Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 08:04

General

  • Target

    2024-07-27_9fbf26a7f2f3254976a75141afcff618_goldeneye.exe

  • Size

    168KB

  • MD5

    9fbf26a7f2f3254976a75141afcff618

  • SHA1

    b2d0decf1076977c0811e8fcd572528ccce46cae

  • SHA256

    f30218af8fecf016b9b10ed7f3aa781eea074e224d25ecad92ddd54e34efd988

  • SHA512

    f8bbe52f0157cb3e04f6803d02b0f4bb98f6e48715051b5d1c944da1afc87697a4a0f89544e8c6faf7f9e477c0bcc2739e5b9221483467440fd1165fc10ba7aa

  • SSDEEP

    1536:1EGh0orlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-27_9fbf26a7f2f3254976a75141afcff618_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-27_9fbf26a7f2f3254976a75141afcff618_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Windows\{053218C0-FF21-4769-804C-12692D3125BF}.exe
      C:\Windows\{053218C0-FF21-4769-804C-12692D3125BF}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\{4DC9D145-1708-40fb-9A06-E3F5C34E4A88}.exe
        C:\Windows\{4DC9D145-1708-40fb-9A06-E3F5C34E4A88}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Windows\{BC745AB0-6183-4a88-B2B0-242A62BD0DAA}.exe
          C:\Windows\{BC745AB0-6183-4a88-B2B0-242A62BD0DAA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Windows\{DC406D69-96C0-4a64-973D-7A2DE1BA2D0E}.exe
            C:\Windows\{DC406D69-96C0-4a64-973D-7A2DE1BA2D0E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4956
            • C:\Windows\{05BCE5EF-3574-4d4b-8076-735E4E2731D0}.exe
              C:\Windows\{05BCE5EF-3574-4d4b-8076-735E4E2731D0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1936
              • C:\Windows\{AFA3F4C2-9A79-43cc-B8E7-4BA25E2FD180}.exe
                C:\Windows\{AFA3F4C2-9A79-43cc-B8E7-4BA25E2FD180}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4992
                • C:\Windows\{6A1585D2-4532-422b-8957-4FF930799B18}.exe
                  C:\Windows\{6A1585D2-4532-422b-8957-4FF930799B18}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1172
                  • C:\Windows\{03A7EED7-E88E-4486-9E4B-93F09499C2C8}.exe
                    C:\Windows\{03A7EED7-E88E-4486-9E4B-93F09499C2C8}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4660
                    • C:\Windows\{2962D484-C2B2-4cc0-BA18-F79F23FE2A00}.exe
                      C:\Windows\{2962D484-C2B2-4cc0-BA18-F79F23FE2A00}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5092
                      • C:\Windows\{68A762CE-9904-4892-BCDA-988E1C3F3890}.exe
                        C:\Windows\{68A762CE-9904-4892-BCDA-988E1C3F3890}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3496
                        • C:\Windows\{9ECB9AFC-3D0C-4622-A94C-7A3C219650D9}.exe
                          C:\Windows\{9ECB9AFC-3D0C-4622-A94C-7A3C219650D9}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4912
                          • C:\Windows\{C627812A-DF8C-4cfa-80AF-E1BFCA5DCDEE}.exe
                            C:\Windows\{C627812A-DF8C-4cfa-80AF-E1BFCA5DCDEE}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1996
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9ECB9~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1404
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{68A76~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4280
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{2962D~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2760
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{03A7E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2572
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6A158~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3652
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{AFA3F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3044
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{05BCE~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4492
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{DC406~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4444
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{BC745~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1600
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4DC9D~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3140
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05321~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1320

Network

MITRE ATT&CK Enterprise v15


Downloads
