Analysis

  • max time kernel
    149s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2024, 07:44

General

  • Target

    2024-08-24_fea30277256688ebef83ab9eba939fa9_goldeneye.exe

  • Size

    192KB

  • MD5

    fea30277256688ebef83ab9eba939fa9

  • SHA1

    24ff0abd21fea01e5299f1311b652a836def94f6

  • SHA256

    2645168462e76958d6fcf639fa0def8a57b40f99f756efee902e734e5ffc402e

  • SHA512

    0a0e473471423d0b0f023b71428fd27848aa8eb78502356a19247e3d58254ab87adc236e194c6b317536a84f59902be35d7a7c481e6e7ee4140dde65e34f00da

  • SSDEEP

    1536:1EGh0oOl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oOl1OPOe2MUVg3Ve+rXfMUa

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-24_fea30277256688ebef83ab9eba939fa9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-24_fea30277256688ebef83ab9eba939fa9_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Windows\{A2E49C86-156F-4693-A9C3-AC3E18ED6929}.exe
      C:\Windows\{A2E49C86-156F-4693-A9C3-AC3E18ED6929}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\{C14EAEA1-6ADA-468e-94CD-E059BE54AD01}.exe
        C:\Windows\{C14EAEA1-6ADA-468e-94CD-E059BE54AD01}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2144
        • C:\Windows\{19061314-6626-4ea3-86A5-43A2C4C167EB}.exe
          C:\Windows\{19061314-6626-4ea3-86A5-43A2C4C167EB}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4512
          • C:\Windows\{91BA0471-66D5-439d-AB7B-EA1973AFF4AA}.exe
            C:\Windows\{91BA0471-66D5-439d-AB7B-EA1973AFF4AA}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4036
            • C:\Windows\{133951F9-AA6A-468a-AF6E-13D0EF988FD4}.exe
              C:\Windows\{133951F9-AA6A-468a-AF6E-13D0EF988FD4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:724
              • C:\Windows\{D143D800-E726-45a2-9C02-C85C16211BB6}.exe
                C:\Windows\{D143D800-E726-45a2-9C02-C85C16211BB6}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5096
                • C:\Windows\{1327DE10-F67C-415c-9B05-7D9E364D37B0}.exe
                  C:\Windows\{1327DE10-F67C-415c-9B05-7D9E364D37B0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4192
                  • C:\Windows\{3E8FBDA1-1342-4436-9CDC-495A6FD71594}.exe
                    C:\Windows\{3E8FBDA1-1342-4436-9CDC-495A6FD71594}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1100
                    • C:\Windows\{BD0195E3-E418-4272-8F37-E85669F3A5AD}.exe
                      C:\Windows\{BD0195E3-E418-4272-8F37-E85669F3A5AD}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4548
                      • C:\Windows\{EB7AD502-72DA-4190-B1ED-2252F7FDAB4B}.exe
                        C:\Windows\{EB7AD502-72DA-4190-B1ED-2252F7FDAB4B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2132
                        • C:\Windows\{86555CF6-90C9-46e0-9B8D-5C16AFAB0CD6}.exe
                          C:\Windows\{86555CF6-90C9-46e0-9B8D-5C16AFAB0CD6}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3628
                          • C:\Windows\{218CA6D0-BC2B-40d9-87E0-22FACDAF221E}.exe
                            C:\Windows\{218CA6D0-BC2B-40d9-87E0-22FACDAF221E}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4612
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{86555~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1324
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EB7AD~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2300
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD019~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:764
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3E8FB~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2860
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{1327D~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3060
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D143D~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4784
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{13395~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1524
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{91BA0~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3576
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{19061~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4364
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C14EA~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2E49~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:64
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1496

MITRE ATT&CK Enterprise v15

Downloads
