Analysis

  • max time kernel
    149s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/08/2024, 07:45

General

  • Target

    2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe

  • Size

    372KB

  • MD5

    366355a38eaf93a3694a6cf496e6faea

  • SHA1

    5ef7e0f8ba850ff05497b7989d6ee95b11849319

  • SHA256

    3b95b3ed262c1834e05c646e1d22d794ee8cde6522e9652a1e832a469d91125d

  • SHA512

    84cb5fc8cadf65be642c7def7b832bc1aaf22d3abd4bba5067f6cafc1f043a1be0c39902b4e8d8983d84a5e8b2daa79dfb1f3f3d64b1675d9f63e22480a2a6eb

  • SSDEEP

    3072:CEGh0oAlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGSlkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-06_366355a38eaf93a3694a6cf496e6faea_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Windows\{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe
      C:\Windows\{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe
        C:\Windows\{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Windows\{EC68950D-619B-4226-ADE2-D3790E692B91}.exe
          C:\Windows\{EC68950D-619B-4226-ADE2-D3790E692B91}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1248
          • C:\Windows\{4193B845-5D19-4692-B67B-59F38A4190C1}.exe
            C:\Windows\{4193B845-5D19-4692-B67B-59F38A4190C1}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5016
            • C:\Windows\{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe
              C:\Windows\{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1928
              • C:\Windows\{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe
                C:\Windows\{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5116
                • C:\Windows\{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe
                  C:\Windows\{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4772
                  • C:\Windows\{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe
                    C:\Windows\{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1916
                    • C:\Windows\{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe
                      C:\Windows\{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2904
                      • C:\Windows\{53BEADAF-FC52-453b-9C43-52E854816494}.exe
                        C:\Windows\{53BEADAF-FC52-453b-9C43-52E854816494}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4040
                        • C:\Windows\{11603772-41C7-4a35-BFFE-9625C464F991}.exe
                          C:\Windows\{11603772-41C7-4a35-BFFE-9625C464F991}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1080
                          • C:\Windows\{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}.exe
                            C:\Windows\{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:5028
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{11603~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3696
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{53BEA~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4064
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{86992~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2744
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{22DC5~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4368
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7730~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2976
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD0E~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:716
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{163B4~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3580
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4193B~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5088
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{EC689~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3216
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{10983~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1652
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E92EA~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3568
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1436

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{10983CD9-4FB9-4709-B449-CAE8C0C7207B}.exe

          Filesize

          372KB

          MD5

          3d0c4925fbe91d401d8040cab15f8ccd

          SHA1

          0499995a3b25c1e66d2f8d1e952a2d04fe318c2b

          SHA256

          6854fc53b7ac4672706c31df0b0bb9636783191368c991331e814a90f46b29f4

          SHA512

          4e417a3372005880559c37474023daab043297a1c0a6934f858763db47b592dc259733065d119cb401374781cf2e03ba541dd1443724d93ebb92bc53fd620f99

        • C:\Windows\{11603772-41C7-4a35-BFFE-9625C464F991}.exe

          Filesize

          372KB

          MD5

          de0e239ac55d2c997e395534751dc710

          SHA1

          8b541db7140eaf023bd5ee39f838f0aa6a91b758

          SHA256

          484a29f42f4de55c38e2bf3bb398a1ccfda5b1c59271348b217ce498e4ca823d

          SHA512

          373e8dfec333675147b019986ee8f00d6e95a9ee4c386487e5c77eb9f6c82115da62ab74f588fda019b96f7327a0e9e79a0041f7cedf743ab60412810c025ad1

        • C:\Windows\{163B477E-FD04-4d87-B9AA-C670E8D4C790}.exe

          Filesize

          372KB

          MD5

          a46cc43e3893b7536c1596df2532a98f

          SHA1

          c930d6760778a6a3d3002623d699e3eae1812434

          SHA256

          fb75e16328528603f35a406a1fdc4012eeacce3daf9fdc92cbaddce56dd7b005

          SHA512

          b344ac2a579fdfedd0c5f1c1c6b474354679c104c8aff05cfc9cb2d721823d4ee90e4f7a66581b4b4a60e5e38a930384bed3515dd9b8c832031a0a5815bc9ece

        • C:\Windows\{22DC5F5E-645D-4102-9241-88A7F3BD430B}.exe

          Filesize

          372KB

          MD5

          843a874e15b82c30a6142601f4d75b75

          SHA1

          d589a0022dbf4560ecc5cc16528c218f0b4ed79f

          SHA256

          adbc218a8dd4f581fc65593a94d1a32f4936c7eb0710e19541f27b59c2db2266

          SHA512

          63453cb8fb42fd7c58459039fa7fb45146c8d783366605cfea1a818b4f048bbc234f20f7dc13681add279b01406b34d849b8c251873ebcf0cf499fc9f014670c

        • C:\Windows\{2DD0ED73-7AD6-4a8a-9328-E65C17C9C486}.exe

          Filesize

          372KB

          MD5

          38c1e95ef5d46391a73c3bda7f6bab1b

          SHA1

          e3a9657a44c34eab8cbc621e8e3515afc768a0a3

          SHA256

          1796d8a1681e17165b1bb41f94bdf50f6e1c95dfa13465708c7d73a6da9e7e9f

          SHA512

          e7633db94bdea4caea193e6cd9c1fcb363f333c723a644c68c13a54edc61dfa8e0aa86d4b195e3731b67af8ed1612c55fc5e356fdc322a0a4aa37c3752237c26

        • C:\Windows\{4193B845-5D19-4692-B67B-59F38A4190C1}.exe

          Filesize

          372KB

          MD5

          907c89477028afd653585ab27b5da45a

          SHA1

          0296579be917812360074f33f13f53ae5fd59146

          SHA256

          1d54c3a846e7fc24db4f2c49fddb07a2009fc716cb8569541a9a58a0e1403476

          SHA512

          7606865c8dda571b4b199425159485da502981dfd6ebeb5008b6c39d0974a9abec920a747815088fe16445bbaaaaf4b3c501af8ab4aebef03475eff1818fc1bb

        • C:\Windows\{53BEADAF-FC52-453b-9C43-52E854816494}.exe

          Filesize

          372KB

          MD5

          c99b9d2f80e34b400327f32f95c0d3bb

          SHA1

          38e68990fee8d207c708061f8cbac96a4595a96c

          SHA256

          33f1b6aca4aec15465ad1a8dada6d7141411e9bb56e289d58dfc2a071a7118df

          SHA512

          0916f1df30d411a908c1f846e6b21368442bba08cbde486d2fd9409f4b57019e73859a6e71250492e8681040d1b48db961eec9ee5082e54f5281ca3e260987f3

        • C:\Windows\{66A01121-3AFA-4d2d-9A6B-21B2492D84AE}.exe

          Filesize

          372KB

          MD5

          faab78440830991f210cc027dcf52ed9

          SHA1

          b7ba65966bb23bf3f576dc2c34071619f3e88ec8

          SHA256

          d45ab1f72fb97225e96f2e2c15ebec1b2974a056bdbea1784187c02f4f3685d4

          SHA512

          62ee485db643122a08c11cf0a126cf91137fdf5c7764c357904bf99aecd184670e7b966dc37a5de8c99b9d7bfcf07cd2c198783e6c9132d83e80a637e3b38600

        • C:\Windows\{8699212D-A1A5-4cca-96CE-F197FA8170C9}.exe

          Filesize

          372KB

          MD5

          5bdc15a7e69d56f523570ca7e25a9061

          SHA1

          125696df58dcc3a4af42c57e395953260aca89a2

          SHA256

          3fc68f7cda2b845f2526a840967224c7af18ae997df7297b3c380edbfc9b1fbf

          SHA512

          c8bb4fcad9a3e9591ec4231b48f8be8447c342ddad08c4013a6280c11828d79034acacf9cfc898dfa8882cc78832fb2c32312110caec52e460fff73c2ca8cafc

        • C:\Windows\{C7730325-6361-4b2c-9CF9-EF297E59D6CA}.exe

          Filesize

          372KB

          MD5

          39ba93efbd3ec35df66b16f1d932a0d9

          SHA1

          decef24ef68d7963585b90b3f7afc8941f425676

          SHA256

          82de4d50936ac3f43f2dff27c893ae5a37c223df2a207b50d1fa8ed19f0b3640

          SHA512

          3abb8b36792a2cbd3a60871f77cb0767d1bd8533b66888f509f8060afd42e290254ed5da634aa379a993db441af8d163c156add17d0310b649d90755c38bcc39

        • C:\Windows\{E92EADE9-9872-44b3-AB96-63D71BB1C474}.exe

          Filesize

          372KB

          MD5

          b04ddf7b10e39c1a64ba855e83962732

          SHA1

          6701c686b5339e6e8204998f09a8e45e1e104f68

          SHA256

          0d4b5a3572d8eb0424f675418233ee0d9383f795988fbc4c8bdb9add686288d5

          SHA512

          884d41a360fb106856902c9abc368f0b54601a9e6c06f125678af8b8c167b6619c37dab7612e9cbf01bd53236b36ab7e8a43fbe31f5de6bd997cc30a72539535

        • C:\Windows\{EC68950D-619B-4226-ADE2-D3790E692B91}.exe

          Filesize

          372KB

          MD5

          41d23b4a8a3545ef36cfa426ec1b97ea

          SHA1

          b0486d622f9e26906f89716e076a7c1c043e9bf2

          SHA256

          3371fc71dbab9e3aba3722dfebc2bd43306a7b0eb84d43e9473ebf22a5bfadb2

          SHA512

          f00f098a66cac9e1ab21768816a7d0f1dff9261070dbce47f6a5ba6a505c43597318412f5ae92858153c44d5e3c887fde377d032217fbb5ef1a58426237fac52