Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    09-09-2024 03:56

General

  • Target

    2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe

  • Size

    197KB

  • MD5

    684f7891cf750ef3af5c130a20d488e4

  • SHA1

    819b4b59d82d25c16e1a293cc3b4db59e3b2ccb9

  • SHA256

    d85905b3b435782a9389e35f80cbeea9c2a574989c40ad254b7f22552a3adef0

  • SHA512

    d5549dfb7c465f615064470784575da38d36d64d9daf5aeecce71b578d4375bd26c9321df04890164cd1bac70648a1f43a7f27a94207e90432bdc1409bddce3a

  • SSDEEP

    3072:jEGh0oRl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGTlEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
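
Added example, not part of this report or of the sample: a small Python audit of an exported registry hive that shows how Active Setup persistence is evaluated. Windows runs a component's HKLM StubPath at logon when the user has no matching key under HKCU\Software\Microsoft\Active Setup\Installed Components, or when the HKLM Version is higher than the HKCU one. The .reg text below is constructed: the first component imitates the pattern in this report (a GUID-named stub dropped straight into C:\Windows), the second is a stock component that the current user has already recorded. The report does not list the exact key or StubPath the sample writes, so those values are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed registry export (not taken from the report). The first component imitates
# the pattern in this report: a GUID-named stub dropped directly into C:\Windows. The
# second is the stock "Windows Desktop Update" component, already recorded under HKCU.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E781F277-6967-43d4-9A96-3283AD2545B0}]
"StubPath"="C:\\Windows\\{E781F277-6967-43d4-9A96-3283AD2545B0}.exe"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"Version"="1,0,0,0"
"""

ACTIVE_SETUP_RE = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Active Setup\\Installed Components\\(.+)$", re.I)
# A bare "{GUID}.exe" sitting directly in C:\Windows, as the files dropped by this sample
GUID_EXE_RE = re.compile(
    r"^[A-Z]:\\Windows\\\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}; handles REG_SZ and REG_DWORD."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:  # .reg doubles backslashes and escapes quotes inside string data
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m:
            keys[current][m.group(1)] = str(int(m.group(2), 16))
    return keys


def version_tuple(v: Optional[str]) -> Tuple[int, ...]:
    """Active Setup versions are comma-separated integers ("1,0,0,0"); absent counts as 0."""
    if not v:
        return (0,)
    try:
        return tuple(int(p) for p in v.split(","))
    except ValueError:
        return (0,)


def audit_active_setup(reg_text: str) -> List[dict]:
    """Return one finding per HKLM Active Setup component that defines a StubPath."""
    comps: Dict[str, Dict[str, Dict[str, str]]] = {}
    for path, values in parse_reg_export(reg_text).items():
        m = ACTIVE_SETUP_RE.match(path)
        if m:
            hive = "hklm" if m.group(1).upper() == "LOCAL_MACHINE" else "hkcu"
            comps.setdefault(m.group(2).lower(), {})[hive] = values
    findings = []
    for comp_id, hives in comps.items():
        hklm = hives.get("hklm", {})
        stub = hklm.get("StubPath")
        if not stub or hklm.get("IsInstalled") == "0":
            continue
        hkcu = hives.get("hkcu")
        # Explorer runs StubPath at logon when the user has no HKCU record for the
        # component, or when the HKLM Version is higher than the HKCU one.
        runs = hkcu is None or version_tuple(hklm.get("Version")) > version_tuple(hkcu.get("Version"))
        exe = stub.split(" ", 1)[0].strip('"')  # first token of StubPath is the image
        findings.append({
            "component": comp_id,
            "stub_path": stub,
            "runs_at_next_logon": runs,
            "guid_stub_in_windows_root": bool(GUID_EXE_RE.match(exe)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_active_setup(SAMPLE_REG):
        flag = "SUSPICIOUS" if f["guid_stub_in_windows_root"] else "ok"
        print(f"{flag:10} {f['component']} runs={f['runs_at_next_logon']} stub={f['stub_path']}")
```

On a live host the same export comes from `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` plus the HKCU and WOW6432Node subtrees; the 8.3 short-name handling and the image-path heuristic are deliberately simple and should be tuned to the environment.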

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\{E781F277-6967-43d4-9A96-3283AD2545B0}.exe
      C:\Windows\{E781F277-6967-43d4-9A96-3283AD2545B0}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\{AE020FEE-7F73-41bd-8D00-0959CE140B8C}.exe
        C:\Windows\{AE020FEE-7F73-41bd-8D00-0959CE140B8C}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\{4D87552D-E62A-439e-AA55-A63C10297449}.exe
          C:\Windows\{4D87552D-E62A-439e-AA55-A63C10297449}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\{794679C9-71BF-4582-BB7A-A1EAEE61E2C2}.exe
            C:\Windows\{794679C9-71BF-4582-BB7A-A1EAEE61E2C2}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2104
            • C:\Windows\{71D9575D-4105-4c5d-8D70-2E8BA738997A}.exe
              C:\Windows\{71D9575D-4105-4c5d-8D70-2E8BA738997A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2072
              • C:\Windows\{FE9AD114-41C4-40a5-AB16-84575C0DC1E5}.exe
                C:\Windows\{FE9AD114-41C4-40a5-AB16-84575C0DC1E5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2256
                • C:\Windows\{D50600AA-AB00-4ab1-A42D-84E04A7F1757}.exe
                  C:\Windows\{D50600AA-AB00-4ab1-A42D-84E04A7F1757}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1332
                  • C:\Windows\{D73479E2-515F-4923-8A42-39AD5A66E1BA}.exe
                    C:\Windows\{D73479E2-515F-4923-8A42-39AD5A66E1BA}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1612
                    • C:\Windows\{540BAAC6-6EFF-4f0e-A313-1EB17308B4C7}.exe
                      C:\Windows\{540BAAC6-6EFF-4f0e-A313-1EB17308B4C7}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1648
                      • C:\Windows\{BBCB269F-0466-44b9-BFD3-00D6F80B15A4}.exe
                        C:\Windows\{BBCB269F-0466-44b9-BFD3-00D6F80B15A4}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3012
                        • C:\Windows\{14D434C1-6268-4f0d-BC13-7C2D15615908}.exe
                          C:\Windows\{14D434C1-6268-4f0d-BC13-7C2D15615908}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1496
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BBCB2~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1692
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{540BA~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2380
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D7347~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2084
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D5060~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2296
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{FE9AD~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2060
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{71D95~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:296
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{79467~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2408
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4D875~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:464
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AE020~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2584
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E781F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2732
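
Added example, not part of this report: detection logic in Python for the two behaviours the process tree above shows, a chain of GUID-named executables in C:\Windows that each spawn the next stage, and each stage removing its parent through a child cmd.exe running `/c del <8.3 short name> > nul`. The event records are constructed from the first three stages of the tree (PIDs and paths copied from the report; the root's parent PID and the benign rows are made up); real input would be Sysmon Event ID 1 or Security 4688 records with the same fields.

```python
import re
from typing import Dict, List, Tuple

CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed process-creation records modelled on this report's tree (not real telemetry).
EVENTS: List[Dict] = [
    {"pid": 2488, "ppid": 1400, "cmd": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe"},
    {"pid": 2748, "ppid": 2488, "cmd": "", "image": r"C:\Windows\{E781F277-6967-43d4-9A96-3283AD2545B0}.exe"},
    {"pid": 2732, "ppid": 2488, "image": CMD,
     "cmd": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
    {"pid": 2944, "ppid": 2748, "cmd": "", "image": r"C:\Windows\{AE020FEE-7F73-41bd-8D00-0959CE140B8C}.exe"},
    {"pid": 2804, "ppid": 2748, "image": CMD,
     "cmd": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{E781F~1.EXE > nul"},
    {"pid": 2540, "ppid": 2944, "cmd": "", "image": r"C:\Windows\{4D87552D-E62A-439e-AA55-A63C10297449}.exe"},
    {"pid": 2584, "ppid": 2944, "image": CMD,
     "cmd": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{AE020~1.EXE > nul"},
    # Benign rows (made up): an installer deleting its own log file is not a self-delete.
    {"pid": 3100, "ppid": 1400, "cmd": "", "image": r"C:\Program Files\Tool\setup.exe"},
    {"pid": 3120, "ppid": 3100, "image": CMD,
     "cmd": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul"},
]

# "{GUID}.exe" directly under C:\Windows, the naming used by every dropped stage above
GUID_EXE_RE = re.compile(
    r"^[A-Z]:\\Windows\\\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
DEL_RE = re.compile(r"\bdel\s+\"?([^\"\s>]+)", re.I)
# DOS 8.3 short name such as {E781F~1.EXE: up to six characters of stem, "~N", extension
SHORT_RE = re.compile(r"^(.{1,6})~\d+(\.[^.]*)?$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def short_name_matches(short: str, long: str) -> bool:
    """True if the 8.3 name could refer to the long file name. Simplified: NTFS builds the
    short stem from the first six legal characters of the long name; this ignores the
    stripping of spaces and extra dots that happens for more exotic names (assumption)."""
    m = SHORT_RE.match(short)
    if not m:
        return False
    stem, ext = m.group(1), (m.group(2) or "")
    long_up = long.upper()
    return long_up.startswith(stem.upper()) and (not ext or long_up.endswith(ext.upper()))


def find_self_deletes(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """Flag cmd.exe children whose 'del' target resolves to the parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[int, int, str]] = []
    for e in events:
        if basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmd"])
        parent = by_pid.get(e["ppid"])
        if not m or parent is None:
            continue
        target = m.group(1)
        same_dir = dirname(target).lower() == dirname(parent["image"]).lower()
        if same_dir and short_name_matches(basename(target), basename(parent["image"])):
            hits.append((e["pid"], parent["pid"], target))
    return hits


def longest_dropper_chain(events: List[Dict]) -> List[int]:
    """PIDs of the longest run of GUID-named C:\\Windows executables spawning one another."""
    by_pid = {e["pid"]: e for e in events}
    kids: Dict[int, List[Dict]] = {}
    for e in events:
        kids.setdefault(e["ppid"], []).append(e)

    def is_stage(e: Dict) -> bool:
        return bool(GUID_EXE_RE.match(e["image"]))

    def walk(e: Dict) -> List[int]:
        best: List[int] = []
        for c in kids.get(e["pid"], []):
            if is_stage(c):
                path = walk(c)
                if len(path) > len(best):
                    best = path
        return [e["pid"]] + best

    best: List[int] = []
    for e in events:  # start only from stages whose parent is not itself a stage
        parent = by_pid.get(e["ppid"])
        if is_stage(e) and not (parent and is_stage(parent)):
            path = walk(e)
            if len(path) > len(best):
                best = path
    return best


if __name__ == "__main__":
    for child, parent, target in find_self_deletes(EVENTS):
        print(f"self-delete: pid {child} removed image of parent pid {parent} ({target})")
    print("dropper chain:", " -> ".join(map(str, longest_dropper_chain(EVENTS))))
```

The chain rule alone fires on every stage in the tree; the self-delete rule is the higher-confidence signal because it ties the `del` target back to the parent image rather than matching on `cmd.exe /c del` in general.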

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{14D434C1-6268-4f0d-BC13-7C2D15615908}.exe

    Filesize

    197KB

    MD5

    5dc94ee6cf3b493a157e72c0293042f3

    SHA1

    276d544c0d4c6957dc94d4ae98bb90ebb8ad2199

    SHA256

    285954a313c9a2e8cb7523ab6e390c64b6641a848090fd4f224407b6ce6208b4

    SHA512

    c06ef750fb75b646a2aac71725fecb38717a751c0ad15e38646f6fe6e10abbaadc4f719e1fd1705796ffdb9e2d1d72305d1e8f3ee0d8ff086d7ef2a17970b16e

  • C:\Windows\{4D87552D-E62A-439e-AA55-A63C10297449}.exe

    Filesize

    197KB

    MD5

    fc5ba97db52f69d217d8e3a239f3824a

    SHA1

    ad299840bf2af84ac30871b90e493606700cf581

    SHA256

    a5f68fe59be57368910149f26f14848a35be22fba4f9ee4c7dd41630fd93ef0e

    SHA512

    9ac43e3ad10afbb79ac3985fe6556865bfe86ff4d7d6cb2e9825fbfaf8b876e8a73e0fd8e7fad130f078d0b4e6c7f9f2623becf92094fd047c27c28d4bb504be

  • C:\Windows\{540BAAC6-6EFF-4f0e-A313-1EB17308B4C7}.exe

    Filesize

    197KB

    MD5

    00a72f9b9ce65bf65c563e215e9c8057

    SHA1

    766503c748d6600527e6ce069b3b85247e0ce1b8

    SHA256

    fc959155fc4d1c8997b2d4b78085f3348815225b021a7f87ba393c43155f79ab

    SHA512

    89fb5d067fea953b339e50af50ce291d6a1a963ae067aafd3ed12f69221685a4dc9b7a14a94a0c42d14ac570ca26fa4e9af4d81282259a5889f41a9a4bd13dcc

  • C:\Windows\{71D9575D-4105-4c5d-8D70-2E8BA738997A}.exe

    Filesize

    197KB

    MD5

    720d71275b2850e1129654ea08ded5ed

    SHA1

    ed12f5e6046815415af489925aba5595360ac866

    SHA256

    39e950215250af0c31e1f0704a13e6d8543ec57b11ce6af1b1133696ea21a0f6

    SHA512

    6369389b02c93ba291c732ad073d3a4c511b100082bea6e5f987d090d56565c7f4f48633186fc9dee8ee98d985514c5e79be36899f93460685124ed016ff6b7f

  • C:\Windows\{794679C9-71BF-4582-BB7A-A1EAEE61E2C2}.exe

    Filesize

    197KB

    MD5

    89e1f0ef11515c290f211dbe381c1364

    SHA1

    3202c88ea3458b8eae048a8f4fb3dfcb1d6cf313

    SHA256

    c69d58a666fa0b23068264ce051b88fdf4e83807bae179f44e21f500d1717703

    SHA512

    376be4d50ddf6e86e92869d187426c5b4c60fb797e9bcbe72c052ffc1dc1b3f0c832126c4be5ea507f13ecb27f926e63b92e64dea96f6ee22b8ed6e7674a9b43

  • C:\Windows\{AE020FEE-7F73-41bd-8D00-0959CE140B8C}.exe

    Filesize

    197KB

    MD5

    f6ddc2ebfe9903bdb4bce178225a2441

    SHA1

    1253af906e28f175a8d528df949034ccfc1d5c93

    SHA256

    b1c155dc368e0e715e5cadfdf415d9eb41db2474f1d486a62d3ee704da73e9db

    SHA512

    a7be808752ed95dece7574e35232c1f9d8ac83608e8bd9e73fd01ebaebab7e91d40ef544a9660aee7550a5602cf280aca5c0a150ecb5571340fa35dd06d020f8

  • C:\Windows\{BBCB269F-0466-44b9-BFD3-00D6F80B15A4}.exe

    Filesize

    197KB

    MD5

    32c5a5f4e57307d3638e214607b59abc

    SHA1

    54bba0ec2156d4f551a87733ac5905dd6fdb5c68

    SHA256

    9126a607311a126496f2e7e2d1614cb878e5520f801df1b6a1989bc0f4ff4298

    SHA512

    6ca10e84c663aeba878c27d3a9b6fa816cb4e4a238bcd29c0aafae64105cecfd7824bdd9a930b5fbded997ed63214cd9bb129fdb2dbf1a7bb9514c58105fc495

  • C:\Windows\{D50600AA-AB00-4ab1-A42D-84E04A7F1757}.exe

    Filesize

    197KB

    MD5

    0c3bab3832e11993c6754f2c9488b743

    SHA1

    d33b294556f1499f6d44dfb5074d5ccb1fb1b3cc

    SHA256

    9721fd972b8d2786751e3a95212d15a8cd15d9f4cf18fd5daaab97d7e3377470

    SHA512

    e642adc64bf65b76e90d0950f49c731877a60ed199f85fbbe2838eb0f0445823b8e3358041229c1d6cd2468c59ea5a601004dc05e8b6a409767acdb903cf80ce

  • C:\Windows\{D73479E2-515F-4923-8A42-39AD5A66E1BA}.exe

    Filesize

    197KB

    MD5

    6d92a97ea9cd026c1b789c2052f58e3b

    SHA1

    ee83fcb8cbf60189d1a658795eded59929f35c2a

    SHA256

    de5ea65a6404f5e8b6fce6dddec2ee935ab34cfb923315f445783a97d983e2bc

    SHA512

    0c7cf70846f95a3eb53b776d9c99db9bdc9f52a23fd67508a9ab0af4af79ebfd4d1bb6a9720d123562da2b61869a48e89343f3214e2c817e77577694d582cde2

  • C:\Windows\{E781F277-6967-43d4-9A96-3283AD2545B0}.exe

    Filesize

    197KB

    MD5

    1f09f5349afe1ce9b9d06667aeb2f6a5

    SHA1

    a6c924809ed8ac58144c5ef30c1042fc7d1a3304

    SHA256

    c8439fbd515cd3ecaa260787e13d42bcb5dfaf107960ba7c5b6ac268d18ed86d

    SHA512

    fb64538abd596b7c27c4a3da86724c46fdb1775ca5dd274c4019249b24888dcf0c5287f40da72f757a0e7dc3be6b30e2dd9886c76726c06b6569442e78ac12a9

  • C:\Windows\{FE9AD114-41C4-40a5-AB16-84575C0DC1E5}.exe

    Filesize

    197KB

    MD5

    9966f560d90d1a2fe8a247091f7a1f97

    SHA1

    415c10711807459eba86ea2b84652d8251478e3e

    SHA256

    50c4bf2289284205b0bf99a5cb3ee712f7115f20c114b7f5aa516efe6aabb135

    SHA512

    d6a9d1026ac354416a3df784aa6c66099edf65a782dd5400e5f34e6aaefd94bed61c79f91c6bd521a53b789d9576125ed26f4460e1a4edce03f2e62ce5e95801