Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-09-2024 06:46

General

  • Target

    2024-09-12_82e53d5d1828d46216c5656aab51da76_goldeneye.exe

  • Size

    192KB

  • MD5

    82e53d5d1828d46216c5656aab51da76

  • SHA1

    fededef8a4dce8b086f8ceb7b6cd62f8975127e7

  • SHA256

    c23499b3ff7931586e34b382c83c25c8a4ee1067bc7839d4c760fd2a0c86660a

  • SHA512

    44faee01822f913a1c89a1c69541a64aab3f280e3a4da17d949a540354377ce9ed80a50688748e5049df7f34e4b26134902feb83ba5476c2d46bacd2f7abad86

  • SSDEEP

    1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oNl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-12_82e53d5d1828d46216c5656aab51da76_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-12_82e53d5d1828d46216c5656aab51da76_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\{6BAB5EEE-A9CA-4845-92FD-BAB386AEE0A1}.exe
      C:\Windows\{6BAB5EEE-A9CA-4845-92FD-BAB386AEE0A1}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\{98D38F1F-8983-447e-93CF-6A4A189833C7}.exe
        C:\Windows\{98D38F1F-8983-447e-93CF-6A4A189833C7}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3060
        • C:\Windows\{C418E571-F6EC-4f01-8B7B-E5EF3D335C0D}.exe
          C:\Windows\{C418E571-F6EC-4f01-8B7B-E5EF3D335C0D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\{7B5E1F35-6950-45be-BB35-B4EC4962982A}.exe
            C:\Windows\{7B5E1F35-6950-45be-BB35-B4EC4962982A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3036
            • C:\Windows\{5D69572B-9FCF-4c66-912D-BF380603C75A}.exe
              C:\Windows\{5D69572B-9FCF-4c66-912D-BF380603C75A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2644
              • C:\Windows\{17170914-9C11-494e-8C32-D549A9D79E59}.exe
                C:\Windows\{17170914-9C11-494e-8C32-D549A9D79E59}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2024
                • C:\Windows\{612864B0-2D36-478f-BAA6-B68EC4440C15}.exe
                  C:\Windows\{612864B0-2D36-478f-BAA6-B68EC4440C15}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1560
                  • C:\Windows\{701A3BA6-11C5-425f-878D-4361F8B3CE8C}.exe
                    C:\Windows\{701A3BA6-11C5-425f-878D-4361F8B3CE8C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2368
                    • C:\Windows\{749C0783-2F4A-40d6-BE46-097FFB3E7DBD}.exe
                      C:\Windows\{749C0783-2F4A-40d6-BE46-097FFB3E7DBD}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1320
                      • C:\Windows\{7EF2897B-971D-436a-8550-D8C13CEEB0C8}.exe
                        C:\Windows\{7EF2897B-971D-436a-8550-D8C13CEEB0C8}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2428
                        • C:\Windows\{0621D198-720E-4374-9BE7-956E164C1004}.exe
                          C:\Windows\{0621D198-720E-4374-9BE7-956E164C1004}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1216
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7EF28~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:292
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{749C0~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2668
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{701A3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1212
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{61286~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:840
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{17170~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2124
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5D695~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1160
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{7B5E1~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3004
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C418E~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{98D38~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2160
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BAB5~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2736
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0621D198-720E-4374-9BE7-956E164C1004}.exe

    Filesize

    192KB

    MD5

    bc10603c7382be88dd9313741c7091d5

    SHA1

    449d5764d674dfef3122ea6bd8bdbf9d2204f647

    SHA256

    d366bdbf1bbf3195607c54b589aead8729a491667be2880069f07ab6d57f7be2

    SHA512

    5bcd25c7fa2cdffb54b36d3540246d743e712d2ab67e3cb145511f2e85b2b577f66a6d7525e6376ffe7e039935bd836a106e1acc3be8fe6b1a9efb5dd471032f

  • C:\Windows\{17170914-9C11-494e-8C32-D549A9D79E59}.exe

    Filesize

    192KB

    MD5

    0437181bb0e5cc2fd9f1031b58a48746

    SHA1

    65fddd948114adac8b63703cc66894427c073052

    SHA256

    de4a37b63da8bddb271f4e7f16f2d5d004a8cb2761426454390f034fa7e8f2e3

    SHA512

    2663586a567ab5c97507c3cd8e55813b64b01e4246a5026537c8cf5eddff5c99cf77b53f3232b617f0afdcda15933f620a6cb6fed44a627f0214eebad6fc177d

  • C:\Windows\{5D69572B-9FCF-4c66-912D-BF380603C75A}.exe

    Filesize

    192KB

    MD5

    c138b3b66b035aa653f0a151d0fa3fca

    SHA1

    8c96dbc80eeae7c017be5d9cf0fec7e2c2c1ed46

    SHA256

    0c5cd9679a05e40b1f36f6425cacc7107d09499a1c3573acb1c19a2211282243

    SHA512

    9b814cd72433e0654f3ed5a558229b2047aac2312ea48bf8c887ebe6251d2818f99262aa6a4e2bf690c52f8763c4bec61d4f7c46832a28557218d4ae40510fcc

  • C:\Windows\{612864B0-2D36-478f-BAA6-B68EC4440C15}.exe

    Filesize

    192KB

    MD5

    3b08ff39e409b7b9c4d36d90b34fa7f8

    SHA1

    5d46d51f4bd42d6fb8af8deb2f83c5795de0ddf6

    SHA256

    ce7b8f92752e80d08f4b1d2b97aa4e6009e69a5d2cf8c550a59b5730b6584666

    SHA512

    196cfd564e118be95995741e7ea178a7acaa24fce2cb5ee1c64661246d1de469b5de967596c8f6cbd0c0b7dff839d45e022686429392c569170e60ce52b5b762

  • C:\Windows\{6BAB5EEE-A9CA-4845-92FD-BAB386AEE0A1}.exe

    Filesize

    192KB

    MD5

    cf3da92244723c015ebc9deba4633af7

    SHA1

    417ddcfce51c9f706b805db8d21079ec0e4c63f8

    SHA256

    0cf2ea56cad0191eb710f0871c383fef7d78e116724e88e00fe9e2aeb8cc12e7

    SHA512

    d4e1278fad22cfc8cfb323017662c1262f4c7be353fe9f9a77df8cd6db1e239f0293cb33cec7aca0cb00fa4aded2eb170bd87c6154e79274c2077efecaf0d1cd

  • C:\Windows\{701A3BA6-11C5-425f-878D-4361F8B3CE8C}.exe

    Filesize

    192KB

    MD5

    73e77195c306c71f11e978cea80a898b

    SHA1

    e6c96f9c34596455a0769b3ecc3c3cc409c4a373

    SHA256

    447c661a9dd88dced8314d55dfc6b5dbd783b82be2175a59430d7d217bd2f2d3

    SHA512

    49298cb40b0771d18d92453c1b547057539456eb7afed1a4327ee95ea63bc9b2249441d21005d8ba67278860b0074989d5c223b30afee381344efa06635fd9a5

  • C:\Windows\{749C0783-2F4A-40d6-BE46-097FFB3E7DBD}.exe

    Filesize

    192KB

    MD5

    c84c2dc8446a848a626d779a5e6fafc2

    SHA1

    409a46f95424243f549cafdc2d6bce184d038b46

    SHA256

    5c5375a58a8b467d9cef878dd358fb108bcb0e36bb0e1ab9cbcb09204809679a

    SHA512

    4f1f4862a399d7dea3b7c7847bdfeeeaf2d2e84c17930722f929b43501edb0be3ca0385296f22247f04fbaad84267890d7cb51f7f98468a187292b0def79e181

  • C:\Windows\{7B5E1F35-6950-45be-BB35-B4EC4962982A}.exe

    Filesize

    192KB

    MD5

    dc6c2524b4f02a5ecc3995c453490a3e

    SHA1

    e3bde8664e45fc1b313a824d438e23de5863a397

    SHA256

    520b5cfc6cfd6a00a31da16bc2054e2bc47d83d6421f9057de751475f67396f4

    SHA512

    bd262c5f81ff1135eafd5ebb3529d2546e83bfecf57305a114376abea20d900c52b65eb57782eb1737895411d9031aeaf18b63b687c90556c07004c982326e72

  • C:\Windows\{7EF2897B-971D-436a-8550-D8C13CEEB0C8}.exe

    Filesize

    192KB

    MD5

    f1bf8bc147ade416a0050d2018762a93

    SHA1

    66849ea071a84a698eb0b9dfccda1ecf67be81ea

    SHA256

    ea3a20bd8a9829005499b467496bf87164d06dae898a18854ab8d58eae8054dc

    SHA512

    5bc2920126ce3e00c2c2b80ddfd666556c008fa05aaa7574fb7beb6dd33e2e1068a5b9020844fe8fa854a961be004c4f00087fce5727d90fb08702b87446df72

  • C:\Windows\{98D38F1F-8983-447e-93CF-6A4A189833C7}.exe

    Filesize

    192KB

    MD5

    57a40680e7e89c4b5923122eae15c2c6

    SHA1

    4a8f58bd6df7c0e9135c4c375fc45cb9a651def8

    SHA256

    d7b0f6162959f526de83b977599ba60d79e6fcd13a2b12def11f1cd8202b2671

    SHA512

    1b77c1d834e03991372edce8dbb2f8d790b99c10d00e6dcd5b3aaecc003a42aed5d924cee0755fa047c9aef47e188a89fd32cdaf94cd14c0166c179834cce8c5

  • C:\Windows\{C418E571-F6EC-4f01-8B7B-E5EF3D335C0D}.exe

    Filesize

    192KB

    MD5

    e1caf778ea7d6fedcb33c43a50056bb3

    SHA1

    a169b68704d40bb9a2fd4829544bf9178532691c

    SHA256

    77ebf239603b7e606d348ef3c135744ae6fcf7995a143bbe88e076db82f89a6c

    SHA512

    8d5d133f7ce4ebd9fc3985a16ea10944c8ab8780ee04532b31c9142d73bc2c73249a23fdd1d2efb50f83bf76b851c6a8c9ada208c8d41d6e3261b875c7264e2a