Analysis

  • max time kernel
    144s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/09/2024, 10:27

General

  • Target

    2024-09-05_f391f59fac51f2bfc8137803465a8f28_goldeneye.exe

  • Size

    192KB

  • MD5

    f391f59fac51f2bfc8137803465a8f28

  • SHA1

    396a79754120889dbcaee58f6c33ff733171f3d5

  • SHA256

    76fccb79a0e9607d18b84ebd0ee8c6d4b4e5881f6dfa989d767ddaf28f7c84a4

  • SHA512

    780622e152d81540d6ac4801ca79188e989c229855a68399e45c17e948a8e0e174e7508aedd9e556962cfc7e31a35714613cb54f60ebd063b6bf52874220eef0

  • SSDEEP

    1536:1EGh0oil15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oil1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (T1547.014; 2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC): the submitted file is removed with cmd.exe /c del, see PID 2912 in the process tree below
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (T1614.001; 1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
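The Active Setup signature above counts registry IoCs but the report does not print the values themselves. The following is an added example, not part of this report or of the sandbox, showing how to audit Active Setup "Installed Components" entries from a registry export for StubPath values that point at a {GUID}.exe under C:\Windows, the naming this sample's dropped files use. The .reg text is constructed: the two benign components and their GUIDs are placeholders, the third entry's StubPath is an assumption that mirrors the first dropped file, and the allowlist of trusted directories is an assumption to tune per environment. Active Setup is evaluated at logon: any component under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components without a matching HKCU entry has its StubPath run once for that user, and a 32-bit sample on a 64-bit host (this one ran cmd.exe from SysWOW64) lands under the Wow6432Node path, so export and check both hives and both views.

```python
import re

# Constructed registry export in .reg format (not from the report). The first two
# components and their GUIDs are placeholders; the third's StubPath is an
# assumption that mirrors the sample's first dropped file.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\placeholder.exe /install"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"Version"="2,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CE8A2FC-0C0A-487a-99B8-80CEFA80305E}]
"StubPath"="C:\\Windows\\{8CE8A2FC-0C0A-487a-99B8-80CEFA80305E}.exe"
"""

# Assumed allowlist of directories a legitimate StubPath executable lives in.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# "\{GUID}.exe" at the end of a path, the naming used by this sample's stages.
GUID_EXE_RE = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: string_data}}.
    Only REG_SZ values ("name"="data") are needed for this audit."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[key] = {}
        elif key is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files double every backslash inside string data.
                entries[key][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def stub_executable(stub):
    """Return the executable portion of a StubPath command line."""
    stub = stub.strip()
    if stub.startswith('"'):
        return stub[1:stub.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", stub, re.I)
    return m.group(1) if m else stub.split(" ")[0]


def audit_active_setup(entries):
    """Return (component, executable, reasons) for suspicious StubPath values."""
    findings = []
    for key, values in entries.items():
        if "\\active setup\\installed components\\" not in key.lower():
            continue
        stub = values.get("StubPath")
        if not stub:
            continue  # nothing is executed at logon without a StubPath
        exe = stub_executable(stub)
        reasons = []
        if GUID_EXE_RE.search(exe):
            reasons.append("executable is a {GUID}.exe, the naming of this sample's dropped files")
        if not exe.lower().startswith(TRUSTED_DIRS):
            reasons.append("executable is outside the assumed trusted directories")
        if reasons:
            findings.append((key.rsplit("\\", 1)[1], exe, reasons))
    return findings


if __name__ == "__main__":
    for component, exe, reasons in audit_active_setup(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(component, exe, "; ".join(reasons))
```

On a live host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and the Wow6432Node and HKCU paths), then feed the file to parse_reg_export. Treat a hit on the {GUID}.exe pattern as a strong signal; the directory allowlist will need tuning for vendor software that registers its own components.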

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-05_f391f59fac51f2bfc8137803465a8f28_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-05_f391f59fac51f2bfc8137803465a8f28_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\{8CE8A2FC-0C0A-487a-99B8-80CEFA80305E}.exe
      C:\Windows\{8CE8A2FC-0C0A-487a-99B8-80CEFA80305E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\{052173F8-9953-47fa-B6E4-831A1C283729}.exe
        C:\Windows\{052173F8-9953-47fa-B6E4-831A1C283729}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\{F0A21365-A145-44f4-9757-90C46DECBF79}.exe
          C:\Windows\{F0A21365-A145-44f4-9757-90C46DECBF79}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\{289FC58D-F55C-4de6-AE62-909A20E049F9}.exe
            C:\Windows\{289FC58D-F55C-4de6-AE62-909A20E049F9}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\{4537C010-1AC5-4495-B6A3-7BFE544D83DB}.exe
              C:\Windows\{4537C010-1AC5-4495-B6A3-7BFE544D83DB}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2012
              • C:\Windows\{286B15B4-2FE2-4ab5-90C2-DBCB7B23CFB9}.exe
                C:\Windows\{286B15B4-2FE2-4ab5-90C2-DBCB7B23CFB9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2372
                • C:\Windows\{F41DB5EA-905E-40d8-A4C1-07BA1359DE72}.exe
                  C:\Windows\{F41DB5EA-905E-40d8-A4C1-07BA1359DE72}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1704
                  • C:\Windows\{A1220BD3-BD86-4582-871A-01FCDBEE8473}.exe
                    C:\Windows\{A1220BD3-BD86-4582-871A-01FCDBEE8473}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2536
                    • C:\Windows\{E029C396-4B97-4617-B6D2-1C0FBEFD38E1}.exe
                      C:\Windows\{E029C396-4B97-4617-B6D2-1C0FBEFD38E1}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1436
                      • C:\Windows\{2B279AAE-E45B-4d61-8C4E-19BCFF6A1B85}.exe
                        C:\Windows\{2B279AAE-E45B-4d61-8C4E-19BCFF6A1B85}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2080
                        • C:\Windows\{EFFBDFD0-EB1A-4f44-BC12-84F9710BBE99}.exe
                          C:\Windows\{EFFBDFD0-EB1A-4f44-BC12-84F9710BBE99}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:556
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2B279~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2332
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E029C~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2640
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1220~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:892
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F41DB~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1608
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{286B1~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1140
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{4537C~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2076
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{289FC~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1596
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F0A21~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{05217~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2684
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CE8A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2784
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2912
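The tree above shows a twelve-process relay: the submitted sample writes C:\Windows\{GUID}.exe, executes it, and removes its own file with cmd.exe /c del using the 8.3 short name ({8CE8A~1.EXE for {8CE8A2FC-...}.exe, 2024-0~1.EXE for the sample), and every dropped stage repeats the same three steps until PID 556, which spawns nothing. All eleven dropped files are 192KB like the sample yet each has a distinct hash (see Downloads below), so blocking individual hashes does not generalize; the structural pattern does. The following added example, not part of the report, encodes that pattern as detection logic over process-creation records. The records are constructed from the process tree on this page (the parent of the sample is not shown, so ppid 0 stands in for it); the 8.3 short-name check is a simplified one that is sufficient for these names and is labelled as such.

```python
import re
from collections import defaultdict

# Process-creation records (pid, ppid, image, command line) constructed from the
# process tree in this report. The sample's own parent is not shown: ppid 0 is a
# placeholder for it.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\2024-09-05_f391f59fac51f2bfc8137803465a8f28_goldeneye.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"


def _stage(pid, ppid, guid):
    image = r"C:\Windows\{" + guid + "}.exe"
    return (pid, ppid, image, image)


def _delete(pid, ppid, short_path):
    # The 32-bit cmd.exe image is SysWOW64 while the command line says system32
    # (WoW64 redirection), exactly as the report shows.
    return (pid, ppid, CMD, r"C:\Windows\system32\cmd.exe /c del " + short_path + " > nul")


RECORDS = [
    (2220, 0, SAMPLE, '"' + SAMPLE + '"'),
    _stage(2592, 2220, "8CE8A2FC-0C0A-487a-99B8-80CEFA80305E"),
    _stage(2812, 2592, "052173F8-9953-47fa-B6E4-831A1C283729"),
    _stage(2688, 2812, "F0A21365-A145-44f4-9757-90C46DECBF79"),
    _stage(2672, 2688, "289FC58D-F55C-4de6-AE62-909A20E049F9"),
    _stage(2012, 2672, "4537C010-1AC5-4495-B6A3-7BFE544D83DB"),
    _stage(2372, 2012, "286B15B4-2FE2-4ab5-90C2-DBCB7B23CFB9"),
    _stage(1704, 2372, "F41DB5EA-905E-40d8-A4C1-07BA1359DE72"),
    _stage(2536, 1704, "A1220BD3-BD86-4582-871A-01FCDBEE8473"),
    _stage(1436, 2536, "E029C396-4B97-4617-B6D2-1C0FBEFD38E1"),
    _stage(2080, 1436, "2B279AAE-E45B-4d61-8C4E-19BCFF6A1B85"),
    _stage(556, 2080, "EFFBDFD0-EB1A-4f44-BC12-84F9710BBE99"),
    _delete(2912, 2220, TEMP + r"\2024-0~1.EXE"),
    _delete(2784, 2592, r"C:\Windows\{8CE8A~1.EXE"),
    _delete(2684, 2812, r"C:\Windows\{05217~1.EXE"),
    _delete(2736, 2688, r"C:\Windows\{F0A21~1.EXE"),
    _delete(1596, 2672, r"C:\Windows\{289FC~1.EXE"),
    _delete(2076, 2012, r"C:\Windows\{4537C~1.EXE"),
    _delete(1140, 2372, r"C:\Windows\{286B1~1.EXE"),
    _delete(1608, 1704, r"C:\Windows\{F41DB~1.EXE"),
    _delete(892, 2536, r"C:\Windows\{A1220~1.EXE"),
    _delete(2640, 1436, r"C:\Windows\{E029C~1.EXE"),
    _delete(2332, 2080, r"C:\Windows\{2B279~1.EXE"),
]

# A {GUID}.exe directly under C:\Windows, the naming of every dropped stage.
GUID_EXE_RE = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# "cmd.exe /c del <path>"; the paths in this report contain no spaces.
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)", re.I)


def short_name_matches(short_path, long_path):
    """Simplified 8.3 check: same directory, the short stem before '~' is a
    prefix of the long stem, and the extensions agree on their first three
    characters. Real 8.3 generation also strips spaces and extra dots, which
    these names do not contain."""
    s_dir, _, s_name = short_path.upper().rpartition("\\")
    l_dir, _, l_name = long_path.upper().rpartition("\\")
    if s_dir != l_dir:
        return False
    if "~" not in s_name:
        return s_name == l_name
    s_stem, _, s_ext = s_name.partition(".")
    l_stem, _, l_ext = l_name.partition(".")
    return l_stem.startswith(s_stem.split("~")[0]) and l_ext[:3] == s_ext[:3]


def analyze(records):
    """Return the chain of {GUID}.exe stages starting at the root process and
    the (cmd_pid, parent_pid) pairs where cmd.exe deletes its parent's image."""
    by_pid = {r[0]: r for r in records}
    children = defaultdict(list)
    for pid, ppid, _, _ in records:
        children[ppid].append(pid)

    roots = [r for r in records if r[1] not in by_pid]
    chain, cur = [], roots[0][0] if roots else None
    while cur is not None:
        chain.append(cur)
        nxt = [c for c in children[cur] if GUID_EXE_RE.match(by_pid[c][2])]
        cur = nxt[0] if nxt else None

    self_deletes = []
    for pid, ppid, image, cmdline in records:
        m = DEL_RE.search(cmdline)
        if m and ppid in by_pid and short_name_matches(m.group(1), by_pid[ppid][2]):
            self_deletes.append((pid, ppid))
    return {"chain": chain, "self_deletes": self_deletes}


if __name__ == "__main__":
    result = analyze(RECORDS)
    print("stages:", len(result["chain"]), "self-deletions:", len(result["self_deletes"]))
```

Fed real Sysmon event 1 or EDR process-creation data, the two signals worth alerting on independently are a process image matching GUID_EXE_RE under C:\Windows and a cmd.exe /c del whose target resolves to the parent's own image; the chain walk is then the triage view that ties the alerts to one intrusion.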

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{052173F8-9953-47fa-B6E4-831A1C283729}.exe

    Filesize

    192KB

    MD5

    d4887d796bf6fe4adfa0bb45738a0753

    SHA1

    4df90bda80fdbaa0b0b71305fa1b0801a8daf9f0

    SHA256

    e208167df546f9d0134cac1a9922e8ffe865b6397171c5a205223bf73304b736

    SHA512

    2afe87f6e9318f2d6a15393bac6bb72d7e862a7ee4fa2d2dffdf06d3b7d845534e8c743538082633a3be15d16a77caee5a3fd8ae105cfef843c39b07b661642e

  • C:\Windows\{286B15B4-2FE2-4ab5-90C2-DBCB7B23CFB9}.exe

    Filesize

    192KB

    MD5

    daf6562d950117059b40299a6deb9f6f

    SHA1

    f085c3ab681ee55fca8ea4fe8952549903d34ff4

    SHA256

    7a7097119f8c6d1fdfcf44aa33c8df087d4f653a1c74512c9dac26131e67b06a

    SHA512

    e052c355214f14ff7bdc59cd8c77125e16d3526d7082215dbed6729c61f42d77ba20b7d6a561d62c8592f003c65f3fc4ba4b6bddfbb116f727dd4015da19eaed

  • C:\Windows\{289FC58D-F55C-4de6-AE62-909A20E049F9}.exe

    Filesize

    192KB

    MD5

    890afbf30c7c9612e5f803f3236b7ab4

    SHA1

    bcce1b4d6dd1133e7a5e46f9e016304b60bd01c0

    SHA256

    5939a991149145657f483d13fd031e34589f9c0a7a1c01592f31fb9ea5704990

    SHA512

    a8a243a12748ed106a81a7589a4d0d4644c18d2c16a4fdc43e77eafe0e7a8c8d0c091194178630c509a020de80d9d0f1cfece1bda024c79276571c4f85d9232c

  • C:\Windows\{2B279AAE-E45B-4d61-8C4E-19BCFF6A1B85}.exe

    Filesize

    192KB

    MD5

    8239232295bc21bd0b15fca0897886c8

    SHA1

    138ae17a9484d716bd47647d55d7ad50b7227a49

    SHA256

    bfb291c5ca5192e71f4819f94349910c26b60fcd6eedd8a7d14b0c9bd3774764

    SHA512

    6f289bb8b186980118349751ffcd78d3bb48237040dfe26107d0b2a162c6ceda5b29ecc46129728221aeb20b288b42a3a1623f432a6e1d0c7d58cb1c6232ff77

  • C:\Windows\{4537C010-1AC5-4495-B6A3-7BFE544D83DB}.exe

    Filesize

    192KB

    MD5

    8c3e60d8b25d14d2dd4662556f0eea83

    SHA1

    f21d11655265b0ef2beb68a512fc9246c12eb81a

    SHA256

    0fe1a305fd7a5b0391339f586a99c8cc900351940d7c3ce31ec6fd3901117206

    SHA512

    bd06749e9603d43a79b8733a00c27ce3a597f583a64c13b5a7615e6be8e4e6250694aa3adade912519112e5f9cccffea1c47ce04767edede0ce5f271acd85f01

  • C:\Windows\{8CE8A2FC-0C0A-487a-99B8-80CEFA80305E}.exe

    Filesize

    192KB

    MD5

    0f233bde3f86c6d8bb31bef8eeb09a7f

    SHA1

    b5e7d8f00a85c5f0d2afaf6805b29aa477346301

    SHA256

    19a5d2aafe890b7041192fde9d1629882ff72096ee7330879d5b18784930ffaf

    SHA512

    b6d6632498fafa9445cde0a26cd5df4ea553295ca5bdbb9be9ef4957aedfe3b1a28f740b8b163c8c272c0923b7fd254d635eedba9aac4747ef3b712a9a06f859

  • C:\Windows\{A1220BD3-BD86-4582-871A-01FCDBEE8473}.exe

    Filesize

    192KB

    MD5

    317460fd2050a8859928ed3278011d6c

    SHA1

    4929cf8f7fe83fdf036dbe4111edf8a756d298f0

    SHA256

    44d2f42de4237b86d1a6aa43e5389c5709f3c46275a2ad25a7f7a6903f65a37e

    SHA512

    1785b1df517837e6b7505d7c6c65cb19b183f3143e75204a162ab67ca4a682f42353889b8112d6ecaf4b75861566294b63a27a8dfc7ec34b12301272f8bab29d

  • C:\Windows\{E029C396-4B97-4617-B6D2-1C0FBEFD38E1}.exe

    Filesize

    192KB

    MD5

    4f99f5365f23d03be500be8b37a57610

    SHA1

    548465ead80b3a611229c8543d982e619a3ccf1d

    SHA256

    48b5939c80f83e9a34b5279a483836f96df2f988befaa686ea0c9ae3c45211b5

    SHA512

    35775c2cc7dd71ead59b531f1bb64d898599bd971554ba3dbaa3e4f384907933289ee0bbe8eb8688e955cafa34734424db1b5d0f814f7edacc74b2aa4f44e111

  • C:\Windows\{EFFBDFD0-EB1A-4f44-BC12-84F9710BBE99}.exe

    Filesize

    192KB

    MD5

    70a7272d3615e7998808aba9e991492a

    SHA1

    3025f234b2cfca72082f8a40c92ed46b697fd104

    SHA256

    4bb957afee8b82e000849e4d782f1286f3bf9ec490c3f800321286e9c0a7c246

    SHA512

    30f293f8b9f748f17a7b5a3666692c676c51f867d818095000db5ece88009b4d15a626edcacdca5a656add1eb78818125ec8fb308026549c146abbc3d1709ea8

  • C:\Windows\{F0A21365-A145-44f4-9757-90C46DECBF79}.exe

    Filesize

    192KB

    MD5

    509bed8bfd9954dc693f2189b0575b53

    SHA1

    2330ed431ec9e4b851214715d6b3d4ba69867097

    SHA256

    c63ae83a6f04287db0065c6f986ac8649dd53daaa0738e359e3cb0c13e7e873c

    SHA512

    b79c73027538395e16a78e5e10eb2f38b7ea7085bb2cd493178b30d715faa05cb305c0f4c500e76246f9dab174e1bf2fc36335f7c699674109a277edb2cb2d36

  • C:\Windows\{F41DB5EA-905E-40d8-A4C1-07BA1359DE72}.exe

    Filesize

    192KB

    MD5

    5d73d855bf17cc856fe688e1cbd6741d

    SHA1

    39617a08041c68ed91f1bd7760879c0c5f7df610

    SHA256

    d58679451bf1171d4f974ae920ba03de705fb95b13ccc237018d4f5f79007ee9

    SHA512

    06b97a6195d7a898d684fcd8e8b25db13da07f1a022e91c9efbfb4d0b6f7ec8cf4abd82e2400d27bde1ae8d60c45a0a092cfcbab91eaef2043c39ec30d8d9d94