Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/08/2024, 15:44

General

  • Target

    2024-08-07_01c6263239382be917f3ad14b6ee9862_goldeneye.exe

  • Size

    372KB

  • MD5

    01c6263239382be917f3ad14b6ee9862

  • SHA1

    4d9ef07e1bf550bba9172ae7b1b919e0cedbdc82

  • SHA256

    1670026222caf77194ee148e5b25e0fe83d8565ced95f6fbf6f2a052187589af

  • SHA512

    d714189a26f193638b6552e5894ecdf3c6be28fcc0d4cb254a845b30882a351dfe056887265b6cdbc69f02e2495d6ec5f769e666d8cfed1a20da25c1b0748f03

  • SSDEEP

    3072:CEGh0oHmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGEl/Oe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup components live under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID> (and the Wow6432Node view for 32-bit writers such as this sample); the StubPath value is run at logon for each user that has not yet recorded the component under HKCU. The report does not show which key or StubPath this sample wrote, so confirm the entry on an affected host instead of relying on the signature name alone.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c6263239382be917f3ad14b6ee9862_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c6263239382be917f3ad14b6ee9862_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Windows\{E6E0B094-6006-48a1-B863-F12A81EA8B0E}.exe
      C:\Windows\{E6E0B094-6006-48a1-B863-F12A81EA8B0E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Windows\{B7F773A0-222C-441a-B1B0-41394C529091}.exe
        C:\Windows\{B7F773A0-222C-441a-B1B0-41394C529091}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\{19A1132C-78B9-47ae-A340-A930D5FE6891}.exe
          C:\Windows\{19A1132C-78B9-47ae-A340-A930D5FE6891}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2348
          • C:\Windows\{4398A167-53CF-482c-8D39-44BABB0F89D3}.exe
            C:\Windows\{4398A167-53CF-482c-8D39-44BABB0F89D3}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4452
            • C:\Windows\{E0BFD6E4-A574-49e7-B419-649700DB83C9}.exe
              C:\Windows\{E0BFD6E4-A574-49e7-B419-649700DB83C9}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1252
              • C:\Windows\{B158A138-4AE4-4824-8A6E-A0744F83F442}.exe
                C:\Windows\{B158A138-4AE4-4824-8A6E-A0744F83F442}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2248
                • C:\Windows\{5BFD7F6A-E3AD-4864-92CD-77C09A6BCB39}.exe
                  C:\Windows\{5BFD7F6A-E3AD-4864-92CD-77C09A6BCB39}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:616
                  • C:\Windows\{5B76D631-7232-4588-8267-58C35D20BB17}.exe
                    C:\Windows\{5B76D631-7232-4588-8267-58C35D20BB17}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3100
                    • C:\Windows\{71E5C7B5-4202-4a47-B035-277ECC23C249}.exe
                      C:\Windows\{71E5C7B5-4202-4a47-B035-277ECC23C249}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1620
                      • C:\Windows\{DCECB2E4-245F-4c44-B42F-41E4E581F279}.exe
                        C:\Windows\{DCECB2E4-245F-4c44-B42F-41E4E581F279}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3544
                        • C:\Windows\{94576252-C0BF-4470-8167-14FE8D13634C}.exe
                          C:\Windows\{94576252-C0BF-4470-8167-14FE8D13634C}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1244
                          • C:\Windows\{7853C141-381F-4eee-AD80-B1CABEDC75E3}.exe
                            C:\Windows\{7853C141-381F-4eee-AD80-B1CABEDC75E3}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4832
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{94576~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3292
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DCECB~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:872
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{71E5C~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4772
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5B76D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3088
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{5BFD7~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2576
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{B158A~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2340
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E0BFD~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:116
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4398A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2220
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{19A11~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3392
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F77~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6E0B~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2172
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3972
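
The tree above repeats the same two moves at every hop: a GUID-named executable in C:\Windows launches the next GUID-named executable, and a cmd.exe child deletes the launcher's own image by its 8.3 short name (`{E6E0B~1.EXE` for `{E6E0B094-...}.exe`), so a rule that matches only the long file name never sees the deletion. The image path reads `C:\Windows\SysWOW64\cmd.exe` while the command line says `system32` because the 32-bit sample runs under WoW64 file-system redirection. The following Python is an added detection example, not part of the sandbox report: it replays constructed Sysmon-style process-creation records built from the PIDs and command lines shown above (parent PIDs are inferred from the tree nesting, which the report conveys only as indentation; the explorer.exe parent PID 1000 and the benign cmd.exe line are made up), and it also scores an Active Setup StubPath value, which the report does not show and so is supplied by the caller. The 8.3 matching is a heuristic on the first six characters of the long name, an assumption about how Windows forms short names rather than something the report states.

```python
"""Detect the GUID-exe hop and cmd.exe self-deletion pattern from the tree above.

Added example; not part of the sandbox report.  Sample events are constructed
from the report's PIDs and command lines, parent PIDs are inferred from the
tree nesting, and the StubPath values are assumed, not observed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# GUID-named .exe sitting directly in the Windows directory, e.g.
# C:\Windows\{E6E0B094-6006-48a1-B863-F12A81EA8B0E}.exe
GUID_ROOT_EXE_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$",
    re.IGNORECASE,
)
# The deletion every hop spawns: cmd.exe /c del <path> > nul
SELF_DELETE_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.IGNORECASE)
# An 8.3 short file name: up to six stem characters, ~N, optional 3-char extension
SHORT_NAME_RE = re.compile(r"^(?P<stem>[^~.\\]{1,6})~\d+(?:\.(?P<ext>[^.\\]{1,3}))?$")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon event ID 1 style record."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def is_guid_windows_root_exe(path: str) -> bool:
    """True for a GUID-named .exe directly under the Windows directory (any drive)."""
    return GUID_ROOT_EXE_RE.match(path.strip().strip('"')) is not None


def short_name_matches(short_path: str, long_path: str) -> bool:
    """Heuristic 8.3 match: same directory, short stem is a prefix of the long
    stem, extensions agree.  Windows builds the stem from the first six kept
    characters of the long name and appends ~N, where N depends on directory
    contents, so N is deliberately ignored.  Assumed behaviour; the GUID names
    here contain no characters 8.3 would drop, so no stripping is modelled."""
    short_dir, _, short_file = short_path.rpartition("\\")
    long_dir, _, long_file = long_path.rpartition("\\")
    if short_dir.upper() != long_dir.upper():
        return False
    m = SHORT_NAME_RE.match(short_file)
    if m is None:
        return False
    long_stem, sep, long_ext = long_file.upper().rpartition(".")
    if not sep:
        long_stem, long_ext = long_file.upper(), ""
    short_ext = (m.group("ext") or "").upper()
    return long_stem.startswith(m.group("stem").upper()) and long_ext[:3] == short_ext


def find_chain_alerts(events: List[ProcEvent]) -> List[str]:
    """Flag GUID-exe -> GUID-exe hops and cmd.exe deleting its parent's image.

    Parents are looked up by PID here for brevity; real telemetry should key on
    Sysmon's ProcessGuid, since the report shows PID 4832 being reused.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[str] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if is_guid_windows_root_exe(parent.image) and is_guid_windows_root_exe(e.image):
            alerts.append(f"hop: {parent.image} (pid {parent.pid}) -> {e.image} (pid {e.pid})")
        m = SELF_DELETE_RE.search(e.cmdline)
        if m and short_name_matches(m.group(1), parent.image):
            alerts.append(f"self-delete: pid {parent.pid} removed {parent.image} via cmd.exe pid {e.pid}")
    return alerts


def stubpath_is_suspicious(stubpath: str) -> bool:
    """Score an Active Setup StubPath value, the command run at logon from
    HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\<GUID>.
    The report does not show the value this sample wrote; the caller supplies it.
    Unquoted paths containing spaces are not handled."""
    value = stubpath.strip()
    exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
    return is_guid_windows_root_exe(exe)


# Constructed from the report's tree: PIDs and command lines are as shown there,
# PPIDs follow the nesting, PID 1000 (explorer.exe) and the last line are made up.
ORIG = r"C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c6263239382be917f3ad14b6ee9862_goldeneye.exe"
STAGE1 = r"C:\Windows\{E6E0B094-6006-48a1-B863-F12A81EA8B0E}.exe"
STAGE2 = r"C:\Windows\{B7F773A0-222C-441a-B1B0-41394C529091}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"  # WoW64 image; the command line says system32
SAMPLE_EVENTS = [
    ProcEvent(4832, 1000, ORIG, f'"{ORIG}"'),
    ProcEvent(3880, 4832, STAGE1, STAGE1),
    ProcEvent(3972, 4832, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(1604, 3880, STAGE2, STAGE2),
    ProcEvent(2172, 3880, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{E6E0B~1.EXE > nul"),
    ProcEvent(5000, 1000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Users\Admin\build\out.tmp > nul"),
]

if __name__ == "__main__":
    for line in find_chain_alerts(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events this yields three alerts: the original dropper's self-deletion, the `{E6E0B094-...}.exe` to `{B7F773A0-...}.exe` hop, and the deletion of `{E6E0B094-...}.exe`; the benign `del` line produces nothing because its target is not its parent's image. In production telemetry, resolve parents by Sysmon's ProcessGuid rather than PID: the tree above already shows PID 4832 reused by the stage-13 executable after the original process had deleted itself and exited.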

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{19A1132C-78B9-47ae-A340-A930D5FE6891}.exe

    Filesize

    372KB

    MD5

    4eccbc4a2504a8f2e5a39c7c371ca526

    SHA1

    e9aadc29c3f31aaea3c2ad89675315b66e5093f1

    SHA256

    83b937289778ae4ab86e8a7b2ef6d3f80d14d06e732dc344896f66df0f7b2bcc

    SHA512

    b142cc52ab30caea89a2afa9fee32d81eaaddf0bc88a23a1bd09ca59a8431aafed851bb28e6aa5c9745bf0088228bc7a3673b73ecbe469777da1873ec8b8c4c9

  • C:\Windows\{4398A167-53CF-482c-8D39-44BABB0F89D3}.exe

    Filesize

    372KB

    MD5

    01e29f51484e64032c74bf545d9b8bbd

    SHA1

    add2283a819a4befba7b05463253eb8f474e07a8

    SHA256

    902c2fd3d3ebe9f19f4f735694f0daecaab26a56c1be8bc3e795c067f4870292

    SHA512

    a9989a11551698debf470091ff89f401e7899e81d9f5b2245bcf862038585db0ed1bc458d653d230aef4a93cf71ec928369d813c86f80e3115806c733d131b05

  • C:\Windows\{5B76D631-7232-4588-8267-58C35D20BB17}.exe

    Filesize

    372KB

    MD5

    3c6deba7333aa64aafd4c928c0b59c75

    SHA1

    f2a42c2bf36afc91c212b83a577c77a682e4e139

    SHA256

    4adafa62f4fd4c45b7aea3efaf9d17dd2a9890165a33052ca43a16322cd01ffa

    SHA512

    0dfb65c7e47a0487d5063fedff3f2e067cca2d8a2a98ce6e948b9cd0b2fd33937db440114eaf1c8d5d598811c52f4d3c8a5f489eed48b3c7a551c1ab2d718e42

  • C:\Windows\{5BFD7F6A-E3AD-4864-92CD-77C09A6BCB39}.exe

    Filesize

    372KB

    MD5

    201a674298f93373e4acb8483b90b78d

    SHA1

    fe80e7acdbae2992f2fb38b328aec50fb6ba8759

    SHA256

    f5927db8c2e42700e14688e7e06a2fff662c39bbb67d80783ffb3ee898154cf6

    SHA512

    70a2d54461b4c64c4d33397a01480665ce423894f41899c61d7cdb92364c669a90b01432fcb28e1c4a7a09ff7db3e415b1094f6c095fd01a5a38f0f95fe70c0b

  • C:\Windows\{71E5C7B5-4202-4a47-B035-277ECC23C249}.exe

    Filesize

    372KB

    MD5

    2248722cb701f37a279bde5eb9f3e0f6

    SHA1

    63c4a1c2f1f0eae2bc80adab4a49d854a0785c48

    SHA256

    609c9f165a7f79c52b533df1cc4db86730a9dd912ba8bc6f903372c9d2fa74de

    SHA512

    4323b8c64efe27c5ca0a69237f253ae1b2f5775eb8bfe58fb5de4313e6c7f7d4d94432b6dfacc95fdf1d20eccafff6a4123a31cc86dc227e6234cce977645628

  • C:\Windows\{7853C141-381F-4eee-AD80-B1CABEDC75E3}.exe

    Filesize

    372KB

    MD5

    5800a665cafcdde1fc9efb5171a741de

    SHA1

    d526decaca5add14dd53d8ac9c713d19e235d6b1

    SHA256

    142d23cab7ef93ec9cbdad976500d64fe67d6e7e0dce5959a7487b0a24b0a7ae

    SHA512

    cfe52c6893794fe86f4295a86838d2d484b63cd7072cf821f41980a4796a79cd88c62491b3045fedb3ffb268c790764677523a30605499b2a63471b935950d00

  • C:\Windows\{94576252-C0BF-4470-8167-14FE8D13634C}.exe

    Filesize

    372KB

    MD5

    63d25d4853ae2d1c48a39eb342a40f7f

    SHA1

    661c6cc66d2942cd65c60274ef8f20d6ba2f95df

    SHA256

    1712ef40c9c2633d66bb57faddc2370d34bbe229e0ca215e62d7bfcedceebb40

    SHA512

    42d7b72d671e545dedc3a380ebb26e63872d7b714809d32b2b3f4a341031cd09bbe1746f0774c41cfa3bd4b8b0e79d005e80eb63d9d2de6e4497a96e0a8d363e

  • C:\Windows\{B158A138-4AE4-4824-8A6E-A0744F83F442}.exe

    Filesize

    372KB

    MD5

    b2cf613d0b8f0391f0ab01b8915192ff

    SHA1

    05d69528eef64dae37ab21071fb5786e8a6ad965

    SHA256

    8b47310c38ccd2b19bbb51b618387f273bfe3797b960bdb95bc52948c5e08eeb

    SHA512

    0a592f67a35d3ddee67ce32d914e66ab5b3d7f1ba0c954d7cfb06fa93187709c8a2025768f9de1e866988e17b45a9be7983f1a84819054c0d0c10316ffac4e0f

  • C:\Windows\{B7F773A0-222C-441a-B1B0-41394C529091}.exe

    Filesize

    372KB

    MD5

    16fa66b8c12e44231a92d09a93af2cb5

    SHA1

    2029a4aaefc398d977cec0079a0a9f1ce32e474d

    SHA256

    259abf35176e8c0dd86c239c6cb9dc07c8e2c1c6baf4c0107666e975e2473fd6

    SHA512

    47b3b1a75d7b11070e5d8700160386ca1c5aa89246c99a1d897739837e05f0d5f4542529db25a095d2cb321b5608e9169e61d1ef8a0870dafd84b95d204ba743

  • C:\Windows\{DCECB2E4-245F-4c44-B42F-41E4E581F279}.exe

    Filesize

    372KB

    MD5

    5aace3a28eaeaa5d7eb32f9b7838e817

    SHA1

    41a176d536fcf59e14e9ca9c1298dfbc65781d0e

    SHA256

    c17b2f22023688b8230e8b22e7dd98911d1d5d97b8e3e4f72d8238b6239059cd

    SHA512

    97928a93ea68945a1cb38ef6a270f94f83f88cc2da1950c952921aeaa25f77d6c3390f3b8bdb7e5afd40f86532027e7546961c312302bc357df148b8b265b514

  • C:\Windows\{E0BFD6E4-A574-49e7-B419-649700DB83C9}.exe

    Filesize

    372KB

    MD5

    4d89d6fc9a84229d2ad218b59de3892e

    SHA1

    73c3a0417a0ed899b742648b390280d8143bea27

    SHA256

    cf91989b08c5fd376158270499ec22efc54693dc714c0aef189275455731e15d

    SHA512

    968bea9ba7198949febf47ece1f2c9aa9dd139f5b92fcd6d0d50d0d68f5bb2838e6f2db660e29f52ace4b4cdef5d203a15d824a6e7b3106f36424a34260300aa

  • C:\Windows\{E6E0B094-6006-48a1-B863-F12A81EA8B0E}.exe

    Filesize

    372KB

    MD5

    fe30b5b16b7d011a5e8b9e18ba046449

    SHA1

    12c5c25c3c3f027abe45bd608d97e20e13ac1c1a

    SHA256

    f6840ddb3d338947ae1167ab07fe7102f6885491dc83043cc2577eb896fe961c

    SHA512

    a7a752cc7802ad1a419a05ba6f7f57ae4b409d7b0133634a72a89e2225eaf77b7b9de7dd8fc493b187980d6f730c111eeb99f78c97a757225cb606137ebe8a76