Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 08:43

General

  • Target

    2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe

  • Size

    168KB

  • MD5

    5c761811ce80777d2517a1adc9e860b3

  • SHA1

    a7eafbf7e6fb9ed33f1af9c66a2398dfd562835e

  • SHA256

    2109f3a395e920ae23089e8ca60ec74928d9daa3e0719cd60e6a6c53ad766f0a

  • SHA512

    c58237fc7d747bacfa5148a14fa8fc411e4d3c75ae74d109b71802ba67077107fbb956a0c27fcf5f91d7e4374c83cceddc38be0d91b38e1ce002814353173786

  • SSDEEP

    1536:1EGh0ollq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ollqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_5c761811ce80777d2517a1adc9e860b3_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Windows\{76B20C08-3369-480a-BB2B-7672B8DC3DB5}.exe
      C:\Windows\{76B20C08-3369-480a-BB2B-7672B8DC3DB5}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\{B0365817-EE95-4b0a-9E61-97716F810C23}.exe
        C:\Windows\{B0365817-EE95-4b0a-9E61-97716F810C23}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Windows\{374F0ED9-7B8C-4553-9A84-F3014E6578A1}.exe
          C:\Windows\{374F0ED9-7B8C-4553-9A84-F3014E6578A1}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:880
          • C:\Windows\{CE4615AA-344F-40c1-973F-C872D1D6D7B2}.exe
            C:\Windows\{CE4615AA-344F-40c1-973F-C872D1D6D7B2}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4572
            • C:\Windows\{03D4E428-95A3-4377-A1FE-B1E6F9C70072}.exe
              C:\Windows\{03D4E428-95A3-4377-A1FE-B1E6F9C70072}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2236
              • C:\Windows\{125D6B88-8116-46eb-B6C7-63FB539119C9}.exe
                C:\Windows\{125D6B88-8116-46eb-B6C7-63FB539119C9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3728
                • C:\Windows\{ED7A1C24-9708-49a5-BF49-FB7C6F87D609}.exe
                  C:\Windows\{ED7A1C24-9708-49a5-BF49-FB7C6F87D609}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1012
                  • C:\Windows\{D3CE93EF-BC2F-413a-BAA8-36B1B6E26FA2}.exe
                    C:\Windows\{D3CE93EF-BC2F-413a-BAA8-36B1B6E26FA2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2736
                    • C:\Windows\{7C12E217-5CEE-4b19-9289-A3A8C1569953}.exe
                      C:\Windows\{7C12E217-5CEE-4b19-9289-A3A8C1569953}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4712
                      • C:\Windows\{BBE0540C-083A-412a-B404-B8362C027CE2}.exe
                        C:\Windows\{BBE0540C-083A-412a-B404-B8362C027CE2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:368
                        • C:\Windows\{A35EB159-2ADA-46cd-8617-F9B806F97202}.exe
                          C:\Windows\{A35EB159-2ADA-46cd-8617-F9B806F97202}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2868
                          • C:\Windows\{8F62FF87-D38E-4a8f-BB99-D7BE7D63F780}.exe
                            C:\Windows\{8F62FF87-D38E-4a8f-BB99-D7BE7D63F780}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1060
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A35EB~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3304
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BBE05~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4596
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C12E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4628
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D3CE9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2536
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{ED7A1~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4928
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{125D6~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3128
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{03D4E~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4184
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CE461~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3116
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{374F0~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2056
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B0365~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1644
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76B20~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2812
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2984

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{03D4E428-95A3-4377-A1FE-B1E6F9C70072}.exe

    Filesize

    168KB

    MD5

    6a88ad106ff0b0ec3a0df3366c150691

    SHA1

    7b0adb4ccc906f2d4def681f66ac56da2c311371

    SHA256

    a9bb5c28e6de9ee5b7346413e3c527b6e07465120a84b8653f2805842a722c28

    SHA512

    d59c43cbf4920b7f1605817c8b3fd358ef8572d12a19dfaa7ee818951a7bdf828568e44bc4091635ad8c8d0dacfb9a7a01c53ea799f7a61e939365898fb60199

  • C:\Windows\{125D6B88-8116-46eb-B6C7-63FB539119C9}.exe

    Filesize

    168KB

    MD5

    ac0363690467164789a7bd795193a20a

    SHA1

    d1bda7bdf1948e2a9f6a273d797ce0775ab479d3

    SHA256

    378cbec72f1c7b45aa357fd91e00e4f7eedda438dce787d29df336e14880848a

    SHA512

    df9b7c18422fcdc97d48e8481a251e40bf53b03b8615a4706affdfd2a7e33f2101fd6fdeba45d11e744384b24d2e759f1fc42194de571b0ef1fd61b1b04883af

  • C:\Windows\{374F0ED9-7B8C-4553-9A84-F3014E6578A1}.exe

    Filesize

    168KB

    MD5

    8535c579349eb91f5bb93dfc526e4061

    SHA1

    b726e04422e63211251b54503f45631f47eb39bc

    SHA256

    7a0ba365fe7574fcd0dcca418b27ab19fb2659fce604bdee5f4f4b17ed3aa311

    SHA512

    7a2127c81769857c552619db0ec349822f95c1b60f1c7a6715de1857e4572ecfeeb4d14b9b15df6f03f04b80b62debdad4e11608e78b1c47c519f152bf520113

  • C:\Windows\{76B20C08-3369-480a-BB2B-7672B8DC3DB5}.exe

    Filesize

    168KB

    MD5

    527aba9472ce513ae7d977392d2cf5fa

    SHA1

    fe8917bd2d118ea128ac12ab6f5bc2856b19f3cf

    SHA256

    7c61ed552129035b6cefb3c15b2379a643c3f67048fe01a484756cc0d02c6d5b

    SHA512

    fe698dee73b1cacbeae39b13b58f8b0fb092af8eb2c6acb1cfa8a4e51d062276a5566967b81f81695e1ce341728c7df2993b8d87a5943a8e4600b7100ce314c9

  • C:\Windows\{7C12E217-5CEE-4b19-9289-A3A8C1569953}.exe

    Filesize

    168KB

    MD5

    1f0ed780e639b6c7bdcc17d80e826682

    SHA1

    68fe8511cf5f21bd14f8bc4c70a434faaf204f15

    SHA256

    e6ed73d2937e840944b6feb1db996e573fbc918db147ccd4a8f11baceec92237

    SHA512

    48d993a298c38f201a69960f5324bd0c869d5ef33cea1b48d5ef5de893bf1ebd1772f30184278975e96962ea652ed59e903a32841bc323446ce40ecdc7bfc3ee

  • C:\Windows\{8F62FF87-D38E-4a8f-BB99-D7BE7D63F780}.exe

    Filesize

    168KB

    MD5

    5d686a36955e25c5f59671e57fb3bab0

    SHA1

    a50a17878b4a9613ba3a0f0f3636f82d78421e3a

    SHA256

    c36ee2fb77e7576a8036127de6a77271f56006edc73d82edfe796d63d7022723

    SHA512

    0ffdd79c029b301dcf69fad5b277b0089cdd0624619297761b4038dde59d0a421705d8fd286f72b15adca92dfacf432cc48f2593e497f76807f45664f69265a2

  • C:\Windows\{A35EB159-2ADA-46cd-8617-F9B806F97202}.exe

    Filesize

    168KB

    MD5

    a4adda2201fa37e32c4db359870f6d07

    SHA1

    e1581a22829b8eb35a3d4c30bdbfcb9daa1186a5

    SHA256

    e634d83247284c5543a312e50e749f24905d05bc30f905a20891cd001a24c124

    SHA512

    3784afecfcb6b2c8c2bb827b05873a080c79680c4c9c9f217b85cd6248e12cba69f6af0ca328a6974830fbfa0df32c04923838c2a5367a9f1edf95462dda1672

  • C:\Windows\{B0365817-EE95-4b0a-9E61-97716F810C23}.exe

    Filesize

    168KB

    MD5

    f342b7adf588180c4d0e645ce93dfe5b

    SHA1

    58cb310937e502b549d7556d7441ac66b000576d

    SHA256

    7fb0d746190e0ec0cd99a87823ea86c1609710fbe6e5b8c3b597756658bd7dbb

    SHA512

    c20c3726211ea9a102d814773baffe1961cfc380ce9118115061a2ebe526d8fae30d2e6152067fbb3efe55c2d97ac5b22f79c1547bc7b179438c5fcf9316b30d

  • C:\Windows\{BBE0540C-083A-412a-B404-B8362C027CE2}.exe

    Filesize

    168KB

    MD5

    b8fa4ce673e81f9e3b5321031cda4bf1

    SHA1

    dbbf29c96fb3add3b34b4eed00b08a2a332458f4

    SHA256

    d297b361e984bfcf14faa4de5fab8cee2cc83b90c2da0f51172467c548f1e65d

    SHA512

    b9b0be389da868cc5e8f1c4bd4a6e481c3cf0f42bac7b5a26b230bca6bfc0061918009f799386960399bb4e39ea97423497a0a3613cc58515c28b3e3af0d1ec7

  • C:\Windows\{CE4615AA-344F-40c1-973F-C872D1D6D7B2}.exe

    Filesize

    168KB

    MD5

    30cc10ba48c56ff51ca7212b4971c681

    SHA1

    cc312e202cd9e2eec87c901f85addcc9880f8a8d

    SHA256

    da305f2ef0b04c8a85af2a2bac96e326a66cee275b6224eabc3acc76cf441868

    SHA512

    e43a0e5ef3519de49190aa3fb3225aeab67818551b4e10f9c1520263dea8f29db7c6586cdf186bc8764da26fcf22161e9aa27610fcc50734b9d397a10424189b

  • C:\Windows\{D3CE93EF-BC2F-413a-BAA8-36B1B6E26FA2}.exe

    Filesize

    168KB

    MD5

    fced9ccaeb62005f4751b7a0d3dcdc3a

    SHA1

    48b32ed4c69b1eae0725b1b5a97904f4c281de4f

    SHA256

    edcaaa73919bd4f13fa6b35e8f9d5571533b46648b05c8e339e7945b86154ba7

    SHA512

    701de409b05e71797348301700ed0bce1dae24acca6e7a06db442556f188ea98150365e2a71913a0d265a2d2b83e452da2f4625c2cb4026864d4a4bbb40fc172

  • C:\Windows\{ED7A1C24-9708-49a5-BF49-FB7C6F87D609}.exe

    Filesize

    168KB

    MD5

    d13054f90b5bc629198cf83e14fdab3f

    SHA1

    6b56d13939cd06ebcfecad16d6e35e96b2007fd5

    SHA256

    28420d250b3116929fc3e8149e11ea33fbb9e84819e693eb3394ac952c3027be

    SHA512

    50552145994f589483937fa5b52f61643003a327b715b001c2da8727bb09a098350633514de0e1305c62640a6798e6d45f3f3e5bd98bc11e9e0db0495131c317