Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-08-2024 03:56

General

  • Target

    2024-08-23_7685007bba76daf9e6891684d23ae06e_goldeneye.exe

  • Size

    168KB

  • MD5

    7685007bba76daf9e6891684d23ae06e

  • SHA1

    a1c4be262384741d7c1cec07cea72b71dedec6c6

  • SHA256

    821ebf25974b09f1cb16010eab94fb62e9a4451d11c6824c0fa504f4b178d551

  • SHA512

    7663117f53f7642196b4320ed8ac22a99f9dded3ebb5ce3334af38d7a12bf0699148b6a3fdce195660d4c499abca3be50e2bee75d49bafd357febe55fd6f4262

  • SSDEEP

    1536:1EGh0o4lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o4lqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (T1547.014; 2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (T1614.001; 1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
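The Active Setup signature above fires on writes under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, where a StubPath value is run once per user at the next interactive logon. The report counts 24 registry IoCs but does not list them, so the excerpt below is a constructed `reg export` in which the benign entry, the {AD7CB56C-...} StubPath pointing at the dropped file of the same name, and the third entry are all assumed for illustration. The triage script is an added example, not the sandbox's own code: it parses the export and flags any StubPath whose executable is a GUID-named file directly under C:\Windows (the pattern of every stage in this chain) or sits outside System32/Program Files.

```python
import re

ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
# {GUID}.exe directly under the Windows directory, as every stage of this sample is named
GUID_EXE_IN_WINDOWS = re.compile(
    r"^[A-Z]:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed excerpt in 'reg export' format. The first subkey is a benign control entry,
# the second is assumed from the dropped-file name in the process tree (the report does not
# reproduce the actual key), the third is a made-up entry showing a quoted StubPath.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AD7CB56C-B613-42a4-8804-36F84D170C5A}]
"StubPath"="C:\\Windows\\{AD7CB56C-B613-42a4-8804-36F84D170C5A}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Roaming\\updater.exe\" /quiet"
"""


def parse_reg_export(text):
    """Minimal parser for 'reg export' output (REG_SZ values only).
    Returns {key_path: {value_name: data}} with reg-file escaping (\\\\ and \\") undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def stub_executable(stub_path):
    """Executable part of a StubPath command line; honours a quoted first token."""
    s = stub_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def triage_active_setup(text):
    """Return [(guid, executable, reason)] for suspicious Active Setup StubPath entries."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(ACTIVE_SETUP.lower() + "\\"):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue
        exe = stub_executable(stub)
        guid = key.rsplit("\\", 1)[-1]
        if GUID_EXE_IN_WINDOWS.match(exe):
            findings.append((guid, exe, "GUID-named executable directly under the Windows directory"))
        elif not exe.lower().startswith(TRUSTED_DIRS):
            findings.append((guid, exe, "StubPath outside System32/Program Files"))
    return findings


if __name__ == "__main__":
    for guid, exe, reason in triage_active_setup(REG_EXPORT):
        print(f"{guid}: {exe} ({reason})")
```

On a live host, export both the 64-bit key and its Wow6432Node view: the sample runs under WOW64 (the process tree shows C:\Windows\SysWOW64\cmd.exe for a command line naming system32), so its registry writes may land in the redirected 32-bit view. A StubPath only runs for a user whose HKCU\...\Installed Components\{GUID} is missing or carries a lower Version, so comparing HKLM against each user's HKCU tells you which accounts have already executed the stub.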

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-23_7685007bba76daf9e6891684d23ae06e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-23_7685007bba76daf9e6891684d23ae06e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\{AD7CB56C-B613-42a4-8804-36F84D170C5A}.exe
      C:\Windows\{AD7CB56C-B613-42a4-8804-36F84D170C5A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\{5F23C9D5-F141-4cff-A3F3-8AFDF62BB131}.exe
        C:\Windows\{5F23C9D5-F141-4cff-A3F3-8AFDF62BB131}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Windows\{95B76683-B0AD-47ad-BF77-2BD71864D798}.exe
          C:\Windows\{95B76683-B0AD-47ad-BF77-2BD71864D798}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3644
          • C:\Windows\{71BE7FD8-76CA-4862-9981-E21CA41E1D9F}.exe
            C:\Windows\{71BE7FD8-76CA-4862-9981-E21CA41E1D9F}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4428
            • C:\Windows\{304B532C-EDD1-4a5b-A5FD-09184F231B33}.exe
              C:\Windows\{304B532C-EDD1-4a5b-A5FD-09184F231B33}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2016
              • C:\Windows\{7DE69C43-F12F-4064-AC3C-4F231F60BA3E}.exe
                C:\Windows\{7DE69C43-F12F-4064-AC3C-4F231F60BA3E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1936
                • C:\Windows\{97ED3695-4000-4671-BFDE-EABDD8DA6187}.exe
                  C:\Windows\{97ED3695-4000-4671-BFDE-EABDD8DA6187}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4384
                  • C:\Windows\{D154B27F-21D0-4029-A236-D0F01FCCB1D0}.exe
                    C:\Windows\{D154B27F-21D0-4029-A236-D0F01FCCB1D0}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3412
                    • C:\Windows\{0B5366C9-C5ED-4ab5-BD45-1FBA93C17186}.exe
                      C:\Windows\{0B5366C9-C5ED-4ab5-BD45-1FBA93C17186}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1448
                      • C:\Windows\{42B954E7-FA73-4adf-A820-7262058277E0}.exe
                        C:\Windows\{42B954E7-FA73-4adf-A820-7262058277E0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:520
                        • C:\Windows\{77685A10-86D8-4659-8573-868D19AAA683}.exe
                          C:\Windows\{77685A10-86D8-4659-8573-868D19AAA683}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4724
                          • C:\Windows\{01AE50C4-B588-48c4-8F38-2D65C283458C}.exe
                            C:\Windows\{01AE50C4-B588-48c4-8F38-2D65C283458C}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2872
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{77685~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2864
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{42B95~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2680
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B536~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3868
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D154B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2084
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{97ED3~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3684
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7DE69~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2864
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{304B5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4068
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{71BE7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2760
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{95B76~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4588
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5F23C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD7CB~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4140
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4052
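The tree above is a twelve-link dropper chain: every stage writes a 168 KB {GUID}.exe directly into C:\Windows, launches it, and then spawns cmd.exe to delete its own image, referring to it by its 8.3 short name ({AD7CB~1.EXE for {AD7CB56C-...}.exe, 2024-0~1.EXE for the original sample). The image path C:\Windows\SysWOW64\cmd.exe against a command line naming system32 is WOW64 file-system redirection, confirming the sample is 32-bit. The detection below is an added example, not sandbox code: it runs over constructed process-creation events modelled on the first three stages, links GUID-named executables through their parent PIDs to measure chain depth, and matches each `del` target back to the parent's own image through the short-name alias, so a user deleting an unrelated file by short name (the control event) is not flagged.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-08-23_7685007bba76daf9e6891684d23ae06e_goldeneye.exe"

# Constructed events (pid, ppid, image, command line) modelled on the report's process tree;
# PIDs and paths are taken from the tree, the explorer parent and the last entry are assumed.
EVENTS = [
    (1000, 1,    r"C:\Windows\explorer.exe", "explorer.exe"),
    (5004, 1000, SAMPLE, f'"{SAMPLE}"'),
    (4716, 5004, r"C:\Windows\{AD7CB56C-B613-42a4-8804-36F84D170C5A}.exe",
                 r"C:\Windows\{AD7CB56C-B613-42a4-8804-36F84D170C5A}.exe"),
    (4052, 5004, r"C:\Windows\SysWOW64\cmd.exe",
                 r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (60,   4716, r"C:\Windows\{5F23C9D5-F141-4cff-A3F3-8AFDF62BB131}.exe",
                 r"C:\Windows\{5F23C9D5-F141-4cff-A3F3-8AFDF62BB131}.exe"),
    (4140, 4716, r"C:\Windows\SysWOW64\cmd.exe",
                 r"C:\Windows\system32\cmd.exe /c del C:\Windows\{AD7CB~1.EXE > nul"),
    (3644, 60,   r"C:\Windows\{95B76683-B0AD-47ad-BF77-2BD71864D798}.exe",
                 r"C:\Windows\{95B76683-B0AD-47ad-BF77-2BD71864D798}.exe"),
    (4512, 60,   r"C:\Windows\SysWOW64\cmd.exe",
                 r"C:\Windows\system32\cmd.exe /c del C:\Windows\{5F23C~1.EXE > nul"),
    # control: a shell under explorer deleting an unrelated file by short name
    (9000, 1000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Temp\build~1.log > nul"),
]

# {GUID}.exe directly under the Windows directory (not System32), the naming of every stage
GUID_EXE = re.compile(
    r"^[A-Z]:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I)
# cmd /c del <target> > nul, the self-deletion each stage performs after launching the next
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)
# 8.3 alias: up to six characters of the stem, a tilde and a number, up to three-char extension
SHORT_NAME = re.compile(r"^(?P<stem>[^~.]{1,6})~\d+\.(?P<ext>[^.]{1,3})$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_short_alias(long_name, short_name):
    """Approximate 8.3 check: alias stem is a prefix of the long stem and extensions agree.
    (Real 8.3 generation also strips spaces and extra dots; enough for the names seen here.)"""
    m = SHORT_NAME.match(short_name)
    if not m:
        return False
    long_stem, _, long_ext = long_name.rpartition(".")
    return (long_stem.upper().startswith(m["stem"].upper())
            and long_ext.upper() == m["ext"].upper())


def stage_chain(events):
    """Depth of the longest run of GUID-named stages, each spawned by the previous one,
    plus the list of stage file names in event order."""
    by_pid = {e[0]: e for e in events}

    def depth(e):
        d = 0
        while e is not None and GUID_EXE.match(e[2]):
            d += 1
            e = by_pid.get(e[1])
        return d

    stages = [e for e in events if GUID_EXE.match(e[2])]
    return max((depth(e) for e in stages), default=0), [basename(e[2]) for e in stages]


def self_deletions(events):
    """(parent pid, parent image) for cmd.exe children whose del target is the parent's own image."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if basename(image).lower() != "cmd.exe":
            continue
        m = DEL_CMD.search(cmdline)
        parent = by_pid.get(ppid)
        if m and parent and is_short_alias(basename(parent[2]), basename(m["target"])):
            hits.append((parent[0], basename(parent[2])))
    return hits


def verdict(events):
    depth, stages = stage_chain(events)
    deletes = self_deletions(events)
    return {"stages": depth, "dropped": stages,
            "self_deleting_pids": [p for p, _ in deletes],
            "flag": depth >= 2 and len(deletes) >= 1}


if __name__ == "__main__":
    print(verdict(EVENTS))
```

Two details matter for a production rule: match on the process image rather than the command line for cmd.exe (the WOW64 image is under SysWOW64 even though the command line says system32), and resolve the `del` target to the parent's image rather than alerting on `cmd /c del ... > nul` alone, which is also a common pattern in legitimate installers. The Downloads section shows why hashes are a poor IoC for this family: every dropped stage is 168 KB yet each has a different MD5/SHA256, so the GUID-in-C:\Windows naming and the self-deletion behaviour are the stable indicators.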

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{01AE50C4-B588-48c4-8F38-2D65C283458C}.exe

    Filesize

    168KB

    MD5

    e24ce879fc2972b290959de2a1de9310

    SHA1

    e5f94b3a72e9c63ac2cc35d893770aa7b7fe927c

    SHA256

    1dd23938e71b5529e5ad398ef6868c98b69ab12ef1474871fb4abc614051f4ae

    SHA512

    4a6d5567df5f5c4d40b76a8281f72bf6093badaa29f5c22b6e128adea8397c221772cb8cc55d85dff81d4313516b92f6455ba3f66627db95a178a09997ff9adc

  • C:\Windows\{0B5366C9-C5ED-4ab5-BD45-1FBA93C17186}.exe

    Filesize

    168KB

    MD5

    53d3b8d0ce2b02373aeaad70fc75c140

    SHA1

    c2c14c2c215b37d365516a188771b4bb74c192a7

    SHA256

    cb04cf4cea0aaa8bbb86c27584cd2733e09e9e365913605303814e4e0b34c14e

    SHA512

    1e20a0abff04032bfcd4815fb950aa5b5ac648e3deec5853953be0285fcc2635b324db8d3c1b6ed869083204759d62768dfc1e8379b5f27788b90796ece520db

  • C:\Windows\{304B532C-EDD1-4a5b-A5FD-09184F231B33}.exe

    Filesize

    168KB

    MD5

    1f2377ac43a3aa9547f0adcbd670806b

    SHA1

    2ba463b9f1c91d3039bb58775ae81729e9785f81

    SHA256

    3284cf05ad96d3809ff7edee15d0d3d1ff6d5b1aeb42375d3ff7a91ee0437c0b

    SHA512

    40313687879042b002a8c407bfe0b0a797321f07b0054cbb3b5a81d816c345dceb7e4a4018b99bdd22259aa715c00d70d61c77fbd9f8da8ab8fcf15cc959cf09

  • C:\Windows\{42B954E7-FA73-4adf-A820-7262058277E0}.exe

    Filesize

    168KB

    MD5

    a167711307b1dc32b496d1eb9a18a641

    SHA1

    5490bc9483054e0296904d11c8c6bf5fd0dc28e1

    SHA256

    93900a74f9510ac016b73d2fe98150abd3a106ca6cb1885e1c10dbbf5b7dd17e

    SHA512

    1d5fcb96d31d19923d25f57021104c614629264138685c3920edb6643e8853054162dc68f712fb58f5a4ec7123f0f60e7d5d5046c4088f0c52a498abc9faa796

  • C:\Windows\{5F23C9D5-F141-4cff-A3F3-8AFDF62BB131}.exe

    Filesize

    168KB

    MD5

    128ac51345370a90bfab0531aecd1dfe

    SHA1

    76061242bfc1f0ca08fed664b67bab2c507fb28f

    SHA256

    53fba2852cd4f845529561b250164cf4fb50ed674dcfda49e1381212d3863758

    SHA512

    59d6a9ca3886774713122b8add041eeb2895610572db92656e19dd7030957d8b2b5d27811998a0d79bb1cec04e605df66cf6e99e3e8316ac6a8e6a7fb9bded3b

  • C:\Windows\{71BE7FD8-76CA-4862-9981-E21CA41E1D9F}.exe

    Filesize

    168KB

    MD5

    db12af4c56b33ecbc65cdf81d8afb800

    SHA1

    5e57fef92112a3bc91fab6d236076d62cfb0f48e

    SHA256

    27280c10784f6ace66c26c5de78250b59ba25b41e04afe6bd12f85cc48037665

    SHA512

    81b413a5e832a4c51718142509ad2bbb6d5dd6cc441e31e756638fb17c664cb729c1fda373332b9218c73c41cb8db278e415a12ca8301cac51cb17bb12e1b6a0

  • C:\Windows\{77685A10-86D8-4659-8573-868D19AAA683}.exe

    Filesize

    168KB

    MD5

    c15504660522fa5c4ccbfb44d3ec726c

    SHA1

    3e9832ab6fa9a2fa87552fa4d2507db4062b99d8

    SHA256

    41b7af1bfb7994d60f6ab4d455cd69e08cf7c5df06816528a7b3a1898e2d5784

    SHA512

    320067d04d103011743da024ed3e3c5d059b966bfc15afe8324f712ef74b252ab178f17830f5c4cbb1c14cc257d55bbfec8be240e63745c8507ce9261fd5c552

  • C:\Windows\{7DE69C43-F12F-4064-AC3C-4F231F60BA3E}.exe

    Filesize

    168KB

    MD5

    6fb91e2f2a1567133b59b6153f5277f7

    SHA1

    3f320bb2003fa44edcee7d984f134c993c1feed8

    SHA256

    926404709d2cd338e57817fd052cc2c1823fe404c0e5bdb2cb42a75e3abf532b

    SHA512

    5923230c191800c2d3d4d5504c5c3a9eb15e1a0e08c760fc72fe727bb222afdd91f55668faeb91b3341a6e9ee5d45380d9b3f1d4a442181d5fa337d167891714

  • C:\Windows\{95B76683-B0AD-47ad-BF77-2BD71864D798}.exe

    Filesize

    168KB

    MD5

    4ff693c9a22d4de5ae51109f6e9636f9

    SHA1

    39ef0d395242ed3061e7eb90fb11c35dc62af4f1

    SHA256

    a5a983cb862af17c70c304a3381ed66177a8ec96ad254a9c09ce583ff86ed946

    SHA512

    3a4adca4b552cfd3df3d76b6352b2195bc065a4dcaeebd2c3e93f35841c917da7daa33c23de730ef105ae15e1305241ee503fe748ced3496300c965ae8b2cc88

  • C:\Windows\{97ED3695-4000-4671-BFDE-EABDD8DA6187}.exe

    Filesize

    168KB

    MD5

    b29d1a7eb308e3d2388eb5d6dafc7f92

    SHA1

    9de1220aad77e3f9c2e11f1ed203b592722953f7

    SHA256

    43d5f98470409a7e0aff602c88bb7f4bc417e006fdffa3e651b69bf33140bf28

    SHA512

    43d33b80b0dbe3d13572a5b19ac5601059d348088c63676282d8ab1601aeda33cd6da4050f390b1333f0cc678681863d00d57af2370c1a4da84c193a053d179d

  • C:\Windows\{AD7CB56C-B613-42a4-8804-36F84D170C5A}.exe

    Filesize

    168KB

    MD5

    901610f1125ee1b7d7a85e2b71d2fd24

    SHA1

    60e651ded5ce49a4902ddb8c6631e8e180ab2b65

    SHA256

    2bddb9e5a8186987259af80178402f72356c5a672738435843569d7a074aa1b7

    SHA512

    177482189ba4768599c466e4d34a602078ee5212ace53d2afdbaf05fc983afabed414ba6c2b07e757944b762843a99c475e4bbfe8094e4bea5258b007ee20f53

  • C:\Windows\{D154B27F-21D0-4029-A236-D0F01FCCB1D0}.exe

    Filesize

    168KB

    MD5

    61eb605a6ed3ba0968fed0973e8fd4ca

    SHA1

    ea58bf23f257424a02c9e24fe9228a60ba71d1ee

    SHA256

    99b70ccfa68b3465236a88be9eab3953931fbce887fccc46a34536d6788ec149

    SHA512

    1752e35c4f69685fc3a92ba08f8e3878d7ecc8d774640766a871cc05315317ab067deee0961203854a16e8e4c8478ea07551deef6b23820dea446da5a6e3acb2