Analysis

  • max time kernel: 144s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 07-09-2024 04:03

General

  • Target: 2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe
  • Size: 344KB
  • MD5: 98482feaf9eb3d76a570fb5749b9cdec
  • SHA1: 4cc36f3ea4dde25dfcb1a216ad95b39cf859c09f
  • SHA256: 85215d9138ce57e501e742ad561460b9f08df73de4299bec8a6caffec743711f
  • SHA512: e9fb4e971949ab1c53eab8c846af963795bf4be1bd8dfb80566a67004805bc1c205a794b24f624cb3f5d4c6bdaf182a55c2a02957b07ccac0e42c90a612d589e
  • SSDEEP: 3072:mEGh0oIlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG6lqOe2MUVg3v2IneKcAEcA

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\{87358BD7-A258-44c2-97C9-F17FF03D432C}.exe
      C:\Windows\{87358BD7-A258-44c2-97C9-F17FF03D432C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\{823B39F7-F1F6-47a7-B4D8-E38991EDFFC1}.exe
        C:\Windows\{823B39F7-F1F6-47a7-B4D8-E38991EDFFC1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\{7AA4EC5E-E63C-4d02-BD06-8E3B8EE2E330}.exe
          C:\Windows\{7AA4EC5E-E63C-4d02-BD06-8E3B8EE2E330}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\{EC216DA2-E038-4747-8F3F-49DF1E3BD98E}.exe
            C:\Windows\{EC216DA2-E038-4747-8F3F-49DF1E3BD98E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2608
            • C:\Windows\{3259A6D7-0A77-4d4b-9375-13447B04E295}.exe
              C:\Windows\{3259A6D7-0A77-4d4b-9375-13447B04E295}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1952
              • C:\Windows\{1BDFC53F-3267-4aee-8FD9-E9F537FB5C24}.exe
                C:\Windows\{1BDFC53F-3267-4aee-8FD9-E9F537FB5C24}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2856
                • C:\Windows\{2DFA57B5-5D01-456f-82BC-378FCCF0376F}.exe
                  C:\Windows\{2DFA57B5-5D01-456f-82BC-378FCCF0376F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2368
                  • C:\Windows\{26F445EB-75FB-4877-856F-2DE991EFBA5B}.exe
                    C:\Windows\{26F445EB-75FB-4877-856F-2DE991EFBA5B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1152
                    • C:\Windows\{6E122E2B-DA73-4e8d-A4DD-0BB14FD0B1E5}.exe
                      C:\Windows\{6E122E2B-DA73-4e8d-A4DD-0BB14FD0B1E5}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:876
                      • C:\Windows\{89AA4D2A-4965-499a-BAAD-F4B8514FFE3F}.exe
                        C:\Windows\{89AA4D2A-4965-499a-BAAD-F4B8514FFE3F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1528
                        • C:\Windows\{785895BC-1C49-43a4-B4BD-A00FD048FD2E}.exe
                          C:\Windows\{785895BC-1C49-43a4-B4BD-A00FD048FD2E}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2800
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{89AA4~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2292
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E122~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:560
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{26F44~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1208
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{2DFA5~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2092
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1BDFC~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2508
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3259A~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2964
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{EC216~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:800
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7AA4E~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{823B3~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87358~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1724


Downloads

  • C:\Windows\{1BDFC53F-3267-4aee-8FD9-E9F537FB5C24}.exe
    Filesize: 344KB
    MD5: f79e81216ae72977f20a1cdfd9ec0fba
    SHA1: 6d37aa3d167754eb1db80140d10d36536fa7c968
    SHA256: 65553af7fdf1841066a2d8da20b4d2959945bc3a5c807bf6cb9babe451f5fea1
    SHA512: 7f56bc12bb5718c3b32fad37844f120e96da400b3fa5510d29f9737e0c5e00bea021fb5b66a1afd4055af32769353166ab891e118159dfc14397f935431ba02b

  • C:\Windows\{26F445EB-75FB-4877-856F-2DE991EFBA5B}.exe
    Filesize: 344KB
    MD5: 1e5f80e4417cb6387b339d14c02d082f
    SHA1: a0feaf5d614e6c4d6a446a2e46afcbfbb1325899
    SHA256: 9664993b5712e84c91c94ca1bb9e83831e54d5abdfcbfd2fbe7932ddb8c4a2b7
    SHA512: 6ea1d681de8bca3e860ba84727669b5e84700215ec003060c8f7dcd0d84ab1f9fe362b4e26891932aadc8db4b7ea6ef93ecf174fdffafd159175b8e240d13908

  • C:\Windows\{2DFA57B5-5D01-456f-82BC-378FCCF0376F}.exe
    Filesize: 344KB
    MD5: 565e9fb30ccf9208e6d9f6c863889085
    SHA1: 47e0185f07a5dfe3b839af365570284207db1497
    SHA256: 4954f51948740e9b7cbbe4212bdd0cf0ea213b75426ec7864f3aeaa27d92cb27
    SHA512: de1f648ba519dde50c17c4dd9740f3c65e55419ef74c1935c8bc6220523a72e9277b4002c69db690317dd3fd4d10c8ee7cda74057d7c5236bc297dbb77e2e6fa

  • C:\Windows\{3259A6D7-0A77-4d4b-9375-13447B04E295}.exe
    Filesize: 344KB
    MD5: 9f7752143f6eb3e52a074da7e896e4f4
    SHA1: 7d4792f63661f101740b817cb96e717db28ac333
    SHA256: 797bd5d74daf7abdebfe36edc0e1a142992d97cdf103866d0d3fb1d817432fab
    SHA512: 8c75585575e4e54066b7ec8a0be88f8fadd9a15226c7961daffddb407e972f28f5f1fd45d62f8bb8e09db9eda865406851d2623328c35cc6c62b886ff78db17a

  • C:\Windows\{6E122E2B-DA73-4e8d-A4DD-0BB14FD0B1E5}.exe
    Filesize: 344KB
    MD5: 41a13d03cd800575796b95edf98f3dac
    SHA1: 92bde88847901ffbbb91a7a7eea55b861db8b361
    SHA256: 1e9cf08624e033e0edc5aa94584301111d274cf9da2b3746493abc0422e836d6
    SHA512: 8c5f138c3829760626a59dd6a44060dc457bf861d81fe1321d69936cca9e8db221ecfa4641a69f40d70f89047b8e6cde4993851467069d151382c5ba0486d9fd

  • C:\Windows\{785895BC-1C49-43a4-B4BD-A00FD048FD2E}.exe
    Filesize: 344KB
    MD5: a8f8d4f9d9a523e4680bfe032ff98173
    SHA1: 8eeb79a5fb297c8e6859d0218dbd0e444429d6d1
    SHA256: a47bbb3d0ccd5a2339098bdaf5925ad511b0241c3d6dbddaa07bc6eb0081b804
    SHA512: cb2de4e01f5c101322a0c61a5ad2c23d1ea27409c2df0cbfec506cb745f1d2cc3a30ab067b3fd1ec4eada7b7b047496254d799bc92fea1e97a0cd319e64470b7

  • C:\Windows\{7AA4EC5E-E63C-4d02-BD06-8E3B8EE2E330}.exe
    Filesize: 344KB
    MD5: d33576994069e35821538fd167e15806
    SHA1: e785f094747d6ab44e1869fe2eecbdc3858bed90
    SHA256: 70caa32ed9f32a4cc85387c172210ff24596a9aadc127ee6a6c238c89785881a
    SHA512: 3b11232071bd6fc867253da2caec7cbd651fe6725b7437c66a9783098fddebb565cdd48553c8c896307f33452317e44b1975f183040e84792f87e5a5d3df14b6

  • C:\Windows\{823B39F7-F1F6-47a7-B4D8-E38991EDFFC1}.exe
    Filesize: 344KB
    MD5: f25aa46d11ff6703549fb4787d387ad0
    SHA1: 88f6bc40bcb66b6ee4033b8d957b14db8287bd64
    SHA256: 996c1aa35cbeedce058566254d916bfa01718d58a94d0d15f6e68fea3175d851
    SHA512: 24a92f4df74ddb2924f251feb686d46ea7644e071908d7f43245a2ada3536d6d1e93c78e281e24133e356b29864fc8d3376d7ba461db3d00acffe26047e8cf90

  • C:\Windows\{87358BD7-A258-44c2-97C9-F17FF03D432C}.exe
    Filesize: 344KB
    MD5: e0470a6b09c89690cd0c85ca8a78eb7a
    SHA1: 6fd1936993a8a366a5340afbf33db104bdc38c0e
    SHA256: 4cf27bdfb3335330eabce3c4b980b06ab583c3da75a94854b2f28d5335b0708f
    SHA512: c949499105704ed568384a6aef0b725e29afaa30cd563c24df17d208ee56a1b253d899b33416ac86b36fa53033e6bb744aac4f11077b0c06bb80a9ab335eb71f

  • C:\Windows\{89AA4D2A-4965-499a-BAAD-F4B8514FFE3F}.exe
    Filesize: 344KB
    MD5: 82560603f324b8b84b0992fdb07c8fa5
    SHA1: d52ef2b8028923e452b260abdf09648e1481c4ea
    SHA256: 2049f9718c3708b8c7d402e51194ac4a76fe94a51d4a51e0c862da9b6d380e19
    SHA512: 4734234593242cf06c56e6d97f336f581515d63acffbbf8546db79fa483009673e1db7793054dfead67f187bbd58ca5d1160db44a116d6d10d25a4d1058b43a2

  • C:\Windows\{EC216DA2-E038-4747-8F3F-49DF1E3BD98E}.exe
    Filesize: 344KB
    MD5: f3d9b70fdb38c597fea4a8fc395a9230
    SHA1: 53069f3f9107e2640f9abb2fbc967822c65ccf3f
    SHA256: e1439faee89f4d99e32b6d1fdfa577ea4b658de74442e5882eff0a77b8e4d84e
    SHA512: 9b9ba00b3535ebfcb802e42338d2b4339a1c4e8a1a3b27867495864502c2699a90c5f7537f1ce0ea9d4b6c9cac5936424cb093bc53c8e7eb56519a448fe8947e