Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19/08/2024, 06:51

General

  • Target

    2024-08-19_686de7ba06b7f285337b335791f34b3b_goldeneye.exe

  • Size

    216KB

  • MD5

    686de7ba06b7f285337b335791f34b3b

  • SHA1

    4f5c1073312fa4c1dac1bdf8b4f731a8b0ce11fe

  • SHA256

    f11b75338d097edad2750a09fce07de2edd83f4528898742094ae90a6aecd7f8

  • SHA512

    a344b6a9a124ccf960a0961f6d44f6f9254759331ec51a3d768f891ade1452a5850470709c76c6d256046078bfd4cf893138e751785745d2d502bbad05e61d48

  • SSDEEP

    3072:jEGh0ofl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGJlEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-19_686de7ba06b7f285337b335791f34b3b_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-19_686de7ba06b7f285337b335791f34b3b_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Windows\{C45F0F64-9B76-4334-B416-04DD456DA63E}.exe
      C:\Windows\{C45F0F64-9B76-4334-B416-04DD456DA63E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\{512A2888-5824-4d84-90D3-35636C5C006D}.exe
        C:\Windows\{512A2888-5824-4d84-90D3-35636C5C006D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\{59CE549A-7AAD-4544-8CC6-F34CABDC19DB}.exe
          C:\Windows\{59CE549A-7AAD-4544-8CC6-F34CABDC19DB}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2476
          • C:\Windows\{CCAB43AF-B697-477b-B0CD-DB14EABFE231}.exe
            C:\Windows\{CCAB43AF-B697-477b-B0CD-DB14EABFE231}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2268
            • C:\Windows\{03E3DAE6-38C8-4d39-B9FC-1EA4B5ED53CB}.exe
              C:\Windows\{03E3DAE6-38C8-4d39-B9FC-1EA4B5ED53CB}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:680
              • C:\Windows\{581A9720-D877-4507-BFF8-5FD8D367290B}.exe
                C:\Windows\{581A9720-D877-4507-BFF8-5FD8D367290B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3452
                • C:\Windows\{A1DD5FC8-5563-41c8-9EC2-979B780615FA}.exe
                  C:\Windows\{A1DD5FC8-5563-41c8-9EC2-979B780615FA}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3684
                  • C:\Windows\{99A20264-AE82-4ea7-99A9-E76421945D64}.exe
                    C:\Windows\{99A20264-AE82-4ea7-99A9-E76421945D64}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4492
                    • C:\Windows\{6BD9F02B-4647-44ce-B84F-8AAED58D4DBF}.exe
                      C:\Windows\{6BD9F02B-4647-44ce-B84F-8AAED58D4DBF}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3060
                      • C:\Windows\{81852E2A-8732-4c24-97DD-90FFE3006748}.exe
                        C:\Windows\{81852E2A-8732-4c24-97DD-90FFE3006748}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4364
                        • C:\Windows\{D7656D2A-87D5-4a4a-9B27-25AA0493E2EA}.exe
                          C:\Windows\{D7656D2A-87D5-4a4a-9B27-25AA0493E2EA}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1172
                          • C:\Windows\{407A42C0-B9CF-4720-83EB-D86E5033120C}.exe
                            C:\Windows\{407A42C0-B9CF-4720-83EB-D86E5033120C}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4664
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D7656~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:5092
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{81852~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2200
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BD9F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:752
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{99A20~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2856
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A1DD5~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3248
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{581A9~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4664
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{03E3D~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1340
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CCAB4~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4348
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{59CE5~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4516
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{512A2~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3344
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C45F0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1400
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2316

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{03E3DAE6-38C8-4d39-B9FC-1EA4B5ED53CB}.exe

          Filesize

          216KB

          MD5

          81717b6e2a3a6b5bdfc727ded2c6be81

          SHA1

          0eac9546e3a913cf117b8a1688e105916d30ac7d

          SHA256

          0feea20b06e14e57e90d24507881561b254abdfbb86c4bd0b22ea08b84dbdf59

          SHA512

          0a5299996f592b065ff2302e0b802786203493a9fb2f505fef9fc688fce4c320f4e43298ec6b1661993f76016e140118a3dc418f13872407e08ae43db74eb90d

        • C:\Windows\{407A42C0-B9CF-4720-83EB-D86E5033120C}.exe

          Filesize

          216KB

          MD5

          f654182c1103ade72972f79aa0dcda7c

          SHA1

          40e694613a2cc6e5d8af4215e5e79754b0813615

          SHA256

          f2cd2830914856dd5accd1d2d2efbc104d0781be4c705493759f414264285f2a

          SHA512

          43f2a2fa95241b16f783b344f32905b74c1d23b7d1bf262021be81ff0d45ae6c0af609b9178312ccf2f7b57a5f8c5edb24450c4eed5c6a4c53ea3328aad35d75

        • C:\Windows\{512A2888-5824-4d84-90D3-35636C5C006D}.exe

          Filesize

          216KB

          MD5

          fe9742ee0480afbc1b57311ffd4e3c97

          SHA1

          ac288bc7c7e2bf6bd9aab54f2092ee667a5d924e

          SHA256

          84edc88e6c828ba7ee7322d1f9586f498905c80b9267d80d96b71159341a90cd

          SHA512

          f9c26566aca7b4f25edb9465f118006bc48833e0fc65ea647b8e8b2752c88c9ea3e6a48129a7e1cc8ebac301523bd43e78e7432b74ea0d2a7349724bd4063b2f

        • C:\Windows\{581A9720-D877-4507-BFF8-5FD8D367290B}.exe

          Filesize

          216KB

          MD5

          634be2427d135c8bb83f3bdd589fb87f

          SHA1

          92f1467cfb389948593879b4f957e32e455cb631

          SHA256

          2cbf16ed4c1bd58a16e4b93ca63f6ca3b68ead09834899d7976cf4f4892dbb7d

          SHA512

          dbd582f41a396d0391503f2ece3fcba787133d8886cedc9af5b44fa6fd51950d06c5a4ad552b9e3989616d37fd6e03a99fb4d38be05834c2c4779721c994dc1e

        • C:\Windows\{59CE549A-7AAD-4544-8CC6-F34CABDC19DB}.exe

          Filesize

          216KB

          MD5

          6a10ce6156b8aaec328d3b122797c79f

          SHA1

          ee59b5ba91536dd28d826beba3a738547e9fe156

          SHA256

          e606c2ab665c2afb739240cecb15a3b1ef06f74c0645faf1a4c2ee175f8b73a5

          SHA512

          80c465208452f3c1bff90699197ffcc61b0203b5c042b729a66e7a7edf0f39cb66131910893a89e4130fd38e9c29960cbf47edcd831f9eca1d97ed7a73872487

        • C:\Windows\{6BD9F02B-4647-44ce-B84F-8AAED58D4DBF}.exe

          Filesize

          216KB

          MD5

          e1af6996a697e34bdfc0be2f5754e507

          SHA1

          f3df4bc78e575f9ccb963adf2dfb5b030aabaeb2

          SHA256

          c7606bc7e2f6a3c436c93d65f56244951c335012c7eaaa1dc7258f3403038e18

          SHA512

          bfc0391f7c4d4423b8af696e1e56b11fab103f3fac5fabf553dc6f52a66ce0e1cf294478b77883e5f3ffd28342d7bebc8926ef78a1d1b3bebf9f29e8f2b1c698

        • C:\Windows\{81852E2A-8732-4c24-97DD-90FFE3006748}.exe

          Filesize

          216KB

          MD5

          5401f1fcc662c119f56cbc85228d50e2

          SHA1

          0931596f86df92ce6952927e307f85b91f4489b9

          SHA256

          bddeddbdd81e0e763fd319aba46bc9aa84b29ff8e072acf34579aa847d8b33cf

          SHA512

          f910923d211fbe54b439ca033e4b35eaeeb1b513489d0fe6978913d14f1acce31db4fae4bcf816eba79858dcf6440c5f6984623415198ac8deccc3f6a6e88859

        • C:\Windows\{99A20264-AE82-4ea7-99A9-E76421945D64}.exe

          Filesize

          216KB

          MD5

          39b312b65415a60d4b01fa005fcd1eac

          SHA1

          e16b6444cc7ca73a04c8fb674ae5df339ef1ef98

          SHA256

          fc0eefc427cefbd1e7b07645b3d95457d36559d901e8ee7126f32bcdd4ada5ca

          SHA512

          0244fada10d9ca0d4ad5e8feae636303118fb31ad8aaa1f5785931890ff1b34eecf19b69bd1dbecddbe805188fa754df37fea0592f8d508cb29747d3354f7c24

        • C:\Windows\{A1DD5FC8-5563-41c8-9EC2-979B780615FA}.exe

          Filesize

          216KB

          MD5

          560a93a309ce2142785320ff6ad5d5e6

          SHA1

          0537ed349d09c0c5ca9f43685a913f1bd6371475

          SHA256

          a61ffdc4294615023857274d3ed87c28e39db16abe1a21c42dbbeb3fb16323dc

          SHA512

          227d9b68594c42b3caabb68b3fad21fc152c51f0bcc85924efe211eb510f246ace1e0281027735ab98fa7c400dd43596eba1b7521a5db3918c4e1a7bfcde170f

        • C:\Windows\{C45F0F64-9B76-4334-B416-04DD456DA63E}.exe

          Filesize

          216KB

          MD5

          155cb04e8308642578a2eb92cee81cb0

          SHA1

          3f40a621f10b02598f121721ad0609ba35e2a52c

          SHA256

          e080f30bcec0ab0370dff5b4ec78b4cc8037c262feb967c22e9881999bb7a3d5

          SHA512

          634f5ee14a1ae4ed7cf5ed7b529675780bdb35649652b5c564e0ed42c8e45168f993df1b31d464ba3a46500861dbc0e64ebafabc5d6a0cec250d1b4b3d9ad5e4

        • C:\Windows\{CCAB43AF-B697-477b-B0CD-DB14EABFE231}.exe

          Filesize

          216KB

          MD5

          bd496fac5d4b510f5e4c9a85b63cb1f2

          SHA1

          44d40c2f2ee7b7a57505bb1d95ac46a4ce34b5ba

          SHA256

          23828e3ca2516128111694f500295d4e20498e67c5450b186752fe7640831b31

          SHA512

          8adf3adef6ee17c015447f5683f82fd6705e560292f3a00d18a54abfa08588d679ecb27c7bb7845e94c006efe2152925bf05ece16924702877797716786bb480

        • C:\Windows\{D7656D2A-87D5-4a4a-9B27-25AA0493E2EA}.exe

          Filesize

          216KB

          MD5

          4b6709b0277d0d62a7892b48fc94d6f8

          SHA1

          7eb97578c578ac58b6c48b78dd8d1a34fe666a52

          SHA256

          546feec4e6dde37e892d9bd69688252c42c5610c3b6f92beb7a0c52a3d3642e8

          SHA512

          152b50444b89fbe06edc2f0be382f96df99bae12e322efe27ee85bccdc42dbeeb20f5dbc94a0f0afe8a87293d1b97c446dfdc4af87d952c423c9d86d0d12ad6a