Analysis

  • max time kernel
    149s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-09-2024 10:59

General

  • Target

    2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe

  • Size

    408KB

  • MD5

    6a5a4e995801b16fa572127029bf3030

  • SHA1

    2ca35553daaca842df7b0c50f87d2ec127b39905

  • SHA256

    0d6ca38949b3046297959ff92a108f31e784c8fc308ce22ff4227c82786a0bb7

  • SHA512

    b19c685257989570b03b7c82f5281ab14689373f0ebd843d2d06fa20c81edf1546edc0a3564b0def9066bf0cbee89d3dfe7dc6a99afa61ffb434386e5882e56f

  • SSDEEP

    3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGtldOe2MUVg3vTeKcAEciTBqr3jy

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-06_6a5a4e995801b16fa572127029bf3030_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Windows\{9C084767-38D7-4ea1-8F24-1BD73F301D93}.exe
      C:\Windows\{9C084767-38D7-4ea1-8F24-1BD73F301D93}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Windows\{60FA926C-5BA4-4ec2-AE83-DFD8FB9D1C3A}.exe
        C:\Windows\{60FA926C-5BA4-4ec2-AE83-DFD8FB9D1C3A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Windows\{E71EE6E2-D143-4f22-93EA-C881C1B7DA0D}.exe
          C:\Windows\{E71EE6E2-D143-4f22-93EA-C881C1B7DA0D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:388
          • C:\Windows\{E9553056-7BD2-4799-AB35-E4D40F312C11}.exe
            C:\Windows\{E9553056-7BD2-4799-AB35-E4D40F312C11}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4132
            • C:\Windows\{999C3172-3204-47a8-8424-F285D5B677D2}.exe
              C:\Windows\{999C3172-3204-47a8-8424-F285D5B677D2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4508
              • C:\Windows\{D0993FA7-F301-423a-BFB2-BA705688282D}.exe
                C:\Windows\{D0993FA7-F301-423a-BFB2-BA705688282D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3228
                • C:\Windows\{E2EF7225-53D4-4795-A51E-FF22BA0FE501}.exe
                  C:\Windows\{E2EF7225-53D4-4795-A51E-FF22BA0FE501}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1800
                  • C:\Windows\{1141C108-691E-4f3a-9F62-30E21444477C}.exe
                    C:\Windows\{1141C108-691E-4f3a-9F62-30E21444477C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4408
                    • C:\Windows\{85B08F43-DBA2-47f2-8DBE-ED96502907D4}.exe
                      C:\Windows\{85B08F43-DBA2-47f2-8DBE-ED96502907D4}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3808
                      • C:\Windows\{926C40CB-F7A0-49a2-ADA4-8CB33E9A2686}.exe
                        C:\Windows\{926C40CB-F7A0-49a2-ADA4-8CB33E9A2686}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2088
                        • C:\Windows\{13C689A3-CBBB-4277-AB28-4E74E9EFB553}.exe
                          C:\Windows\{13C689A3-CBBB-4277-AB28-4E74E9EFB553}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1244
                          • C:\Windows\{CEAFCDFC-1310-40bb-A474-7E0358DE5A5A}.exe
                            C:\Windows\{CEAFCDFC-1310-40bb-A474-7E0358DE5A5A}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4076
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{13C68~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2512
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{926C4~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1960
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{85B08~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2348
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1141C~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4984
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E2EF7~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3880
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D0993~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:5028
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{999C3~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4524
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E9553~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3612
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E71EE~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4464
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{60FA9~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:696
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C084~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2508
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3380
