Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-09-2024 08:44

General

  • Target

    2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe

  • Size

    192KB

  • MD5

    5f06f55a35c44b0ba1ec576d24f6b1a8

  • SHA1

    05931824bf747d5dd9b9e65c78dc0a70cd5e912b

  • SHA256

    33d746a47c9b11938bd230c292dc521db27e111b8ad0ffce4ed8e941b6915d8e

  • SHA512

    2a61ac1f5a4ac2bd5c643790a28639e86423ed1fbc11ddfd9d339e169b5da73ea7fff138cf8606472e4fbb5915400ea6f506eb85e57cca07680bac5292534ede

  • SSDEEP

    1536:1EGh0owl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0owl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
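
The Active Setup signature (ATT&CK T1547.014) refers to HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components: each subkey's StubPath command is run in the context of every user whose HKCU copy of the key is missing or older, so one registry write gives the dropper a run at the next logon. The report does not show the registry values the sample wrote, only that it wrote some. The script below is an added triage helper, not part of the sandbox report or the sample: it parses a `reg export` of that key (64-bit view and the WOW6432Node view a 32-bit process writes to) and flags StubPath entries that point at a GUID-named executable sitting directly in C:\Windows, the naming pattern of the files dropped in this run. The embedded export is constructed; the first entry is shaped like a stock Windows component and the second is a hypothetical entry for the first-stage dropper named in the process tree.

```python
# Added triage helper (not part of the sandbox report): parse a .reg export of
# HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and flag StubPath
# entries that look like this report's droppers. SAMPLE_REG is constructed; the
# report does not include the registry values the sample actually wrote.
import re

# GUID-named executable directly under %WINDIR%, the naming seen in the process tree.
GUID_EXE = re.compile(
    r"[a-z]:\\windows\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\.exe", re.I)
# Directories a legitimate Active Setup stub normally lives in (heuristic allow-list).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed export: one entry shaped like a stock Windows component and one
# hypothetical entry pointing at the first-stage dropper named in the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Microsoft Windows"
"StubPath"="C:\\Windows\\system32\\ie4uinit.exe -UserConfig"
"IsInstalled"=dword:00000001
"Version"="11,0,19041,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{755590C9-484F-4b76-BCE0-80307A783FA6}]
"StubPath"="C:\\Windows\\{755590C9-484F-4b76-BCE0-80307A783FA6}.exe"
"IsInstalled"=dword:00000001
'''


def parse_reg(text):
    """Minimal REGEDIT5 (.reg) parser: returns {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name if name == "@" else name.strip('"')
            if value.startswith('"'):
                # .reg doubles backslashes and escapes quotes inside string values
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            elif value.startswith("dword:"):
                value = int(value[len("dword:"):], 16)
            keys[current][name] = value
    return keys


def stub_executable(stub):
    """First token of a StubPath command line, honouring a quoted image path."""
    stub = stub.strip()
    if stub.startswith('"'):
        return stub[1:stub.index('"', 1)]
    return stub.split(" ", 1)[0]


def scan_active_setup(reg_text):
    """Return one finding per suspicious Installed Components entry."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        stub = values.get("StubPath")
        if not stub:
            continue
        exe = stub_executable(stub)
        reasons = []
        if GUID_EXE.fullmatch(exe):
            reasons.append("GUID-named executable directly under %WINDIR%")
        elif not exe.lower().startswith(TRUSTED_DIRS):
            reasons.append("stub outside System32/SysWOW64/Program Files")
        if reasons:
            if "\\wow6432node\\" in key.lower():
                reasons.append("entry is in the WOW6432Node (32-bit) view")
            findings.append({"key": key, "stub": stub,
                             "is_installed": values.get("IsInstalled"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_active_setup(SAMPLE_REG):
        print(f["key"], "->", f["stub"], "|", "; ".join(f["reasons"]))
```

On a live host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` and again for the `HKLM\SOFTWARE\WOW6432Node\...` path; `reg export` writes UTF-16, so decode before passing the text in. The allow-list is a heuristic: a signed stub under Program Files is not proof of legitimacy, and an entry with IsInstalled set to 0 is reported with that value so the analyst can see it was disabled rather than silently dropped.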

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\{755590C9-484F-4b76-BCE0-80307A783FA6}.exe
      C:\Windows\{755590C9-484F-4b76-BCE0-80307A783FA6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\{4FD9BDD0-5244-4cbc-AA04-24472CE4423B}.exe
        C:\Windows\{4FD9BDD0-5244-4cbc-AA04-24472CE4423B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\{B3549D8D-7B35-4ddf-BDD5-B7999CA12A44}.exe
          C:\Windows\{B3549D8D-7B35-4ddf-BDD5-B7999CA12A44}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Windows\{6699E42D-6D43-4a42-87CF-B54C2B296357}.exe
            C:\Windows\{6699E42D-6D43-4a42-87CF-B54C2B296357}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3124
            • C:\Windows\{B696FD95-BEFF-4c74-BA34-7AFC30EECBD8}.exe
              C:\Windows\{B696FD95-BEFF-4c74-BA34-7AFC30EECBD8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4100
              • C:\Windows\{528A612D-5533-43f0-85CD-F3D03FDDB88A}.exe
                C:\Windows\{528A612D-5533-43f0-85CD-F3D03FDDB88A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3600
                • C:\Windows\{6A968BDE-9E19-4b2b-9D89-06A062294F9B}.exe
                  C:\Windows\{6A968BDE-9E19-4b2b-9D89-06A062294F9B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4616
                  • C:\Windows\{36FB9EF3-81B0-43da-A39F-5E6A6258DDE0}.exe
                    C:\Windows\{36FB9EF3-81B0-43da-A39F-5E6A6258DDE0}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1576
                    • C:\Windows\{ECDF47F4-7668-46ef-832F-A3BB492D7C73}.exe
                      C:\Windows\{ECDF47F4-7668-46ef-832F-A3BB492D7C73}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1932
                      • C:\Windows\{89E9B1E8-296A-43f9-9283-2DCBACE3C9FF}.exe
                        C:\Windows\{89E9B1E8-296A-43f9-9283-2DCBACE3C9FF}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1048
                        • C:\Windows\{2964B1BB-FB22-45d9-BE40-D6F43B47A298}.exe
                          C:\Windows\{2964B1BB-FB22-45d9-BE40-D6F43B47A298}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4992
                          • C:\Windows\{74181DC2-A6CF-46c7-BFB3-D1B77B8A6800}.exe
                            C:\Windows\{74181DC2-A6CF-46c7-BFB3-D1B77B8A6800}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3784
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2964B~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:5052
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{89E9B~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4400
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECDF4~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:5048
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{36FB9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3200
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6A968~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4340
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{528A6~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3952
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B696F~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4704
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6699E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3460
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B3549~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:428
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4FD9B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4076
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75559~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4800
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3500
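
Two things in the tree above are worth pinning down before writing a detection. First, every stage writes a fresh GUID-named copy of itself into C:\Windows, launches it, and then spawns `cmd.exe /c del <its own image> > nul`; the deleted name is the 8.3 short alias of the parent's image (for example `{75559~1.EXE` for `{755590C9-484F-4b76-BCE0-80307A783FA6}.exe`). Each copy is 192KB but carries a different hash (see the Downloads section), so blocking one stage's hash does nothing for the next; the behaviour is the stable indicator. Second, the cmd.exe image is `C:\Windows\SysWOW64\cmd.exe` although the command line names `system32`: that is WoW64 file-system redirection for a 32-bit parent (the resource tags list `arch:x86`), which a rule matching on the image path alone would miss if it expected System32. The script below is an added example, not part of the report or the sample. It rebuilds the 25 process-creation events from the tree (only fields shown on the page: PID, parent PID, image, command line) and runs the two checks, a GUID-executable-in-WINDIR match and a parent-self-delete match via the 8.3 alias, then measures the length of the dropper chain.

```python
# Added detection example (not part of the sandbox report): process-creation
# events reconstructed from the tree above, then behaviour checks over them.
import ntpath
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# GUID-named executable directly under %WINDIR% (not System32/SysWOW64).
GUID_EXE = re.compile(
    r"[a-z]:\\windows\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\.exe", re.I)
# "cmd /c del <path> > nul"; group 1 is the file being deleted.
DEL_RE = re.compile(r"\bdel\s+(\S+)", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WINDIR = r"C:\Windows"

# Dropper stages in spawn order (each is the child of the previous one), from the tree.
CHAIN = [
    (1140, "2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe"),
    (3212, "{755590C9-484F-4b76-BCE0-80307A783FA6}.exe"),
    (1916, "{4FD9BDD0-5244-4cbc-AA04-24472CE4423B}.exe"),
    (1228, "{B3549D8D-7B35-4ddf-BDD5-B7999CA12A44}.exe"),
    (3124, "{6699E42D-6D43-4a42-87CF-B54C2B296357}.exe"),
    (4100, "{B696FD95-BEFF-4c74-BA34-7AFC30EECBD8}.exe"),
    (3600, "{528A612D-5533-43f0-85CD-F3D03FDDB88A}.exe"),
    (4616, "{6A968BDE-9E19-4b2b-9D89-06A062294F9B}.exe"),
    (1576, "{36FB9EF3-81B0-43da-A39F-5E6A6258DDE0}.exe"),
    (1932, "{ECDF47F4-7668-46ef-832F-A3BB492D7C73}.exe"),
    (1048, "{89E9B1E8-296A-43f9-9283-2DCBACE3C9FF}.exe"),
    (4992, "{2964B1BB-FB22-45d9-BE40-D6F43B47A298}.exe"),
    (3784, "{74181DC2-A6CF-46c7-BFB3-D1B77B8A6800}.exe"),
]
# cmd.exe children: (pid, parent pid, file named in "del"), from the tree.
CMD_DEL = [
    (3500, 1140, ntpath.join(TEMP, "2024-0~1.EXE")),
    (4800, 3212, r"C:\Windows\{75559~1.EXE"), (4076, 1916, r"C:\Windows\{4FD9B~1.EXE"),
    (428, 1228, r"C:\Windows\{B3549~1.EXE"), (3460, 3124, r"C:\Windows\{6699E~1.EXE"),
    (4704, 4100, r"C:\Windows\{B696F~1.EXE"), (3952, 3600, r"C:\Windows\{528A6~1.EXE"),
    (4340, 4616, r"C:\Windows\{6A968~1.EXE"), (3200, 1576, r"C:\Windows\{36FB9~1.EXE"),
    (5048, 1932, r"C:\Windows\{ECDF4~1.EXE"), (4400, 1048, r"C:\Windows\{89E9B~1.EXE"),
    (5052, 4992, r"C:\Windows\{2964B~1.EXE"),
]


def build_events():
    """Reconstruct the process-creation events shown in the report's tree."""
    events, parent = [], 0
    for i, (pid, name) in enumerate(CHAIN):
        image = ntpath.join(TEMP if i == 0 else WINDIR, name)
        events.append(Event(pid, parent, image, f'"{image}"' if i == 0 else image))
        parent = pid
    for pid, ppid, target in CMD_DEL:
        # Image is the SysWOW64 copy although the command line says system32 (WoW64 redirection).
        events.append(Event(pid, ppid, ntpath.join(WINDIR, "SysWOW64", "cmd.exe"),
                            f"C:\\Windows\\system32\\cmd.exe /c del {target} > nul"))
    return events


def short_name_matches(short_path, long_name):
    """Heuristic 8.3 alias check: '{75559~1.EXE' aliases a long name that starts
    with '{75559' and has the same extension. Real aliases also drop spaces and
    may carry ~2, ~3 on collisions; a prefix-and-extension test covers this tree."""
    short = ntpath.basename(short_path)
    stem, tilde, rest = short.partition("~")
    if not tilde:
        return short.lower() == long_name.lower()
    return (long_name.lower().startswith(stem.lower())
            and ntpath.splitext(long_name)[1].lower() == ntpath.splitext(rest)[1].lower())


def analyze(events):
    """Flag GUID executables in %WINDIR%, cmd-based parent self-deletion, and chain depth."""
    by_pid = {e.pid: e for e in events}
    guid_pids, self_deletes = set(), []
    for e in events:
        if GUID_EXE.fullmatch(e.image):
            guid_pids.add(e.pid)
        m = DEL_RE.search(e.cmdline)
        if m and ntpath.basename(e.image).lower() == "cmd.exe":
            parent = by_pid.get(e.ppid)
            if parent and short_name_matches(m.group(1), ntpath.basename(parent.image)):
                self_deletes.append((e.pid, parent.pid))
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)

    def depth(pid):  # longest parent->child run of flagged executables below pid
        return 1 + max((depth(c) for c in children.get(pid, []) if c in guid_pids), default=0)

    roots = [p for p in guid_pids if by_pid[p].ppid not in guid_pids]
    return {"guid_exe_pids": sorted(guid_pids), "self_delete_pairs": self_deletes,
            "longest_chain": max((depth(r) for r in roots), default=0)}


if __name__ == "__main__":
    result = analyze(build_events())
    print(len(result["guid_exe_pids"]), "GUID executables,",
          len(result["self_delete_pairs"]), "self-deletions, chain depth", result["longest_chain"])
```

In a real pipeline the events would come from Sysmon event ID 1 or the EDR's process-start telemetry rather than a hand-typed list; the two rules and the chain measurement are the portable part. The self-delete rule is deliberately tied to the parent relationship: `cmd /c del` of some unrelated file is common in installers, while cmd deleting the image of the process that spawned it is the pattern that recurs at every level of this tree.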

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2964B1BB-FB22-45d9-BE40-D6F43B47A298}.exe

    Filesize

    192KB

    MD5

    b341b30b827456254d638863e30b49c6

    SHA1

    5636e527c0dd6fd23773cfc5950dd30ca8cde7ee

    SHA256

    83e1ffcae01452a997e0c35114360eef297f3ced8d3f9570a0931f924880101f

    SHA512

    8d8f1251d33e522879688c918404808fbb75076c1d91eafafe49aa31e908868c4b8d375bbe49d9e8e6e393eaf9f2edc12274b70cfb44fa94f42731fab3e999a0

  • C:\Windows\{36FB9EF3-81B0-43da-A39F-5E6A6258DDE0}.exe

    Filesize

    192KB

    MD5

    172467cbf0bad14e98d1276d42dca213

    SHA1

    53d1c860ad2422fad7be8572284028fad86e58bc

    SHA256

    34497f5eeb7b4cadc8685afd321cdc6b7cde6d699a8e06f992c62be25ad1a4a3

    SHA512

    0be35d3fba55a01f26e90ace1b5de55ca35125bb4e8592a3058ccc14d85bebbf2aaec3f423c6a54b29ffca6c90df93e7355ec75880dd3e07c61862086aef3202

  • C:\Windows\{4FD9BDD0-5244-4cbc-AA04-24472CE4423B}.exe

    Filesize

    192KB

    MD5

    160ad73d830a7f2b7d48e757e505c47b

    SHA1

    8fa2cfbf603448a35f3cd1cc28381639bb841ca2

    SHA256

    95a09cf5172543b1e928107a489087a2316662d14a93fdea0ca78cdda50739de

    SHA512

    1590f92242963c484878f756845db359f2d3c177a451f3b651f156ba2d5af8a6010fe9807ba51ff715ccecd32fd60bf2f59dd15c13ad6936863fd408630cd348

  • C:\Windows\{528A612D-5533-43f0-85CD-F3D03FDDB88A}.exe

    Filesize

    192KB

    MD5

    bf3eb25c7087711f3eb077de09e591ca

    SHA1

    0731f511d0e87eb5c11e69025b975d7004f72940

    SHA256

    6623880c50c92c59c9af67d8d367733fda075fc46714fbff8f2357fda6e6613e

    SHA512

    90f7f43ae76f62626c6091534523ccebfbe3282e4f88c3411b68d60e137e0e1f9783b77728ea20442b5bd29c04a4124e92b0c1bbed5c826ab36bd0263bea5ce4

  • C:\Windows\{6699E42D-6D43-4a42-87CF-B54C2B296357}.exe

    Filesize

    192KB

    MD5

    28aa4f7fd0cb0448e1cf904141089699

    SHA1

    21caeec41fc9532f244d4d04cb14da88bc7b5827

    SHA256

    59203528dfec5f4a814300d228b5d723f7ad678c1ad476709317add13ff95919

    SHA512

    9083b97739937fd391177c1864879546328cf5d85beb342b18f7530e4ca871787eb1dd9973b49287874e85a6b7338957f4860c4ddf0bbcff560320ac6a899292

  • C:\Windows\{6A968BDE-9E19-4b2b-9D89-06A062294F9B}.exe

    Filesize

    192KB

    MD5

    be8c87ee518782b70f6f69afeecbf11a

    SHA1

    675b5f115b6ac8cbffe54cf25e4cfc2d2c3fdf30

    SHA256

    a14f639a58e4c2bf655785c220b948363c64dc089069cda2f2a9abdbd0a8621e

    SHA512

    dde81d8ffb951dec67dda931cfc9ebb04d5968c998c2311a581b3ec42a27a19be9bddfe38708f474682f7adf113168ea56b977e0c5b8429500fd0df0ebaf080e

  • C:\Windows\{74181DC2-A6CF-46c7-BFB3-D1B77B8A6800}.exe

    Filesize

    192KB

    MD5

    11b4a2965c438d7919f619f0078bf960

    SHA1

    6fbfad22736d9fa96bde0dcc298c8560929dd5fa

    SHA256

    2dc0a75c1272c2119a819a807b644ef423bc144384e8abf06a7f4d2c10f38fb7

    SHA512

    cf8bf1c981d71db377c6a8e82cd07e11e904b07069fd243b481ab4e50547a69d092440dfae85655a123e97bb852bf993c75731b63bbeb6ac3ee0df1482a577fe

  • C:\Windows\{755590C9-484F-4b76-BCE0-80307A783FA6}.exe

    Filesize

    192KB

    MD5

    e4f5d73a01ccd05b3f144cb10f8aa6a6

    SHA1

    b36af377548c9b91f2064b56962baca067d567ac

    SHA256

    823609956c2dc9041277269cddb324546d1a940d1a3e054253693c45dfd7dc32

    SHA512

    4ba6668a1b2daf8001bb535aee2cca66bbd8e6104a1e4c719f8fd39188aa7eeada3b73c43b3888b653b6de42fcc1e57fd0316d7743c72e3c6c6f80d3a3ed1e49

  • C:\Windows\{89E9B1E8-296A-43f9-9283-2DCBACE3C9FF}.exe

    Filesize

    192KB

    MD5

    c2001f5ea5d3bd7afbc891f1637f2192

    SHA1

    145c2bb5f8df7473aef59f0a6f471766576f0023

    SHA256

    ea5dbe60e3334d76f5a3ca6a69e5ff076a3192d1581850279bda7027a171c182

    SHA512

    d0d252a7b45739cd4d3a3d35f09b1bd7dca73bea14386235956881dbed457dd10d7e63e701bdc2b1ae8171e802b1912e7eaa0250c26ef52f1ba761dce51d4970

  • C:\Windows\{B3549D8D-7B35-4ddf-BDD5-B7999CA12A44}.exe

    Filesize

    192KB

    MD5

    c558434d05ab5a2551580a801423fc0e

    SHA1

    ddeccdaff2ce6d388314e2814e6df87e67bb0ceb

    SHA256

    0e23186b0b8279207d0d4dea54b187821d6102195dcba06a38fed797e3013bc0

    SHA512

    8ef66c53a5beb8ffd748e01e00c147ecd3320de4a6c1f77bf749e60be2a6ab98cdbfcc5fec9509bb5988f4b7237f754396ecdaf470f6347e1e76fa8dadb0c1d0

  • C:\Windows\{B696FD95-BEFF-4c74-BA34-7AFC30EECBD8}.exe

    Filesize

    192KB

    MD5

    7d5df01f88eeec773401ea2cc552076c

    SHA1

    bd15857d2cfd415446ffb9d4e87457fb892be9ea

    SHA256

    e15fc7e6df623dbb1fd6ced770825622705eded135800c81b3cb51a94fa90461

    SHA512

    9081164fe5a2a56ab63b84f9e9ff4ae5a913b6c5a5fc3ece1c8068ac96a6ff4ea6afa83f8bff13f0a773488f7e446d3971aab6969a9343d1e7a56c619a7b863c

  • C:\Windows\{ECDF47F4-7668-46ef-832F-A3BB492D7C73}.exe

    Filesize

    192KB

    MD5

    b0519216fcfda66e0d690e99d8f925df

    SHA1

    224606cea8765a10d177f4ed2f83f9a3a0619072

    SHA256

    7cafac2c0a60a0e75f1ff8b79a9408f65b30d8af63a3e88e50e76ca3cd7c12f9

    SHA512

    70458f0c199d6e665168998a50869d75cbfec7f8dace446417befb9f46932308dc3f05110fd02c4a6b2f735992b4d16eeadcf450260f62ab6416eaab8d762322