Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
  • submitted
    11/08/2024, 07:03

General

  • Target

    2024-08-11_de850b0903e46951faf5cf7a9af27a5d_goldeneye.exe

  • Size

    408KB

  • MD5

    de850b0903e46951faf5cf7a9af27a5d

  • SHA1

    fe58275c65003fee158e0280ac9f30bac2c375c1

  • SHA256

    2a5392ca69b1c533ca878d509c63ff9e8c5b55d918d5f3edbf792c04d860eacb

  • SHA512

    f772de0897caeb7ee3f00d1e32af9218d5634f99ea82417245bf191f4aad2ccc33ad635ffaa566f97208bc3e4092f9d4d08b8a1e56baf39811a9ec5bb4271467

  • SSDEEP

    3072:CEGh0oll3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGTldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
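
Active Setup entries live under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}, and the StubPath of each component is executed for every user whose HKCU hive does not yet record that component, so a persisted StubPath is the first thing to check on a host that ran this sample. The Python below is an added example, not part of the report and not code from any sandbox or from the sample: it parses a Windows .reg export of that key and flags StubPath targets that are GUID-named executables sitting directly in the Windows directory, or that run from user-writable locations. The export is constructed for the example; the report does not show the registry values the sample wrote, mapping the dropped GUID executables to StubPath entries is an assumption, and the 0000…0001 and 0000…0002 components with their regsvr32 and updater.exe StubPaths are placeholders.

```python
import re

# Added example (not from the report). Parses a .reg export of the Active Setup
# component key and flags StubPath values a legitimate component would not have.
# SAMPLE_REG is CONSTRUCTED: the two GUID-named .exe paths are files the report
# lists under C:\Windows (mapping them to StubPath entries is an assumption),
# 0000...0001 is a benign placeholder and 0000...0002 a user-writable placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"ComponentID"="PlaceholderComponent"
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{56726CD0-4907-4c25-B5B8-5A757CA50796}]
"StubPath"="C:\\Windows\\{56726CD0-4907-4c25-B5B8-5A757CA50796}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01338E4F-91B3-4376-AC47-4D0BD7F1AFF2}]
"StubPath"="C:\\Windows\\{01338E4F-91B3-4376-AC47-4D0BD7F1AFF2}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Roaming\\Placeholder Updater\\updater.exe\" /silent"
"""

ACTIVE_SETUP_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="value" lines; the value may contain \\ and \" escape pairs.
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
# <drive>:\Windows\{GUID}.exe, i.e. a GUID-named executable directly in the Windows root.
GUID_EXE_RE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the string values in a .reg export."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            # .reg escapes a backslash as \\ and a quote as \" inside string values.
            entries[current][name] = raw.replace("\\\\", "\\").replace('\\"', '"')
    return entries


def stub_target(stub):
    """Executable path of a StubPath command line (quoted or first whitespace token)."""
    if stub.startswith('"'):
        return stub[1:].split('"', 1)[0]
    return stub.split(" ", 1)[0]


def audit_active_setup(entries):
    """Return (component_guid, stub_path, reason) for each suspicious StubPath."""
    findings = []
    for key, values in entries.items():
        if not key.lower().startswith(ACTIVE_SETUP_PREFIX.lower()):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue
        target = stub_target(stub).lower()
        reason = None
        if GUID_EXE_RE.match(target):
            reason = "GUID-named executable launched directly from the Windows directory"
        elif target.startswith(USER_WRITABLE):
            reason = "StubPath runs from a user-writable location"
        if reason:
            findings.append((key.rsplit("\\", 1)[1], stub, reason))
    return findings


if __name__ == "__main__":
    for guid, stub, reason in audit_active_setup(parse_reg(SAMPLE_REG)):
        print(f"{guid}: {reason}\n    {stub}")
```

On a live host the export comes from `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" active_setup.reg`; reg.exe writes UTF-16 with a BOM, so open the file with `encoding="utf-16"` before passing it to `parse_reg`. The per-user copies under HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components show which components have already executed for a given account.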

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-11_de850b0903e46951faf5cf7a9af27a5d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-11_de850b0903e46951faf5cf7a9af27a5d_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\{56726CD0-4907-4c25-B5B8-5A757CA50796}.exe
      C:\Windows\{56726CD0-4907-4c25-B5B8-5A757CA50796}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\{01338E4F-91B3-4376-AC47-4D0BD7F1AFF2}.exe
        C:\Windows\{01338E4F-91B3-4376-AC47-4D0BD7F1AFF2}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\{B02AF11F-9978-4296-BCC6-111C542C395B}.exe
          C:\Windows\{B02AF11F-9978-4296-BCC6-111C542C395B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\{BBB26DEA-08F3-42f0-9AC1-AFD920D27FB8}.exe
            C:\Windows\{BBB26DEA-08F3-42f0-9AC1-AFD920D27FB8}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1080
            • C:\Windows\{D43B3D9C-4A3B-4a7c-937E-24D7DA51C701}.exe
              C:\Windows\{D43B3D9C-4A3B-4a7c-937E-24D7DA51C701}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2344
              • C:\Windows\{4596F25B-BE5A-48a4-BE74-9B07EC213E86}.exe
                C:\Windows\{4596F25B-BE5A-48a4-BE74-9B07EC213E86}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1944
                • C:\Windows\{E34865BB-74F9-4b52-B6A4-ACC6414597EC}.exe
                  C:\Windows\{E34865BB-74F9-4b52-B6A4-ACC6414597EC}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2724
                  • C:\Windows\{23C7B0A6-1ACA-4189-8317-B5FD0C7CBCBD}.exe
                    C:\Windows\{23C7B0A6-1ACA-4189-8317-B5FD0C7CBCBD}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1576
                    • C:\Windows\{195DF049-FF0A-43ee-876E-D33139CE355A}.exe
                      C:\Windows\{195DF049-FF0A-43ee-876E-D33139CE355A}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1056
                      • C:\Windows\{2ED702D3-3978-4e4c-B958-3EA86BEF3712}.exe
                        C:\Windows\{2ED702D3-3978-4e4c-B958-3EA86BEF3712}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2004
                        • C:\Windows\{3C3C1731-73A1-42a5-8604-B6DF8892265F}.exe
                          C:\Windows\{3C3C1731-73A1-42a5-8604-B6DF8892265F}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2340
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2ED70~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:960
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{195DF~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2168
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{23C7B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1200
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E3486~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2052
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{4596F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2352
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D43B3~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2324
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BBB26~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2376
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B02AF~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1208
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{01338~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2956
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56726~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2672
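
The tree above shows the pattern a detection engineer would key on: each stage is a 408KB executable dropped into C:\Windows under a GUID file name, it launches the next stage, and it spawns cmd.exe /c del against its own parent's image, written as an 8.3 short name ({56726~1.EXE for {56726CD0-4907-4c25-B5B8-5A757CA50796}.exe, 2024-0~1.EXE for the submitted file). The Downloads section shows that every stage carries a different hash, so blocking the submitted file's hash does not cover the chain. The Python below is an added example, not part of this report and not code from any sandbox: it replays part of the tree as constructed process-creation events and implements both checks, including the short-name matching that a plain string comparison against the long path would miss. PIDs and paths are taken from the report; the event record shape, the PID 1000 parent, and the benign control process (a hypothetical C:\Program Files\Vendor\setup.exe deleting setup.log) are assumptions.

```python
import re
from dataclasses import dataclass

# Added example (not from the report). Replays part of the report's process tree
# as constructed events and flags two behaviours visible in it: a chain of
# GUID-named executables in the Windows root, and cmd.exe deleting the image of
# its own parent. PIDs/paths are from the report; the record shape, PID 1000 and
# the Vendor\setup.exe control (PIDs 2000/4000) are assumptions.


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(2708, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\2024-08-11_de850b0903e46951faf5cf7a9af27a5d_goldeneye.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2024-08-11_de850b0903e46951faf5cf7a9af27a5d_goldeneye.exe"'),
    ProcEvent(2780, 2708, r"C:\Windows\{56726CD0-4907-4c25-B5B8-5A757CA50796}.exe",
              r"C:\Windows\{56726CD0-4907-4c25-B5B8-5A757CA50796}.exe"),
    ProcEvent(2672, 2708, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(2312, 2780, r"C:\Windows\{01338E4F-91B3-4376-AC47-4D0BD7F1AFF2}.exe",
              r"C:\Windows\{01338E4F-91B3-4376-AC47-4D0BD7F1AFF2}.exe"),
    ProcEvent(2548, 2780, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Windows\{56726~1.EXE > nul"),
    # Benign control (constructed): an installer removing its own log file.
    ProcEvent(2000, 1000, r"C:\Program Files\Vendor\setup.exe", r'"C:\Program Files\Vendor\setup.exe"'),
    ProcEvent(4000, 2000, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul"),
]

# <drive>:\Windows\{GUID}.exe directly in the Windows root.
GUID_EXE_RE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# First path argument of a 'del' command (optionally quoted; no embedded spaces).
DEL_RE = re.compile(r'\bdel\s+"?([^\s"]+)', re.I)
# 8.3 short form: up to six stem characters, ~N, optional 3-character extension.
SHORT_RE = re.compile(r"^(.{1,6})~\d+(?:\.(.{0,3}))?$")


def short_name_matches(candidate: str, long_path: str) -> bool:
    """True if candidate (long form or 8.3 short form) names long_path.

    Simplified 8.3 rule: first six stem characters with spaces dropped, plus ~N
    and the first three extension characters. Ignores the '_' substitutions
    Windows applies to some punctuation.
    """
    cdir, _, cbase = candidate.rpartition("\\")
    ldir, _, lbase = long_path.rpartition("\\")
    if cdir.lower() != ldir.lower():
        return False
    if cbase.lower() == lbase.lower():
        return True
    m = SHORT_RE.match(cbase)
    if not m:
        return False
    lstem, sep, lext = lbase.rpartition(".")
    if not sep:
        lstem, lext = lbase, ""
    short_stem, short_ext = m.group(1), m.group(2) or ""
    return (lstem.replace(" ", "")[:6].lower() == short_stem.lower()
            and lext[:3].lower() == short_ext.lower())


def find_parent_self_deletes(events):
    """(cmd_pid, parent_pid, parent_image) where cmd.exe deletes its parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(m.group(1), parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def find_guid_exe_chain(events):
    """Longest parent->child chain of GUID-named executables in the Windows root."""
    by_pid = {e.pid: e for e in events}
    best = []
    for e in events:
        if not GUID_EXE_RE.match(e.image):
            continue
        chain, cur = [], e
        while cur is not None and GUID_EXE_RE.match(cur.image):
            chain.append(cur.pid)
            cur = by_pid.get(cur.ppid)
        if len(chain) > len(best):
            best = chain[::-1]
    return best


if __name__ == "__main__":
    print("GUID exe chain (PIDs):", find_guid_exe_chain(EVENTS))
    for cmd_pid, parent_pid, image in find_parent_self_deletes(EVENTS):
        print(f"cmd.exe {cmd_pid} deleted image of parent {parent_pid}: {image}")
```

On real telemetry the four fields map directly onto Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine). The chain check is what catches the 11 identically sized, differently hashed stages in this report; the self-delete check is what distinguishes them from an installer that merely cleans up a temp file, which is why the constructed setup.log control is not flagged.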

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{01338E4F-91B3-4376-AC47-4D0BD7F1AFF2}.exe

    Filesize

    408KB

    MD5

    e52c5dc766f7d7bfd45e5d804720adea

    SHA1

    9af86578530800f7ba8d232ce42b904de1a953cb

    SHA256

    ef2f0be99363434ce1fe25cfe0bba8737f178244f02db92f5264bf4a001e0139

    SHA512

    7052caceba06e158ceb02369c047d1c911322f522b163b4bef0a255ddca1d6278eee461e3fb773909db20c488d85cfd96c431760afbc1ddd56589a5225f57fde

  • C:\Windows\{195DF049-FF0A-43ee-876E-D33139CE355A}.exe

    Filesize

    408KB

    MD5

    b63382ee3d6e1388dcf8ec8310ca8b41

    SHA1

    4d21faff291247f5180fa5117d3165d40e4bc825

    SHA256

    fa9b1a88cde2db6244839eb14777f7bb0c0a9b398e9b83a40940699fae55c5a1

    SHA512

    daeb371a0d2525e79eafbe8ea53bf58311fd9a12494c3e702550c5d90183ffd354b543c512b25ef5e54b61a354b94b03674681778b2e0d949da33d240491cad9

  • C:\Windows\{23C7B0A6-1ACA-4189-8317-B5FD0C7CBCBD}.exe

    Filesize

    408KB

    MD5

    9198b5cf9b07a345540361e283630cd0

    SHA1

    77d4f406afb677f1bc29a003422f5077c0609438

    SHA256

    c7908aa808cfae64f312ed6e9427b934fa2d2cf9bbb1f402f6b813080ba925f4

    SHA512

    cd2c86da2d49bc546b5947cb8053f42a1894eb3a7a8849155c8598646ca8bf44ab848fa43bf37d7d6193cc11c87c5bc43968dd410c2f85295721b5ebe32c5bc5

  • C:\Windows\{2ED702D3-3978-4e4c-B958-3EA86BEF3712}.exe

    Filesize

    408KB

    MD5

    46ca27538ed38b64f2be07d662c2a742

    SHA1

    bb0c30480e32ef73f30fecd6400fd8efe0733607

    SHA256

    0fff7839eb5d0aac1fbebf57c6d4b6e4a10637b6fd5e08450dff61a02be605c9

    SHA512

    0b0621bdb79b0c69add5cd4418c53fc2b31f4b5c0df2f753d4c14a4d7b71aa9a29c956bcc857ecefce284a437161b4e1b7b72a7b65112dd62c703d03e57eef18

  • C:\Windows\{3C3C1731-73A1-42a5-8604-B6DF8892265F}.exe

    Filesize

    408KB

    MD5

    6b5974754ffe02f95afa40dc41cce0e2

    SHA1

    13504ff0b0e7ab294d65e75924322e7dd07fdfee

    SHA256

    abc93093d3204da69df3fe5bb2bfd067798f233b969f5cdf114ec8cfcbde9277

    SHA512

    5b6f09d6b3fbb3ddedd63958df11db46db3d8e596e4dddfba3deb47fb65905dac64e26efba25c7dd036d0540534928113a51326c3aa366bf476f1ffc92ac94fe

  • C:\Windows\{4596F25B-BE5A-48a4-BE74-9B07EC213E86}.exe

    Filesize

    408KB

    MD5

    a6982452bea6449a2ee8e5a0db739711

    SHA1

    dca004aac13181ce69fbb2294310af1f058567d2

    SHA256

    11173fa8589c44aa5ba9425395b496d141289ec8ee55d89f17c87349a1862f42

    SHA512

    851483b6ddcad95f9dad171319b67a1643fb43cb4fdc3631185b0170a91b876a1bf392231ce91f8b57badd9734f5ce4b727342ee295ca8144bf79d679b86d87e

  • C:\Windows\{56726CD0-4907-4c25-B5B8-5A757CA50796}.exe

    Filesize

    408KB

    MD5

    a866fe139aeca7243dc38f302f853995

    SHA1

    94b72a2b14b388e961f5f9ad4987aedee8fa6a9f

    SHA256

    c295b1abf57e144464ad9415859cbc423a5f18fc75e7e4bb30d3fc71eac65842

    SHA512

    0d1384c31ca653de1c0f7d843c5bd1de9bf60ce7f44830f977b62fbded719ce8b18f26b133dc2beff09c1bb70da3fd6f0c4482bfc32335380cdd9d9bf5917e60

  • C:\Windows\{B02AF11F-9978-4296-BCC6-111C542C395B}.exe

    Filesize

    408KB

    MD5

    e701c0993bb68a2edea46a6f7e04310e

    SHA1

    1e389168d600057d5d3199a43dbd134dd3461211

    SHA256

    d72d5f9543cfb0aebb0b74b7358e917e1fc72aa0c54d6674683d803681489bd8

    SHA512

    b4f6fa20ba15345945c0056c7b493925a6473aaff86586a36dc8ca13273c46b6345ec9ed0076c9bd3adc8459870db8cbef13ca24a45e5aadf8b3465246078d4f

  • C:\Windows\{BBB26DEA-08F3-42f0-9AC1-AFD920D27FB8}.exe

    Filesize

    408KB

    MD5

    9460460e4d01ade2333636c84f0c2da7

    SHA1

    be4d0b4f471ef014238bcd474a96b03c156c5874

    SHA256

    ca9ecaddd13841212db95c73fc3be02d7a926b88a99eefd6d60e93ba617b5c1d

    SHA512

    8ac0726564fb6be7bc3d3bb3c110c8c35330a1177ef8e4e044317c9c8f5eb6829ab355cad48d0e8cbdf0a3f7c69b3c5ab37af832ffd4bc8f64d2092aaa5eef4c

  • C:\Windows\{D43B3D9C-4A3B-4a7c-937E-24D7DA51C701}.exe

    Filesize

    408KB

    MD5

    e2339c97cf4610d2fe0adb4ee8e44a25

    SHA1

    e80c97525e8e19507d40a6a0d1a639d0ff944e9f

    SHA256

    6ac06d31dfd02697458aeeb43daa1affcf1ff8aa81cfd4e1cc932751abdd8fef

    SHA512

    105b6f896c978619b32b967d9a17a365d23f6b9cbea1e155f62066450ee353643f805a9bf91bb74809a8f5364e17d53a6e4327bbd338c513cf99f14947c7af0d

  • C:\Windows\{E34865BB-74F9-4b52-B6A4-ACC6414597EC}.exe

    Filesize

    408KB

    MD5

    5097a8fab910022d23814824364993e9

    SHA1

    8d1b2f4ceead2bea845b70fa4bd0e99418325760

    SHA256

    91a51697efcc11f33c601eedb725f59e78e3f209e1f7a2a8bc27e2a601f96d46

    SHA512

    7b5f8f2242d234f0279a0649fed2739802e1465bf5bfb6c75afeae1077c979051328f1237f1e3acea149eb52e051a5c84f7ffa59b932590f08ad5153c7b414f7