Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-09-2024 13:35

General

  • Target
    2024-09-13_86b25fb8369730f05988170d045795a8_goldeneye.exe
  • Size
    204KB
  • MD5
    86b25fb8369730f05988170d045795a8
  • SHA1
    48bd431286e35040e00d575cf6e439e1659cab52
  • SHA256
    2995327fd49ea37f2a518b5116f4acb872321dee7b7fad3aa9ea9c445b8a926b
  • SHA512
    b842865701c062ac45174ee2602d88a92bee735aa88be78a0333fab4e572a6a423df29d2bf2b015ff8efdf34592a3ce25da24b4aac91669f43231bfd57d3d59a
  • SSDEEP
    1536:1EGh0ohl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ohl1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_86b25fb8369730f05988170d045795a8_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_86b25fb8369730f05988170d045795a8_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Windows\{4A5F87E6-5596-497d-A0F5-B99820E41D6B}.exe
      C:\Windows\{4A5F87E6-5596-497d-A0F5-B99820E41D6B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\{A34D8467-CBD8-40d2-A269-47C3E9CBD66A}.exe
        C:\Windows\{A34D8467-CBD8-40d2-A269-47C3E9CBD66A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\{8C9060B1-B5B7-444b-B38E-805AF3384845}.exe
          C:\Windows\{8C9060B1-B5B7-444b-B38E-805AF3384845}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\{AF4343C1-323E-47d2-BBAA-20C24AF00CE9}.exe
            C:\Windows\{AF4343C1-323E-47d2-BBAA-20C24AF00CE9}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2036
            • C:\Windows\{3AEE1FBB-6E47-4880-8C1F-E23256877476}.exe
              C:\Windows\{3AEE1FBB-6E47-4880-8C1F-E23256877476}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2156
              • C:\Windows\{01C40A95-FDAE-4757-A67D-4A9895381957}.exe
                C:\Windows\{01C40A95-FDAE-4757-A67D-4A9895381957}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1100
                • C:\Windows\{7934123F-DCC2-441a-AC06-2057B8F23274}.exe
                  C:\Windows\{7934123F-DCC2-441a-AC06-2057B8F23274}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2836
                  • C:\Windows\{756EFA5E-D615-47ad-A165-3150D3241F5E}.exe
                    C:\Windows\{756EFA5E-D615-47ad-A165-3150D3241F5E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:376
                    • C:\Windows\{AA6AF2B3-4884-4776-84F8-7B0FCAD9CB3D}.exe
                      C:\Windows\{AA6AF2B3-4884-4776-84F8-7B0FCAD9CB3D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2188
                      • C:\Windows\{E38AA1FC-15D3-44a1-AAA0-AF732FA524EC}.exe
                        C:\Windows\{E38AA1FC-15D3-44a1-AAA0-AF732FA524EC}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2300
                        • C:\Windows\{0D56BAE8-E4EA-43ef-8455-5258F7CA18A5}.exe
                          C:\Windows\{0D56BAE8-E4EA-43ef-8455-5258F7CA18A5}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:784
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E38AA~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:812
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA6AF~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1596
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{756EF~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1772
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{79341~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:672
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{01C40~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1672
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3AEE1~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2552
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{AF434~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3016
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8C906~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A34D8~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2168
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A5F8~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{01C40A95-FDAE-4757-A67D-4A9895381957}.exe
    Filesize: 204KB
    MD5: 55ad29131cc3ab0d4383ac47442ae850
    SHA1: 8960f41624ae863aee13e4b07968e99953917e60
    SHA256: 594ff0c76937b86bfacecc72a940fa08fa5e106351b91fc258356372bc9c321b
    SHA512: 790a226e7efeead74e0e4824f58a82105a48b16f97f1742331850efcaae596c99a9813ff4093d351e79d9bc84f0b23aaceeef6ad33be2f727c59eb5c1d3a1f22

  • C:\Windows\{0D56BAE8-E4EA-43ef-8455-5258F7CA18A5}.exe
    Filesize: 204KB
    MD5: caef213db88fc9a782397d2de3a7b142
    SHA1: 41846ac1bc90ec6fa2c0087fc86f9cb6b93b484c
    SHA256: b1de68e316042e152d28226ad7fc704f75989ef9013d49098f5b7c020e193622
    SHA512: 2d4c1884d3eff45b158e71dfba2b7740d389de88b2f0308469bbfcc869b7d04fdfdf1c2c7195b03f4ac83a631af6f00057f107c175e3773329da9a2a43375110

  • C:\Windows\{3AEE1FBB-6E47-4880-8C1F-E23256877476}.exe
    Filesize: 204KB
    MD5: b65342bece9d7fe7ed103d1b8717ca29
    SHA1: e54f2c50345fc1f916af6b76502a774e2356fffe
    SHA256: 6b39e855e4e4226129e4ad7f572d90370015053bd7bd889c46fa8e9072f5cefb
    SHA512: e9cd2e7cd4653203f8229741732e302589bd8d567566fce0c1ddd75a11657c8866e8e435c51def4d3c3185df7db1fda5f487b65029351a0b1304a57066594c6b

  • C:\Windows\{4A5F87E6-5596-497d-A0F5-B99820E41D6B}.exe
    Filesize: 204KB
    MD5: 0d1421bd195210ae99a3a0752a9d0f2d
    SHA1: 3b28612bedffb9f71c9a6332cf9d6f2203010606
    SHA256: f452d4de74d0e8181949d2db705e48e81fbd73d69fe221ce0ca0a841f1930a01
    SHA512: 5801c4e644be066db9f05d3905626076a96c982863206985ecde8741121790f137b9471ac7d989aaf6d107a1e5123397305d78c167e5df0068b41db6e38975e5

  • C:\Windows\{756EFA5E-D615-47ad-A165-3150D3241F5E}.exe
    Filesize: 204KB
    MD5: d25afeefe4ac673227bd7d40f44e0ef9
    SHA1: 2641e0f8af2c0d19c3595b852e07cbdc378f4b47
    SHA256: 37d02995d3ad8f0b064520d41fda3e89f4d42eb5f301d128665ff356d40fe300
    SHA512: c0dcc9ccdd59df91d049ecebad68c1083fc99e90fdb497bd2f728f69c60329eaaf1dc07cb6dc0b453a007a9000d6405ff79fc040aeded250888f6fbebb764902

  • C:\Windows\{7934123F-DCC2-441a-AC06-2057B8F23274}.exe
    Filesize: 204KB
    MD5: 7df6f5cd91b4d8a5c89a02ca272f3fa6
    SHA1: d846d10dace6a2ffee2c98b8815b90f3ba046a2b
    SHA256: cb1e544ecf99633c9a66fe1ff879a756db7d11cb054251e456f4068924d3a756
    SHA512: c40c65099320d24cf1938af487cf18a687cc8f87071fe60242db1984e2bb819ac1b5f1f0d7ea7bc55981931d539fbae4ab0631214a89f595307407037ace25f3

  • C:\Windows\{8C9060B1-B5B7-444b-B38E-805AF3384845}.exe
    Filesize: 204KB
    MD5: e6b49210ae0be06cbe2db0253cd36918
    SHA1: 894014a742d0410f24db166a33104795714bd498
    SHA256: 722310ff325cab29d82ec99350b5f522309833fccdafb54a41a8f4acdb1dc935
    SHA512: 1f630a2aa789f1553b75bbb3f759fad343e6bd0479db73511d950f8d5cd87171e20cf411eeda3b93c3109e03fd8eeac601eaf08b264d62aa1289a2c89d99f0bb

  • C:\Windows\{A34D8467-CBD8-40d2-A269-47C3E9CBD66A}.exe
    Filesize: 204KB
    MD5: 7b1dc04d9f255986cccf6d98bce7afe4
    SHA1: 7ff493c903a1df7c688578675d6e5a0cc79f7c35
    SHA256: 1fee847e7ee74abd6bd5afa5977430a123bc9deb2b4d5b27fa3f47f4d191f800
    SHA512: 5354cec8d6b34af66f06933c17996c6e8524d948929482b196f6dc52023e8b57223c8dc1995f6cced665814b596d1bfefa08caa049e6ddb0fc6cd472b89d49a4

  • C:\Windows\{AA6AF2B3-4884-4776-84F8-7B0FCAD9CB3D}.exe
    Filesize: 204KB
    MD5: 18acdba07543933ae2fb655e7c47c244
    SHA1: 8580dc32355c02bb872c6ffac16f138a761cb28a
    SHA256: f3df92dbe613b97994be2952cbdc3badb649777969ab8e25d42cc6051df3e7ff
    SHA512: 4c5b445fa1bc034bd4002fea43fca0236fe06ddc69b5582bf59f209ce557a418b76e209909ce9f3a3f115f2bfd650fd198fc242327a56f4e40f6feacf739fdb0

  • C:\Windows\{AF4343C1-323E-47d2-BBAA-20C24AF00CE9}.exe
    Filesize: 204KB
    MD5: 5554fc3506b7a686ec782fc0dc0ac928
    SHA1: 485cb75ca7618d13784119b88e194cb48ea2c307
    SHA256: a92e243754cc753da5688311364628b3677477d3c80ab84993b4994191054ee8
    SHA512: 91b8b591694e7758b1e6b27d88459e1dbfda6bd7e24dcf0a350b3d2b662214b5a8151274b9a7e5ba5204500fbe20edb3a2671b372816cee52aa2675f0be4eae9

  • C:\Windows\{E38AA1FC-15D3-44a1-AAA0-AF732FA524EC}.exe
    Filesize: 204KB
    MD5: 879d9b9fa2933bd9f198f96c9a835697
    SHA1: bfcf0d82127c726b43f1f118a89eca636e9da66e
    SHA256: 0ec0df0f3d10f85ec9a425936ea0fbdcc09698666f5310e25b92940cac8de362
    SHA512: 524c8e58bce0c7a4fc515749ea2b68376f0e357550a4af05e2412c840458b8e1a85a49f8fb382cb76865ef68d857323126adf25324f03ed2d5b86fc35ade16db