Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-09-2024 03:54

General

  • Target

    2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe

  • Size

    408KB

  • MD5

    508e14c07b710e9f09a714899e20c7d3

  • SHA1

    706e0084d5303186cffbc27faf4b7f343fa3b341

  • SHA256

    4204727d562c1e6a328c40c693dfacc47ee5d92ad1dd3fb8e59966658bd77fa6

  • SHA512

    0677a59f17afd90030bb09a1e95217f673c9775e21679b356643b3af70332e15cfa2c249998f63592b6a595adca6b1c9f64d881ec67771ad1ea2123fd5ea229b

  • SSDEEP

    3072:CEGh0oel3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGEldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Windows\{E18A85D0-1834-45d8-8D8E-9C81C8C5C86F}.exe
      C:\Windows\{E18A85D0-1834-45d8-8D8E-9C81C8C5C86F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\{DA0B38DD-5B50-43b4-B6BE-B2931BDD1489}.exe
        C:\Windows\{DA0B38DD-5B50-43b4-B6BE-B2931BDD1489}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\{241BA38B-9349-4ca6-9757-91972A6DCD66}.exe
          C:\Windows\{241BA38B-9349-4ca6-9757-91972A6DCD66}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\{4597819E-F39F-4e49-9EAB-D3D59AA2D3E2}.exe
            C:\Windows\{4597819E-F39F-4e49-9EAB-D3D59AA2D3E2}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3008
            • C:\Windows\{A82766BF-FAF8-4811-8373-034CD65D6720}.exe
              C:\Windows\{A82766BF-FAF8-4811-8373-034CD65D6720}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2900
              • C:\Windows\{11F88F77-F1F8-4ede-ACE3-DC720371B9A9}.exe
                C:\Windows\{11F88F77-F1F8-4ede-ACE3-DC720371B9A9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2348
                • C:\Windows\{550FD352-CCAC-4ea8-AF73-980633D82982}.exe
                  C:\Windows\{550FD352-CCAC-4ea8-AF73-980633D82982}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3012
                  • C:\Windows\{783AC596-C576-4490-BC1D-ABAAF55908A1}.exe
                    C:\Windows\{783AC596-C576-4490-BC1D-ABAAF55908A1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1920
                    • C:\Windows\{E8C0EAB2-F4E3-4ab3-A715-A4C00EE61AF8}.exe
                      C:\Windows\{E8C0EAB2-F4E3-4ab3-A715-A4C00EE61AF8}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2940
                      • C:\Windows\{3104DBDB-2268-44d9-88F4-0B4A8613633B}.exe
                        C:\Windows\{3104DBDB-2268-44d9-88F4-0B4A8613633B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2096
                        • C:\Windows\{5974A213-F43C-4ed7-8D62-86AEBE4C6E29}.exe
                          C:\Windows\{5974A213-F43C-4ed7-8D62-86AEBE4C6E29}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2528
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3104D~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1360
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8C0E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2376
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{783AC~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2384
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{550FD~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1588
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{11F88~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1784
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A8276~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:768
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{45978~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1028
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{241BA~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2420
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{DA0B3~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E18A8~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{11F88F77-F1F8-4ede-ACE3-DC720371B9A9}.exe

    Filesize

    408KB

    MD5

    240d6b016dc17bc07757e46a4f471f79

    SHA1

    db54791f522617bb462cd08d90a94ca097749bd9

    SHA256

    d1746ac3cc8c692ad5b14fbc014eaea67646699fe746d6f22faabf2bfef67697

    SHA512

    7ef078e337a57eb6166a542c8d072ba1150fc46398c1deb9279cd3c0521d5f4b40ae25909814191b6f9d0327a6a720eaa2f2b900c0ee6738bd659c3aaeaf0702

  • C:\Windows\{241BA38B-9349-4ca6-9757-91972A6DCD66}.exe

    Filesize

    408KB

    MD5

    f3eef5d4931fe5e6f286297479d73bbc

    SHA1

    f986d5ef57f0f1e1872e5964d8082ca9d2dc904c

    SHA256

    22b23a3b367f43608541cea4e54f17de5294b39e40dfed6afa436423358b608d

    SHA512

    ac44f98d91e9ee80849d89d625ea7cf77f4e66691ce62b5fb53fdf87beeea43ba8d847a7eb5d3481ffb1ceafa72de290653315f9a1465ebedfc3ab4c3338071d

  • C:\Windows\{3104DBDB-2268-44d9-88F4-0B4A8613633B}.exe

    Filesize

    408KB

    MD5

    1b28376a38a06ebd27fa40173d3c97e5

    SHA1

    15bdf2af08fcec54f2cb779e7539c3f9d2e8dd3e

    SHA256

    27cb7c9e3168596a222cdbdc75707fb7cfb7b437596b6838aeee55903047e64e

    SHA512

    8eb3a676928d50245f9b7035636643784bcaf8bb160594c189114e5fb3b1df2dc2d1c6307017ce893e3b13bd708cbf1d9b3dcc9ff547406d965b60518c7911ac

  • C:\Windows\{4597819E-F39F-4e49-9EAB-D3D59AA2D3E2}.exe

    Filesize

    408KB

    MD5

    67a7dfc2de9752d8688bcf3846803d89

    SHA1

    b799be1cc0170604bc3618ded6573f18421a7b7a

    SHA256

    b6c6e02b5b4aa9fb3e78128e803db3b23bd14c9b8b564394d46c01bdfeb50439

    SHA512

    d4549c6ab349dd32928bb6a00738982831e4b41b4fe327f52acaea255f7054f2103786c982abffda65f92b520acb09f9fb54f6a72bcc99b1c9395e9e6dc834cb

  • C:\Windows\{550FD352-CCAC-4ea8-AF73-980633D82982}.exe

    Filesize

    408KB

    MD5

    5552f40b0d2d73598d201bb4b0ec8566

    SHA1

    8038821a249e53ed76a016f89f5d8a770240ddb4

    SHA256

    0898c0ba0f815d94cb804a596e09a60e411899e9346f23781e4362400177b4c1

    SHA512

    4edf8c15928d064d39b85cec1812c4a6df0b649b7f61a92c3c9fb6174185ab0ae68855f5379a8134ff091326eba966f4aca3730e41d02bf8c82d2e63da42a87e

  • C:\Windows\{5974A213-F43C-4ed7-8D62-86AEBE4C6E29}.exe

    Filesize

    408KB

    MD5

    f0941eb34d8a7767182378f7c4649335

    SHA1

    578502db62f637b5e16b6b69df99ca0615f8c66e

    SHA256

    0c438d0e2330bfbd9aa1db69e8900afb173469ff25bff7b066c9f6b9faafaaae

    SHA512

    353736778ccdfae21212eeb3434f934bf16f3aecddb204402bc33adea4110eca1e4856bdaeb38bb6babcbafa2d581080f72f704ffe6ea5a3c36c3605bcdbea80

  • C:\Windows\{783AC596-C576-4490-BC1D-ABAAF55908A1}.exe

    Filesize

    408KB

    MD5

    dc87d2de9a54841d08b847d28c7f8a40

    SHA1

    529db4eed6a368c4a6136fefcdea3de61584a11e

    SHA256

    7146eee0e956cc331926e7ca7ea577c91144c454ee42c7444d1348d4e888bb1e

    SHA512

    cc612912bad95bf3f5137e4f1a0653142d643dfcd183d9c89b006032130b66cc37bcebcdbf2afc7bf152c4e803a177a18f02133568d24933e539bdc61d9f6911

  • C:\Windows\{A82766BF-FAF8-4811-8373-034CD65D6720}.exe

    Filesize

    408KB

    MD5

    b822331f84695a57ab035157df9c68bb

    SHA1

    284304d7609752acdef5185ddb94db31082f9f9c

    SHA256

    a597575b00b66b8b22edd1ea35df7282277e7d20f81adcb3f6fefed373352c6f

    SHA512

    ed22ea8e35bd62aeacf0ee81602c670c0d30a0fd518844b65517cd8c721d5f06bfcac35edd938d7c568637ef9afd6b5fdc1f711b5b7871bdc8ffd663d56604a7

  • C:\Windows\{DA0B38DD-5B50-43b4-B6BE-B2931BDD1489}.exe

    Filesize

    408KB

    MD5

    0d27766e922445eec396079c2b14ac8f

    SHA1

    f284ddadc43082c5ce869323f95247e7457e765e

    SHA256

    60b504d6896e65a67c3204b36538b8b7346ea501db17e0f59a55a61742067c3e

    SHA512

    df695c7d61376c0ccbf867f248b00afe4209c38d7a0c73c43dba55ec1f5c5c065217252598741ff511daa714201593b6d91517720e9d5042bfd7cf6669c65b48

  • C:\Windows\{E18A85D0-1834-45d8-8D8E-9C81C8C5C86F}.exe

    Filesize

    408KB

    MD5

    b4bfef00bcaa388fe6970a0f91773cf7

    SHA1

    d19fcdb27419f766d64264359656714bb3e59645

    SHA256

    f978f5c41ea43bfefabe8482e510e7e543a9587369ba6281d39b4a3f682107f3

    SHA512

    6ed6d3ebcbda138ae02df59048d97179430341109bd9bd632340e26061221065b01c6ec2f7862b737dcdbc2fe95bc8644fce571aba71c71ec246cb84b42115bd

  • C:\Windows\{E8C0EAB2-F4E3-4ab3-A715-A4C00EE61AF8}.exe

    Filesize

    408KB

    MD5

    b35237af51ad21a9a007eb9bca3eb426

    SHA1

    2f399aeb0bdd16e523e1eb947a212289128514a3

    SHA256

    7697319e786aef435216c9f0e0a85d74f83a322cc2ba9dba277e9edbe3d011d6

    SHA512

    2a270b342e3a4c58dbd10b75616c74518f30be4e44ff1bc41562aaf60f000eb6ddb79316f0c4cc10b55cd04ef5b24c23d6b3f7c687e3f7e49cddb74ed43418da