Analysis

  • max time kernel
    138s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-09-2024 02:52

General

  • Target

    2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe

  • Size

    197KB

  • MD5

    85dbf2af3a820608c506266b00567e84

  • SHA1

    4d531e9d3134939b23b3adfc3fee364a68ba17df

  • SHA256

    ee8aef9c0827580f22cce5bddd68c91daf0427ac9d071ea4addf13d217e36f04

  • SHA512

    c1ce7bf0cd65a738dad56fc36781f3b0ffaa9b3710707f013435bda91c8747743e6f457ac0d197012c8bf680ad6ef61968f1b433a7ddfc2f80e937b56c9536e6

  • SSDEEP

    3072:jEGh0oIl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG2lEeKcAEca

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\{A51511A5-3C37-48b0-A036-EAB913D8FA0D}.exe
      C:\Windows\{A51511A5-3C37-48b0-A036-EAB913D8FA0D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\{920AD54F-39F0-4c9a-9470-C7102B97D562}.exe
        C:\Windows\{920AD54F-39F0-4c9a-9470-C7102B97D562}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\{C0D758CA-FAA7-458e-BDA4-C01C3A81D9A9}.exe
          C:\Windows\{C0D758CA-FAA7-458e-BDA4-C01C3A81D9A9}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\{3629E906-6512-4143-BFCB-D98BC888F66B}.exe
            C:\Windows\{3629E906-6512-4143-BFCB-D98BC888F66B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2152
            • C:\Windows\{E0055210-CF96-4609-AC28-91A6C4D307D2}.exe
              C:\Windows\{E0055210-CF96-4609-AC28-91A6C4D307D2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2508
              • C:\Windows\{8E83C214-F765-4668-94A1-C89974B4F376}.exe
                C:\Windows\{8E83C214-F765-4668-94A1-C89974B4F376}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2884
                • C:\Windows\{31578A71-BD2A-41ed-82F4-245C400093A1}.exe
                  C:\Windows\{31578A71-BD2A-41ed-82F4-245C400093A1}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1524
                  • C:\Windows\{1D6641D5-A53E-4c7e-8DCE-CE94B78B6642}.exe
                    C:\Windows\{1D6641D5-A53E-4c7e-8DCE-CE94B78B6642}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1196
                    • C:\Windows\{1CA81A7F-5066-40e5-9A20-927439B16580}.exe
                      C:\Windows\{1CA81A7F-5066-40e5-9A20-927439B16580}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1252
                      • C:\Windows\{FF604707-609F-43a0-880D-4C64103FDEC0}.exe
                        C:\Windows\{FF604707-609F-43a0-880D-4C64103FDEC0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1520
                        • C:\Windows\{32B48F4A-3F0C-4e63-9140-5D39D24B49E9}.exe
                          C:\Windows\{32B48F4A-3F0C-4e63-9140-5D39D24B49E9}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1044
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FF604~1.EXE > nul
                          12⤵
                          PID:1000
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1CA81~1.EXE > nul
                          11⤵
                          • System Location Discovery: System Language Discovery
                          PID:964
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D664~1.EXE > nul
                        10⤵
                        • System Location Discovery: System Language Discovery
                        PID:1768
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{31578~1.EXE > nul
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2208
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8E83C~1.EXE > nul
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:1796
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E0055~1.EXE > nul
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2140
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3629E~1.EXE > nul
                6⤵
                • System Location Discovery: System Language Discovery
                PID:856
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C0D75~1.EXE > nul
              5⤵
              • System Location Discovery: System Language Discovery
              PID:804
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{920AD~1.EXE > nul
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A5151~1.EXE > nul
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2592
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
        2⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2744

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\{1CA81A7F-5066-40e5-9A20-927439B16580}.exe

      Filesize

      197KB

      MD5

      cbdbf503eb9702213042db2af14aa1f3

      SHA1

      47eb35b0add55adea637c99ce73152d2a91a25dd

      SHA256

      96673c52462f884b0735405797591758eed5f8969cdbd6529726f9279a757e82

      SHA512

      e1ef9ae3ff57b06a452e91c78960df95ffa6dec069db15d559e095553db7da5bd9005e018567e0f417a930ccc281a58e7336517977ae7efe11c055ee86b0db6a

    • C:\Windows\{1D6641D5-A53E-4c7e-8DCE-CE94B78B6642}.exe

      Filesize

      197KB

      MD5

      9c7a3b71f9ab33aa707e68f33f24dc76

      SHA1

      528c568a5ae1424e541e5abde8577a1f0642b5f5

      SHA256

      5bfcee592d330a1afd8f71011283b1519e47222901175ab8fcc3176df2ce6ce6

      SHA512

      9debde878a658f8745082ddcbbf8e362078036faee0dc793cbfb40659b009b76c4304424ee9b655a15ad86dbee866d0d5e5a09ea3222105e3805e6fdc1d2e25a

    • C:\Windows\{31578A71-BD2A-41ed-82F4-245C400093A1}.exe

      Filesize

      197KB

      MD5

      0f6568091653dd4ec27d6c61f6139bbc

      SHA1

      f1d1c61233369a3b9db3aa739c153bf3e92ab9d0

      SHA256

      2d820c7c4d7f9e3a078d61f3eccb922e01d212114645b6d883bcb58301d81184

      SHA512

      e627d92804984c20d781fffae85806a8d87260d145d3367c79893f769d3e862538834e17a2e4ee7056cc010b3639c65322112219ba20f73649f45967a33649af

    • C:\Windows\{32B48F4A-3F0C-4e63-9140-5D39D24B49E9}.exe

      Filesize

      197KB

      MD5

      aa98e0a31d9da2717a4d5d5b3fb7ec15

      SHA1

      86aeb72138f189e02077e7c35afd3f683fa50d2e

      SHA256

      a05a4061db6eeb18acc896d1965e4899b5e58dafdfcf5a3cf77427f043ec26de

      SHA512

      7231e3dab003e62240a110b4fdf1018ca0c9ba8d7ebb7dd2fde102899d9d550c0a26a0861396202d7580e4ae0d84f09899912f4e86da4e7b8c46bb2351809139

    • C:\Windows\{3629E906-6512-4143-BFCB-D98BC888F66B}.exe

      Filesize

      197KB

      MD5

      4cb940b31226da6c12d584527c9e67a3

      SHA1

      084137de2fdc52bc68924d4f9262ddb3a421c3cf

      SHA256

      f4522ac7021ef84a887800bb32129acd2d01934d411fc3062560c24395be9a32

      SHA512

      8117791cd17bd9d5ab12de571eb253bccdd815ec505ff0c51165072944baa82dddc55610a2a6647da4900ad4f011cde4086fdf85861ac8cbc1938367bc3be71b

    • C:\Windows\{8E83C214-F765-4668-94A1-C89974B4F376}.exe

      Filesize

      197KB

      MD5

      dc50abde9a33d0e03a7e12d69ffc1179

      SHA1

      2f9849fafa147773f165c61eab6a081e463ca5ab

      SHA256

      1b67f9eac5695fc1cbef4730167f367d2f485e6560aeb339347f7eb329fd1b82

      SHA512

      7d552ce8dd785bb420275d140917e6940445da046a708328375792b4648f5a8c7b4507c4a85617f494ed07bbec29e03b65785be2fd29c41041fd1f0bb732abf4

    • C:\Windows\{920AD54F-39F0-4c9a-9470-C7102B97D562}.exe

      Filesize

      197KB

      MD5

      ba7bc3cfa8dd959a33875bc1bb094875

      SHA1

      9ea7b3d08391b61b777ef14048f5805fbfe856a4

      SHA256

      414f3b6f6c6d0f70df24138e6d1e348afc5678a709080ad81c2a7d0a74589260

      SHA512

      466d93a6f1907017373e398de187eebe7f0daffbd3605ab54c65ff633796ba2f55afe09931d17ee8813fedf0b0dbc9fbe8de73947963b0951c75cace10b42ed0

    • C:\Windows\{A51511A5-3C37-48b0-A036-EAB913D8FA0D}.exe

      Filesize

      197KB

      MD5

      7440276b4279efdd2075213374c05914

      SHA1

      4d41355a189fe83bccdb17c4cb5306dfd9effb97

      SHA256

      31ac01a8a8ce16deafa42472d22023a52546f4fcd31268d3086c1a64fd2639af

      SHA512

      e92260bc52ef70f52094fccac14ea715b2eaf68bfe41fb2a736f88b64b61cf9c847420cf74f03aa4081f87a73cb99eec12329be33e576210313ad6df356ec6d8

    • C:\Windows\{C0D758CA-FAA7-458e-BDA4-C01C3A81D9A9}.exe

      Filesize

      197KB

      MD5

      5ce75cc9b06d8e1d72def9b11c7635a4

      SHA1

      61fe8d888935480e28ba326f7e7f61460b415600

      SHA256

      93c2c10047baecf143bad6814a96cc15e3af2919128e011ae8d2ac05b5323aeb

      SHA512

      42cc9bccbe31fc49561b5afc0f3418431eea8e448d763460f67693c02d09686d8081971fbb7e6ad5b5a0bacaf779b8b61457be5a7f50397a89fa7133f5382577

    • C:\Windows\{E0055210-CF96-4609-AC28-91A6C4D307D2}.exe

      Filesize

      197KB

      MD5

      77f207f2c0882e8ef73261f3407bc1c9

      SHA1

      c36b2b8a027b0aab55e492b6baaba6f06e7f32fe

      SHA256

      1bc06b3f2fa385319046dc0572d4a6833a590727bc67c51ca311759a70805913

      SHA512

      175e18aa256ff2c61b0a300d3980b485d6e470c10b0d330bd3a81cc08219bf613357aec62f601ff521c9d433756c66842df41d9e9aab75e6c2fada0d676cc51c

    • C:\Windows\{FF604707-609F-43a0-880D-4C64103FDEC0}.exe

      Filesize

      197KB

      MD5

      693dc8f07d41d42a04d030b7258a3f80

      SHA1

      64b0c390e6434d45163a0d3d7538572c434d8521

      SHA256

      b8cd06cdbfc35f522c6fe27651e4f3eb4c2757597662757c5d12a49b15906dfb

      SHA512

      eb6b94abadc9772b1e2d5b4caf350551718191e7b19db72df221ddd02ad47927422579fc80c00275a3cd43adae2693127662bb66019192f274d90ec129afa660