Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    06/08/2024, 11:56

General

  • Target

    2024-08-06_7cbd64ee1178f2b4e5b36a68f7984e5e_goldeneye.exe

  • Size

    192KB

  • MD5

    7cbd64ee1178f2b4e5b36a68f7984e5e

  • SHA1

    46918d4a8e0cc175fcb2a5bfe83c7aa3f5cd736b

  • SHA256

    fe024b3b0b94d70b32178477560148f4c3e7852847df8f51d9a13758e8f759f3

  • SHA512

    64e98226b6300e74ba89c708357fc8c60179d5ae028deffdfa9d8a71b63f255514b7b8c5c74d93dbaad60113f3f57da5c3940852b8e71a6358823e863e029911

  • SSDEEP

    1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oll1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
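The Active Setup signature above records persistence through a registry key, but the report does not list the keys or values this sample wrote. Active Setup entries live under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID> (and under WOW6432Node for 32-bit writers such as this sample, which runs its cmd.exe children from SysWOW64); the StubPath command runs at the next interactive logon of every user whose HKCU copy of the component is missing or older. The following is an added example, not part of the sandbox report: a Python scan over a .reg export of those keys that flags StubPath commands pointing at GUID-named executables dropped in the Windows root or at user-writable locations. The .reg text is constructed for the example; the {242DDD05-...} entry is modeled on the first dropped file in the process tree and is an assumption about what such an entry would look like, and the third entry is an invented user-Temp stub included to exercise the other heuristic.

```python
"""Triage an exported .reg dump for suspicious Active Setup StubPath entries (added example)."""
import ntpath
import re
from dataclasses import dataclass, field

# Key header of an Installed Components subkey, native or WOW6432Node view.
INSTALLED_COMPONENTS = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup"
    r"\\Installed Components\\(?P<component>[^\\\]]+)\]\s*$",
    re.IGNORECASE,
)
REG_STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')
# Bare {GUID}.exe file names, the naming pattern of every file this sample dropped.
GUID_EXE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\)", re.IGNORECASE)

# Constructed .reg excerpt (not a real export). The second key is an assumption modeled on the
# report's first dropped file; the third is an invented user-Temp stub.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"Version"="11,0,19041,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{242DDD05-4E97-413c-ABE4-54FF827FC540}]
"StubPath"="C:\\Windows\\{242DDD05-4E97-413c-ABE4-54FF827FC540}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe\" /silent"
'''


@dataclass
class Finding:
    component: str
    stub_path: str
    executable: str
    reasons: list = field(default_factory=list)


def unescape_reg_string(data):
    """Undo the .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return data.replace('\\\\', '\\').replace('\\"', '"')


def executable_from_stub(stub):
    """The program in a StubPath command line: a quoted path or the first whitespace token."""
    stub = stub.strip()
    if stub.startswith('"'):
        end = stub.find('"', 1)
        return stub[1:end] if end > 0 else stub[1:]
    return stub.split(" ", 1)[0]


def suspicious_reasons(executable):
    """Heuristics: GUID-named binary, dropped directly in C:\\Windows, or user-writable path."""
    directory, filename = ntpath.split(executable)
    reasons = []
    if GUID_EXE.match(filename):
        reasons.append("guid-named-executable")
    if directory.lower().rstrip("\\") == "c:\\windows":
        reasons.append("dropped-in-windows-root")
    if USER_WRITABLE.match(executable):
        reasons.append("user-writable-location")
    return reasons


def parse_active_setup(reg_text):
    """Return {component: {value_name: data}} for every Installed Components subkey."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        m = INSTALLED_COMPONENTS.match(line)
        if m:
            current = m.group("component")
            entries[current] = {}
            continue
        if line.startswith("["):
            current = None  # some unrelated key; skip its values
            continue
        v = REG_STRING_VALUE.match(line)
        if current is not None and v:
            entries[current][v.group("name")] = unescape_reg_string(v.group("data"))
    return entries


def scan_active_setup(reg_text):
    """Return a Finding for every component whose StubPath trips a heuristic."""
    findings = []
    for component, values in parse_active_setup(reg_text).items():
        stub = values.get("StubPath")
        if not stub:
            continue
        exe = executable_from_stub(stub)
        reasons = suspicious_reasons(exe)
        if reasons:
            findings.append(Finding(component, stub, exe, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_active_setup(SAMPLE_REG):
        print(f.component, f.executable, ",".join(f.reasons))
```

On a live host, export both views first (reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" and the WOW6432Node path) and feed the files to scan_active_setup; the legitimate ie4uinit-style entry is left alone because its stub sits in System32.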

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-06_7cbd64ee1178f2b4e5b36a68f7984e5e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-06_7cbd64ee1178f2b4e5b36a68f7984e5e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4140
    • C:\Windows\{242DDD05-4E97-413c-ABE4-54FF827FC540}.exe
      C:\Windows\{242DDD05-4E97-413c-ABE4-54FF827FC540}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3668
      • C:\Windows\{8F742B47-65DE-4a03-909C-0C66DF1C46FB}.exe
        C:\Windows\{8F742B47-65DE-4a03-909C-0C66DF1C46FB}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3580
        • C:\Windows\{C091ECE6-961E-470b-88A2-72C4A2D32F06}.exe
          C:\Windows\{C091ECE6-961E-470b-88A2-72C4A2D32F06}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3208
          • C:\Windows\{0D7D2FD6-859D-4bee-9514-A37D4B43EF9D}.exe
            C:\Windows\{0D7D2FD6-859D-4bee-9514-A37D4B43EF9D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1652
            • C:\Windows\{330C0242-1D70-4c7c-8778-869F17635E49}.exe
              C:\Windows\{330C0242-1D70-4c7c-8778-869F17635E49}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4296
              • C:\Windows\{31E11C9E-69DE-4359-A8BD-F211CFEA09E5}.exe
                C:\Windows\{31E11C9E-69DE-4359-A8BD-F211CFEA09E5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1536
                • C:\Windows\{0D9E25E3-696C-436d-8329-D505C3CA84B3}.exe
                  C:\Windows\{0D9E25E3-696C-436d-8329-D505C3CA84B3}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3436
                  • C:\Windows\{7CF6CB72-10BC-4e62-BA8A-F20810619417}.exe
                    C:\Windows\{7CF6CB72-10BC-4e62-BA8A-F20810619417}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4540
                    • C:\Windows\{6CC7E3C9-8D41-48c3-8823-DD9BBDF0671D}.exe
                      C:\Windows\{6CC7E3C9-8D41-48c3-8823-DD9BBDF0671D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:840
                      • C:\Windows\{B1FAC4F5-0656-4065-8ABE-E1EC2F5ED008}.exe
                        C:\Windows\{B1FAC4F5-0656-4065-8ABE-E1EC2F5ED008}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4600
                        • C:\Windows\{5A0EB70B-6CE5-41d2-92B8-F75D27A3505D}.exe
                          C:\Windows\{5A0EB70B-6CE5-41d2-92B8-F75D27A3505D}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4188
                          • C:\Windows\{11D9EB12-7892-48c3-89BE-9D0FE4554692}.exe
                            C:\Windows\{11D9EB12-7892-48c3-89BE-9D0FE4554692}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:5084
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5A0EB~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:376
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B1FAC~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3000
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CC7E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4512
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7CF6C~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4788
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0D9E2~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4940
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{31E11~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2676
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{330C0~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1760
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0D7D2~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1488
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C091E~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1984
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8F742~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3828
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{242DD~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5040
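The tree above is a fixed pattern repeated thirteen times: each stage drops a GUID-named 192KB executable into C:\Windows, runs it, and then spawns cmd.exe /c del on its own 8.3 short name (so {5A0EB70B-6CE5-41d2-92B8-F75D27A3505D}.exe is deleted as {5A0EB~1.EXE). The following is an added example, not part of the report: it encodes the tree's PIDs, image paths and cmd.exe command lines as process-creation events, then detects both the dropper chain and the self-delete by resolving the 8.3 alias (first six characters of the long name plus ~N) back to the parent's full path. The Event record and the function names are assumptions; an EDR feed supplies equivalent fields. The 8.3 mapping is an approximation that ignores the collision counter, which is why only the prefix before "~" is compared.

```python
"""Detect the drop-execute-self-delete chain from process-creation events (added example)."""
import ntpath
import re
from dataclasses import dataclass

STAGES = [  # (pid, image) from the report's process tree, root first
    (4140, r"C:\Users\Admin\AppData\Local\Temp\2024-08-06_7cbd64ee1178f2b4e5b36a68f7984e5e_goldeneye.exe"),
    (3668, r"C:\Windows\{242DDD05-4E97-413c-ABE4-54FF827FC540}.exe"),
    (3580, r"C:\Windows\{8F742B47-65DE-4a03-909C-0C66DF1C46FB}.exe"),
    (3208, r"C:\Windows\{C091ECE6-961E-470b-88A2-72C4A2D32F06}.exe"),
    (1652, r"C:\Windows\{0D7D2FD6-859D-4bee-9514-A37D4B43EF9D}.exe"),
    (4296, r"C:\Windows\{330C0242-1D70-4c7c-8778-869F17635E49}.exe"),
    (1536, r"C:\Windows\{31E11C9E-69DE-4359-A8BD-F211CFEA09E5}.exe"),
    (3436, r"C:\Windows\{0D9E25E3-696C-436d-8329-D505C3CA84B3}.exe"),
    (4540, r"C:\Windows\{7CF6CB72-10BC-4e62-BA8A-F20810619417}.exe"),
    (840, r"C:\Windows\{6CC7E3C9-8D41-48c3-8823-DD9BBDF0671D}.exe"),
    (4600, r"C:\Windows\{B1FAC4F5-0656-4065-8ABE-E1EC2F5ED008}.exe"),
    (4188, r"C:\Windows\{5A0EB70B-6CE5-41d2-92B8-F75D27A3505D}.exe"),
    (5084, r"C:\Windows\{11D9EB12-7892-48c3-89BE-9D0FE4554692}.exe"),
]
DELETERS = [  # (pid, parent pid, command line) of the cmd.exe children in the report; the last stage has none
    (5040, 4140, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (2696, 3668, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{242DD~1.EXE > nul"),
    (3828, 3580, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8F742~1.EXE > nul"),
    (1984, 3208, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C091E~1.EXE > nul"),
    (1488, 1652, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{0D7D2~1.EXE > nul"),
    (1760, 4296, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{330C0~1.EXE > nul"),
    (2676, 1536, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{31E11~1.EXE > nul"),
    (4940, 3436, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{0D9E2~1.EXE > nul"),
    (4788, 4540, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{7CF6C~1.EXE > nul"),
    (4512, 840, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6CC7E~1.EXE > nul"),
    (3000, 4600, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B1FAC~1.EXE > nul"),
    (376, 4188, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{5A0EB~1.EXE > nul"),
]

DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)
GUID_EXE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE)


@dataclass
class Event:  # assumed shape of a process-creation record
    pid: int
    ppid: int
    image: str
    cmdline: str


def build_events():
    """Flatten the report's tree into process-creation records (constructed from the report)."""
    events = [Event(pid, STAGES[i - 1][0] if i else 0, image, image) for i, (pid, image) in enumerate(STAGES)]
    for pid, ppid, cmdline in DELETERS:
        events.append(Event(pid, ppid, r"C:\Windows\SysWOW64\cmd.exe", cmdline))
    return events


EVENTS = build_events()


def short_name_prefix(filename):
    """First six characters of the 8.3 alias Windows derives from a long name, uppercased.
    Characters that 8.3 names cannot hold (spaces, extra dots, ...) are dropped first."""
    stem = re.sub(r"[^A-Za-z0-9!#$%&'()\-@^_`{}~]", "", ntpath.splitext(filename)[0])
    return stem[:6].upper()


def target_matches(del_target, image):
    """True if a (possibly 8.3) 'del' target refers to the given long path."""
    d_dir, d_name = ntpath.split(del_target)
    i_dir, i_name = ntpath.split(image)
    if d_dir.lower() != i_dir.lower():
        return False
    if "~" not in d_name:
        return d_name.lower() == i_name.lower()
    return d_name.split("~", 1)[0].upper() == short_name_prefix(i_name)


def find_self_deletes(events):
    """(cmd pid, parent pid, parent image) for every cmd.exe that deletes its own parent's binary."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = DEL_CMD.search(e.cmdline)
        parent = by_pid.get(e.ppid) if m else None
        if parent and target_matches(m.group("target"), parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def dropper_chain(events, root_pid):
    """Follow parent->child links while each child is a GUID-named exe directly in C:\\Windows."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chain = [by_pid[root_pid]]
    while True:
        nxt = [c for c in children.get(chain[-1].pid, [])
               if ntpath.dirname(c.image).lower() == r"c:\windows" and GUID_EXE.match(ntpath.basename(c.image))]
        if not nxt:
            return chain
        chain.append(nxt[0])


if __name__ == "__main__":
    print("chain depth:", len(dropper_chain(EVENTS, 4140)), "self-deletes:", len(find_self_deletes(EVENTS)))
```

Matching the del target through the 8.3 prefix rather than the literal string is the part that survives a rename: the dropped names change per run, but a parent whose image lives in C:\Windows being deleted by its own cmd.exe child does not. Note that the last stage (PID 5084) has no cmd.exe child in the report, so it is the one binary that would still be on disk after the run.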

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{0D7D2FD6-859D-4bee-9514-A37D4B43EF9D}.exe

          Filesize

          192KB

          MD5

          ab0ac55137c854e07680781ef6a58c14

          SHA1

          3508427e2e6ea2397a98a278c002bb48b07e21d9

          SHA256

          30755ece6554d234cdd0a37bb240df53d9c783fc55308eb3adcd8c03f2a9c592

          SHA512

          595335f270d5528ac1c6a936991977b69e597ec73d90ba67eb1d347916adfc4b54515c16ad1d1faa9087db207f23943a987af879abd5e3bff22700cb3c16af0f

        • C:\Windows\{0D9E25E3-696C-436d-8329-D505C3CA84B3}.exe

          Filesize

          192KB

          MD5

          c368541fb28b05c3bb578820797c7ba9

          SHA1

          fc97f6a8c52f7d0ed31cd6880e03d5d45e103bae

          SHA256

          7ee0a76f46a62788addcb7b5ad78dce062e3e024181becf859b87ea9a1555986

          SHA512

          a14cf5c8734d32d949687cae4ba66a28fc5506dabdd957bc334542c28be1f1f00615e6904041a64b9b1da6368a2930542304955cab1dc1a0968ee14e5cd6b1ed

        • C:\Windows\{11D9EB12-7892-48c3-89BE-9D0FE4554692}.exe

          Filesize

          192KB

          MD5

          9f19a0e2f3902820d7c88bf9abf6bbfb

          SHA1

          00e55cf9d87db7f24eb1c67b550c3d9178039dd1

          SHA256

          2cf9ab5ee82e40ce5dc827fdbc2da1cf83f5989b7d568d5c9a7d85e76ba1d8a7

          SHA512

          5fa1989e8d36f7aa9e89452e2c285e7b37439139cf75614c7f52dc1d03743fb5915a2e859e1b19cdafc5212572adb3c4bc0eed14756705eab4ccc4aca9ea175b

        • C:\Windows\{242DDD05-4E97-413c-ABE4-54FF827FC540}.exe

          Filesize

          192KB

          MD5

          b320e42e79fed2f41b35021e175f4ae8

          SHA1

          5ae6d0fd23c45cb883c5c9c3d22867271ae96b18

          SHA256

          272d47a9cea35ae8066fe202ab51e7f01410bc9b3833dc2321daa21884dfd024

          SHA512

          8a2d6776e61fbe2789cb0b7fc9d05f0e0c8521e493481df3fb8b4238479b3be17e7ce0536057e0e13970c9d2820684eae82bd2f7867e8f79b0ef0a6da2e8ab86

        • C:\Windows\{31E11C9E-69DE-4359-A8BD-F211CFEA09E5}.exe

          Filesize

          192KB

          MD5

          9350398ac127a92121762a8c265914f0

          SHA1

          8992c51f25aaec14c1d7ac40c6e1c29fa39d4b7d

          SHA256

          4d5feb061f6c8fddfc88ee93ca52b264392bccf45e3ce3f06f719ab82d6292dd

          SHA512

          3c845bce80bd926780fc59690f07c46d68818b0f47a2fc1eecdbe2e0045ba0906c0240890ba1f5eb78cd31a3f71155f85e50a7d15c2548cf1457d94bd77651b1

        • C:\Windows\{330C0242-1D70-4c7c-8778-869F17635E49}.exe

          Filesize

          192KB

          MD5

          602453e14deddea21c9a80530af5197b

          SHA1

          824af142e69d1f3ee77d6ae15b00d25676cce874

          SHA256

          ebde6fb5193f97763bc4543c6ae8ce246fae2d41b1b7f7d406e0a5f136c49d8c

          SHA512

          33dc3d4667a095ed4dca7339ba4cf900b745418c09ffb457e72549748213ac245c55b8bb18bc6831fe5f6706bd06bb8573f39b13ee7730bf910aa88a7f6d9c59

        • C:\Windows\{5A0EB70B-6CE5-41d2-92B8-F75D27A3505D}.exe

          Filesize

          192KB

          MD5

          31d4f990205a3204dd9b886458c971b2

          SHA1

          1f5bbecd9e711c7f01ac5cb405bb9a8035bcf1bb

          SHA256

          ca93110a8f4603fad6432424db97ebe85792e29c240c885059fa3810daaa29da

          SHA512

          789b629d2170a0c81203ad378c73edde58edb522a9dde7817a378eb6ae08e446a506bd2cb2021d245aff8d816fec5cf4de5472bb9b86c7bd894ed4f37c7d72e0

        • C:\Windows\{6CC7E3C9-8D41-48c3-8823-DD9BBDF0671D}.exe

          Filesize

          192KB

          MD5

          86051dd31f308dea9b361883cf4fcda3

          SHA1

          052964f28937b93b022ed0ac79e75caa88daf48d

          SHA256

          9763f2d26d8cb3dcdbcaf2a260e23fb60ecd8f7e98b9bacb739c7a51aae5c4d2

          SHA512

          48d87a3c9a810dc4db80b7ec448396c7091b664dfd711c0070150c4bc618d883cef8539463d0966a686e9ffe55037490dcc1cc073f1ee990802efaa78aa60b9e

        • C:\Windows\{7CF6CB72-10BC-4e62-BA8A-F20810619417}.exe

          Filesize

          192KB

          MD5

          bf474a4b9bc35b071bbba9b821dc93b5

          SHA1

          5bdba563d159e7f04d469462ea30f6bf8a038e14

          SHA256

          3649812d35c5775cdb2006a061a9a22aeff3518cae4bd05a2512e0b94b6dcd94

          SHA512

          f5caa47b69df6b3c91681a52d17f7b8e5d03f230fbb56b75d9265136396f8d5df1769457c27b521b13ca8c387b74224ced8944745ce03957fb80aaed5efd370f

        • C:\Windows\{8F742B47-65DE-4a03-909C-0C66DF1C46FB}.exe

          Filesize

          192KB

          MD5

          c1c00571246518396340a7ff21846fd8

          SHA1

          7cb495f58701feb167c5d78c4ccd5859c0d60944

          SHA256

          b90691651a2ba54aa5714e681df045ae43ba1c335543e0b413157bf2c18eec98

          SHA512

          7f3c89fec203f240977bdd9ec76eef9519300b4a2c3ba8bd2d3eebfb7c90bc8cbd49dd567aee6355401d3d0fb8bd38f8c54c738eea055b0004b4f83036f2903a

        • C:\Windows\{B1FAC4F5-0656-4065-8ABE-E1EC2F5ED008}.exe

          Filesize

          192KB

          MD5

          f69af8014e52a54cd0041ab7e95f2116

          SHA1

          e4164450977a265332a63f5c6079507fbd1d2c3c

          SHA256

          96a9b82d7a72ec6bb3a20824073e35bc54b083af4164589c831eb101fa8598fe

          SHA512

          41aa0c06a7656f9f8a152616ab68eaf9aeae16f79257255d796ae6d2e7224e80c8b73f9931bad93b49c3789f46473f138bcafb7359627ed6395567cc88bb2205

        • C:\Windows\{C091ECE6-961E-470b-88A2-72C4A2D32F06}.exe

          Filesize

          192KB

          MD5

          45b8da1f190de6c80904d65d86d155b7

          SHA1

          51277546beba435d719f2c2e5f002d0de6945c30

          SHA256

          8f6d1f573a59454a0439227cb36e0b1580b1f22893105caa331c0c9cb92289e3

          SHA512

          9e9b6b751878605ebbb4ed63f8c5b574a76ab8ed2901026201f1fb0dcd3e3aa297cfa520587f9da215a751782279147ce3067da6144462b002e0ebbe3bb9c71c