Analysis

  • max time kernel: 144s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 13/09/2024, 16:24

General

  • Target: 2024-09-13_0af04b1464cac136d4751623cb5e9566_goldeneye.exe
  • Size: 204KB
  • MD5: 0af04b1464cac136d4751623cb5e9566
  • SHA1: 343d724612a6aea0497d209d5e8e9598b3225375
  • SHA256: e4756e309ca934b9f86665f8a9a00b45e0bbe99bb4223fa34f978d897b1c188e
  • SHA512: 32d17af415e1072c6832bf99b034571d53a341fd42256ca8488999f803aa3cef1943844a79ba0faf6caee7581379161083a219ddf015feeeadbf0d8b34539b34
  • SSDEEP: 1536:1EGh0oVl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oVl1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_0af04b1464cac136d4751623cb5e9566_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_0af04b1464cac136d4751623cb5e9566_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\{863208F7-A7EB-4b69-91F1-28F64A2D1CBB}.exe
      C:\Windows\{863208F7-A7EB-4b69-91F1-28F64A2D1CBB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\{1341E7A9-1AAE-489f-8E7D-C9AE567C3696}.exe
        C:\Windows\{1341E7A9-1AAE-489f-8E7D-C9AE567C3696}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Windows\{B7A62729-0759-4a53-815E-B4CB342A003E}.exe
          C:\Windows\{B7A62729-0759-4a53-815E-B4CB342A003E}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\{8C0262A5-0716-4e22-88F8-78A8F813C960}.exe
            C:\Windows\{8C0262A5-0716-4e22-88F8-78A8F813C960}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2916
            • C:\Windows\{EB785B52-C94F-44f8-A6A4-68295D389C55}.exe
              C:\Windows\{EB785B52-C94F-44f8-A6A4-68295D389C55}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2640
              • C:\Windows\{E154FEC9-EB8D-4815-ACA6-E8E3A4C0374F}.exe
                C:\Windows\{E154FEC9-EB8D-4815-ACA6-E8E3A4C0374F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:768
                • C:\Windows\{951BAD9E-FE10-4a42-8945-FD6BCD5D83F9}.exe
                  C:\Windows\{951BAD9E-FE10-4a42-8945-FD6BCD5D83F9}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2352
                  • C:\Windows\{B2323B13-A5C7-4d74-A183-D116FC0CF429}.exe
                    C:\Windows\{B2323B13-A5C7-4d74-A183-D116FC0CF429}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1184
                    • C:\Windows\{28057D42-9FD9-44be-A731-E7CFE2906F3B}.exe
                      C:\Windows\{28057D42-9FD9-44be-A731-E7CFE2906F3B}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3040
                      • C:\Windows\{DA58B511-F07D-4c11-BCA2-E95BA9DA95FF}.exe
                        C:\Windows\{DA58B511-F07D-4c11-BCA2-E95BA9DA95FF}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2184
                        • C:\Windows\{2523986D-8B2F-42ab-B862-5111C79B8895}.exe
                          C:\Windows\{2523986D-8B2F-42ab-B862-5111C79B8895}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1992
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DA58B~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1632
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{28057~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2416
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B2323~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2920
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{951BA~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2780
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E154F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:532
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EB785~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8C026~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3044
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B7A62~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1341E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2332
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86320~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1508

Network

        Downloads

        • C:\Windows\{1341E7A9-1AAE-489f-8E7D-C9AE567C3696}.exe
          Filesize: 204KB
          MD5: 7ee345b69eb78849e02a0e75ac6de14b
          SHA1: 079709b34182f247d2f05ad4fdbba72a67e75001
          SHA256: 25e2f2e0e4a2f1d6e624e931c5f33092c5612a15c7b2fec23c38be429ef6f935
          SHA512: b39aca1a34df742d5bb5da1b008ff2ee66d1b5b390786b4820fdace46afd134f66439cb6a467911fb6f083f9a0554c648ac0ba76b8d3a676c3f1b7bb511b768f

        • C:\Windows\{2523986D-8B2F-42ab-B862-5111C79B8895}.exe
          Filesize: 204KB
          MD5: e347b108598a2cadc58464d6ed456cd9
          SHA1: b34dfb81adc07b9c2990f28140e2a797ebab4e9f
          SHA256: 3acbf3fd17b6c18c8743d0b155f60b9ca74558f404234b40b54936fb433bc7f5
          SHA512: 92097ae27cc20bb5844876164f5e04522d333e9568ae6c4ecf7b3d94ab99ebcfab5160b3766cc8d43f72d257fe9595ff683d96fad3c594bebbb42baaed450ae5

        • C:\Windows\{28057D42-9FD9-44be-A731-E7CFE2906F3B}.exe
          Filesize: 204KB
          MD5: b672c97b5a3e930852a07549232b16bb
          SHA1: be4025851b6b1e35f9f362345d617e4257dfe195
          SHA256: c08730d69b9797969baed3b280cb63c67299cef2933577de9c431b710d15d189
          SHA512: 270a39934a13ac6289bb618594bb95a6ab04c36d2e4d13114bfb1a22f0bf0efeeda946f23f40514b128d934c4f8f3a7b30acca3180928a57caa1d9b0046aaeef

        • C:\Windows\{863208F7-A7EB-4b69-91F1-28F64A2D1CBB}.exe
          Filesize: 204KB
          MD5: ebe27cc95978318fee07c73d96589250
          SHA1: ec03678b3014dcccd2252143026a7a98b04c560e
          SHA256: 4869c07119abfcd6b27d24a52a2ec174572959fb2a94f311f32439310a969a4e
          SHA512: 19ce5c7fdee4565a6fbdafb8630a4661dcc9b50ec82a41e6a4dddee28ae6b6df601f2411f15d8f701e301a7d39302a3121a4e03ac3cc340c1eb12d2f071922b3

        • C:\Windows\{8C0262A5-0716-4e22-88F8-78A8F813C960}.exe
          Filesize: 204KB
          MD5: b07d303aa8aa0dd7185b489dea347c14
          SHA1: eeb0b4c2f0e42b5cdbbd83d39120c88800af4654
          SHA256: 888119837c654d8bf0f3abea72a139e9d47f1fef7906e4f5c5a84157d9b8c11e
          SHA512: 7cc93b5884f202ed2edb5c4a292616c90477c30ac042793f1ea74cd238ae0bfd9da93dd3390db67190d159a82610194f28b984ad94e477f970ba0698958bc4c6

        • C:\Windows\{951BAD9E-FE10-4a42-8945-FD6BCD5D83F9}.exe
          Filesize: 204KB
          MD5: 54498f4163ff39c5501cbc4293e6b373
          SHA1: 5d5b57d7f3108f0875ef068505282c7ed68ea3da
          SHA256: 583f389f7bca26829a9a68193d7542a368386f1cf8f217770b1b8edee1f5e309
          SHA512: 51b97fe42a1715f54769ff5bd4b49b4c281e3d981a038311eb358506c3191eafe23f993a58a0850adfe21f954eab4a6b4da021d206a214e136947dcc91899d45

        • C:\Windows\{B2323B13-A5C7-4d74-A183-D116FC0CF429}.exe
          Filesize: 204KB
          MD5: efb20b0f3e8f2f704fcddd9be77abe57
          SHA1: 06a56e289aab431dc09d563707ee7ad6dc19953f
          SHA256: 7d30c37e12d0d2ec4a1b8aa449fcd59555106dd6239e4e81193b924e67984beb
          SHA512: b70c8f161b1b30bfc1752b4c553567fceb714b53d74db81f01fdc357139887463762894ced5779dd809ba75a450f5cfe6149cafb874af93e96d32c0e84835f83

        • C:\Windows\{B7A62729-0759-4a53-815E-B4CB342A003E}.exe
          Filesize: 204KB
          MD5: 1f0f6792f6f82f100ccfb34fbe98f886
          SHA1: 0d1c88baeaae35616bb5a948d801e6ac912a21f0
          SHA256: 734e2bbb31593d0c1abae9444087ee2c4d9defb4eb7ca31211683446a072dc2b
          SHA512: 562c9e1e2d53933af3d4be47f2b5628b5773b49b1aabc09b3e09627051d62416cd22130b57a16aba6e5891c9dc7bc9d82f1fcb2a523939a96c0882a3688457e4

        • C:\Windows\{DA58B511-F07D-4c11-BCA2-E95BA9DA95FF}.exe
          Filesize: 204KB
          MD5: d14641e3637967e3ab7bdd39fb4aea56
          SHA1: bbbe29347523b42dae3607ce31aaeb123e4be794
          SHA256: 66e5d335f160b1f6bdc924742e4a38152d69c003ddc3aa3b0c7268f30703ea3a
          SHA512: 8575efd5c150abada7bba4c249faad2696842e04b344da1c879d0a97c180fa9e35ba817f601e394586223fd8913fbacf70d283b070c6c5c82719541eeb9575b2

        • C:\Windows\{E154FEC9-EB8D-4815-ACA6-E8E3A4C0374F}.exe
          Filesize: 204KB
          MD5: 987693b8adf06961aba6cf0daaa15dd9
          SHA1: 252a3d3bad7884d54b8f3d9bda4315bb4aa76e40
          SHA256: 394210ec5c36b33739314bd5d4b80278868619d5edb6315ad7b1d1352d82d72a
          SHA512: 28f37533da35b2c241ff40a5a1562558e8e00eb6cc230741e6326138d282183de8c4cb2cfee08b9178860e7ff9dd0ec30214e26a6849a5185f80f26d9edcd549

        • C:\Windows\{EB785B52-C94F-44f8-A6A4-68295D389C55}.exe
          Filesize: 204KB
          MD5: 21d5d2504bda1a543e5ad700f4126e39
          SHA1: 4c922effc3ff314d830204e29d1f36dd928aa5d0
          SHA256: fe359ef2257dff185a5c27d0ad7ef50dbc2995f4f9809d926ed6bdbd26ba66df
          SHA512: 63f835183879276af1f003f55c2cc73e46ec65f3b08ab9f93183cc19779528b0db1b80b4521014e56155ec10b1682c1e4ae4580b9e0fb1c6fb3d99441b2326c3