747}.exe

          Filesize

          197KB

          MD5

          1401cfd86f6051f1a60f40b39834626f

          SHA1

          c5b51d9842d7e60ac92cb087fd990c1cc2a9eea7

          SHA256

          c8f52b81cf4eadb7c00321fefd4b802b180e9503431ef9c3c75399d7ca5334ed

          SHA512

          9f7acd72d236eb1a97897a4260d5b63bec3b072cba5ac86d29586a509ab6b70ab345486e7109155177875c3c8628e56beb39bf4f43043aae63a0409192b7c148

        • C:\Windows\{4C58B3DD-6A17-4e75-B773-9AC76DCE2C49}.exe

          Filesize

          197KB

          MD5

          427005f3b30f1dd7005004dbc970f70b

          SHA1

          ed477b6c49e15d7197481cf98c83848c6a43ec78

          SHA256

          e0a133750675e210519efbd132983c7bf25bc1ed31b9db717ef3760252fa58a8

          SHA512

          b651c623fe04c00f825743d9015e4a24710b2c64cac868fea57a510b6f32d40c8168ab77684b1e796d9bee6ce0df0ce45eb178924435194db5a574b453427793

        • C:\Windows\{4CF183EE-E61D-45ec-AAAC-E0508BA4063B}.exe

          Filesize

          197KB

          MD5

          71c66c80bdef2f83af95dd9fc55b86b0

          SHA1

          e5170ca9aed2ca9a87aaa6dedcc136f397955cd9

          SHA256

          cd853b77b46e146da2236aa0d85bf71daae19202835ea6ed50a0b31212a5893e

          SHA512

          a63bd235a4ad905cd3b992a30c41449c01e78108d74910f02ee086f2a575442b6aa0ebe3e65163924d62cb9fbc7e206178bc89dc1541a74218e43718a723b829

        • C:\Windows\{71625413-E022-439f-A046-9F418A6E8D5E}.exe

          Filesize

          197KB

          MD5

          009426de705b9aa03ddae22b4468022b

          SHA1

          6e4f7bacb681a3882692a7a8532fd145012655ae

          SHA256

          c17cacf4b82298ab33ae94e71e992d8c6b0287f43be7f4aae2103e3e8f10658a

          SHA512

          ca4efd103e540e26b380f22fdced4926f0d4b0edbe0b739fb8097875a9206a4e63a78a3651350b9af7723ffe9fa501bee3aacc082dd7aac9b72c2573872bdc8e

        • C:\Windows\{9559A5DB-59AC-4895-ABD2-6F882EF2B7C7}.exe

          Filesize

          197KB

          MD5

          052cf98e44afaeec1ac23dcd24216783

          SHA1

          12827ec98e2cc66a31573483fd8b89c8dbe44d2a

          SHA256

          854bd68d6e516147264439c3f506ef2b6287e3f092d6ef35da717ff99025aebf

          SHA512

          64ed79f0e213c63c9e42bf265719c1265327276dc0ad851ed9a2760396b91fdf3070f066738b895b10057edb9eb6f990f781a9ed5af0b65887fb944982864a94

        • C:\Windows\{A6942CA1-8166-40bf-A27A-C8813B9C8172}.exe

          Filesize

          197KB

          MD5

          907eb22180dfea85dae2096df38ddca9

          SHA1

          071cc2096ccffc876b5145c57c0902fbc6b1d902

          SHA256

          300ac0fba5a016c9656739c8dd5dac8d4ee1624f899ae65be149b05e6b2180ed

          SHA512

          eb6e990c638d92f80c0aa727754406af2eef69a8a035c81dadf90fe1f4948cf58a090ca71cabd5189dffaca37f839f226dd0dbae97cbdf9e8d16880bd6691942

        • C:\Windows\{AB5B9B82-A430-4cda-9A10-A968DF92F3FD}.exe

          Filesize

          197KB

          MD5

          7d985234484043a6c96493c00f695477

          SHA1

          e4181573e7f5b6f63af4a7a756c5a520667b494d

          SHA256

          5b08a31d77973b8a89ec40eeec2f258ec0ba219c9e2e146e260ebd155e4bc772

          SHA512

          9538a1679ce4a08e7c38f6b9ab72a63334a7be0014db0e9e20e29181bc7810d783cdc14f62a334155e0cfda8c977a5e52e6e2a35eb0585ca4fa271e64d56806d

        • C:\Windows\{B873D4F4-2584-4c8e-86B6-007B1A4D75C0}.exe

          Filesize

          197KB

          MD5

          8fd151b3b3a32b3a44d78be6b3430055

          SHA1

          3678d7d99ad175fc9522a8d548e4250a135ce2a3

          SHA256

          adc0db1a2f2cc30cd5137419ac712861549690f911f11f92e19e319ebbab114b

          SHA512

          934031affd9658fdaeb7485207fa9328cc1dba4ab26f6b5b8043316efc78b8cd46e392bd6f37764916d4967c65b96185c904317ef6d1f73bdc829c544f08abee

        • C:\Windows\{BCA4F04A-778D-4dfb-90CF-54663C6173A6}.exe

          Filesize

          197KB

          MD5

          e3111261cfdff1de900789f87d3c6e4b

          SHA1

          739708dff96a88ec730c468419c58fc8c639a66c

          SHA256

          6b1f3c1fb2fb5080f9239adc6e71d1f901582a8862f23ae821c1f99e10af9dd4

          SHA512

          2770713b04acc6e6e3f2c693453bcb8db53fc1f0e7769ea5b1d20444c0ff0732fc22db557dc017328fdcc1d4aee8478cc0ef8cfa5a9f56744b095494bb67c9e6

        • C:\Windows\{D8511ADE-0760-40f3-89AA-E90800706F70}.exe

          Filesize

          197KB

          MD5

          a58e5bdfc446809f368c855642ba26b4

          SHA1

          99d73fc5b56c4d5ca634672ac135cb1daefa711c

          SHA256

          5b7e0ebe331c4a6f0e3e1a25b3a4b052e9d107cef300fcdcbff48ff332fba4fb

          SHA512

          ac013ba1307c2b4710216b9c7a60bb36f4e0d4a3a9c16a3b7021962e25a16a30fc0de023b12d2424e59a9befbd3ad4aac50b91f3ac97fce50a8356e11b10d75a

        • C:\Windows\{E7E4753A-2FE3-4b02-9D4A-F34254BA7CE6}.exe

          Filesize

          197KB

          MD5

          c45a7b89fc06d9be030a491fc0bbd37d

          SHA1

          096d628c09b36e1635c0424d366e803ad16d191b

          SHA256

          e17fd5037f093edd8e65ddb971e820e1c5e00373e3601f992bb252e0e61e4d22

          SHA512

          5a3cc4456f4f000d0da3a5366c1efbfead0df53d00a4039247639b6e7069767d5821259add7c9c08baa592625f1ed59a5533c7c1e6918fcc49ce4a77979ae282