Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-09-2024 13:35

General

  • Target

    2024-09-13_86b25fb8369730f05988170d045795a8_goldeneye.exe

  • Size

    204KB

  • MD5

    86b25fb8369730f05988170d045795a8

  • SHA1

    48bd431286e35040e00d575cf6e439e1659cab52

  • SHA256

    2995327fd49ea37f2a518b5116f4acb872321dee7b7fad3aa9ea9c445b8a926b

  • SHA512

    b842865701c062ac45174ee2602d88a92bee735aa88be78a0333fab4e572a6a423df29d2bf2b015ff8efdf34592a3ce25da24b4aac91669f43231bfd57d3d59a

  • SSDEEP

    1536:1EGh0ohl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ohl1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_86b25fb8369730f05988170d045795a8_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_86b25fb8369730f05988170d045795a8_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\{FDA0A00A-652C-41dd-A574-2AA5CCB4F51B}.exe
      C:\Windows\{FDA0A00A-652C-41dd-A574-2AA5CCB4F51B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\{0AF1E8EC-64F0-4ca1-9542-3F46D8951FD8}.exe
        C:\Windows\{0AF1E8EC-64F0-4ca1-9542-3F46D8951FD8}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\{3AD1C96A-CD4C-471a-B499-2BED92620CAA}.exe
          C:\Windows\{3AD1C96A-CD4C-471a-B499-2BED92620CAA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3588
          • C:\Windows\{D04D718E-8101-4502-8309-2B8A4603D0F3}.exe
            C:\Windows\{D04D718E-8101-4502-8309-2B8A4603D0F3}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1468
            • C:\Windows\{06030CB8-372D-4040-A800-77D94D1F328B}.exe
              C:\Windows\{06030CB8-372D-4040-A800-77D94D1F328B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1404
              • C:\Windows\{2AF2F0D7-3F19-4f78-AD46-172E183EBCC5}.exe
                C:\Windows\{2AF2F0D7-3F19-4f78-AD46-172E183EBCC5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:224
                • C:\Windows\{CD5B05AE-31C5-4583-95FB-8E2BC8ECF437}.exe
                  C:\Windows\{CD5B05AE-31C5-4583-95FB-8E2BC8ECF437}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3180
                  • C:\Windows\{2FB0ED5F-AB95-4604-8651-4F16A57B2073}.exe
                    C:\Windows\{2FB0ED5F-AB95-4604-8651-4F16A57B2073}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3828
                    • C:\Windows\{467B613B-54F7-4b37-B532-A1360EA077F8}.exe
                      C:\Windows\{467B613B-54F7-4b37-B532-A1360EA077F8}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1080
                      • C:\Windows\{DE3559B0-D866-4757-B10D-41E5A4ABC0C2}.exe
                        C:\Windows\{DE3559B0-D866-4757-B10D-41E5A4ABC0C2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4480
                        • C:\Windows\{41F064BB-CD43-4b6d-97A6-C717B892B4F5}.exe
                          C:\Windows\{41F064BB-CD43-4b6d-97A6-C717B892B4F5}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3652
                          • C:\Windows\{2648B358-B110-48d9-A43D-74DC91CD23C4}.exe
                            C:\Windows\{2648B358-B110-48d9-A43D-74DC91CD23C4}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3200
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{41F06~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3280
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DE355~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3928
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{467B6~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1956
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2FB0E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4268
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CD5B0~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3352
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2AF2F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4556
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{06030~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1328
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D04D7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3532
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3AD1C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4644
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0AF1E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDA0A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3280
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{06030CB8-372D-4040-A800-77D94D1F328B}.exe

    Filesize

    204KB

    MD5

    b15496db85616f5ff992558d5a9b0fc0

    SHA1

    e8128757c9dc9f6efbfa29f33abd193800867abe

    SHA256

    695abe5e0b79944239323c29e040e881171c569503c6595de78cafb92638942b

    SHA512

    1f9964b7b73c4e57dee13df072479c1c0f46a0d7de31a7f206d43fb94e0959a55126dea4c3aca92528e20a7bac6bec39ceb8cc628f1d500163fbab42c57e97a5

  • C:\Windows\{0AF1E8EC-64F0-4ca1-9542-3F46D8951FD8}.exe

    Filesize

    204KB

    MD5

    a2a5508f4ef93e7e59aa5332a697c34e

    SHA1

    e743dc5c41fd19f9edf1bdc7040bd520244a545a

    SHA256

    f324c1ac586a37db0146e14c9cc46b0615ef3fa9d808c78c51401fc23ecc4155

    SHA512

    9eae3a8b2fe2ead842a94beb4d477f646e38b90db73b4eb8f6243954e46d7c672c28be533b299a4ebb53a285d59f6b1134f25d205989c9423788e27e676ce4fb

  • C:\Windows\{2648B358-B110-48d9-A43D-74DC91CD23C4}.exe

    Filesize

    204KB

    MD5

    2781024d66f7aa6e874d73e4592312cd

    SHA1

    93089ec245c656bd8523bc6e71d46071265b22f2

    SHA256

    804097d1e6cf5db2bfe2ec08dc7e1e6b0ff592eac2dc5ab6c373f1ffc85d6262

    SHA512

    a8885ebdd79fdb6d034f22f528dd0d8c65bdbcd098b9e4c0371a0ca5991bbb1de334dc6f99d5ce2391d3d3d94b106f0b54ca27391622fce875c6fb5c1003756b

  • C:\Windows\{2AF2F0D7-3F19-4f78-AD46-172E183EBCC5}.exe

    Filesize

    204KB

    MD5

    c757050c6806c2175d047a7c8a789330

    SHA1

    36336e7cf885d93213abdb9ba26a13f612a26485

    SHA256

    eacc0d187a87764b07af4efe626591a4737861dbeee0926091875c36a988b455

    SHA512

    0305bce14ec775029563093bf5c81a74f8d9f4108d6491d6df2a16bcfe67922ccc5c7bbe6e33f31248208e8ff612df74c760fae090e51e4ba39df3130e377e00

  • C:\Windows\{2FB0ED5F-AB95-4604-8651-4F16A57B2073}.exe

    Filesize

    204KB

    MD5

    c59592554a6bb315e09e97fbd93e29e6

    SHA1

    50a77742a1a49e9b5d81a11d8d1c1e2566c74334

    SHA256

    3eb844a0f731f37e60cef9e3246bd2264401bd98531fa718dc45eab5e2cf6f9f

    SHA512

    93d522dd25c98209ec42bfe15f4365f17813397c4359eaa23919a30343b47c4ed1dd375fbc302144467072e8326f682bd6aa6481da728c3e58e942ca4aec84f2

  • C:\Windows\{3AD1C96A-CD4C-471a-B499-2BED92620CAA}.exe

    Filesize

    204KB

    MD5

    e9f65cf67c055b94ecdf8fce646ca316

    SHA1

    8861b80056416a514702db6c8d9b0c3d73ef286f

    SHA256

    5d4abc794ff21e20b8d4b8a5b83bad03bef053a236c36416cb2e2b0851c2e0a0

    SHA512

    2f8067d198a92a76665a0b4f4b7041e59546b895b4e0913ac6942120c715fa3bb52d6f197b7813b51658eec9a943bd6080ff2cbbfff349da5b498aa344687c79

  • C:\Windows\{41F064BB-CD43-4b6d-97A6-C717B892B4F5}.exe

    Filesize

    204KB

    MD5

    aab47848fdddc85e1f531fe1bb516f7b

    SHA1

    ba3aa5a94dfcec9bd9d7cfd6d4f57fc8efdf6cc1

    SHA256

    cc875289dbd6570f4bacab8e536eea24566ab70196ea1e33861fd87b90c747c7

    SHA512

    4939944438fa237a523f4953b0e0c4bfe6e4a37dc3834dd0d7e41cdd8201f8bcba87848e77d31a7a9a46876e5a5ba961748c94d85a6e299c4603984e5ce4a04b

  • C:\Windows\{467B613B-54F7-4b37-B532-A1360EA077F8}.exe

    Filesize

    204KB

    MD5

    9aadb98f97bd6c354033380c0cfcc27d

    SHA1

    d8a6f27995734282d359c6a28d47af1434017b62

    SHA256

    c74ee6307132a508912f38d0e5613c60efefaf7242b24a330a57eb6ae32f9fc5

    SHA512

    0090b305c17a451b5e22b4bcf02be051bc8be6c1e7e32f3cf708e5216f0e12318550a3b948ee70c2436a51b38c13a2b125038719cb01bbe4eb23e771e069d391

  • C:\Windows\{CD5B05AE-31C5-4583-95FB-8E2BC8ECF437}.exe

    Filesize

    204KB

    MD5

    33f30eb3c7ece3fb625a174f965271ca

    SHA1

    ea6ffa35945f5bde20019e0cf59f1ec02d00fa97

    SHA256

    78a0f3df3aac9bc77bf3a4a6b28d1221f61cb48bd028b26eaffea48240320652

    SHA512

    3f2d6315f85181b57b2273c68290cdf50eeb0a6cd2b505cd779d804354ea771df59e71bf72820d3bbd647d6fc26e71d1a1c59721eb13acf1852d13b9b3b6cd83

  • C:\Windows\{D04D718E-8101-4502-8309-2B8A4603D0F3}.exe

    Filesize

    204KB

    MD5

    7d8e3350b2f73177f71f9c6d64b2200f

    SHA1

    b6b5db88966d88d13086fa3b446fe05a315fc67d

    SHA256

    d7e81f7b5d96ac47aa5cb26be4b4b1123b2883bb552208e3dc984ab6eb008c17

    SHA512

    8b5da4579bd6a65e3d98c3e2b9223e21976a64f7b82f86a7fe9499e4d57fb8fcc78eb7aff23836b52829f6cf5feff91ba5cf462c0661cc85c01e83bfb385c774

  • C:\Windows\{DE3559B0-D866-4757-B10D-41E5A4ABC0C2}.exe

    Filesize

    204KB

    MD5

    4f9102b3a934a0ca0ee9de95bda15b58

    SHA1

    0299dd1aa0ee6388edec5ffc6203a22a264cae34

    SHA256

    d1a597d2aa750cca7f3059dd5c8dff183c6c77373ef66e82bf2ab51fb29e4131

    SHA512

    849a99b1f78e2d823e3e79b6d53a2c8766bf1c57a004613e16fef89a283338f68cc2ec862daf8c9a8b15744bf73a824bcb859b0c0dbc5b41b1f5fa6a8fcfb876

  • C:\Windows\{FDA0A00A-652C-41dd-A574-2AA5CCB4F51B}.exe

    Filesize

    204KB

    MD5

    f3928f6b0aaa051b770b207fed9ee0c8

    SHA1

    9ef808f2f3c0f22fd62d36fad2a355a4dd0a3c2b

    SHA256

    2be4921810c3963551f44a787c878fb1d9695cdf21f76af8112ee552fbf0ccf6

    SHA512

    c32e44df50578a732c7a9cd034c40c53b7d7b42aa068d662272aa2478c3545dc40e5a6d6413be98cfd7c25d2065365479618cd9f1e6389d42eeaeb1f19e9e86c