Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/09/2024, 10:20

General

  • Target

    2024-09-05_d43c664aef2f855d360b3d8f2b7e87ea_goldeneye.exe

  • Size

    344KB

  • MD5

    d43c664aef2f855d360b3d8f2b7e87ea

  • SHA1

    05056272029d8bc065a5413621a4cd8e4b7162b4

  • SHA256

    9b329279665e9a3ad98c9a9560be17b2a13ab05a14d1e8486f19fdedb60a2dff

  • SHA512

    5ca4801b81981fcce70e32a7ffd3da036be8bddaa4c6dbdc9d2a44ee4f99a47e31bba9a600e64b042823b3c6101193f4a000483e0123282955e99aa13576fcb1

  • SSDEEP

    3072:mEGh0o1lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGTlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-05_d43c664aef2f855d360b3d8f2b7e87ea_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-05_d43c664aef2f855d360b3d8f2b7e87ea_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\{0E7C491D-ED0E-4df1-9399-7E00D0D85FBB}.exe
      C:\Windows\{0E7C491D-ED0E-4df1-9399-7E00D0D85FBB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\{954CB69E-E17C-4a05-94BD-081837628745}.exe
        C:\Windows\{954CB69E-E17C-4a05-94BD-081837628745}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\{E0FFE042-9DB5-4c6f-AF25-0ED16CE25676}.exe
          C:\Windows\{E0FFE042-9DB5-4c6f-AF25-0ED16CE25676}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Windows\{97D38BAB-61E2-48e6-A1C8-F0E5E7B72063}.exe
            C:\Windows\{97D38BAB-61E2-48e6-A1C8-F0E5E7B72063}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2888
            • C:\Windows\{2A500170-A476-44e9-B2B8-3960476BCAE6}.exe
              C:\Windows\{2A500170-A476-44e9-B2B8-3960476BCAE6}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1756
              • C:\Windows\{57ED0E1A-ADFD-46b3-9901-C9F5AB6E6FFB}.exe
                C:\Windows\{57ED0E1A-ADFD-46b3-9901-C9F5AB6E6FFB}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:484
                • C:\Windows\{133D4C58-0D3F-45fc-9391-0C615617CCC5}.exe
                  C:\Windows\{133D4C58-0D3F-45fc-9391-0C615617CCC5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1864
                  • C:\Windows\{C46FE8E1-F9DA-47e8-A636-29DB4E82002C}.exe
                    C:\Windows\{C46FE8E1-F9DA-47e8-A636-29DB4E82002C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1704
                    • C:\Windows\{934D7AEC-4E83-44dc-B198-D8A7DAE5FF01}.exe
                      C:\Windows\{934D7AEC-4E83-44dc-B198-D8A7DAE5FF01}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2060
                      • C:\Windows\{54624637-D726-4c17-B14B-95D7C9809585}.exe
                        C:\Windows\{54624637-D726-4c17-B14B-95D7C9809585}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1872
                        • C:\Windows\{148AEB71-FF62-4407-B503-0668EF6F3FC2}.exe
                          C:\Windows\{148AEB71-FF62-4407-B503-0668EF6F3FC2}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2720
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{54624~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1832
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{934D7~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2920
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C46FE~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2504
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{133D4~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1784
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{57ED0~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1280
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{2A500~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1428
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{97D38~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3036
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E0FFE~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2632
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{954CB~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E7C4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2244

Network

        MITRE ATT&CK Enterprise v15

        Downloads
