Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-08-2024 03:54

General

  • Target

    2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe

  • Size

    168KB

  • MD5

    f4139cdf8a72fed5c8cd9150986821eb

  • SHA1

    864d7506189aebfa391c662cd94329dfddb4beb9

  • SHA256

    dac4d3aca6d6100937052c0c38667b60bbec05f2d94edc9b54369851326bc8b0

  • SHA512

    9caadde6ba860c859b471fd768026d80dd8aef0859634ccc5b62fd89f854048b5d6c96d4897978960e5b9135b8acdd1904d978c6dcaa478af0a774cd21c46150

  • SSDEEP

    1536:1EGh0oJlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-26_f4139cdf8a72fed5c8cd9150986821eb_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\{42304C44-626E-49a6-A11B-6CCE58B84D63}.exe
      C:\Windows\{42304C44-626E-49a6-A11B-6CCE58B84D63}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Windows\{7AE75A68-8789-48f7-B4AC-3F4A73FDAFCB}.exe
        C:\Windows\{7AE75A68-8789-48f7-B4AC-3F4A73FDAFCB}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4112
        • C:\Windows\{4225B474-3417-4fb1-A36E-C38C9A08D8C9}.exe
          C:\Windows\{4225B474-3417-4fb1-A36E-C38C9A08D8C9}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2412
          • C:\Windows\{9E51EDB3-A0FB-4e26-8D36-C267AC72C967}.exe
            C:\Windows\{9E51EDB3-A0FB-4e26-8D36-C267AC72C967}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:532
            • C:\Windows\{D0AC4E1C-9B4B-4623-819D-0D6848EF7934}.exe
              C:\Windows\{D0AC4E1C-9B4B-4623-819D-0D6848EF7934}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4544
              • C:\Windows\{BB948308-3059-4a2b-8AF5-6260DAF1329B}.exe
                C:\Windows\{BB948308-3059-4a2b-8AF5-6260DAF1329B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4516
                • C:\Windows\{B8FB41CF-A091-4814-B44E-82B73A635CA3}.exe
                  C:\Windows\{B8FB41CF-A091-4814-B44E-82B73A635CA3}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1084
                  • C:\Windows\{17C0DFAE-607D-43a8-9C19-940A7EB8485E}.exe
                    C:\Windows\{17C0DFAE-607D-43a8-9C19-940A7EB8485E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3448
                    • C:\Windows\{B5D99E26-19BF-4841-8449-9532AC86541D}.exe
                      C:\Windows\{B5D99E26-19BF-4841-8449-9532AC86541D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3476
                      • C:\Windows\{6DF2FAC6-63DE-4732-82A2-F231ED21D71C}.exe
                        C:\Windows\{6DF2FAC6-63DE-4732-82A2-F231ED21D71C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5116
                        • C:\Windows\{2F1CB05B-5D20-4c26-8A03-DEF25BCAA61C}.exe
                          C:\Windows\{2F1CB05B-5D20-4c26-8A03-DEF25BCAA61C}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4544
                          • C:\Windows\{4F9E2363-61CB-42cc-8FE5-C3FA8F477F6F}.exe
                            C:\Windows\{4F9E2363-61CB-42cc-8FE5-C3FA8F477F6F}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4356
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2F1CB~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:384
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6DF2F~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:5004
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5D99~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1036
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{17C0D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1824
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B8FB4~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4112
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{BB948~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2436
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D0AC4~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2320
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9E51E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1824
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4225B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4468
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE75~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3792
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42304~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2044
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1416

Network

MITRE ATT&CK Enterprise v15


Downloads
