Analysis

  • max time kernel
    144s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/08/2024, 01:32

General

  • Target

    2024-08-10_5b19f1c6288b3d62aed7a826abab0d6e_goldeneye.exe

  • Size

    204KB

  • MD5

    5b19f1c6288b3d62aed7a826abab0d6e

  • SHA1

    c43ea4211b5b85a455b195f0df33fafb1a4de0ca

  • SHA256

    d0e6044ef4fae086b9d7f0c2273d6a28b2a0cdbde686729c8d63cc81b00bde3d

  • SHA512

    7f68cb108bef3673582176fb3f7f6990c44556dc26b3df917e6f5a5efbf8cf0fc6ae5e5230ecd0c4c5562189e1d2f2a8aeb96ab794b17b6e43d97ff3185f71fb

  • SSDEEP

    1536:1EGh0otl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0otl1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup components live under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, and the StubPath command of a new component runs once for each user at their next interactive logon; the report flags the behaviour but does not show the specific key or StubPath this sample wrote.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-10_5b19f1c6288b3d62aed7a826abab0d6e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-10_5b19f1c6288b3d62aed7a826abab0d6e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\{896B9E58-B88B-460a-B95E-B6BF48F38129}.exe
      C:\Windows\{896B9E58-B88B-460a-B95E-B6BF48F38129}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Windows\{E1C60CC2-3EAF-4d0c-9C96-511DE6B2C0E6}.exe
        C:\Windows\{E1C60CC2-3EAF-4d0c-9C96-511DE6B2C0E6}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\{81A6BEC7-F47A-4d65-95D9-2D5AC1B7F21C}.exe
          C:\Windows\{81A6BEC7-F47A-4d65-95D9-2D5AC1B7F21C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\{0F5EB84F-E22A-40a2-BABB-95CC1A4E18B9}.exe
            C:\Windows\{0F5EB84F-E22A-40a2-BABB-95CC1A4E18B9}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2804
            • C:\Windows\{11776137-87FD-4eff-9863-6CBCBC52C756}.exe
              C:\Windows\{11776137-87FD-4eff-9863-6CBCBC52C756}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3052
              • C:\Windows\{69E3F4DF-0AA4-4304-817E-C0A3BA9B03AF}.exe
                C:\Windows\{69E3F4DF-0AA4-4304-817E-C0A3BA9B03AF}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1488
                • C:\Windows\{D2693A3A-11FE-40df-BBAB-1AF4972A3ACD}.exe
                  C:\Windows\{D2693A3A-11FE-40df-BBAB-1AF4972A3ACD}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1696
                  • C:\Windows\{4CB0329D-3D40-4285-A0FF-436B354464EA}.exe
                    C:\Windows\{4CB0329D-3D40-4285-A0FF-436B354464EA}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1108
                    • C:\Windows\{5DF4E9C7-AE0E-4798-869D-C5DA18F5699B}.exe
                      C:\Windows\{5DF4E9C7-AE0E-4798-869D-C5DA18F5699B}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1492
                      • C:\Windows\{80B16BAA-19AA-436e-B895-900CD5A486CD}.exe
                        C:\Windows\{80B16BAA-19AA-436e-B895-900CD5A486CD}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:956
                        • C:\Windows\{5B99BE7B-D61B-4150-8CCE-5C9E7B74C0C5}.exe
                          C:\Windows\{5B99BE7B-D61B-4150-8CCE-5C9E7B74C0C5}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:952
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{80B16~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1036
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DF4E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:936
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4CB03~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1984
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D2693~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2812
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{69E3F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1964
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{11776~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2340
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0F5EB~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2264
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{81A6B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2744
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E1C60~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{896B9~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2896
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2564
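The process tree above shows a fixed pattern repeated twelve times: each stage drops a copy of itself as C:\Windows\{GUID}.exe, runs it, and then removes its own binary with `cmd.exe /c del <8.3 short path> > nul`, so that the on-disk artefact at any moment is only the newest generation. The following detection logic is an added example written for this page, not output of the sandbox or code from the sample. It runs over constructed Sysmon-style process-creation events (process id, parent process id, image, command line) transcribed from the first two generations of the tree above plus one benign control, and flags GUID-named executables in C:\Windows, cmd.exe invocations that delete the parent's own image via its 8.3 short name, and the length of the GUID-to-GUID dropper chain. The 8.3 comparison is a prefix check, which is sufficient for names like these whose first six characters survive short-name generation unchanged; that simplification is an assumption of the example.

```python
import re

# Constructed Sysmon-style process-creation events (Image, CommandLine, ProcessId,
# ParentProcessId), transcribed from the sandbox process tree above. Only the
# first two generations plus one benign control are included here; the real
# tree has twelve GUID-named generations.
EVENTS = [
    {"pid": 2388, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-08-10_5b19f1c6288b3d62aed7a826abab0d6e_goldeneye.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-08-10_5b19f1c6288b3d62aed7a826abab0d6e_goldeneye.exe"'},
    {"pid": 664, "ppid": 2388,
     "image": r"C:\Windows\{896B9E58-B88B-460a-B95E-B6BF48F38129}.exe",
     "cmdline": r"C:\Windows\{896B9E58-B88B-460a-B95E-B6BF48F38129}.exe"},
    {"pid": 2564, "ppid": 2388,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
    {"pid": 2860, "ppid": 664,
     "image": r"C:\Windows\{E1C60CC2-3EAF-4d0c-9C96-511DE6B2C0E6}.exe",
     "cmdline": r"C:\Windows\{E1C60CC2-3EAF-4d0c-9C96-511DE6B2C0E6}.exe"},
    {"pid": 2896, "ppid": 664,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{896B9~1.EXE > nul"},
    # Benign control (constructed): a del via cmd.exe whose target is not the parent's image.
    {"pid": 3000, "ppid": 2388,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Admin\Desktop\notes~1.TXT > nul"},
]

# A bare {GUID}.exe directly in the Windows directory, as every dropped stage above is named.
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$", re.I)
# "del <target> > nul" as passed to cmd.exe /c.
DEL_RE = re.compile(r"\bdel\s+(?P<target>\S+)\s*>\s*nul", re.I)
# An 8.3 short file name: up to six leading characters, a tilde, a number, an extension.
SHORT_NAME_RE = re.compile(r"^(?P<stem>[^\\~]{1,6})~\d+\.(?P<ext>\w+)$", re.I)


def short_name_matches(target, image):
    """True if an 8.3 path such as C:\\Windows\\{896B9~1.EXE can refer to `image`.

    Assumption: the first characters of the long name survive short-name
    generation unchanged (true for the names in this report; names containing
    spaces or other stripped characters would need the real 8.3 algorithm).
    """
    tdir, _, tfile = target.rpartition("\\")
    idir, _, ifile = image.rpartition("\\")
    if tdir.lower() != idir.lower():
        return False
    m = SHORT_NAME_RE.match(tfile)
    if not m:
        return tfile.lower() == ifile.lower()
    stem, ext = m.group("stem").lower(), m.group("ext").lower()
    return ifile.lower().startswith(stem) and ifile.lower().endswith("." + ext)


def detect(events):
    """Return (pid, rule) findings for the drop-and-self-delete pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if GUID_EXE_RE.match(e["image"]):
            findings.append((e["pid"], "guid_named_exe_in_windows_dir"))
        if e["image"].lower().endswith("\\cmd.exe"):
            m = DEL_RE.search(e["cmdline"])
            parent = by_pid.get(e["ppid"])
            # Self-deletion: the child cmd.exe deletes the binary its parent is running from.
            if m and parent and short_name_matches(m.group("target"), parent["image"]):
                findings.append((e["pid"], "parent_self_delete_via_cmd"))
    return findings


def guid_chain(events, root_pid):
    """Follow the dropper chain from root_pid: each GUID exe spawned by the previous one."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    chain, cur = [], root_pid
    while True:
        nxt = [c for c in children.get(cur, []) if GUID_EXE_RE.match(c["image"])]
        if not nxt:
            return chain
        cur = nxt[0]["pid"]
        chain.append(cur)


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid}: {rule}")
    print("dropper chain:", guid_chain(EVENTS, 2388))
```

Note that the short-name deletion is the higher-signal rule: a cmd.exe child deleting the exact image its parent is executing from is rare in legitimate software, whereas GUID-named files under C:\Windows do occur with some installers, so that rule is better treated as a correlating indicator than as an alert on its own.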

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{0F5EB84F-E22A-40a2-BABB-95CC1A4E18B9}.exe

          Filesize

          204KB

          MD5

          716edd2c2024291525d39cd2b0345ede

          SHA1

          7b444ac9808e0e84aca265dab888f69d6a749640

          SHA256

          7fb7e2420207221e83b3467958ab7e63df6b5b15dca23d919dbe8e63d4994eec

          SHA512

          adfa548858208f7c81092c00a1c86db5afdedcc71b30539f3b6d0d73daa8bb6e8b264c2b60dd535366dd362f184bbe0d21b1f802242ebc7223c43525f52cfe0c

        • C:\Windows\{11776137-87FD-4eff-9863-6CBCBC52C756}.exe

          Filesize

          204KB

          MD5

          f97432192160d70478a8f4a90d05dd81

          SHA1

          d5996cf38f393ea548a7c3707933fd7d1b65cbcf

          SHA256

          3841d2d26a6c9b74b360fc9f6e3cd36087153f32b9f35ccd4f60786a58fbcc6d

          SHA512

          22bab044586f72a70c49f4eb6576bcca1c3f52453f91618b0677f3d69bccb66d10c4f1e5a9452523485b56ef11916997e3373d96e636ba975419b23755fe1633

        • C:\Windows\{4CB0329D-3D40-4285-A0FF-436B354464EA}.exe

          Filesize

          204KB

          MD5

          e3602f25c4bacdc027fb2375b19dbafc

          SHA1

          9bb8d37bacd0430aa69a5b394312099207dc5461

          SHA256

          91000b9d42c233ea8a1f3d69dd69934eac9c81d3a9bfe27d682526721b01a86b

          SHA512

          d989480dffcbfbabc69b0a67dcb7ad762124dd7afeeaa01b10f170ab2296f4846277ec1cf01e8b2ccc69f9baba8c0d23df722a0c21d5197a91e993402163286d

        • C:\Windows\{5B99BE7B-D61B-4150-8CCE-5C9E7B74C0C5}.exe

          Filesize

          204KB

          MD5

          cdd91c3eae347794b7db1c66133547bc

          SHA1

          3407cf5c8d72fc5214ab24d6d50d6dcff313a045

          SHA256

          a4d3e833f80856c4a94ead5345a82ac6835ba0c71c86638ddb9701752b9cabbf

          SHA512

          d8057d6a020761771fe07272ee6a5d72a62c88c6bed7068d4ac8c33d33716befe423baf8350f416137ed4a6aa1bc32258ee87b33b52cf6a24b5e2e1984057b07

        • C:\Windows\{5DF4E9C7-AE0E-4798-869D-C5DA18F5699B}.exe

          Filesize

          204KB

          MD5

          03a5e8b901f626a0f0ae08fc2650272d

          SHA1

          ec586487956c11231a169c64fa9b268a5852ba59

          SHA256

          1c590cabe51de4f16803f51c37421f956875792c306c40c70f7e520ed56c9a8e

          SHA512

          64c57c1b71c0b0d4f6a22f5faeb8d932b4deb4e55e434e01c8c116d6a0a52ca18089c348724f77fd01699f5f4419e02df682a33d0913c3dd926ba96e31659741

        • C:\Windows\{69E3F4DF-0AA4-4304-817E-C0A3BA9B03AF}.exe

          Filesize

          204KB

          MD5

          a4e31492b48aea28ada0544cc0b88308

          SHA1

          b972356e86d8e1ddea1817cc758da78bec4a4cae

          SHA256

          295b9d69e930d8d7b21a86719ea069be6e8c429d27c04a30ae7f592cdfb897d1

          SHA512

          3473a2884b1e119520bda2a0f9d07d23c3d654ce268bb632700816bc02854d0b0414fbcb06aaa6532e76fdfd46b6961f4f6f0881e8b6d9dda25796e090f49e16

        • C:\Windows\{80B16BAA-19AA-436e-B895-900CD5A486CD}.exe

          Filesize

          204KB

          MD5

          f1eb5247d9d2890edd8517bd4e0607c1

          SHA1

          5e3006885a28e2e618c0dfb2d4ef6d845111e4fb

          SHA256

          be5137d18171bfdae657af59b06b72aeb30ee87b60471d4b6b3961a553252edb

          SHA512

          a67419264902fc2d430c20b5151ce391411840acf2d231f60147d0ef01f28158347140e27b057b0a3214ee667d208c6a1cd264a28b8faeb7986f2cd8a71e793f

        • C:\Windows\{81A6BEC7-F47A-4d65-95D9-2D5AC1B7F21C}.exe

          Filesize

          204KB

          MD5

          587e29970dcf8b3f135b423a601a7249

          SHA1

          4f50dec948dc201f0b7d03b114729e759c39d193

          SHA256

          1e8ed1a78144dbf8ec00f20f93e6086ae5cd8d2d1320d0b71af4d4fb16650b82

          SHA512

          da479c7bafaa5064c2969f1c494738993ce6bacd138a9e7aaf1acaaf68b2e32eba4d3c7404bfac8f10cfdec0c759ef81521a7eec0e4618dc971c8aa0851b62f5

        • C:\Windows\{896B9E58-B88B-460a-B95E-B6BF48F38129}.exe

          Filesize

          204KB

          MD5

          496840e3faa3dcefed155e6b2084fe95

          SHA1

          559fb308846c88ed6b063715f61d69483657fe2e

          SHA256

          c18c0b9aebd56c19bb41dc259947c7c7c1c79dfae2538e3af41769eefb727d55

          SHA512

          c3031eaa4ad8aafddee85acc2934d3425dd3d883e85b09e150b41999d363b5bf06d374e66d41543a5872ba30d2aed104f2d2ac5e29a4851341c5f23eff9e2f62

        • C:\Windows\{D2693A3A-11FE-40df-BBAB-1AF4972A3ACD}.exe

          Filesize

          204KB

          MD5

          12dc4314b43933a69e65249c1b736411

          SHA1

          874705971466922e216d41de1c5ec6d00509bc72

          SHA256

          618911efe151c4f9d6e2a8a87f77607bcf489478802069ceb4cbb91e9716fe16

          SHA512

          165222ea95a6d3b389af8fcf018df8b43335519b0ff6be72cab69db58ecb09609d8bd47a7cbd4553663a8dd3fd279030cf82b2dd30365d29702fbceff3c4abd2

        • C:\Windows\{E1C60CC2-3EAF-4d0c-9C96-511DE6B2C0E6}.exe

          Filesize

          204KB

          MD5

          38ce8e25e8341be9628cead8e062a677

          SHA1

          49d6e7a73024605696fdc0b24c83d6d8653d3847

          SHA256

          314d0ad0d6fe0b41a00dc1803373adb3794b782c2943046aa06d853d3d086666

          SHA512

          6a727c44e113acc8929c3b628583425c29249d7c1530923e483dd8c741e401db3b2139465132c2e54fc45037aa8880ddd35bbf9b3119fa3ce49115ee2ac8220a