Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/09/2024, 10:20

General

  • Target

    2024-09-05_d43c664aef2f855d360b3d8f2b7e87ea_goldeneye.exe

  • Size

    344KB

  • MD5

    d43c664aef2f855d360b3d8f2b7e87ea

  • SHA1

    05056272029d8bc065a5413621a4cd8e4b7162b4

  • SHA256

    9b329279665e9a3ad98c9a9560be17b2a13ab05a14d1e8486f19fdedb60a2dff

  • SHA512

    5ca4801b81981fcce70e32a7ffd3da036be8bddaa4c6dbdc9d2a44ee4f99a47e31bba9a600e64b042823b3c6101193f4a000483e0123282955e99aa13576fcb1

  • SSDEEP

    3072:mEGh0o1lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGTlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-05_d43c664aef2f855d360b3d8f2b7e87ea_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-05_d43c664aef2f855d360b3d8f2b7e87ea_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Windows\{5E65F0CA-6713-4785-97B4-81F99FD190B3}.exe
      C:\Windows\{5E65F0CA-6713-4785-97B4-81F99FD190B3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\{7F403C43-CBC3-490e-9951-00F161FE562E}.exe
        C:\Windows\{7F403C43-CBC3-490e-9951-00F161FE562E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4984
        • C:\Windows\{60155BD8-4C78-4881-B556-99877376D159}.exe
          C:\Windows\{60155BD8-4C78-4881-B556-99877376D159}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Windows\{EF056B69-BF17-4e62-8F06-D76BCA54979E}.exe
            C:\Windows\{EF056B69-BF17-4e62-8F06-D76BCA54979E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4228
            • C:\Windows\{7D66F1A9-FC28-44a5-8359-9501AD952A34}.exe
              C:\Windows\{7D66F1A9-FC28-44a5-8359-9501AD952A34}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4172
              • C:\Windows\{1A1C7847-2A62-4b6d-B4ED-550F087857B8}.exe
                C:\Windows\{1A1C7847-2A62-4b6d-B4ED-550F087857B8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3236
                • C:\Windows\{93CE5C15-7336-4fa6-9622-5BE6F56B781C}.exe
                  C:\Windows\{93CE5C15-7336-4fa6-9622-5BE6F56B781C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4812
                  • C:\Windows\{B4570D11-94B3-4d53-A110-4C6880F69B7D}.exe
                    C:\Windows\{B4570D11-94B3-4d53-A110-4C6880F69B7D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4480
                    • C:\Windows\{B6AB6709-6E1B-47ad-A66A-10696DEC8E58}.exe
                      C:\Windows\{B6AB6709-6E1B-47ad-A66A-10696DEC8E58}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3640
                      • C:\Windows\{F5BF6692-698B-4ad5-804C-E1F0C3F00C0D}.exe
                        C:\Windows\{F5BF6692-698B-4ad5-804C-E1F0C3F00C0D}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:680
                        • C:\Windows\{5B79C315-A6CD-4cfd-B552-14708613EF13}.exe
                          C:\Windows\{5B79C315-A6CD-4cfd-B552-14708613EF13}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4212
                          • C:\Windows\{42D17B78-91E0-4e08-8576-06E5342987FF}.exe
                            C:\Windows\{42D17B78-91E0-4e08-8576-06E5342987FF}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4980
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5B79C~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4248
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F5BF6~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2528
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6AB6~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3088
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B4570~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1044
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{93CE5~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4500
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1A1C7~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:668
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7D66F~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4472
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{EF056~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1220
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{60155~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:952
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7F403~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E65F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5104

Network


        Downloads

        • C:\Windows\{1A1C7847-2A62-4b6d-B4ED-550F087857B8}.exe

          Filesize

          344KB

          MD5

          d32bfcbe8988a6a7445cc24c4d11623d

          SHA1

          fef59858cd1628c9f5b4a9ec7161954f1223d899

          SHA256

          28b2db9a090634f2ed94f24218c47604e32625c394a02471a85ca8965c172a08

          SHA512

          591d7b2f24d819e7152cc1c4dcc6b03c3acd2fe70f9e7637ca231ad4f3b9564964687b085c82cdb4c44794bb24530d3aad63f847b3ca110786e21b9f73f364c6

        • C:\Windows\{42D17B78-91E0-4e08-8576-06E5342987FF}.exe

          Filesize

          344KB

          MD5

          9c475758eb02dac360b58a3e9708dc36

          SHA1

          3dec781f6947751137558b90f46a53ad5e30b456

          SHA256

          060096e7d85d02d32b21303cd39a498436978bed0f111a901981ca116e874f06

          SHA512

          6187b63eabd12fb85e3adbcaf70cee68fa481d9ae2c4017e6980669a16136223db173a2577977412b00205a89a56d90342b1237c82d1bde0c340ebe02cd2ffd0

        • C:\Windows\{5B79C315-A6CD-4cfd-B552-14708613EF13}.exe

          Filesize

          344KB

          MD5

          e6cc2d6f3d725dcee2326d024de89724

          SHA1

          635550506a727816c0e161206fed6efa99d1d7c5

          SHA256

          731171934f4dd4cb5198068f4984aa659379cea2026942a5d25fb4664d20f940

          SHA512

          b85caf20312fd7eb7b90610b420edcbc7777a837d2c46a5b01877297d12f8e6c27a1e33860c433af813b9e25ba953799dc04ca4123c0b4c6d26631ebff4a0615

        • C:\Windows\{5E65F0CA-6713-4785-97B4-81F99FD190B3}.exe

          Filesize

          344KB

          MD5

          9a9c95dc69acdd72addc9acfd04b467a

          SHA1

          acd64bbd5dc94e851c0db8ffd982ee71da828aa3

          SHA256

          cfde1bbb9a1590b886f16b0580cbe7d77069466722b73c44686ead7cd3afa63e

          SHA512

          d26ad615dea4a2b0e06a0c7ad53b82fa82e510887ca1a116326b4628ace778ef3a6c8dd2be881127d065a6dc71d21889c679f42197c30926d39a59cff95905f7

        • C:\Windows\{60155BD8-4C78-4881-B556-99877376D159}.exe

          Filesize

          344KB

          MD5

          78c1b38d0f545b28df4ac6451407499d

          SHA1

          2e72802e3ebdd12d7faff42f3932f0f81f13f9c4

          SHA256

          757ba5699ccfc7ec14d0ca06e9fe7950afd62be92d66de4f684fcd0c9f8588d1

          SHA512

          103b9b95f3f369d5815335e11d8e1bbd949d19ea26fdb042592cfdf1ab1d1cac622fabead85106a9984436083cdcafa31673b386f1dccef879c09fc1148183ae

        • C:\Windows\{7D66F1A9-FC28-44a5-8359-9501AD952A34}.exe

          Filesize

          344KB

          MD5

          3ffb184334c242a043e975fd794da4d3

          SHA1

          5ea189895a260844d7d076f865b5de6ea94829d0

          SHA256

          42750ee3a4fae6e770efb155dbf0be4e137a8cbe3a080a088966b79c97cb447e

          SHA512

          5eb5933c8af8e3c408a557f5a12208bb13ac9715e782a0e92d3fb8f64aefccd60c05148ae1a178c5bee75252e11db48213a6d7b959c10617f0cf4d3994f40f6d

        • C:\Windows\{7F403C43-CBC3-490e-9951-00F161FE562E}.exe

          Filesize

          344KB

          MD5

          ec0aec1b85394626e466cc39743c3dca

          SHA1

          8639b846482879221ccf028578ce6c547849b62f

          SHA256

          15ef742ec92497708776ad28833a8237660dafd1dfb3348821ff6604e7742231

          SHA512

          ba1617669716eacdcf696d130a217888d5455d6ad7eddf2a94dac39c19de896452b0d9457934c0fd28a9a0dfb1d61c2def3e97d963ed254f92c78cbb50070198

        • C:\Windows\{93CE5C15-7336-4fa6-9622-5BE6F56B781C}.exe

          Filesize

          344KB

          MD5

          d2fb35505fb39478dffe9b410e9f33fd

          SHA1

          6e1beddf9a39af08d8f70f1f85ebcc7d4e2a5e1b

          SHA256

          724d30f0db516d87efd1d483d8e95376e6a25358a75d2eeddba3bce37eb74f5b

          SHA512

          70274cb8dd4b1ca170e61320fd6448e2d380cce4317a20ae9624787d229dd55088657cc1f44921ff21a877ae692a9a1f45097cb0a0882f9bcda939dc2315a643

        • C:\Windows\{B4570D11-94B3-4d53-A110-4C6880F69B7D}.exe

          Filesize

          344KB

          MD5

          63591f9712a72a1e5eaaa6e13d54ad3d

          SHA1

          162d47acaa0d08312f03606193c41b02fd4876d2

          SHA256

          6d7766cbaa0b3b446d2d448af74679a94ec38252307a46e3bda9574f9835ded1

          SHA512

          b4b8cd3ac3d5acf66db6dcda26da6dca502e7423b2ea3bcd5631ccf24e661ade2e665b06582ef0874cecf4f428d579b58d8ad7faa54b536a8e80401dc73c3eb6

        • C:\Windows\{B6AB6709-6E1B-47ad-A66A-10696DEC8E58}.exe

          Filesize

          344KB

          MD5

          87622da3f6141bbcdd67b92d73e3f614

          SHA1

          a9d00bbce75d5ba02c48a54a7f992aeeeed296d2

          SHA256

          870a19a50e94a954bbeb7a5e66b90fd1a5fcdcc8ad172316f7ab0e67dce46950

          SHA512

          2808b21a1a4495e05aebb33760f28e9be0dfb0a1395b75b1a34de4c94b5fd9cffa1357ee64f17736e6db1e7a0015830e19049b98fad57b05b58541288d560823

        • C:\Windows\{EF056B69-BF17-4e62-8F06-D76BCA54979E}.exe

          Filesize

          344KB

          MD5

          e65a75b5ffefe83de788891614f53746

          SHA1

          addc307e9dc565892cbb3611acbc2f14a6138e1c

          SHA256

          9444bf7655f411f45a86967830b056f09061d42b3d0dbec46c08cc36fb5c9acb

          SHA512

          5982fdd604e355d16151ea11faa79a5c9506dacfe7e711a2ad7ad54ea7fcd23fe35b77e127c7a2efec2b17373368a096762446799486a8ec0a45e371258780d9

        • C:\Windows\{F5BF6692-698B-4ad5-804C-E1F0C3F00C0D}.exe

          Filesize

          344KB

          MD5

          f10c187792786ddd60d58c187b95927f

          SHA1

          3d4cdeb1d7f90477caeed6004c3ef794d05b3a3f

          SHA256

          44411de069407d6ea3cd29e18ac8d15df202883ab0955d2c4c2de40f55ce9a7a

          SHA512

          a3f6c3cff0b6f14d9953ce5110311db29b58dd5731404fad1564c115a36964b4daaca0d69c7e72e27e0582c543276982b227a355de80444d4c2c3e3ef81deba6