Analysis

  • max time kernel
    149s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 05:55

General

  • Target

    2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe

  • Size

    344KB

  • MD5

    70293947357ea290aadace87092958ed

  • SHA1

    75e815ce877662f251d679504f468e1c9bbbe1db

  • SHA256

    63bd316e8f0d2d7712bcce63df0839d06fe213b6bfbc0223111589616a2bbca0

  • SHA512

    443e041531d138ae9934a719b4aef30404b9cf4e463ebd28dc4b91e483d7887fbbefc9fc1b7df29b7313b12df3351e0b66327a88aab6e105b53a57c953e436d7

  • SSDEEP

    3072:mEGh0oOlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGwlqOe2MUVg3v2IneKcAEcA

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_70293947357ea290aadace87092958ed_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Windows\{7285AD50-8399-48e1-9EFB-BB95ED6CB6DE}.exe
      C:\Windows\{7285AD50-8399-48e1-9EFB-BB95ED6CB6DE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\{0E1F5D42-3BAE-4108-9CDD-E7B7785BA097}.exe
        C:\Windows\{0E1F5D42-3BAE-4108-9CDD-E7B7785BA097}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\{9A9194FE-E2CE-49e8-BAD3-4B9FBAE4732F}.exe
          C:\Windows\{9A9194FE-E2CE-49e8-BAD3-4B9FBAE4732F}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\Windows\{733F70E3-5804-4a33-B2F5-9A684727D93D}.exe
            C:\Windows\{733F70E3-5804-4a33-B2F5-9A684727D93D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1748
            • C:\Windows\{9F4EFFBD-56E0-4b7f-872B-0B142A271C74}.exe
              C:\Windows\{9F4EFFBD-56E0-4b7f-872B-0B142A271C74}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1164
              • C:\Windows\{3323B02F-7F05-4870-92D1-82430D8D1D90}.exe
                C:\Windows\{3323B02F-7F05-4870-92D1-82430D8D1D90}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3584
                • C:\Windows\{926C952F-7F14-4688-833B-E37CDD9D1A00}.exe
                  C:\Windows\{926C952F-7F14-4688-833B-E37CDD9D1A00}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4884
                  • C:\Windows\{ECC888A6-A297-4fa1-A610-8112DA2ACA34}.exe
                    C:\Windows\{ECC888A6-A297-4fa1-A610-8112DA2ACA34}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1312
                    • C:\Windows\{7E1DFCEE-A490-4e9a-98A4-B5A04C2C9307}.exe
                      C:\Windows\{7E1DFCEE-A490-4e9a-98A4-B5A04C2C9307}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4692
                      • C:\Windows\{A5BE4744-2C9C-461c-8F79-814B8847C10D}.exe
                        C:\Windows\{A5BE4744-2C9C-461c-8F79-814B8847C10D}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2104
                        • C:\Windows\{2B0A4601-B448-4a21-8576-DF4B89E5FFF8}.exe
                          C:\Windows\{2B0A4601-B448-4a21-8576-DF4B89E5FFF8}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1868
                          • C:\Windows\{15651121-A2B9-4aad-B1E2-98B41FE36897}.exe
                            C:\Windows\{15651121-A2B9-4aad-B1E2-98B41FE36897}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:5016
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2B0A4~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1960
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A5BE4~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1012
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E1DF~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4680
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{ECC88~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:696
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{926C9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2136
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3323B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2700
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9F4EF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4252
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{733F7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3904
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9A919~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:448
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0E1F5~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3368
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7285A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:940

MITRE ATT&CK Enterprise v15

Downloads