Analysis

  • max time kernel
    149s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/08/2024, 08:34

General

  • Target

    2024-08-20_4005bcab09fe0d66f76838fc25cee882_goldeneye.exe

  • Size

    168KB

  • MD5

    4005bcab09fe0d66f76838fc25cee882

  • SHA1

    2ddf80aa25b23fc1043aea9319bb0f7464a1f72b

  • SHA256

    27018efa95597baa70fc9ec146b6cf86194c2a67cd7a76cfdd97710cc92c896b

  • SHA512

    bc9712bcb496940d4c8773313143348dfd762e6c1d576b2a1422262ee2103bf7aad666e518e3237d6163a5df918b09d49a373b92922f9225074c47fe225cbd6b

  • SSDEEP

    1536:1EGh0o6lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o6lqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-20_4005bcab09fe0d66f76838fc25cee882_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-20_4005bcab09fe0d66f76838fc25cee882_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Windows\{02E86292-E4CC-490b-94A1-1819DC3879B6}.exe
      C:\Windows\{02E86292-E4CC-490b-94A1-1819DC3879B6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Windows\{4F234400-3231-4a75-9D4D-9D0D703AFD8A}.exe
        C:\Windows\{4F234400-3231-4a75-9D4D-9D0D703AFD8A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Windows\{FC5C50BC-FB92-4ff4-B5F6-664798EB12FE}.exe
          C:\Windows\{FC5C50BC-FB92-4ff4-B5F6-664798EB12FE}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\Windows\{D0D2810A-AE03-4ba6-927A-845A9EE3FD6B}.exe
            C:\Windows\{D0D2810A-AE03-4ba6-927A-845A9EE3FD6B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2872
            • C:\Windows\{F22B7E42-98F0-437a-9256-9582760186C4}.exe
              C:\Windows\{F22B7E42-98F0-437a-9256-9582760186C4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2428
              • C:\Windows\{A12CA7B0-B3FA-4d3f-A99D-D01A5ADDC7D1}.exe
                C:\Windows\{A12CA7B0-B3FA-4d3f-A99D-D01A5ADDC7D1}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1720
                • C:\Windows\{87FA49E5-C0D2-44c0-B625-38E8718306A3}.exe
                  C:\Windows\{87FA49E5-C0D2-44c0-B625-38E8718306A3}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4484
                  • C:\Windows\{5239E264-F2C3-4e07-AC92-43AD3C5F2866}.exe
                    C:\Windows\{5239E264-F2C3-4e07-AC92-43AD3C5F2866}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3960
                    • C:\Windows\{5963C522-C20A-426f-BE38-2026F410A15E}.exe
                      C:\Windows\{5963C522-C20A-426f-BE38-2026F410A15E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3068
                      • C:\Windows\{854E7A3F-7537-4914-9E89-1FB81BF66EB0}.exe
                        C:\Windows\{854E7A3F-7537-4914-9E89-1FB81BF66EB0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5012
                        • C:\Windows\{03203714-6A88-4ade-87BE-B92237CB4253}.exe
                          C:\Windows\{03203714-6A88-4ade-87BE-B92237CB4253}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3184
                          • C:\Windows\{5DF1A1AA-1648-4591-AB70-40E72CAD212D}.exe
                            C:\Windows\{5DF1A1AA-1648-4591-AB70-40E72CAD212D}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4964
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{03203~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4396
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{854E7~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1584
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5963C~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4608
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5239E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2836
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{87FA4~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3352
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A12CA~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2552
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F22B7~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1428
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D0D28~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:408
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{FC5C5~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4F234~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1340
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02E86~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2612
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3644

Network

MITRE ATT&CK Enterprise v15

Downloads
