Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/09/2024, 01:22

General

  • Target

    2024-09-08_35192e89006d10c925969e6363018cd0_goldeneye.exe

  • Size

    168KB

  • MD5

    35192e89006d10c925969e6363018cd0

  • SHA1

    562cff44b372c013b42e2335aa5af49dd4dd4353

  • SHA256

    33775182b91005df376ed1c3f08057cc6fe3fceab7c30aecdc7070f638981a49

  • SHA512

    08483284587a1332239cd36420ecc84422325a6059709dc2c108c2a8b313d4792dfb228f4e5122cc5064984e306ad018859a736ee82e507a2e1482241b077346

  • SSDEEP

    1536:1EGh0onQlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oQlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-08_35192e89006d10c925969e6363018cd0_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-08_35192e89006d10c925969e6363018cd0_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\{49C0D723-603C-44bd-85CE-438DAEDD566E}.exe
      C:\Windows\{49C0D723-603C-44bd-85CE-438DAEDD566E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\{4FB0BE66-EFAF-4ad7-938D-B21DC38400FE}.exe
        C:\Windows\{4FB0BE66-EFAF-4ad7-938D-B21DC38400FE}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\{36F967A5-E952-4306-8776-A04972B430F6}.exe
          C:\Windows\{36F967A5-E952-4306-8776-A04972B430F6}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Windows\{7C76AD35-10C1-455d-99BA-30F871A15178}.exe
            C:\Windows\{7C76AD35-10C1-455d-99BA-30F871A15178}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2912
            • C:\Windows\{8CEAC21B-64D0-467b-A8CF-54601B2F5B40}.exe
              C:\Windows\{8CEAC21B-64D0-467b-A8CF-54601B2F5B40}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2140
              • C:\Windows\{EA072352-1492-46d5-BD92-3F6C3908C487}.exe
                C:\Windows\{EA072352-1492-46d5-BD92-3F6C3908C487}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2212
                • C:\Windows\{4902DC17-D81D-49d0-B304-BF7D801F33BC}.exe
                  C:\Windows\{4902DC17-D81D-49d0-B304-BF7D801F33BC}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2812
                  • C:\Windows\{B93D898A-4F42-4d0f-BE18-FBAD81DFB005}.exe
                    C:\Windows\{B93D898A-4F42-4d0f-BE18-FBAD81DFB005}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2036
                    • C:\Windows\{55B4B985-147E-4c89-8971-4295F09DF9E6}.exe
                      C:\Windows\{55B4B985-147E-4c89-8971-4295F09DF9E6}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2280
                      • C:\Windows\{C4DD2B10-B090-460e-8081-C9B6B012855A}.exe
                        C:\Windows\{C4DD2B10-B090-460e-8081-C9B6B012855A}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:872
                        • C:\Windows\{71DDDFAB-9985-4637-A709-12CEE096A043}.exe
                          C:\Windows\{71DDDFAB-9985-4637-A709-12CEE096A043}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1152
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C4DD2~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3040
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{55B4B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1352
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B93D8~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:564
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4902D~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2020
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{EA072~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2844
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8CEAC~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2328
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{7C76A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2104
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{36F96~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4FB0B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49C0D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2908
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2232

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\{36F967A5-E952-4306-8776-A04972B430F6}.exe

          Filesize

          168KB

          MD5

          c3b2de40e08f561caa7ef6a91d31820a

          SHA1

          57ac1aa1649d7dc1329a4fc96e25ea8d7ee8e9c7

          SHA256

          536d00453738c54a7ce835e5442b96e58dd091ca0e53fa7d9fbf1dd186d21841

          SHA512

          eb74462f2541b919a8dcdee1dfed2bf3b7efd9af7389f325f43ae3e956f165c542d3770ef7f49af0b01b0bf19a710827d2d9d956812c99d95afe71fc46cb7e0b

        • C:\Windows\{4902DC17-D81D-49d0-B304-BF7D801F33BC}.exe

          Filesize

          168KB

          MD5

          0c08ff3feda1bb2e2e935451c87b74b7

          SHA1

          65878ca7c5115dce0de961e989dc3513e6bf044d

          SHA256

          7ac8ba55b65f2a83aafd491101c1a9295f2221454cdb688b5bf949f2c8b5c3d0

          SHA512

          acaa2037105fc92bfc21592c0af6d2afba6061f61457c462113a447b624a38e90a137e5da819f8ed230c0715df677a8a21e59d3e6f5d1b4d67b36a30e51a16b9

        • C:\Windows\{49C0D723-603C-44bd-85CE-438DAEDD566E}.exe

          Filesize

          168KB

          MD5

          cbf1af03983f57987e0732d37e859488

          SHA1

          068445d2448436c744f45405090cf8123e666911

          SHA256

          a86166e225670c9ff30d5020f91946e861c490cb797bd494259def326b81cced

          SHA512

          65b26ff5b14f8000da0afdc546630fb74163d6b35b17036ede684154863c31d94820fd94a0a0ee141a95d9449d665c4fc12720cabddbd30e04585cc72073df74

        • C:\Windows\{4FB0BE66-EFAF-4ad7-938D-B21DC38400FE}.exe

          Filesize

          168KB

          MD5

          69436ce2ca0fa7183dc5a57abf429396

          SHA1

          c1817993448bc9298c98ee7eece38960515edccb

          SHA256

          759b21cf1bab6b54e77d31d78e611e34f625609869f0e9e5cd5f87106cbeb998

          SHA512

          64cba68209247c1081d46af5c957ef60768ce038861e131453fd33025e3fb4e873d31a8c44dd19a02f8239377a7338626c0138d41b8306fee9e03de1a1f7e834

        • C:\Windows\{55B4B985-147E-4c89-8971-4295F09DF9E6}.exe

          Filesize

          168KB

          MD5

          7b5eeaab75e10148580c308e1a35ef2a

          SHA1

          0d47f9df45c12727079ea684e56ecac7bde3164d

          SHA256

          944b3a1569d266d876b188c3b3cc772e7377960cdc91343a77685e3ca4376133

          SHA512

          16ad8a32b22354113ee80997db436f72e797b0e532e3446ff2dfae26b77d609525159fb3ab9546fae54b8978808204780540a359898c30b6bb327556d2fe03b2

        • C:\Windows\{71DDDFAB-9985-4637-A709-12CEE096A043}.exe

          Filesize

          168KB

          MD5

          2fbd356e2dc356c5982747e8fd09d39d

          SHA1

          35fbe975e04b9864f137dde546f7b99a7f91fc8b

          SHA256

          bc98e66ab868b5af76291516c9115f72acfc0c9d5036efcee28a7a194d6fab66

          SHA512

          c864aa130da57db98d6033e1d4395c6561c366554bb8fd419212a19f7741ec7fe1f1aab2f3e647da3a9ce2acbb5ab28737dc9b96e8272e311d00f131873db079

        • C:\Windows\{7C76AD35-10C1-455d-99BA-30F871A15178}.exe

          Filesize

          168KB

          MD5

          fabad8aa7059af0ec7de9c0d4dc776a3

          SHA1

          a446d90a57abdf63489d9cb7ea2e124ca9960811

          SHA256

          1a12c745b5aa95f2afca31cdd9dc8259d1ea8d22177f704b49caafea6f635eca

          SHA512

          f7e324791798346e46c43e88eace5d29aa5dc10fa83eaf761c5b232bd7f8c34db3ab6903462342d2204dea2c13fb2d70dfef48d59daf6e9b53f6235ea8506ae1

        • C:\Windows\{8CEAC21B-64D0-467b-A8CF-54601B2F5B40}.exe

          Filesize

          168KB

          MD5

          c61a976bfc17775fda82331576325bc3

          SHA1

          15690431bdd7144ece99447e9b929370661c27b6

          SHA256

          a7dd2bb43c81062d7e1565efd46322cd5c696298de07fde33d65f5b3054c5ef1

          SHA512

          d7b6ca389822d1d6fdd23db98852a63c522e29aeae59ba457685325702dd31901f0b14d5afee044a2d54021411d5fe426cad7f222f47a8ad351e9333fa58189d

        • C:\Windows\{B93D898A-4F42-4d0f-BE18-FBAD81DFB005}.exe

          Filesize

          168KB

          MD5

          8e7fce9e0bfdb23bc7be406ec76b8a30

          SHA1

          a2a1bd707944799749fd9d3cc98f93f6a3660902

          SHA256

          004517ce466c7a3d8c04ec3a90abc06b3a519a9173fa15017adc0f640f527b92

          SHA512

          5228a4836ef2dfa864d73ab00823e11ad77a4115ace72bccf3e9ff80d2c0215b9ba1aa6004251c511738f35bd5327826919b0383862fa061326da4a450d3f922

        • C:\Windows\{C4DD2B10-B090-460e-8081-C9B6B012855A}.exe

          Filesize

          168KB

          MD5

          ee55f62ae39def9aaea57c5ee340fdde

          SHA1

          674e9b62cccc055a9e3856dc489d6fdd2c2c6339

          SHA256

          b20f314fb4771225ee8439764edd2330ec74c371144a134b31be2332aa3452c0

          SHA512

          bd129fbdbc7fe32d1083410d8c87f82e697ddda45d2bc664e2b219d5380cb7e1dab64d1b982e64202534962ef0581a4f5619332ee05ac3dd674c96d3e0b750a2

        • C:\Windows\{EA072352-1492-46d5-BD92-3F6C3908C487}.exe

          Filesize

          168KB

          MD5

          98ff7e7a3e13eb23b8dffbb3af3f4afe

          SHA1

          e755684a9015c49229d5ea594c295127f878a8da

          SHA256

          e08eca4f90c8ed2deeffe1a767b8a4a51fea67a0358c63e54aaa10560b0039f2

          SHA512

          1ac7e84c3b0dac9bc2bd6c3b1536e2bbc5d763316f4ef363c554045b0d58247584236eae0b1dc4a68ec38a3abc9de80a17609b7838f47c26c89af11663cad245