Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/09/2024, 19:16

General

  • Target

    2024-09-09_d342f710da982c31fc39b137884e701b_goldeneye.exe

  • Size

    168KB

  • MD5

    d342f710da982c31fc39b137884e701b

  • SHA1

    435aed3b8655fd3c15dc69aea5733fe999f2636a

  • SHA256

    045df7e42f5229c6ad1e02e66d7007fc671424c0a0490e56a3fc248ee34d32ad

  • SHA512

    7b1ce73215c2fb5ea6098d8fd41c63f015a5f67d7149ea269186e8df0ffeacfdeeef1eed3477bcf21972c9e5b970f203a2f894df200822e694b9d6f66e31f85d

  • SSDEEP

    1536:1EGh0oAPlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAPlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-09_d342f710da982c31fc39b137884e701b_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-09_d342f710da982c31fc39b137884e701b_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\{EC030088-5D56-4672-9206-E735930A3637}.exe
      C:\Windows\{EC030088-5D56-4672-9206-E735930A3637}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\{D7415938-A9FF-4721-8010-D6C2C3CEEC9A}.exe
        C:\Windows\{D7415938-A9FF-4721-8010-D6C2C3CEEC9A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\{9C79B133-B86F-4f84-A828-AC71DEC392C9}.exe
          C:\Windows\{9C79B133-B86F-4f84-A828-AC71DEC392C9}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\{92E22757-1392-476e-B0FC-1CB11218C98A}.exe
            C:\Windows\{92E22757-1392-476e-B0FC-1CB11218C98A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\{E89A8E9F-504A-44b7-96F2-78977E29FC9F}.exe
              C:\Windows\{E89A8E9F-504A-44b7-96F2-78977E29FC9F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:664
              • C:\Windows\{24283467-357A-4565-84FA-6F6BD2DC796F}.exe
                C:\Windows\{24283467-357A-4565-84FA-6F6BD2DC796F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2068
                • C:\Windows\{EDAB1404-FDA0-4440-9DFB-9C47D923B5BF}.exe
                  C:\Windows\{EDAB1404-FDA0-4440-9DFB-9C47D923B5BF}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:836
                  • C:\Windows\{1821F2AD-C674-4605-86BB-D235E4582DF2}.exe
                    C:\Windows\{1821F2AD-C674-4605-86BB-D235E4582DF2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1040
                    • C:\Windows\{B7EF7498-AD68-45c7-A0E5-CA4B766639A6}.exe
                      C:\Windows\{B7EF7498-AD68-45c7-A0E5-CA4B766639A6}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:764
                      • C:\Windows\{3F713480-CAC5-4b4c-B19A-E15C76D4BFE8}.exe
                        C:\Windows\{3F713480-CAC5-4b4c-B19A-E15C76D4BFE8}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1864
                        • C:\Windows\{51AC1E14-6320-43cc-8F40-D68C224CF892}.exe
                          C:\Windows\{51AC1E14-6320-43cc-8F40-D68C224CF892}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1000
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3F713~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1592
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7EF7~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:452
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1821F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2948
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EDAB1~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2196
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{24283~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2792
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E89A8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2596
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{92E22~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1444
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9C79B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2656
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D7415~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC030~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2868
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2724

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{1821F2AD-C674-4605-86BB-D235E4582DF2}.exe

          Filesize

          168KB

          MD5

          303d0f296d40a13f94aeaf7e2550aab1

          SHA1

          4611ce029194a2732d73315c47dd7b0c895fa982

          SHA256

          f647672616b537de32d1ad29d7c93895f8b4f4e72f001b8edbb65bb5bcd12b21

          SHA512

          0baf5f70ea331c2f36e2ad1ac8be7cf12fd33a332b9c0255f27c3dcb4fa241f6bdb480a6142dd298a49853fb8a92d444f65cdeacb3c658313052f80ed3d3bd21

        • C:\Windows\{24283467-357A-4565-84FA-6F6BD2DC796F}.exe

          Filesize

          168KB

          MD5

          5105b06e553724cb1beeef45ab376be7

          SHA1

          09f6fb77e50d9c1d50a6b38da33ec403c2a27238

          SHA256

          39eba92100d89d0b620aeab76cb78dbd650f48db5bdaf8d7b5928c1386e505ee

          SHA512

          28a4a24de6411e3279eca167cf6003fcda1dddce31621494519e36a98407af380c08c053baa92c4e7c1136c4f961e87774b8ff5ffea8da4a235c0cfd4fe9a6fa

        • C:\Windows\{3F713480-CAC5-4b4c-B19A-E15C76D4BFE8}.exe

          Filesize

          168KB

          MD5

          7caa46b676b1ca8e41e8e5ca8644e30a

          SHA1

          0379c0775ce58eb13e940b2fcdd52b92f918790d

          SHA256

          37990f69abb66a319ad55119c0556b5652531e0a3372df210352a2e9461b83da

          SHA512

          c42964be55ee37232bf4e388b66b6ad14354d21c0fae9f07bbd8c6ae7aa6ae637e6ffdb140c000ffded4c733ccfa727c778924dc764861a47e91c6539f4bb81a

        • C:\Windows\{51AC1E14-6320-43cc-8F40-D68C224CF892}.exe

          Filesize

          168KB

          MD5

          351eec03059e7f87c066c72a0d19d17f

          SHA1

          6643c8fa31f0f86c4e56071996674032abb2c1f4

          SHA256

          079b0a4b54623c811bad5fbf981eae08acf0c1c48f3d6a1e3eb578dc0a5276c6

          SHA512

          2b6d4bb95b95611cc67d99cc03312a9b5bddecc9df8fb298291557e813ff22e5650a17c7578169898fade3e05e8af420d94921e4eca56b338b6cf24d698bfbeb

        • C:\Windows\{92E22757-1392-476e-B0FC-1CB11218C98A}.exe

          Filesize

          168KB

          MD5

          c0c089c89088f251f7f349b6d766252f

          SHA1

          00701c6fd807a2bf08cf176aecf7c0cf9bae616b

          SHA256

          3f115e04a15dfa25b1c072acf4ab2aef1aef515fa70789e1f4a7d90f2fcf1c6e

          SHA512

          3a7095c4f64ae39344c2b5123beb0bd87393008916625165af7aa09c2755e2a4125cab59d3e5335dbe9154116a0588c661bbf551988c30399ba805f97153c2d3

        • C:\Windows\{9C79B133-B86F-4f84-A828-AC71DEC392C9}.exe

          Filesize

          168KB

          MD5

          367133793d7a23d0ef8239320fbe6c25

          SHA1

          f7269fdaf7910ff93c82ce96c1a71df70b39e8bb

          SHA256

          d6dfe32eb3aaddc436c398cf900c4a1b2a1e6ceafb46a379d3d2148e540ae328

          SHA512

          b16717820d9a76a074b89c0b2294765ef8d3b95caa9800fb8dd28658c54b5660599693585b791c19230d16248ad748749227d9ab73d4b2b561f1bc7ffec44db1

        • C:\Windows\{B7EF7498-AD68-45c7-A0E5-CA4B766639A6}.exe

          Filesize

          168KB

          MD5

          a494562a19e12465f9f9cbd950c2be22

          SHA1

          d5bf42a3221369010e171607e2e806d109e48e2b

          SHA256

          415c3d27eb5f4798dac3e25a172f820f1bd19b42b412f870a69a35f7173a0cab

          SHA512

          0d8e5eb2e8f32032a1717fc96b4a4634217cf2185c6a63e259baa90d8579d08c31d14d9640869ea12f653e25a3e2edf69fa0876f16d5873f698a23b8c9a8d3a9

        • C:\Windows\{D7415938-A9FF-4721-8010-D6C2C3CEEC9A}.exe

          Filesize

          168KB

          MD5

          b40228ab52bf186c8c07a6b64784832b

          SHA1

          fe3f262408761b4a0a2c9455d4a9e3b040c9d436

          SHA256

          e96e5f03edb98ec23e901326126bdd347d8c6dc25e005b03e35e25851644d0ce

          SHA512

          00b0d055cd2e2418e9e4e9bb7417ba22a9b92fb99d35bf0c75e811fee9d57eeecc1f6ef5f18070f60961738242fce9c053e18d4abf8e209746fb32c8bf7270f5

        • C:\Windows\{E89A8E9F-504A-44b7-96F2-78977E29FC9F}.exe

          Filesize

          168KB

          MD5

          d0426439d8d6da7a5009f4510fe6601a

          SHA1

          6e752029bd5c44d73396929eea7cda3a4d5c6d7c

          SHA256

          09c2fb94952296739475a70efd4aa6faaae13c65d3f7b9f36db711c6d6fa2600

          SHA512

          048f2a4299580263b73822096f77b62fb1781f2d0ee08670cc75c51e575f5a988ad21c8c3e808a37ac809b773597234252ff145f4180bed274ac5228b3f2533c

        • C:\Windows\{EC030088-5D56-4672-9206-E735930A3637}.exe

          Filesize

          168KB

          MD5

          962c514e651f91da98e7f55c233b14f4

          SHA1

          d4010365b1e2c0937f3ee58000d675893e0199c6

          SHA256

          477e828189edb57270991998c4e54b7480403649c8ea003c0770dfd1f7f6ebe8

          SHA512

          b5e807b4a21f0145f113e33b7c685b64e977aa80096247637b2e0e5a18cc6ce7b6de91eea0fafb2aeeed39c40835271c341d5772994c1c33a4db207dd481a253

        • C:\Windows\{EDAB1404-FDA0-4440-9DFB-9C47D923B5BF}.exe

          Filesize

          168KB

          MD5

          326a60817969c97ac9ede7539b75d6f7

          SHA1

          7af0fc142cb7b268eab63e69a4456f87a50a8160

          SHA256

          935504ea170f5bd55334caad6f863f9c01facc22b56a6b5584eb7bc7fad30ca9

          SHA512

          0cbbaba20dec74bba182ad04c7d4e252cb902643ddbdca7c4925e735e225816ab900197dea9ccc9e73c263902997f7fc31a677925ac0148094165ec61ef8ca9f