Analysis

  • max time kernel: 149s
  • max time network: 119s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14-09-2024 04:37

General

  • Target: 2024-09-14_da4e6443e63b01262b4f3389dbe34367_goldeneye.exe
  • Size: 408KB
  • MD5: da4e6443e63b01262b4f3389dbe34367
  • SHA1: 7e01ebf58b583f0011a067c024abf43bc8291da4
  • SHA256: 99a32999bc342c5733ff5a842da819113b8ca3fb5d2d1ec53632e17abdd10f12
  • SHA512: ccc0b134e69d558fa0145def078084c6ffb768e659cd8f5fd5d3f6d0440cb628e37c9debd1f1c49ac880726e8d63a488058503179d6ca393944119b1c30f2481
  • SSDEEP: 3072:CEGh0oGl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGIldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-14_da4e6443e63b01262b4f3389dbe34367_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-14_da4e6443e63b01262b4f3389dbe34367_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Windows\{66A419AE-0D49-471e-8147-B75F0EEDEE6A}.exe
      C:\Windows\{66A419AE-0D49-471e-8147-B75F0EEDEE6A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\{558548B9-05D3-4b60-B922-D4E075ABC54B}.exe
        C:\Windows\{558548B9-05D3-4b60-B922-D4E075ABC54B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4408
        • C:\Windows\{4AF0EE0D-C75E-44f2-8934-5ADE6F5DF244}.exe
          C:\Windows\{4AF0EE0D-C75E-44f2-8934-5ADE6F5DF244}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3784
          • C:\Windows\{82B58B20-64C4-4937-9F2D-11F00546C14F}.exe
            C:\Windows\{82B58B20-64C4-4937-9F2D-11F00546C14F}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1380
            • C:\Windows\{9A12BA33-726F-44c0-8E6A-B08CD306DEB1}.exe
              C:\Windows\{9A12BA33-726F-44c0-8E6A-B08CD306DEB1}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:636
              • C:\Windows\{CB25068B-6BB8-497a-AB81-C72ECA70290F}.exe
                C:\Windows\{CB25068B-6BB8-497a-AB81-C72ECA70290F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3324
                • C:\Windows\{16D461D1-8553-4f86-9983-5E4A669E162B}.exe
                  C:\Windows\{16D461D1-8553-4f86-9983-5E4A669E162B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2172
                  • C:\Windows\{1E79A6E9-504C-4723-8C3F-BC25C963143E}.exe
                    C:\Windows\{1E79A6E9-504C-4723-8C3F-BC25C963143E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2180
                    • C:\Windows\{9D89B3BE-6DD8-4fb3-BFA7-2199D15D6390}.exe
                      C:\Windows\{9D89B3BE-6DD8-4fb3-BFA7-2199D15D6390}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3364
                      • C:\Windows\{CD09CE08-44D6-409d-979F-C613587610FF}.exe
                        C:\Windows\{CD09CE08-44D6-409d-979F-C613587610FF}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4848
                        • C:\Windows\{56BB40F5-44BA-4092-96A4-15C14EE47EEB}.exe
                          C:\Windows\{56BB40F5-44BA-4092-96A4-15C14EE47EEB}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4152
                          • C:\Windows\{D009A62A-4AC3-4258-BDE9-DD03A2142CAA}.exe
                            C:\Windows\{D009A62A-4AC3-4258-BDE9-DD03A2142CAA}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2624
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{56BB4~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:5064
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CD09C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2364
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D89B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3404
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1E79A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2932
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{16D46~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1944
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{CB250~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4792
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9A12B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4212
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{82B58~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3884
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF0E~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1968
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{55854~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66A41~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2864
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{16D461D1-8553-4f86-9983-5E4A669E162B}.exe
    Filesize: 408KB
    MD5: 331187615c36dc520aa7824ac855e546
    SHA1: 8dfee1b6519117079e1e1d0c21a06e2afe74769e
    SHA256: 2ee3aaa694ca00a5aa7ef419a5d7bb4bcbcdd86b2fc531666323f4cfcf521dbd
    SHA512: ed8e611d6a062b7a091387d6f20848c26be9907cb2c54149b77dce3e8699132c947b29e98e57e2cf58a093f7e07e8aa9dbd5146f8ddf73f8d17010ed4fd97d62

  • C:\Windows\{1E79A6E9-504C-4723-8C3F-BC25C963143E}.exe
    Filesize: 408KB
    MD5: d5e476fa84eba25c22dc9dc23140979f
    SHA1: 5249a8772e74917dd9696e473a0fdd33c7866249
    SHA256: 7a802f377687b75a5487b40635117898d9027746c340961abebf33e4209c1ee1
    SHA512: 09061c37c1b2f46c971ceb025db29d48dcf8b9f4bcfbffec750e4105b9bb4920e07927f92729652c3813167d2a812ebb435aa57d5512f13f7db0b0b05ee190b8

  • C:\Windows\{4AF0EE0D-C75E-44f2-8934-5ADE6F5DF244}.exe
    Filesize: 408KB
    MD5: 821d71012066c182042676cc9b27dc6f
    SHA1: 6c53a0d166ccb4e1d2c1a3629eff01df2e3fe0d3
    SHA256: 7c5740add97b99e5232c2277f193a66bee92d0ec506c8d5eecd60cdb281a6780
    SHA512: d9a1fc4c59e278f749394202ac40f2a386d2aa6d1b64c4cc4d9018eebbc0d19780212d943b97e76d8120d71a7c28319c8ae03b717556166a54a131416991010b

  • C:\Windows\{558548B9-05D3-4b60-B922-D4E075ABC54B}.exe
    Filesize: 408KB
    MD5: 82bee61e2294935effbd8644dd16081b
    SHA1: 690e872db3e63a6a135bc1f4cb2cd6805563da7b
    SHA256: 872258f2c66d82c45648d75d5db174fd4765920e9231ca38f5b61ea2282db2a5
    SHA512: 060abe007acc22efc82084a4903b776d21e114a561744c5bf410a1c9b58ca6b96dad90b8533a10e428f13f5467ee482e9388632c9c417f20b39df786139fabc7

  • C:\Windows\{56BB40F5-44BA-4092-96A4-15C14EE47EEB}.exe
    Filesize: 408KB
    MD5: dda7d59c808963a9f8fac57b25a70d38
    SHA1: 1e5a7f51120fdba4df291d92d01bb5c9b0aecaa9
    SHA256: a07fc097c1784f5bac464b62b4ecab7bbbaeb232f9087233c5874db6cd777a7e
    SHA512: 57f2db8337c9bc970e94e8f58e6a24d5227ec7409e5975bb51d53251d3de8f38879d7812dad830406be269f34521451ec035830835b1b06861c0c8792f36d3a7

  • C:\Windows\{66A419AE-0D49-471e-8147-B75F0EEDEE6A}.exe
    Filesize: 408KB
    MD5: bbb468528cb538bb116decdf17e2ea23
    SHA1: 5e7a05c18b99467244e0cf170712d624fcb14ef8
    SHA256: eef7f1e46cddd4a44e299375f23fb71f4a5e2e379d9109d7e79c74a37a92aaee
    SHA512: 5a790620273de5212e86337cd7496f1f432f909f304d576d52f35543e4cdb24d1cf7ee4ab018787da8475e7dace11d4132093f8a2015b08791b12f052b716827

  • C:\Windows\{82B58B20-64C4-4937-9F2D-11F00546C14F}.exe
    Filesize: 408KB
    MD5: 0122c8d0fcc1fff2378ce8f4038c8a00
    SHA1: 49d533c0414b9680598ca48bc7361c51bc2d4d12
    SHA256: 8e15001851fcc32416a254ba5535f48433f4d77be652b6f03a99de12e81ca8a3
    SHA512: 5b339a6ee51d7180be4a2cf7146ba805d4ca9a983454b0100e4132b7008a97bfc36845d50e25aec69f8ffc7c460e106daf4c8ecfba4339603c32c9b9e88609db

  • C:\Windows\{9A12BA33-726F-44c0-8E6A-B08CD306DEB1}.exe
    Filesize: 408KB
    MD5: 01c62d168254d0fecba01ddc9256e94a
    SHA1: 6187520ebe1468b856c831cc39e3efdebb072fd6
    SHA256: 3ba55a69f3508f85b50e04378b1481fdb8a644298106f53e0177a10a8d04954c
    SHA512: 9bb70ba75d233c953b0532d8fe1711fed950b3680cd556fd8252c2a0dc3bd4f8d1478751c1247a488f89543cd933e13fa5f509ef9a379406a59c2a60c6625077

  • C:\Windows\{9D89B3BE-6DD8-4fb3-BFA7-2199D15D6390}.exe
    Filesize: 408KB
    MD5: 41e7b60d71036c841daac34835fe1084
    SHA1: 17efb794305908045047f57e21ce224788ba6547
    SHA256: b9b8f2af5e0b1c991b39924fb97bacfcb868fe810ec6cee4fa1a29221d47ee36
    SHA512: 255f9be2da74747bcec585256d27fa893490c59f308489d3da26e7ada1c7a73e21eb11e2f8871425bdc62cb4f8c861d7d5ba7e6401e0099fef75c35ae008ff3d

  • C:\Windows\{CB25068B-6BB8-497a-AB81-C72ECA70290F}.exe
    Filesize: 408KB
    MD5: 681afcb3640e629d6b15b3e4b4b84018
    SHA1: 7cacf33a73e1644e06da5e3e29b96cb2d06c8f0a
    SHA256: 95a7c502a0d9f233bb09576e4e3ae5c8597cecf6ceee02fbcc24c666ce1dfa91
    SHA512: 905b11b8c034efc6a99f91c5e26633b7461350a6e8018f531ce93fd5c979da31edb4a7664b8b83d39ebf469d83b65c87c36b3901baf915219443c42f93c031b2

  • C:\Windows\{CD09CE08-44D6-409d-979F-C613587610FF}.exe
    Filesize: 408KB
    MD5: 40b1278c06d514f4fc72cce2dc1fcadd
    SHA1: 6a33c5fee5f065f62ca2e1a260a212d9ea658e21
    SHA256: f38bc54d40bd3f38f2b4425d55b6677897d649de9b3d681c606c34c1e3f7c1aa
    SHA512: dab800062ed36bea175ebc0b4cf385a18f1dad2f3513df113baacda90378df9462d2c76b6a4ffcc57b46fd52c3fd22824fbb95a45d203ee013d017856bbcc6db

  • C:\Windows\{D009A62A-4AC3-4258-BDE9-DD03A2142CAA}.exe
    Filesize: 408KB
    MD5: e29f5dd4be45d3b3e79794f47b3771c1
    SHA1: 44947d6e47d7360f76903edceb03b9f62cc2b75e
    SHA256: 78896db9cc95c4e89950f6af222b72d0c051666a8293a6097eeb925fb0f34c65
    SHA512: b33f9a8b8e9aed91ef61242747432ff58023a05aa80fb6a60c27b794e8893649329e6615f8e9f02cec78004da54d1f0be59ededc550ee636cb18b8e3bcd8665b