Analysis

  • max time kernel
    149s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    06/09/2024, 06:45

General

  • Target

    2024090562cd081bd3e7f9784db59a7d190bfa57goldeneye.exe

  • Size

    372KB

  • MD5

    62cd081bd3e7f9784db59a7d190bfa57

  • SHA1

    def16a2b60a6aa463506dd16e62e2e123ee6e19a

  • SHA256

    674ad5de64c23d0e0bb26d875d0ffac969bec6bdc38f76e5a135970980d3d54d

  • SHA512

    f9c90f55b3cfe7ceb2185c7f55122b8793c8bcb8c627a1c05ad7ef264f4944f887772233762a5f34b5ea81a60b1867bc66ce93117ba45da0ed438836489cd42e

  • SSDEEP

    3072:CEGh0o2lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG4lkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024090562cd081bd3e7f9784db59a7d190bfa57goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024090562cd081bd3e7f9784db59a7d190bfa57goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3864
    • C:\Windows\{24C2E8BA-4223-4a77-964E-EBC82040278D}.exe
      C:\Windows\{24C2E8BA-4223-4a77-964E-EBC82040278D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\{514AA36E-11A7-4fae-8F3E-27A9E945AEA3}.exe
        C:\Windows\{514AA36E-11A7-4fae-8F3E-27A9E945AEA3}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Windows\{0F423D85-2A85-469d-A55C-4A9EFBC160DD}.exe
          C:\Windows\{0F423D85-2A85-469d-A55C-4A9EFBC160DD}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4288
          • C:\Windows\{9F259B4A-4804-4a81-BE8A-077121A774A6}.exe
            C:\Windows\{9F259B4A-4804-4a81-BE8A-077121A774A6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5016
            • C:\Windows\{3E68C8E4-0875-493b-844B-37287145A6B8}.exe
              C:\Windows\{3E68C8E4-0875-493b-844B-37287145A6B8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2208
              • C:\Windows\{35F8FF24-E341-4597-99B2-2CB024ED3A22}.exe
                C:\Windows\{35F8FF24-E341-4597-99B2-2CB024ED3A22}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4100
                • C:\Windows\{DB763F37-6EAF-46c4-B3BE-300A044BABB4}.exe
                  C:\Windows\{DB763F37-6EAF-46c4-B3BE-300A044BABB4}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2300
                  • C:\Windows\{07E4EFC2-61D9-4e17-9BF0-69689137A4B4}.exe
                    C:\Windows\{07E4EFC2-61D9-4e17-9BF0-69689137A4B4}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:888
                    • C:\Windows\{70E4E410-059F-4c52-AFDF-B7C374BBD821}.exe
                      C:\Windows\{70E4E410-059F-4c52-AFDF-B7C374BBD821}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4396
                      • C:\Windows\{F90F7D89-030A-4a5a-970F-FBFEC0B7E17F}.exe
                        C:\Windows\{F90F7D89-030A-4a5a-970F-FBFEC0B7E17F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4620
                        • C:\Windows\{2A65867E-3020-4a4e-96DA-D38AA99B636F}.exe
                          C:\Windows\{2A65867E-3020-4a4e-96DA-D38AA99B636F}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1032
                          • C:\Windows\{2C67784C-06BD-4197-A6F5-57FD3017F8F2}.exe
                            C:\Windows\{2C67784C-06BD-4197-A6F5-57FD3017F8F2}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4164
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2A658~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1776
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F90F7~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4644
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{70E4E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1548
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{07E4E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:5032
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{DB763~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3144
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{35F8F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:5004
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3E68C~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4300
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9F259~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3016
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0F423~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3368
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{514AA~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24C2E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{07E4EFC2-61D9-4e17-9BF0-69689137A4B4}.exe

    Filesize

    372KB

    MD5

    d908f078791623e5ad5fdd533da878bb

    SHA1

    68b67515abb77ceabe7057a217933dbf7093d849

    SHA256

    10e5b3a8f377fc8479c6e99a55361a43bd68a1beb79ce13a2615db00cbef3c18

    SHA512

    6dc70600819cda2bbc679b56118d0c21b74ffcf2b55e108802e127b00f39bc3d399252cc1bf1fff67f3e2eee67ec197483e4ac44e0699d9cc4a1cc4125433c55

  • C:\Windows\{0F423D85-2A85-469d-A55C-4A9EFBC160DD}.exe

    Filesize

    372KB

    MD5

    b69f4899fa61a061b0ac4f91cae14b37

    SHA1

    3b3c3d8c52baf7a40b2bdb154323af2ac92706e3

    SHA256

    6f6273417f73ed0f6854ced212f93b0c4c64b9631f23b503d771bba15781c947

    SHA512

    f74a07792fddd67127a22c91de50dbba626f9490e0f44668e8cbfe06cc7c2c0406bf823453c63caab7dfb3ee9fbe2ee95713f1daff4fbedb3756c5acd3242dbf

  • C:\Windows\{24C2E8BA-4223-4a77-964E-EBC82040278D}.exe

    Filesize

    372KB

    MD5

    9b468096e9f7388e8e066e7543622172

    SHA1

    193f819a39f0642d236c3925112d082d2e4528d5

    SHA256

    94406e375ebaee65baef8e8a5f7019355623c2c29f56e1b8ba6fd7699c821422

    SHA512

    0b552bf78304e123c34d6206296a0ca697a9ac46faa2eabed813e78c4af4cb2ed007d3bd31cbb99239f5cb6104df8b616e44deff7d348adc77108e8662dffcb7

  • C:\Windows\{2A65867E-3020-4a4e-96DA-D38AA99B636F}.exe

    Filesize

    372KB

    MD5

    1b0418a6451305157b6230d184624e47

    SHA1

    24945bd53d4b80253cc663b42e8e0d324652f804

    SHA256

    e1f45823a98871fb633083f5114ec47eb78b54a425adbda45172d7cd12067f98

    SHA512

    5fa929651d3bc3a349545b459a0b441e883e3479b0b2c8aa97d0003addcf3d153b148b34f15c33e088039553a55cb686422d80457c04dba70272cf788149b4be

  • C:\Windows\{2C67784C-06BD-4197-A6F5-57FD3017F8F2}.exe

    Filesize

    372KB

    MD5

    0d6bc2dfde7c36be6ec917619cf3c9b9

    SHA1

    c38d14ac0c3fd43c1e4d28fb1abc1c3f4d71df28

    SHA256

    43842d9d422965a1752e9c53ee85ca09c1beb2f136b97876ba7030417e6b0835

    SHA512

    2bd4addd32d9ca13aa851fc97f07f30419fbc1907dcd020a8949ee1166742cdfaa6a3192ee7596b4c995e73c1c1552ad77be417b02b8fcc9c7fc8d64d2d5a147

  • C:\Windows\{35F8FF24-E341-4597-99B2-2CB024ED3A22}.exe

    Filesize

    372KB

    MD5

    c36ec9d6384345935d3a524b63dc0a4e

    SHA1

    b22f91fd9f963c46e618cd9918c418c071517f76

    SHA256

    5f6f3f66efd438faecced31c180430b380fa50bc568cca1ef5c4a75793686444

    SHA512

    8583a837009741608d0703ef10638cd4af400937e05955daeb36437f91ac8c0e26ef293a6cc30847c7740fd58a480167f9eac18f34cf5d7e011177f8cbc3ffb3

  • C:\Windows\{3E68C8E4-0875-493b-844B-37287145A6B8}.exe

    Filesize

    372KB

    MD5

    1471436ce54564d8ce391f977d17d1da

    SHA1

    9d40c248074c608b7bc8bab68b545bf65d2f626b

    SHA256

    8f43157351dd14e644b3726898e86832461421afb3ce008b1ce7d15bdd93f7c1

    SHA512

    e65005a6ccfc65ed662db2bbd1e3afd9865954773e9bbaec6b7c8771e682ab6bab7b29f313ff70168179c672fa103b55bd34c8af38a11fade0748731a5080fd5

  • C:\Windows\{514AA36E-11A7-4fae-8F3E-27A9E945AEA3}.exe

    Filesize

    372KB

    MD5

    338b993d736e2270226c52c28f112272

    SHA1

    aa85c61bd396bad5d75454b0d6f4a535b4f61c70

    SHA256

    3f0033b5b6ed8e0c1593c5d212b90aebb5371183f6c03a61710f2e0348ac46a7

    SHA512

    06f120656c55f21cea98ff8e307d4a373f9a13ea129a44d9e4cd511d6f7912851ad42ab67630e106fa0b5b538c59b382b57a15d510c40a96af50123319be27a1

  • C:\Windows\{70E4E410-059F-4c52-AFDF-B7C374BBD821}.exe

    Filesize

    372KB

    MD5

    94f53d5542728053421df3f802297cf3

    SHA1

    8eb9dea014895511c4ae9cf93f49b92dc8d0b2ff

    SHA256

    a3bef6ab09e7649dd1da33873a0ea0b1901d62833512d731925f28d3501b7d6b

    SHA512

    2d1597a12e133399c9158733f7839fee813f41417360200692e004eb6da98d34e208404dda86f9a341eb1193fdf1f69c7f6f9d24ad0d39c31d1e0f43c6f6190f

  • C:\Windows\{9F259B4A-4804-4a81-BE8A-077121A774A6}.exe

    Filesize

    372KB

    MD5

    42b2dead4ca52bc3d08f901066294e40

    SHA1

    ffbe9d2d07c956230979c19d5b8a11af3e5025f6

    SHA256

    17dd1aa5f0d99fc712efc2d059af7b3979b526805148a4bc97a589999de86eb3

    SHA512

    4fc801aea1f7a3bafb0bcdd9578ecadca767d59b7b8d17866605bbee8ac946ea55fa8a0a840c54455a2e20f8fdeabe56e2bd369895c2cf0e942e396d5e2aafe0

  • C:\Windows\{DB763F37-6EAF-46c4-B3BE-300A044BABB4}.exe

    Filesize

    372KB

    MD5

    d1194a9b3492c36e403a799e195680f5

    SHA1

    d5bfb838096e33c82eea23069a223f4273d45560

    SHA256

    226e85ceebcf579fe32fd713164bb278163bedb5bf7af81b6a71d1e205ef71bb

    SHA512

    5630ec8499c10eaed6325d51bf836fde7910a9960b49da1ec9177ad7d731c9763870827467910be757d25b3e9eaeab8c89bc2bd5b2dca4e607510ec2a0eb34f9

  • C:\Windows\{F90F7D89-030A-4a5a-970F-FBFEC0B7E17F}.exe

    Filesize

    372KB

    MD5

    81205c9040a0910783d40fa1f63ae700

    SHA1

    6f7b63db8633c535455fefa090761691d3f4806e

    SHA256

    63245d4175ba0c7ddb7d7387f8f1e1adbe75dc552eb198ddc5311eb3426bdd1d

    SHA512

    e18a8d64854fd81af3931048808ba3d7db6cb6b6576a02a2ce24f2baf5d0dcf01fdcd51b1d1b69a81481966d5a9ea6dd863db52fa2d4e874db8dc39b8ce946a2