Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2024, 14:47

General

  • Target

    2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe

  • Size

    380KB

  • MD5

    6695bd046ca147122eb8d3f93d7adc91

  • SHA1

    37a27964a0bb273d554ceeb2b249c3754b565d3d

  • SHA256

    78e801372f856070a4e7921f0e1028a2880f917c2a174c0208c8d58b0982a41d

  • SHA512

    bbfbd242a8a12adc940f14d83a98c376b64d50fe4fee638eaba8dab776e3186a2d12a916e6710d65b8c7f9e9ded4af18ae03c8dd3b2ac60d37dd362cc403b66c

  • SSDEEP

    3072:mEGh0oI8lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEGbl7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-24_6695bd046ca147122eb8d3f93d7adc91_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Windows\{9547C278-3F34-43af-8488-F2DC085559C6}.exe
      C:\Windows\{9547C278-3F34-43af-8488-F2DC085559C6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\{17CCA477-AFD4-4131-9F6A-DB54F719343B}.exe
        C:\Windows\{17CCA477-AFD4-4131-9F6A-DB54F719343B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Windows\{5FD698FC-A2B1-4d72-97A0-CC37919446E5}.exe
          C:\Windows\{5FD698FC-A2B1-4d72-97A0-CC37919446E5}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4852
          • C:\Windows\{1F1852A2-71A5-49f0-B7A6-ADE59E7E9F60}.exe
            C:\Windows\{1F1852A2-71A5-49f0-B7A6-ADE59E7E9F60}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:828
            • C:\Windows\{5FF38B86-84A3-405e-A869-64A69B0CE89B}.exe
              C:\Windows\{5FF38B86-84A3-405e-A869-64A69B0CE89B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2484
              • C:\Windows\{F3334F6B-031D-4106-B8C1-EA47544CE6A4}.exe
                C:\Windows\{F3334F6B-031D-4106-B8C1-EA47544CE6A4}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2960
                • C:\Windows\{18218AFE-1367-4725-93F7-CDED55EEF5A9}.exe
                  C:\Windows\{18218AFE-1367-4725-93F7-CDED55EEF5A9}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2780
                  • C:\Windows\{EDB546F8-9854-4e2b-A121-96D3817FBFC5}.exe
                    C:\Windows\{EDB546F8-9854-4e2b-A121-96D3817FBFC5}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3964
                    • C:\Windows\{FFA7EE4C-9440-4484-B57E-8716EB183E97}.exe
                      C:\Windows\{FFA7EE4C-9440-4484-B57E-8716EB183E97}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2732
                      • C:\Windows\{70A6EF6D-3CD8-48df-991A-4F1DE3C722D6}.exe
                        C:\Windows\{70A6EF6D-3CD8-48df-991A-4F1DE3C722D6}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4248
                        • C:\Windows\{A7596C87-1A39-424f-B628-E06A99B6B363}.exe
                          C:\Windows\{A7596C87-1A39-424f-B628-E06A99B6B363}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4932
                          • C:\Windows\{4DD1F78E-0642-4edc-9AA8-15F5C4766F92}.exe
                            C:\Windows\{4DD1F78E-0642-4edc-9AA8-15F5C4766F92}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3724
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A7596~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2648
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{70A6E~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1300
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFA7E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2236
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EDB54~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4120
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{18218~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4256
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F3334~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2232
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF38~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:224
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1F185~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4420
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5FD69~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4072
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{17CCA~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4856
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9547C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3952
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{17CCA477-AFD4-4131-9F6A-DB54F719343B}.exe

    Filesize

    380KB

    MD5

    a0a52669dcd0eb3fa6695cd9b308b4b5

    SHA1

    8a96085a29f93c2da9c3a49f7d40ba2d88850e54

    SHA256

    e39c148941c3f95a947b8aca0f5df28507dc556ee6594d1ea5e749e90b2eee4c

    SHA512

    6cc3eb0ad5b7f3de133bc90e7bb9c7801b0114dd995eb6eebef6ab7971d5d514d482c437746a49c3ff108819127034ed85eac02475852e877c151e97a7233dca

  • C:\Windows\{18218AFE-1367-4725-93F7-CDED55EEF5A9}.exe

    Filesize

    380KB

    MD5

    cf31dc6ff2c3c3fd206ab8527ad75e21

    SHA1

    70af620a5f479ef6e78900a618aa376dc515f719

    SHA256

    d8634033c48220fcee2173abce0c80bce4e6590de3ec9336aef38a5419cb3d8f

    SHA512

    32f23c0149049bd6420e35739bed7d63b969ffc3d044739d3fbbe70d35cb6eaa00fe870434ee5917770972c3760391f50a5d96c501a8aaa2357844bcd65800d4

  • C:\Windows\{1F1852A2-71A5-49f0-B7A6-ADE59E7E9F60}.exe

    Filesize

    380KB

    MD5

    0317c93329ec4f46410d9135c09a1f88

    SHA1

    2bc76498ff862182bc60c2bd362783725f335274

    SHA256

    988fcb4e48e7d88f1e56e8c88622c21faac9cccf94d3b7152950bb1b01d43ee7

    SHA512

    943d7b54deef525434c77a1e826305042dc5241817cb38bb2c99b1f33ac4986f7f62413cded0450af7f5248af4d924cf4cac91de0b20d7fee88c558a6cb839fe

  • C:\Windows\{4DD1F78E-0642-4edc-9AA8-15F5C4766F92}.exe

    Filesize

    380KB

    MD5

    fd9c744c4b3eb3197275d849c40e6b60

    SHA1

    cb272b760cb498eeca5f1ec2c1e9b66287663013

    SHA256

    ac8bfe4e453bd43d2c29b338181f8553d2b566ac8a570de5889db56f859e9329

    SHA512

    5ebc07201131e6afb6282da84c8c6d15fcae78f8d06332be643a08111388e27c7015cdd30a315871de89440459639120fc05f1d25ad290bdc088dfb7922cc95b

  • C:\Windows\{5FD698FC-A2B1-4d72-97A0-CC37919446E5}.exe

    Filesize

    380KB

    MD5

    f1cb354942205f0fbe9282972e08c4f6

    SHA1

    7a29ae63bd18f4b660a7be1c790e67bf87e80f28

    SHA256

    345a88ab3be4b0cc3ae0a5f3460ecd3a01fe85ccf624ead20c9d13a973db31f0

    SHA512

    7371b84dc670dbd868603854c0c144f994fce5ca3e8d6d9a9ad70c4ed591bddfc5705007edf42b8da3783cac707646db8906125fc76265ed49d3c2e50a5f6732

  • C:\Windows\{5FF38B86-84A3-405e-A869-64A69B0CE89B}.exe

    Filesize

    380KB

    MD5

    192e174abb83e0107fc9a5de68b62277

    SHA1

    09229ce0c5bf55c57c9754492444a634cdd2d887

    SHA256

    c55634174f375462141a53d38b32e53bfbef1bb75e6854881661727f01d8e681

    SHA512

    ed4f14468994bceacaaf380a547423e51247ac74d1442e938ab1f58eae877e21cba276464ccb8a3685db73559469ca7e62516617f2a7ce87e6564af63f9b6ea8

  • C:\Windows\{70A6EF6D-3CD8-48df-991A-4F1DE3C722D6}.exe

    Filesize

    380KB

    MD5

    46e930dfe0ffed1aad19dd8b68a28fad

    SHA1

    098d2e68e8721f8a3918600ef574b31313bb93ff

    SHA256

    360b28f3ced747bba6a230976335671fe608e0ca2444578f78f7b84fe86be927

    SHA512

    da4ee809fd0fed5b1562f12e3446bfd0c460172691d51a82dabfdd8fb785590d037517cce0d040efb119adae069d53ef4f2aa1fd89f50249c6825f893157fe49

  • C:\Windows\{9547C278-3F34-43af-8488-F2DC085559C6}.exe

    Filesize

    380KB

    MD5

    3c8c47b29fa42bb4b4912a5e15e36ff2

    SHA1

    c88c2a86ffe0f552c74d807e115eb0bec47d0f5e

    SHA256

    7ac2e5d6fb19ba7cfca67423de6974eb608a4f40689a1300a7ccac3895ffa7bd

    SHA512

    1df1b3ceee894005e272f584b49dbd5e5b05a8021442ca3aa1a03b69b78baa43b0c3f8b4c52b81a6706afc5db0b7bae288ad96b2a7c85fcf86cb06ede84b7114

  • C:\Windows\{A7596C87-1A39-424f-B628-E06A99B6B363}.exe

    Filesize

    380KB

    MD5

    179e0141ea9bffe4007554c237e3cb87

    SHA1

    6b7a363119690da14c1b6f44c121f281020b212a

    SHA256

    4124c910456cf0afcec9b25893dca195cc2dee3ba1748897813a79f119e3045c

    SHA512

    f48c1665d7634a4dbf0a7cd7e71afdfbcabc320f0a62417ba56296762a319b3aa7369f2dae368f15e5453c18de8045591906eaa95816e531ad3b95288c76502c

  • C:\Windows\{EDB546F8-9854-4e2b-A121-96D3817FBFC5}.exe

    Filesize

    380KB

    MD5

    25b2f530f66ae199c77a067f9f54b0d7

    SHA1

    0b18c5635ad20170def9cd4a1022c686514d6e1a

    SHA256

    5fac48c05fa8c9b640c1b896da454c880a4fc3632bfad56e1fb190e6ea820784

    SHA512

    2f5871ffac6037092a6a8ea7154320895b427146eb7b89b422d9b7af8be3e4d7680c0afbcc70df4332c59b710f37e98b06575c3b50e5fa31a373cd43fc3a6907

  • C:\Windows\{F3334F6B-031D-4106-B8C1-EA47544CE6A4}.exe

    Filesize

    380KB

    MD5

    ca9a00a538669715b4130606f52bf8e7

    SHA1

    e0ff0a7197307a8a037eff55f87bb10a496d8674

    SHA256

    2aef32b2c7906828d9478ea8f74005f27eb08e558d6d2fe1cc256123e1ddb1bd

    SHA512

    6d60cf9f5c4e18691438c90b31f8154e180df996f929781d65058b5759f9a3204176c9e5ccc0ec773f15d15224a82de7941866b0d6690e059a86867e0072c8c1

  • C:\Windows\{FFA7EE4C-9440-4484-B57E-8716EB183E97}.exe

    Filesize

    380KB

    MD5

    87db74346ceeee5fc7579249f3f6a01b

    SHA1

    3aa2dc4a9cc26a60780543022f6501a2a8a309c5

    SHA256

    352e45d8ce174f667e3b0dd9293d428a24d0469e92cc052c9027355cab8ee3b8

    SHA512

    f0cf586f7d9fa731a2ca50b6b1737f22e0aa0fa3a22848b2a4a5ea7bd5a4dce617d98671d2848987f558621bb8561f4666fa1fd97b91f6e13d913db14cea6911