Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-08-2024 07:31

General

  • Target

    2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe

  • Size

    216KB

  • MD5

    3c93b97c5852127e8b42b547b359854e

  • SHA1

    b18abe54984b6479963b38339ffce2620d2c775a

  • SHA256

    6337ffad33b369c6be593ff5447a76c06cf381c1625da01ba7946e399b923303

  • SHA512

    c8f732d45d65df424516b1b7a1136248eea7c37e9a85cdddc84426cc32dbf095f722dd5d757bd6deae4e2559114de9ff62bbb16298e098e03fed58fd95b745ff

  • SSDEEP

    3072:jEGh0oSl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGklEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\{C63DD08E-E88F-4ae5-9C31-901E67F3760A}.exe
      C:\Windows\{C63DD08E-E88F-4ae5-9C31-901E67F3760A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\{C4FA55F8-25DA-42bd-9205-DF4C39FAAC13}.exe
        C:\Windows\{C4FA55F8-25DA-42bd-9205-DF4C39FAAC13}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\{15186D96-33E3-419e-B980-940AF8B5F09A}.exe
          C:\Windows\{15186D96-33E3-419e-B980-940AF8B5F09A}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\{40FE115F-0079-4663-8E00-9E88AE6348F8}.exe
            C:\Windows\{40FE115F-0079-4663-8E00-9E88AE6348F8}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1756
            • C:\Windows\{4DB0A740-7E22-4af6-A3FE-2DBB56F6FBCE}.exe
              C:\Windows\{4DB0A740-7E22-4af6-A3FE-2DBB56F6FBCE}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3008
              • C:\Windows\{0AF48A78-AE3A-4872-B031-EEE7D58EB047}.exe
                C:\Windows\{0AF48A78-AE3A-4872-B031-EEE7D58EB047}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1440
                • C:\Windows\{9B411337-A725-4e8d-9C69-FEBC1AF127C7}.exe
                  C:\Windows\{9B411337-A725-4e8d-9C69-FEBC1AF127C7}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2528
                  • C:\Windows\{1F51AE3B-5B20-4689-B5AB-3FDC0BB05566}.exe
                    C:\Windows\{1F51AE3B-5B20-4689-B5AB-3FDC0BB05566}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1008
                    • C:\Windows\{B488A0DB-DC51-402f-8E4F-495DBB76769E}.exe
                      C:\Windows\{B488A0DB-DC51-402f-8E4F-495DBB76769E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1472
                      • C:\Windows\{A1462254-A3C1-4f90-BF5F-27025FFA295F}.exe
                        C:\Windows\{A1462254-A3C1-4f90-BF5F-27025FFA295F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2136
                        • C:\Windows\{9739BCBB-CE8D-4c54-BD5E-777B194E7D57}.exe
                          C:\Windows\{9739BCBB-CE8D-4c54-BD5E-777B194E7D57}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1988
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A1462~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1860
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B488A~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1148
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1F51A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1600
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B411~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:772
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{0AF48~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:528
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{4DB0A~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1196
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{40FE1~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1276
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{15186~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C4FA5~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C63DD~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2788

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0AF48A78-AE3A-4872-B031-EEE7D58EB047}.exe

    Filesize

    216KB

    MD5

    ceff2098e9e83ad4a0b0fa0222eade48

    SHA1

    3e1af40fc253f068103f3ef4e3a37feef5c522bf

    SHA256

    bccb7a6a734fc0634a734c16ea76f3be50717460933017718328d73fbdacddfc

    SHA512

    3a5edb7cd9fb0ee7405eed51afe02e9bffb5a658d54a5f1c126e084e6a22bea798612ae569d34c829dd4f1f248f332d94eafc9c706d50350acee9306c36c5b71

  • C:\Windows\{15186D96-33E3-419e-B980-940AF8B5F09A}.exe

    Filesize

    216KB

    MD5

    31a430ca101d754adeda6e8e619a1659

    SHA1

    933367805dfbcbccb476fca0117b09a5099972a7

    SHA256

    1429e6d3f87b3ac165c3df701e67b6a0cc0ef02dc5820c8d58c4668e16ced529

    SHA512

    7734625b5dc5d18dcd9be831a5127b34d4302c7e4535ecec8958849ae59488cd0f480ad841bd58b8c7a10331c331032178a4e0fb046f49496bd693f90c9b9210

  • C:\Windows\{1F51AE3B-5B20-4689-B5AB-3FDC0BB05566}.exe

    Filesize

    216KB

    MD5

    9ab4f0fcabe613f63196a4be76dc0864

    SHA1

    0e3d3e826917b044ec5e96713ba165bf9710d61d

    SHA256

    9bf403cce89879ec37d71c668d2d2127026ae49c3507362bafb80fd2e54a0623

    SHA512

    1356e00e2662088c7891ac3ed91ece671920f5fe5a5e56e2a3d87785a14b3dcf3e268fba39be5f19255e06da68fc6fb39f184426d0ade6050aae8badd1444142

  • C:\Windows\{40FE115F-0079-4663-8E00-9E88AE6348F8}.exe

    Filesize

    216KB

    MD5

    a1d6aa473360d2e513e09eff04ec334b

    SHA1

    1e72be6205838700de1cdc01f77759779f020208

    SHA256

    b87f3423982d322a199a23723449f947d5199af6b3e12e3e2c84ac6501d8a0b8

    SHA512

    0eaee8da46b8710febbcc597a52d6e47e6e6ddd28439507f835a906b1c9884ea35e040c20dc2c5d37bb86871baa0661aac06f4501a032dd0ac8eef07be63770b

  • C:\Windows\{4DB0A740-7E22-4af6-A3FE-2DBB56F6FBCE}.exe

    Filesize

    216KB

    MD5

    d38bc20cd1b0516bc222292ae3db5c8d

    SHA1

    ff7404aa08fc239934a5cdbd26cf0b2d1aa5c4ba

    SHA256

    b496205777da07812ece3ff9a0098afa0d1dcf01e32375262b3b5598c8d95533

    SHA512

    c323325dc80097bd4f889326918a74a5d97620daeffdecdd24ee09effe4fc4a1367a5716788526bb7b074d793322196be2d927ce2e791e09b20ab5c01679c2f9

  • C:\Windows\{9739BCBB-CE8D-4c54-BD5E-777B194E7D57}.exe

    Filesize

    216KB

    MD5

    a611f610909dea08d269381024d09f20

    SHA1

    7138cd8a79b40703e32c59f2cd00a1895dd28ec8

    SHA256

    eca1e5a0fa51449f938598289dcbacfae2b234aba786e1cf58f5499749d0b4c1

    SHA512

    38509980ce670d38666c20e0c3e2956b14c0a971b95552c8b11551dfb709b0b82572e0c2a00795bf7d9efe43560d469f28ec768cd8ef799f1d665d87eea58ccb

  • C:\Windows\{9B411337-A725-4e8d-9C69-FEBC1AF127C7}.exe

    Filesize

    216KB

    MD5

    62a06e267b933b02691e387d3c23b037

    SHA1

    c8fcaa66e3bad12b4e8fac1435272fc4cf947c23

    SHA256

    52e93c92401e0814829807ea953a502029ba912230daae51e9f8af394b2910bc

    SHA512

    ed5d3de8a27f6860967293882b0a9d22fa56f7e438121deef286fa94e2365fc73d0225bc01a2309fca2bc42fc80bc703d4b2231ddf624c6c07682fbb8c9e361b

  • C:\Windows\{A1462254-A3C1-4f90-BF5F-27025FFA295F}.exe

    Filesize

    216KB

    MD5

    ae7a474dc87734f65b9aef7cdca2dfcb

    SHA1

    e097106d774f32c96833e18ef9237b11d974b687

    SHA256

    c7066f24954c53927197c125f5862c05a9a79570af598554aa71eefa2027981c

    SHA512

    f0baed8fa227770fdf142d415a82cff8752602f9add09b233cae536a7f2c11bcc04d3376e7ae57ed684cdeafeb28cf787892b5b71baa36172fda242df501c3d4

  • C:\Windows\{B488A0DB-DC51-402f-8E4F-495DBB76769E}.exe

    Filesize

    216KB

    MD5

    ad5a3166280ffcdd7bd1c0e0830e2ffe

    SHA1

    c97d7d1e291c6b54d8ee5d1058acb5af2b3d01d3

    SHA256

    608be1c62bc65df996478469d0ea7034184f16893172d50929e39f185fb04a65

    SHA512

    6fd914ce5e54cbc0196d398d67b28cba9dc26338573e666865b79cb6cc33a615d8ae0d7af45312b6838f80fce87109f6a618e626333d46317928b2a446d0142b

  • C:\Windows\{C4FA55F8-25DA-42bd-9205-DF4C39FAAC13}.exe

    Filesize

    216KB

    MD5

    deca103b80ddc2e7b2c3141b4cae6a02

    SHA1

    b1123c0e9e92377f09488b44178cf49a9ebde044

    SHA256

    e265085e0ca0e0ff7b272a2e55b6958ccd56208c27d5876fe0b13a12758e6f27

    SHA512

    4ac5ee37a9149328d907831b976fd9d9c45fe33e997481c5c0ba85a7300d122986d885d70fdfb4b858896112f09f5ef6cfeb25724ce0ea8077e8110f07b84fd7

  • C:\Windows\{C63DD08E-E88F-4ae5-9C31-901E67F3760A}.exe

    Filesize

    216KB

    MD5

    3d2fe93ef7731c1e4457fbc1ae9c7e41

    SHA1

    e725ab206388e7d84efa37e37f3c50ddf50f7e0c

    SHA256

    df89d8699bf193aaa582cab3bef2c49f43791b4a522c36bfbf132e25751a743c

    SHA512

    01d4a90b19a4f4e69d043099c2b3ae7ce97595fb9d5817349d2adbda01df6b04ac2df8c03d69b5f94753f6dd40cc8b303eea7ab971575b5633cd103bf9160464