Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-09-2024 09:50

General

  • Target

    2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe

  • Size

    197KB

  • MD5

    1ff6f3cb42e242825ee5e576cad00e83

  • SHA1

    365a3d93345f7dd26896d679a7f48c1d776eb70a

  • SHA256

    76cdbc2503f69e94042422c7b02ffe3de39f956689102aaa1caf019167242456

  • SHA512

    f1b7b912d145dfb1cb7d043651fb49407cb45b52831bf8e448ecb564d5565961ef6b940a77d272ffe3572fb1c50c5a072889ed458e087b0cf59e97110d92bcb6

  • SSDEEP

    3072:jEGh0o9l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGzlEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-01_1ff6f3cb42e242825ee5e576cad00e83_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\{2312D659-70DE-4c88-93B3-87C8F4EA79DC}.exe
      C:\Windows\{2312D659-70DE-4c88-93B3-87C8F4EA79DC}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\{81A5B4BE-2E25-4b71-BF1A-579CCA7D9743}.exe
        C:\Windows\{81A5B4BE-2E25-4b71-BF1A-579CCA7D9743}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Windows\{A6C783AB-F911-4cb4-AD69-4F6F7FD21586}.exe
          C:\Windows\{A6C783AB-F911-4cb4-AD69-4F6F7FD21586}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3584
          • C:\Windows\{2B4E42CC-BF77-4025-B3C0-381689AB34AF}.exe
            C:\Windows\{2B4E42CC-BF77-4025-B3C0-381689AB34AF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2832
            • C:\Windows\{994574AC-BCED-40ab-9318-26599BE18C0E}.exe
              C:\Windows\{994574AC-BCED-40ab-9318-26599BE18C0E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2328
              • C:\Windows\{03E185F8-2915-46d7-9BC3-9E2F71C765E3}.exe
                C:\Windows\{03E185F8-2915-46d7-9BC3-9E2F71C765E3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2508
                • C:\Windows\{8FC1B540-C196-41c8-BE90-4A51419ECA77}.exe
                  C:\Windows\{8FC1B540-C196-41c8-BE90-4A51419ECA77}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3220
                  • C:\Windows\{7EE657F9-A8B9-4d6f-89D0-532172920886}.exe
                    C:\Windows\{7EE657F9-A8B9-4d6f-89D0-532172920886}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2064
                    • C:\Windows\{601F883C-08C5-4877-803C-571B8D2EABBF}.exe
                      C:\Windows\{601F883C-08C5-4877-803C-571B8D2EABBF}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1256
                      • C:\Windows\{B462A280-BDBA-4df1-A96B-8CC3618A77E9}.exe
                        C:\Windows\{B462A280-BDBA-4df1-A96B-8CC3618A77E9}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1916
                        • C:\Windows\{99DB3DBE-F0B4-4f4e-816B-170CA3C49484}.exe
                          C:\Windows\{99DB3DBE-F0B4-4f4e-816B-170CA3C49484}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3452
                          • C:\Windows\{8AF12373-A7B7-4c89-814F-69B79C2AA823}.exe
                            C:\Windows\{8AF12373-A7B7-4c89-814F-69B79C2AA823}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3104
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{99DB3~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4276
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B462A~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1884
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{601F8~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3936
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7EE65~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4596
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8FC1B~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1224
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{03E18~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3340
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{99457~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4696
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2B4E4~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4972
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A6C78~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{81A5B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4768
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2312D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1576
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4516

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{03E185F8-2915-46d7-9BC3-9E2F71C765E3}.exe

    Filesize

    197KB

    MD5

    f7ba0143bd331cfd4e4edccf1a2aab4b

    SHA1

    aca44385b2e7b538d80ba95d113f755704d9d7bf

    SHA256

    721b7209cfc0c62e62eb57d382d1654cdf73ff9522e1f0f86b987e9b67eaa64b

    SHA512

    c74873e900d22cd3ae424de7c560684c4826ebd231673c487f902bfb8d6944e6d5be8b59d518155483e3125be74927b75d9968d69ef7a3e0a17baeb3b9758256

  • C:\Windows\{2312D659-70DE-4c88-93B3-87C8F4EA79DC}.exe

    Filesize

    197KB

    MD5

    befacc2ac538bde553242a1e242b7c94

    SHA1

    e412727c6c4d2d61a5837bca40f902d34b0f3853

    SHA256

    37375443bc7547299262b65a33460dd30542fdd370ed34233703624108ed46b3

    SHA512

    b940cae662deae16b221803ba50b91a3aa5b263f1cc784b336e0237e1d371d9cad0fe8b0aa09be44ba40ff0512da677e0417a991c379756665291ca5319453c4

  • C:\Windows\{2B4E42CC-BF77-4025-B3C0-381689AB34AF}.exe

    Filesize

    197KB

    MD5

    51b553f5a86f3dcd07dfad2831a9f3b2

    SHA1

    fb6d976350a6a28701223f88b4c53faa413ac031

    SHA256

    c3ea3511eda49b5a5bfa69c6fe23d7fc268110044dd693c8368d0bde0b64efb0

    SHA512

    8f6e9d9a47700b73421675608f25dd34f7f6b3ca4b6bbde3b028a52e35294fb46de4e22e0c756868509cb3e529107e27081017b48ddd6d7dfa13d2d844bfebda

  • C:\Windows\{601F883C-08C5-4877-803C-571B8D2EABBF}.exe

    Filesize

    197KB

    MD5

    525f0691ced8247ff77036004e74d220

    SHA1

    dc2fd0a32f15441409ab2ccbdb27175f3455d125

    SHA256

    7d5a5fcda7a81504612828840d5490235615bed607460f190ee03cb42a6173be

    SHA512

    e878d6668068f75e8c641b33b7b7c24047df808d0d21b898b316923b36853b6be30e280e01c5cd5b5e5479d9d7ec4d212413fbc3a520f866fa59b094e01454a9

  • C:\Windows\{7EE657F9-A8B9-4d6f-89D0-532172920886}.exe

    Filesize

    197KB

    MD5

    a7ec6f5d0669645e1e5fb2b4884d8dde

    SHA1

    d130a01c4b76e3cf0d13cb58b6b39739d5347efe

    SHA256

    ec4648829f022af9fe1859c96dcb62793a2a161992774cf2a44c2d72daa45797

    SHA512

    489dc013d1322eb6859876336d4abf2a80c5d4042086cec3c47b6dee3f6e0b43bb69f7d192255dd3fa44efaae488a909d3e70bdfe5df6795f09021322cb8a3cd

  • C:\Windows\{81A5B4BE-2E25-4b71-BF1A-579CCA7D9743}.exe

    Filesize

    197KB

    MD5

    67fb6a2a6d2ba6cd409954ce897356f7

    SHA1

    8efee95bcedd4786ef0aa8c250a1fc9621f35677

    SHA256

    aa360470a5a39201799d4e5432e703d094038c98a3da99a139a45656b71e31cd

    SHA512

    baf93df6f6df04d7c8a24be52023958a50ffd356f9d41d4f0cb998f6315fa32be62b35f4c08ed880cd9fd0363ea665b464e23e1c979bca809ae5986e088bc067

  • C:\Windows\{8AF12373-A7B7-4c89-814F-69B79C2AA823}.exe

    Filesize

    197KB

    MD5

    d66d9167985bf655b7718e0b955ecc82

    SHA1

    2901bc7106dccbf1befddcc1ab10a2d768a9dd6e

    SHA256

    5a9c273162afcba659cfdd33187ef0f379e56508ad4efcd43e4557d83c2ec151

    SHA512

    3a1025837ef13c641ddd5743f485a46a46d9667bb0bc79ea8be986e49a40154aff9bff7e9a1cc09583b1854c5e51c529f28fdefbe10c37538dcc7050755fcd57

  • C:\Windows\{8FC1B540-C196-41c8-BE90-4A51419ECA77}.exe

    Filesize

    197KB

    MD5

    0112af4695e00110d1e7f2bbbd8678f6

    SHA1

    1af2e642de618503c56f7bcba6e962569a48563a

    SHA256

    20c60000bdcf46ece1547aa2104e621309940431a6822e38ac879db7de50a075

    SHA512

    5efa91ef77b7074ae024f1be80303d71abb7403251d0ac46d66070af81e3f3c8b2cb972b629f4e07768f07583715edac1dcd9344df8ddf630ccdf0b8618bd9e7

  • C:\Windows\{994574AC-BCED-40ab-9318-26599BE18C0E}.exe

    Filesize

    197KB

    MD5

    52fd8eabdaeb2f42c69eccbda3c0d215

    SHA1

    85c8eba2f7a50ce04c6ddbf7d4ff9cd8c8cd38f7

    SHA256

    4098930dcbd0c36e020a0e21a345bc7b467f6c2cc76fb4d1c503dbdc5cea53a0

    SHA512

    88eaedf4ba8667e7c5eba9d6e85063e03e4b7470611289d3b52ed6b7e180c2f149f7e9e4cabbca81f161873b3900df92210a8a936f67e8f9452217d5fcfd8087

  • C:\Windows\{99DB3DBE-F0B4-4f4e-816B-170CA3C49484}.exe

    Filesize

    197KB

    MD5

    1d880a95dfeac3db05a96deb390f4b8b

    SHA1

    f0989c6e28c1921db0b939a594564224cbe3f121

    SHA256

    3249dc082960934d269e4395e3aae8cb473939b7513c78e5bc12c93ab1461d54

    SHA512

    e717f2dce98a3aeeb09b0f01cb37735c8ad0634db44abd8d8716c4b1868e0abab4abfd28ba86de2a658f7b405e164c539712e059409f8183634a118cf2df6927

  • C:\Windows\{A6C783AB-F911-4cb4-AD69-4F6F7FD21586}.exe

    Filesize

    197KB

    MD5

    6ee203b2ce24cf1416210e6a9ee7d534

    SHA1

    9c3336c23f7a1654018f1bfae2dd575faf2b9897

    SHA256

    d07b000e743b1fbe1fc56c506b847e80d4a63373fb3635e00c1119ecf18e8fc5

    SHA512

    b2a4880ee59506a4597093247e9a74a7d447a4fe61b5d3dd118d17c6145a492f303bf59176190a77f6a2364bf6d0f1c6a2886d719a998ef0a992f1b8010ff09e

  • C:\Windows\{B462A280-BDBA-4df1-A96B-8CC3618A77E9}.exe

    Filesize

    197KB

    MD5

    c0af87755b1899e754927131bb752f56

    SHA1

    a01b5b15b6e7cb2cb5db52036d83142d81805c11

    SHA256

    ef4c3a71aaa55753ecf3779388fce9fbd4f70bcd7d29d89e992aa6f9b77153fa

    SHA512

    589265c21e6011ad7328edb307f1d05bf16a2e79325c6b4c8755dc05ecff157e91a997c654c4bbdf07a96d2fe3d91bb56d3772fb6025ca4eb2aed92f5a5b5da0