Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/07/2024, 08:04

General

  • Target

    2024-07-27_9fbf26a7f2f3254976a75141afcff618_goldeneye.exe

  • Size

    168KB

  • MD5

    9fbf26a7f2f3254976a75141afcff618

  • SHA1

    b2d0decf1076977c0811e8fcd572528ccce46cae

  • SHA256

    f30218af8fecf016b9b10ed7f3aa781eea074e224d25ecad92ddd54e34efd988

  • SHA512

    f8bbe52f0157cb3e04f6803d02b0f4bb98f6e48715051b5d1c944da1afc87697a4a0f89544e8c6faf7f9e477c0bcc2739e5b9221483467440fd1165fc10ba7aa

  • SSDEEP

    1536:1EGh0orlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-27_9fbf26a7f2f3254976a75141afcff618_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-27_9fbf26a7f2f3254976a75141afcff618_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\{827A1160-E17E-411a-BEAC-6E575DA573EC}.exe
      C:\Windows\{827A1160-E17E-411a-BEAC-6E575DA573EC}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\{B3F74113-018E-4ad0-BBE4-53ED9BD5A124}.exe
        C:\Windows\{B3F74113-018E-4ad0-BBE4-53ED9BD5A124}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\{CF9F049A-2278-4348-AC74-6E2357CDE460}.exe
          C:\Windows\{CF9F049A-2278-4348-AC74-6E2357CDE460}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\{7219AC24-0A80-49ef-86AF-72156139CBA7}.exe
            C:\Windows\{7219AC24-0A80-49ef-86AF-72156139CBA7}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\{D5F0E2BD-67EA-44f3-A950-19BA0E27FB2B}.exe
              C:\Windows\{D5F0E2BD-67EA-44f3-A950-19BA0E27FB2B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2672
              • C:\Windows\{5158BD2C-D9B2-4e5f-A793-94146D8B1395}.exe
                C:\Windows\{5158BD2C-D9B2-4e5f-A793-94146D8B1395}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:864
                • C:\Windows\{A860454D-19CC-4ea4-8DFC-459892915B73}.exe
                  C:\Windows\{A860454D-19CC-4ea4-8DFC-459892915B73}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1624
                  • C:\Windows\{6098AEDE-5AF2-4097-9A2B-5A040264C25F}.exe
                    C:\Windows\{6098AEDE-5AF2-4097-9A2B-5A040264C25F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2832
                    • C:\Windows\{0D75260E-A104-4629-A92E-EBE88651E880}.exe
                      C:\Windows\{0D75260E-A104-4629-A92E-EBE88651E880}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:340
                      • C:\Windows\{E3636155-B65D-4e2c-8329-2F7758DC0BCB}.exe
                        C:\Windows\{E3636155-B65D-4e2c-8329-2F7758DC0BCB}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2152
                        • C:\Windows\{EB59B907-D883-4fec-BB29-5663870B3768}.exe
                          C:\Windows\{EB59B907-D883-4fec-BB29-5663870B3768}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2648
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E3636~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:396
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D752~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2228
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6098A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3000
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A8604~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2816
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5158B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2512
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F0E~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1464
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{7219A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2336
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CF9F0~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2780
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B3F74~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{827A1~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2860
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2216

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0D75260E-A104-4629-A92E-EBE88651E880}.exe

    Filesize

    168KB

    MD5

    e7d29d1b5a7c96dbb1db8276c6888507

    SHA1

    a50db76f66909715811cf022051dfe5f704dc5ed

    SHA256

    ac66c0bbcaf5351f7a89e42e377199c617bccc4f29e3f8354053cc9396bcdb40

    SHA512

    7d51e844209fbaf3cbbfef53bb83a39d52370ca4d154b5f553f6add507931492ab602b6dc03dc82ed686dfd1ec302b649414e044fc1ccfee57b5fc30c17df682

  • C:\Windows\{5158BD2C-D9B2-4e5f-A793-94146D8B1395}.exe

    Filesize

    168KB

    MD5

    39d7e7b090dee411494d1db52e634fee

    SHA1

    3e6cc119be20ff027f01fde379a10f43e0d9ff3d

    SHA256

    ea9c5b86499d0afbe9fbe4859f5695785a6e267a5cee91a15ce018953eba0425

    SHA512

    9499bd9a96ca32d904f2f0bea2930941ceef0aac4e47e2edceefb9c97f0f7c19cbc3f037925c56c753edad294a9dd8151c8edcabfe0cc6c88ce242b7004bb901

  • C:\Windows\{6098AEDE-5AF2-4097-9A2B-5A040264C25F}.exe

    Filesize

    168KB

    MD5

    5b58be421be55e9f35adb281e3f2bd14

    SHA1

    4f5f58e3e0763d62c4aba4e573f0319f90a1d963

    SHA256

    562a0f9a0608db5f495d880e0a822062f9b25d0ea16239a62c6ac5d672f2087a

    SHA512

    beaee5b2ee3ba40684443265cd07825b19d9a4b51faad9fd44147a7d7e2bdc74c087dc11c30f89a71f5fe5464fd31b0499f3be6f4e80a3d86a3f4b6761b75939

  • C:\Windows\{7219AC24-0A80-49ef-86AF-72156139CBA7}.exe

    Filesize

    168KB

    MD5

    4414ed718e95168aff633e74ede8d245

    SHA1

    879e437424bc2d325fd5fa12368828e93ac7d377

    SHA256

    38a7b900c8cdf89ad649c996d33c664bc69435a007d31e8eab4377b5017a2068

    SHA512

    a5e73106f592fe126127892d9a9dfb7c13df0613150dd075acfd12ebffc8c9eb5bc32ed165ea53192d02400d760d281fac2e65975e58809f656f67f4ee4c71ec

  • C:\Windows\{827A1160-E17E-411a-BEAC-6E575DA573EC}.exe

    Filesize

    168KB

    MD5

    246de951d396ae2be9476261d9da7e49

    SHA1

    fe4924afb84ef3e94b2d171d93ea5f4efdb2f178

    SHA256

    2e28c54df3aac89fa8730888fe6c13cd4940ffdfa4069f421eedf948377219b0

    SHA512

    7a0410f4cda5ece8d4ad4ac58fe1fbf6a991487fe4f016785a9a8a40d75a1bb6ac2501ac5a258a8dec6e0187abe766d717c1d84003d5a292fa87a43e340c06fa

  • C:\Windows\{A860454D-19CC-4ea4-8DFC-459892915B73}.exe

    Filesize

    168KB

    MD5

    baf85237eb547a205bce6fad1eb4091a

    SHA1

    0d0f228c9d423944ac575fecda6644352861a49c

    SHA256

    bb40bde1a9c9a6ce65b0bd117247d705b2ec7d92d04c09c5712010b7bf689d97

    SHA512

    2b92e894101df4c550e78f9223ebdc63e3a843ff41aaadabfed8c61f5474e81893d55202fedaa625da74a5136ec5c4b2f365479f030a74e73061f59c4e60bd5f

  • C:\Windows\{B3F74113-018E-4ad0-BBE4-53ED9BD5A124}.exe

    Filesize

    168KB

    MD5

    498077f6020da8c92f79129c2017a4cf

    SHA1

    0319cd5741b7caa01eddf6ef05eb2177e3a338f9

    SHA256

    73c95e02d549872e9b5d720c4f16d924224f2f805c81a02c4b3342f327098a4f

    SHA512

    7a1531764d764a752f78ea10735c546399dd41a855df542e2b47a0e52c72366898490e4df09c24377cf1424f7c51ed9623d6115cffdd6dd6e54c14250158490e

  • C:\Windows\{CF9F049A-2278-4348-AC74-6E2357CDE460}.exe

    Filesize

    168KB

    MD5

    2f91a51ca7dc15f35b00342670cc2e82

    SHA1

    001d375bf7add2d19982104a592599fc3c3666c0

    SHA256

    5e7b52c197b18d2ce3fdb43ebb29f675ea9ddb18d550c858ccd92ddae22cd04e

    SHA512

    892ee828ad7c0cddca7da5ba515b10fc86d731a745aa6e4eea6c7f76b42e88068e620fc78108136f5746da49257c9ea016fd4da3ad2407dcaae18d265d43f767

  • C:\Windows\{D5F0E2BD-67EA-44f3-A950-19BA0E27FB2B}.exe

    Filesize

    168KB

    MD5

    d891d0b54ac99dd7ccaf00c0152d8251

    SHA1

    1e9b7ff1bcab991cdba036cd94fb29a698735f3a

    SHA256

    72fea967ea548fd5b7ae10e3a157645813514f5c2df6861d62ff8a78731ff4ee

    SHA512

    d08620363fcd57a830ecb31ded973c1531c1701744d424971c7834081ef5135cab51887d7cbd5fb4db35ec7f36d6118e2f020a0ba7dc29a3f1b08564d21cd233

  • C:\Windows\{E3636155-B65D-4e2c-8329-2F7758DC0BCB}.exe

    Filesize

    168KB

    MD5

    8daf04ec970ba4eb5b2a54d20d5c6c32

    SHA1

    e86440d0dc727f558db764448d88bb49d0abc733

    SHA256

    963cf23778009a24ace3b09ceed382e1695f321d8241ae17b70d4a5f642dace2

    SHA512

    266e8aabcb08f01e0301b8109f7fd01c01e94c20a9e1dd5e02310f95db19a1a8263d763f679622fa7296f09ac74c8e652386321b33e0462f4732503826c95c23

  • C:\Windows\{EB59B907-D883-4fec-BB29-5663870B3768}.exe

    Filesize

    168KB

    MD5

    7e8894535d1f1bb56f0267191c8fe3bc

    SHA1

    9013f42c5ff46b72ce0def61ad7cf59b0e0acdc7

    SHA256

    6447778c6c68bb64c812c656c740d711995a92f2077f8e20549d273ed8770332

    SHA512

    e2fb69b0adff08cd8042d8273f9687dce0ba869cd42857a7654de7e934f6947d844b91cdf2aa79c3a216cda3e89ca470515620c5dfcc60e4e36edb0c6f54e1b9