Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/09/2024, 04:35

General

  • Target

    2024-09-03_d7b058fce1c0d92fdc51c51aedb134c0_goldeneye.exe

  • Size

    408KB

  • MD5

    d7b058fce1c0d92fdc51c51aedb134c0

  • SHA1

    5497249f86b497b5ec4a2b61307f1b1bad00d128

  • SHA256

    b5ca48ed8395a8490392fb75014fdb62e572bc0bcb66a4ced32bb16b249a7787

  • SHA512

    1965202f3b4071f1c4917556df0ff8ff97326c3a79c40fc96382d6aeb3dffafafb456ca040e5b6b1c87e4039595b1cf83afa55142ad3dd86107164aff360b854

  • SSDEEP

    3072:CEGh0oel3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGEldOe2MUVg3vTeKcAEciTBqr3jy

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-03_d7b058fce1c0d92fdc51c51aedb134c0_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-03_d7b058fce1c0d92fdc51c51aedb134c0_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\{76D9F871-1BA8-4f22-B355-EE0C0D609BE3}.exe
      C:\Windows\{76D9F871-1BA8-4f22-B355-EE0C0D609BE3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\{EFA18E6F-8098-49a1-A6D1-5A69CA983B5A}.exe
        C:\Windows\{EFA18E6F-8098-49a1-A6D1-5A69CA983B5A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\{56062448-949C-4761-8CAB-173750C1D0E2}.exe
          C:\Windows\{56062448-949C-4761-8CAB-173750C1D0E2}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\{99E338D8-1789-4108-8599-A8A64251C3AB}.exe
            C:\Windows\{99E338D8-1789-4108-8599-A8A64251C3AB}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2636
            • C:\Windows\{D624AC2E-1CB0-43c0-BFB9-5E811BE84FC0}.exe
              C:\Windows\{D624AC2E-1CB0-43c0-BFB9-5E811BE84FC0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2132
              • C:\Windows\{4B62C9CD-3293-47c0-B5ED-BEE59FAB419E}.exe
                C:\Windows\{4B62C9CD-3293-47c0-B5ED-BEE59FAB419E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1968
                • C:\Windows\{76EFC5EF-71EB-47e5-8D88-335E14257CC7}.exe
                  C:\Windows\{76EFC5EF-71EB-47e5-8D88-335E14257CC7}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2168
                  • C:\Windows\{DDCB332F-388B-4d96-A134-4FD8D30B524F}.exe
                    C:\Windows\{DDCB332F-388B-4d96-A134-4FD8D30B524F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2244
                    • C:\Windows\{80FD5EA4-9FAD-4f39-863C-3103DF4A0880}.exe
                      C:\Windows\{80FD5EA4-9FAD-4f39-863C-3103DF4A0880}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2164
                      • C:\Windows\{D10719D7-030D-48f5-A33D-00EE79B9A0A9}.exe
                        C:\Windows\{D10719D7-030D-48f5-A33D-00EE79B9A0A9}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:584
                        • C:\Windows\{C63E71A6-AD3E-412e-9222-3EFF1646B0E4}.exe
                          C:\Windows\{C63E71A6-AD3E-412e-9222-3EFF1646B0E4}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:408
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D1071~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3040
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{80FD5~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1116
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{DDCB3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2068
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{76EFC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1880
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{4B62C~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2924
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D624A~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1972
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{99E33~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:644
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{56062~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EFA18~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2348
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76D9F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2752
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2996

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{4B62C9CD-3293-47c0-B5ED-BEE59FAB419E}.exe

          Filesize

          408KB

          MD5

          3f472e395ed60c1655e1e8955efd4777

          SHA1

          b519056d12fb8343056bd4d2d14fb1d920668ed4

          SHA256

          5140b2383d2f7290729fac05d8f24d86de7909716eaf63058b710975fcd1f749

          SHA512

          b1f233db31af93d0fe48e99eb12673736dcef9ecbc7a4835f92f1455a0ffa408ecbc58a73a7a5abf8713b019bd7941948fbcc68b43ea5f61e963ae3b1bed341b

        • C:\Windows\{56062448-949C-4761-8CAB-173750C1D0E2}.exe

          Filesize

          408KB

          MD5

          d4d2ee8025a216e51335c97c361aa112

          SHA1

          6f2ed252af16620b668b8bfc696c488c54cb499a

          SHA256

          deda25d669530ee40a45032f57779aa73332b9606addb731f02cb8ece45941ac

          SHA512

          bbd981d0b5e578b6015e2822e41e4cc4ee8325a2f4bc12051922e57e620467b1a8c653add700110597550797d05463bff6c854263464b4a66f9dae748285d5a4

        • C:\Windows\{76D9F871-1BA8-4f22-B355-EE0C0D609BE3}.exe

          Filesize

          408KB

          MD5

          d8c2bc76c44b5680da95cca411b20348

          SHA1

          8d6e87c58aac4691e4d00644d9f696d646e55347

          SHA256

          84cdd22e944da1e2cb014a4b5568abb6feac7a98a5d3494cae9da49442945986

          SHA512

          0084f0d27f41179554cd6c1c4f672e4013ea347ed4b6bba4fe3aca5d9937936c1c6da2d2c2dae979abe9e7d30751b968e3ef0f0ce5aea3005fa3bf103cbfbff4

        • C:\Windows\{76EFC5EF-71EB-47e5-8D88-335E14257CC7}.exe

          Filesize

          408KB

          MD5

          fe49e7ee6acec80d0ac164f07fef8881

          SHA1

          dcae1454f96f501b854d0a4a377b9871b8c47dee

          SHA256

          067e2a6390fb7948d6ce0a84a72e57379d6ade54c3498de9186263ebb1d13a76

          SHA512

          30d2cc756d8cb55d942d8a38b0f1bdd7b6dd83f627e0cb400d3338f0945e768b51d84b15c527e78ecbf78422ef40239be926592d821f4c425d372a6490e12409

        • C:\Windows\{80FD5EA4-9FAD-4f39-863C-3103DF4A0880}.exe

          Filesize

          408KB

          MD5

          3f31bd81c9bd48f74030ab162232882a

          SHA1

          a6e698e0653bf7a91d1e7a3a29b02d88c5457e2d

          SHA256

          fdae232219919aa475efcd638fefd7fd840f704f2209cbf8b619f9acf12931ed

          SHA512

          d2491de25c460ee3e433dcd56b489ddc84759b340132be0fab76b0be05c0215e90b571be4630392d702401c4de62edc039ec46f9dc3a412b0743eaa79201e9e6

        • C:\Windows\{99E338D8-1789-4108-8599-A8A64251C3AB}.exe

          Filesize

          408KB

          MD5

          e02d55b25653af88839b449760bf22b0

          SHA1

          43cc598581f71f9bdd4203475207a457085b9b38

          SHA256

          3eab167b412acf6c3197ecc4662f8883b78ae5f1b81adefe166e3f493e885062

          SHA512

          2a1a5102128f865d27219021d4a2ba8e633513f1b1d590c026f7b5d97dc17a59a99620bc652c00b59ac504ec1a4cfed671e3cb9bf84f1607776c9f15d6482fa0

        • C:\Windows\{C63E71A6-AD3E-412e-9222-3EFF1646B0E4}.exe

          Filesize

          408KB

          MD5

          659d7f8ba25320609a49039124649d38

          SHA1

          3139995c80676197271f24c1a5fd4c87eab2a2ca

          SHA256

          2ff24e0d8a3dd6fcaea9b92434bb0deefc1fbb3caffa63c606b34cb6d17a5c07

          SHA512

          515d3b3f301dd5394cfdd863068fdadcc899f9a33de430ac9a8949317a94179324c52ca994c6175a9fff1e70457c0ed1bb8bc0253f28d40fd019a8585883c5dc

        • C:\Windows\{D10719D7-030D-48f5-A33D-00EE79B9A0A9}.exe

          Filesize

          408KB

          MD5

          3a1e0c0ad2b2b2cc0b5ad8e0c31436f7

          SHA1

          4ccb4372bd6fded813e341072f4a699a32a6233b

          SHA256

          3cb75c25fdb5a2048bdc537ae434eda82ec60d578f1176b9b5387112a21731fd

          SHA512

          ed75bfe188822d16c268a2ed2619761c38d729e330cd086cfb40a8cba41a1fda83f1e44f301174dfdefbad7309fd7f2fde87c0d64d16d334f92572dd031d69a3

        • C:\Windows\{D624AC2E-1CB0-43c0-BFB9-5E811BE84FC0}.exe

          Filesize

          408KB

          MD5

          a75631353ad1df9eb25ad5add9ac90ea

          SHA1

          7ec8efce9af65f63e87dc186cd3a65ca75d056f4

          SHA256

          3705d8c7d6d52cc678a9c7df6166f8826619e96c1725016a18bfa4151b52a716

          SHA512

          88e0fee955efc40832267cf974e26412361bb192339654bb5f7c3770c345b57a3c2df6dcd4bc065080e5c987a4716c1b3a0576eaf82b97aeb9dcf41595b62c2e

        • C:\Windows\{DDCB332F-388B-4d96-A134-4FD8D30B524F}.exe

          Filesize

          408KB

          MD5

          609f5264f0aebbc3017d454813a39a83

          SHA1

          805861644844c8011d33e313e30a3a94bb2e0b4d

          SHA256

          8b7a1539eab9527c7163ad9abed7371ad8cc785339c4cfff2423a1a3b21ea470

          SHA512

          b0f43491cf911311ee509864b87af2137571ff39b7fa06b093167a53e29beaad067973d044f44fcd3b846d1479325ec7d2a9826e7319877f1a59f172016d4613

        • C:\Windows\{EFA18E6F-8098-49a1-A6D1-5A69CA983B5A}.exe

          Filesize

          408KB

          MD5

          7a28ecc58be381524cbd4f8c7fd42975

          SHA1

          4e5c048384f9725189f02b1e78c9f6f9cb2abe23

          SHA256

          e885a3a5bbf20dea4589876d6ea24fd0e95825518ffe62fa390e2e4f9a642865

          SHA512

          67482c09953897819043d4ca113c4c3eb5bd9910506aee0824ed2078dea733b53c042de046662d45af52c84939ea1e7cc3202faa37f7f67be7373972eb63d97a