Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/09/2024, 08:25

General

  • Target

    2024-09-04_0f01042c09c6f61995357603865cf3f3_goldeneye.exe

  • Size

    216KB

  • MD5

    0f01042c09c6f61995357603865cf3f3

  • SHA1

    2400aa24a82233fd2de7b3a1df917fd96d4d2eb0

  • SHA256

    059a3ef7c250251a69c9984e37f8551bc288740c7f958da8e5c81c8560d658e1

  • SHA512

    32148b6d5ef63e26040c0ba8a6fbb0cf66aebe412771e0c95b67d377a09f6b01d695c473495262d0818ef478e9533c1359ec38549234796abdc596a5770e8e63

  • SSDEEP

    3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGjlEeKcAEcGy

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-04_0f01042c09c6f61995357603865cf3f3_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-04_0f01042c09c6f61995357603865cf3f3_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\{CFF0951F-E818-4bf8-A5CE-08B45623B614}.exe
      C:\Windows\{CFF0951F-E818-4bf8-A5CE-08B45623B614}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\{37C64544-7ED1-4edb-8B02-218D9BF0E5D0}.exe
        C:\Windows\{37C64544-7ED1-4edb-8B02-218D9BF0E5D0}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\{CB9F50C9-35AF-4c36-89A0-14703569058F}.exe
          C:\Windows\{CB9F50C9-35AF-4c36-89A0-14703569058F}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\{8800AC84-46D4-4b05-AC1B-9C49B34980A3}.exe
            C:\Windows\{8800AC84-46D4-4b05-AC1B-9C49B34980A3}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:756
            • C:\Windows\{E14EED85-49D2-4733-B608-AB022FF596B8}.exe
              C:\Windows\{E14EED85-49D2-4733-B608-AB022FF596B8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2680
              • C:\Windows\{34412B45-D58F-4056-9830-644C8D514CE5}.exe
                C:\Windows\{34412B45-D58F-4056-9830-644C8D514CE5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2052
                • C:\Windows\{8982CE63-C0C5-4d54-9B0E-8F9F811D05AE}.exe
                  C:\Windows\{8982CE63-C0C5-4d54-9B0E-8F9F811D05AE}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2368
                  • C:\Windows\{B1B52B9C-4A0C-4362-916E-B752683D5867}.exe
                    C:\Windows\{B1B52B9C-4A0C-4362-916E-B752683D5867}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2528
                    • C:\Windows\{C0215713-14E6-4143-A5F8-050AAFCA6E5F}.exe
                      C:\Windows\{C0215713-14E6-4143-A5F8-050AAFCA6E5F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1864
                      • C:\Windows\{37B684A5-3321-4e81-8C61-85B2384282B5}.exe
                        C:\Windows\{37B684A5-3321-4e81-8C61-85B2384282B5}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1288
                        • C:\Windows\{4E4595A2-BF32-441c-A53D-D0A2191A85BB}.exe
                          C:\Windows\{4E4595A2-BF32-441c-A53D-D0A2191A85BB}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2108
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{37B68~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1132
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0215~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2112
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B52~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2068
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8982C~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1632
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{34412~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1720
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E14EE~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1644
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8800A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2804
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CB9F5~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1428
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{37C64~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2940
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFF09~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2648
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2760
