Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/09/2024, 04:06

General

  • Target
    2024-09-06_e49e1033b65840b1618b04514d6c913a_goldeneye.exe
  • Size
    344KB
  • MD5
    e49e1033b65840b1618b04514d6c913a
  • SHA1
    bb3fd0e30377ca368ac55352391e057cefeb630a
  • SHA256
    cc7f30e2d09ab061d70e2b762e120c34c1df4ccf626f4fa32475907cf2e3b97d
  • SHA512
    6f1555754d31aedbc37fd5874bcc239139a44463045069502d64a93de4d2c7357b39dda36b549e3e476352687e14994f4976a2a72b833a84f94b7fb5dfde44da
  • SSDEEP
    3072:mEGh0oXlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGRlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-06_e49e1033b65840b1618b04514d6c913a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-06_e49e1033b65840b1618b04514d6c913a_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4380
    • C:\Windows\{2567FE16-D28F-478c-9689-27CBC73955A8}.exe
      C:\Windows\{2567FE16-D28F-478c-9689-27CBC73955A8}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\{8A21CBD2-B5CA-451e-9659-126AE0D15926}.exe
        C:\Windows\{8A21CBD2-B5CA-451e-9659-126AE0D15926}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\{F641CBA0-90C1-4b51-8C62-35705C732509}.exe
          C:\Windows\{F641CBA0-90C1-4b51-8C62-35705C732509}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3356
          • C:\Windows\{6C6332D7-579D-4153-9245-6243EA5866A8}.exe
            C:\Windows\{6C6332D7-579D-4153-9245-6243EA5866A8}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4728
            • C:\Windows\{263DA861-DA52-472f-8B6A-0ACDBEBCEAB0}.exe
              C:\Windows\{263DA861-DA52-472f-8B6A-0ACDBEBCEAB0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4048
              • C:\Windows\{1D458490-1AC6-4118-9DE2-165ABD89F4EA}.exe
                C:\Windows\{1D458490-1AC6-4118-9DE2-165ABD89F4EA}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1672
                • C:\Windows\{44221C32-4A74-4018-9448-186678C0B470}.exe
                  C:\Windows\{44221C32-4A74-4018-9448-186678C0B470}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:376
                  • C:\Windows\{1C057C81-A026-425a-B47F-6E4AB807EC03}.exe
                    C:\Windows\{1C057C81-A026-425a-B47F-6E4AB807EC03}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3820
                    • C:\Windows\{08392E5A-971B-42ef-9598-F52AFF7FD821}.exe
                      C:\Windows\{08392E5A-971B-42ef-9598-F52AFF7FD821}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2612
                      • C:\Windows\{94A12B1F-7545-4471-B417-004780AD00E2}.exe
                        C:\Windows\{94A12B1F-7545-4471-B417-004780AD00E2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2800
                        • C:\Windows\{3195CF19-5A68-473c-90A4-B844E4EF8DF0}.exe
                          C:\Windows\{3195CF19-5A68-473c-90A4-B844E4EF8DF0}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:448
                          • C:\Windows\{0EC3B526-12A1-4252-B03C-B9B3A0989FB9}.exe
                            C:\Windows\{0EC3B526-12A1-4252-B03C-B9B3A0989FB9}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4944
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3195C~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4372
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{94A12~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3232
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{08392~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3252
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1C057~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4436
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{44221~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1712
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1D458~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4568
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{263DA~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4472
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6C633~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3068
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F641C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4460
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8A21C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3292
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2567F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4996
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{08392E5A-971B-42ef-9598-F52AFF7FD821}.exe
    Filesize: 344KB
    MD5: d26e5d4bfff01cd1a869527c7a87681b
    SHA1: ddf11029ce79ab638656ad2d0bdf1dd1fa1ea3e0
    SHA256: 98731b43b997621ca3dfc61ec67ddd32d15da50d7a3ba8441337ceb03429ea74
    SHA512: cb66f895770c8643478ce42511a1f91a63bb3721e99c2a6e16137c1f4af1b99bd892cec049911106cff3bd511d3e2b9ef721e6ca51680561f3d081288618aacd

  • C:\Windows\{0EC3B526-12A1-4252-B03C-B9B3A0989FB9}.exe
    Filesize: 344KB
    MD5: 4339191e88e474fc63ce7931c86e160b
    SHA1: 6828564e7af5778bdcfed304dda9cabcb592df70
    SHA256: 5486aef57529ca69849f5753133fffd68e93bc6e8b00c7a47723aa5772322d4f
    SHA512: 904e5c9343734f0a16255fb2b5f2f35a2f1dd99893dd924bc80ef2349aef02e17d72a253b9e8808a2d3de4a59e98452b3a8214f65ae56c7228f7b6d561341085

  • C:\Windows\{1C057C81-A026-425a-B47F-6E4AB807EC03}.exe
    Filesize: 344KB
    MD5: 57bda057b3f323bf0936dd33f2496869
    SHA1: 6f113be6a13a1f1a66591ac4469e0d825419e476
    SHA256: ceeae1cc55acb8eb5088106da6a2b9a20b4965472494feaa6ff58ec93dacd35f
    SHA512: d8e74ae8ed3a1a07424b17acec06c0b7c04cedeafa3ef9495604119d29591911f48852900a46a96b5404488b7d2e77f7353960625a89a80e37349fa68b29d604

  • C:\Windows\{1D458490-1AC6-4118-9DE2-165ABD89F4EA}.exe
    Filesize: 344KB
    MD5: cf092615f60db90a5201983b3a43ddfa
    SHA1: e8320ac42a3f42e7b5bde98ba1e156c749344998
    SHA256: 7abe315a875116110ab6e2d8e5c2f17be3302bc9c48f32daf683aaa44d7dbc74
    SHA512: 1e3aa79d627161c9549779ac13162ae995c384f678d79433fcda29707ee6f68eaa32e2b206a6752add7da1d5f37755cf53932b1fc2db1e8b8154af861b751eb5

  • C:\Windows\{2567FE16-D28F-478c-9689-27CBC73955A8}.exe
    Filesize: 344KB
    MD5: 62e22f662c1036e8b3a678450284c08d
    SHA1: ad4c89e814204df9cfde04eb359c2945788d9626
    SHA256: 37e05527f9701dcfdbacc11b4f1f7a6a64b1d3cc4c955633bdc5b4fc76919e6b
    SHA512: 75be319b03836ad14d299975a5c4cfc16b0646a4c1f8d1b146f8d74ea00f16c3413867e537447997baf9c253ecafa743485bd4e0964eb6100255c31b30f55ade

  • C:\Windows\{263DA861-DA52-472f-8B6A-0ACDBEBCEAB0}.exe
    Filesize: 344KB
    MD5: 3673e98b8bce16306bbe7b3d9ebf9e7a
    SHA1: 7ecd1017500f3be21de3410f51b4976767d5e615
    SHA256: 8c26c44133bba865d4cd946af9f11d781af5bdfd541e7dded2319755ff6bcc0f
    SHA512: f855aeb35463adca4e44be38b6657fcc3a546323a3b98c32f284a01bd6cbe295d34588c68b076756666aa9d835a00a965bb6e8fd4b68f02a61f6b89f8eb221c7

  • C:\Windows\{3195CF19-5A68-473c-90A4-B844E4EF8DF0}.exe
    Filesize: 344KB
    MD5: 9225fdb62c4cc35f4fc76b9a6bda5032
    SHA1: 2eb9d0e486516f203996b78b81637f648314a7b3
    SHA256: 63246f08bec5d1a6f036016a429e0ceae64c85f61d7e1c38482ea21bd2a98dd2
    SHA512: a7cffd6110c0ddee8230d8df03a36038edf9ef09c99b292f98c4abed0613455bb329208750136a68c707d0d748b839df457e559066b43143802695ca9e23b57e

  • C:\Windows\{44221C32-4A74-4018-9448-186678C0B470}.exe
    Filesize: 344KB
    MD5: c61f06d49a682867da73ed564f0de715
    SHA1: 2f61e3f95406546be5618c6a77a583b4cb19f4d3
    SHA256: f431bacfeaaaaa3e749029b404b697456a0ab18f4f97fffca4848d600698d512
    SHA512: 04481ca04e35c2f9f0fb90d44dafe3cad89fb62652e0dd0cd063ad18ae534e502cb27f6fd73bac0073591b1c6fb23e71bb62a23191c248ee8eabf7bd5716906c

  • C:\Windows\{6C6332D7-579D-4153-9245-6243EA5866A8}.exe
    Filesize: 344KB
    MD5: 3f054a9c5bafe56b3e007fff1f2d31f5
    SHA1: edba44b1a4e9ed8bcc250b42292dce877c67a458
    SHA256: 59f0ad75eedbcb0013f378c203ef6bbdca52aac3f15a1c36e0948c366c9633c4
    SHA512: 0f913a1956ec8dee3125344ce422a5f8b6bd1ac52519e05dbf70c6ffb99397574e77fffd107380c8a73f84a58e4a347bbfa0fd9be80aefe5ef1a71c1b9617a9c

  • C:\Windows\{8A21CBD2-B5CA-451e-9659-126AE0D15926}.exe
    Filesize: 344KB
    MD5: 30ec460d8904e6bbc34d672e463ec275
    SHA1: c499e94324511d6d548538c79df948339fde7f9e
    SHA256: 5b39be3940fb5e90e0d52e9bdf91f80653768884d972da01a32c1ece27729f10
    SHA512: fd5e382a9918e226fe371b7c4694ccbbae6e77db368e66ca9dea36a10bd7b2988e37eb5d4019b857edb420d0d2a76968b1785c1ef13f5ecdf73cf355e53b8c6a

  • C:\Windows\{94A12B1F-7545-4471-B417-004780AD00E2}.exe
    Filesize: 344KB
    MD5: 7fd488807fa425cf308fc04b6dfd92b3
    SHA1: 759db5cb0ec68c7464258795baf8ac7a36b50e76
    SHA256: d98d414f86794d6998a0289a86b739480b6b04de2b84b310eef8e87dca5a27c8
    SHA512: dd6f36c9983c728808249104f41ab0496813ea9a203181c48548429c009b18160edf0943f5272d1aab52754c9288623fe41ea30d08cab774b6f048e6282100b5

  • C:\Windows\{F641CBA0-90C1-4b51-8C62-35705C732509}.exe
    Filesize: 344KB
    MD5: e26895941fc014c80969237bda846d5f
    SHA1: 66a96d6a02f35dea0b7b86284e0e1faa0fa5a80a
    SHA256: e6ecc7fa80ae2d45f4e874ffa35f9e10302bc387282419fa18075ceefe7b48f2
    SHA512: bdeaf4eb1897bccb8487f7536a4c8461fea0d305d4a59b3a6ff08cdc994c6c6b4a910cc6c041e2347705a3f2cf7ebfbda6c2c9a14ff86db2100da388bda48c59