Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-09-2024 03:38

General

  • Target

    2024-09-15_9cd2c36f8f7bb063cf9d87e417d6733c_goldeneye.exe

  • Size

    216KB

  • MD5

    9cd2c36f8f7bb063cf9d87e417d6733c

  • SHA1

    f3dc848bd2f1c99ef5caca715290fe57608058e9

  • SHA256

    7b0a319d943664637b7d620b9593823fae5f3a9a737abe494470035f9f2e1fc8

  • SHA512

    26de0a3f7bb5263c50c5556d2383ff6f7e5c2760bbd62f50e687f43494789261f151c38e8c927a3912a9e4da3b37b149af9e776d93675edd6c1a11c4e880697d

  • SSDEEP

    3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGclEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-15_9cd2c36f8f7bb063cf9d87e417d6733c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-15_9cd2c36f8f7bb063cf9d87e417d6733c_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\{22AE7F4D-9FDD-432c-9CE3-9F0DE50423B9}.exe
      C:\Windows\{22AE7F4D-9FDD-432c-9CE3-9F0DE50423B9}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\{AE42792D-2D04-46d3-B86F-899C17C420C5}.exe
        C:\Windows\{AE42792D-2D04-46d3-B86F-899C17C420C5}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2092
        • C:\Windows\{141F7D42-AF92-4644-A74B-DE380F49B646}.exe
          C:\Windows\{141F7D42-AF92-4644-A74B-DE380F49B646}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\{2BDA31CB-B9D5-451d-9836-064989298DB1}.exe
            C:\Windows\{2BDA31CB-B9D5-451d-9836-064989298DB1}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:792
            • C:\Windows\{7F9C01B7-0B42-41ad-915D-23F36EA8EC79}.exe
              C:\Windows\{7F9C01B7-0B42-41ad-915D-23F36EA8EC79}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2812
              • C:\Windows\{9A4B3BF5-5EAC-456c-851F-F73E4C13BE83}.exe
                C:\Windows\{9A4B3BF5-5EAC-456c-851F-F73E4C13BE83}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1568
                • C:\Windows\{9F325E3C-5C0D-476b-9A14-7AA6DC8C2326}.exe
                  C:\Windows\{9F325E3C-5C0D-476b-9A14-7AA6DC8C2326}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2196
                  • C:\Windows\{54C11290-4FED-484b-A09E-AEA63E3AC839}.exe
                    C:\Windows\{54C11290-4FED-484b-A09E-AEA63E3AC839}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2808
                    • C:\Windows\{B1619B8B-661C-46da-B92F-AF0ED3A77E69}.exe
                      C:\Windows\{B1619B8B-661C-46da-B92F-AF0ED3A77E69}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1752
                      • C:\Windows\{7E07CB80-76E1-43ed-A586-E5AF67932539}.exe
                        C:\Windows\{7E07CB80-76E1-43ed-A586-E5AF67932539}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2420
                        • C:\Windows\{29167C24-51CE-4802-8A76-B36E9EBCBBB6}.exe
                          C:\Windows\{29167C24-51CE-4802-8A76-B36E9EBCBBB6}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1748
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7E07C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1488
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1619~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2692
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{54C11~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2052
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9F325~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1456
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{9A4B3~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1856
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7F9C0~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2004
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2BDA3~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2956
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{141F7~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:604
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AE427~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22AE7~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2576
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2672

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{141F7D42-AF92-4644-A74B-DE380F49B646}.exe

    Filesize

    216KB

    MD5

    66d5e32c9303c40a05b37a247a1f72c9

    SHA1

    799c2a88b54236bfcc44fbf936b466bfcf958f60

    SHA256

    9e007b247270b7332874997ee5a43ee206785dc4d3410d2c2b18d648c97abe73

    SHA512

    593877d9aeefc21dac6cb0b9222517280554613a138f1cbd61336037f52b8db9fd2b6122271b0c8c122842102cdfb96f17963b5bd2e271a515c1aad4dac7afd3

  • C:\Windows\{22AE7F4D-9FDD-432c-9CE3-9F0DE50423B9}.exe

    Filesize

    216KB

    MD5

    efdfd839600c39ba9c480bcfb3bbe035

    SHA1

    75e6b3553f80faff47bdd64769593e059418b47f

    SHA256

    40802cdccc745d44cfb247d43d04fd6f6e84ab5761d73446a910156ff3633700

    SHA512

    62b1967b9e43c96ca109154351b71cd5b0fc4a3f54c56a8d5e8a6f05f08364f6968affe4800030c60dc5099fa96b22b0962792c55b88d3476b1ef89531f4d12b

  • C:\Windows\{29167C24-51CE-4802-8A76-B36E9EBCBBB6}.exe

    Filesize

    216KB

    MD5

    ac2d33631a821e9c3e3ae4a1b8a3cd13

    SHA1

    0371c44a408c47acc27b7d9744ac83e10b08caee

    SHA256

    025c83255c02f741d8087f63d1003b9d021e95e9c0f7b7f529988c4d29ce7bde

    SHA512

    c54d741728f8bc964d683e4b28bfc5186115cfdc40eb22e9b44e12782bb37cc7859a22999d84321e81707b0eee8118fabb38de4c2162053e41b59a316f819d87

  • C:\Windows\{2BDA31CB-B9D5-451d-9836-064989298DB1}.exe

    Filesize

    216KB

    MD5

    aa37f3e61c504780d84d2e654e653274

    SHA1

    ab6e66da83cd02eff48e4b0a06d25f14ed4acbc2

    SHA256

    f7ab4f7cea12874d8ae9b72d8829693b2c00a255829a6ce63664b1983578f094

    SHA512

    56e77cb983f3b225d31f7b43d6fe248bd6d85c3063fb2469037cc5f9d48c2bd054570ec56c3f4fe17d2309ab38b2c4d85ab1bc560856dbf59d0c3232c479d923

  • C:\Windows\{54C11290-4FED-484b-A09E-AEA63E3AC839}.exe

    Filesize

    216KB

    MD5

    6ef9862ca9dde759f243dc3f2dabb0c9

    SHA1

    69a51007f60d4f1afd776898898200fc7c600b98

    SHA256

    5a6516520c63fa5645b382e64c5f63945dd99f53144f4b6a0d7c363367653497

    SHA512

    7fc149b1008caf3bc849e70fbc05d427da1c3df7b4bf938fedeb79c13c624d8dcaa7f716c20f2b63fde49b2f7cffb2066804ca99934e4623133da7e1672fe058

  • C:\Windows\{7E07CB80-76E1-43ed-A586-E5AF67932539}.exe

    Filesize

    216KB

    MD5

    33a3a67ed76c88d7b95a5778e1ddebe5

    SHA1

    6642feaabadc60e34d9c7a6d284cef24c9dcd2a5

    SHA256

    4236fd7b763409c0f3c7080066a450a1fa62b29b75d62edded1ba21f4df4cde0

    SHA512

    3471d8f3819e8491fbbe80681668cbcae5493e8699be0d1f08e048b8a316161a848406f57d763bc0005492d5ad90f848a5c6c10dc7ec3f16e658fc542fb42133

  • C:\Windows\{7F9C01B7-0B42-41ad-915D-23F36EA8EC79}.exe

    Filesize

    216KB

    MD5

    796041e07b6c574b934407ec74573783

    SHA1

    4ad5e05be84bbe8510c8882c4b3f0741d30df980

    SHA256

    cf1545af65e02c024fed5acbeab52df67a162b3695224025ab6393754f27f426

    SHA512

    941ec36f2c7493dc22a90e4d862c757ab98bcc2c086dd8ba09277bea4246ffcadbf12a7971a870dbe6aeaa2f701705aff19e74718caefeb1c03e8ee5b9230fee

  • C:\Windows\{9A4B3BF5-5EAC-456c-851F-F73E4C13BE83}.exe

    Filesize

    216KB

    MD5

    a9ff6c53e025b45fba9c13c1ac4f5edc

    SHA1

    4a43d5da1bdf656d9481dc97c428d95e32fc97f2

    SHA256

    1c669b7f51474a76375d94ee194771a8ac77557deb16514e0b04a94c5729b952

    SHA512

    4e5a2c84e74b86290013f2213085eb4a1090b50ffafcf217d6faff593fa1c6546e797d0fc99320c33973af51a4a56d0cb60a0988558188489e602b4bac43b87a

  • C:\Windows\{9F325E3C-5C0D-476b-9A14-7AA6DC8C2326}.exe

    Filesize

    216KB

    MD5

    685aef4bc5c3ffcb45a3ced20065002c

    SHA1

    d5bd65a46224c4e579b9add59067341a073dae37

    SHA256

    648b56c093e9f0c4dd05c38387a6ff74be19db002837aa05f4a17575ec6082e3

    SHA512

    667a31a2020253637cf63a8fb0e3bd0969611bdd1aae15f51c1b379c6e6953c4ccc0be93e89c3842016f3ad5961d0c1f10a291f1f797d950cab845a438930c00

  • C:\Windows\{AE42792D-2D04-46d3-B86F-899C17C420C5}.exe

    Filesize

    216KB

    MD5

    29dd4e118c195699d0bc4de50bdc9cf9

    SHA1

    f1a8587d9603c85e28fe6caccf1d1503126f7e63

    SHA256

    1312e6841fa2b6638d892377539792d30dd6469b339d11d2cc4c546de8608b54

    SHA512

    1ad30a891fca1e5b56ec45413bb73da3b6c08749283f61ac6010fc8010b2f3d8d8b3135cc51cde14b77a67e9118607aab116efdddd93102b1968b2a93adb6a49

  • C:\Windows\{B1619B8B-661C-46da-B92F-AF0ED3A77E69}.exe

    Filesize

    216KB

    MD5

    cc91319bcec254d26bbb84c3bb0b9975

    SHA1

    2f22bfe0a2a40fcfed7143b2631d5a2855177e91

    SHA256

    a57a82c4d74db7dcd9b4c029f0492de10e42c354bb8d4e1c04ec333d7d3c7ad5

    SHA512

    22aa42e925302a35de7aea048d8e79336293f68bd6b0df98a8d4ee622e735de4c83cd747879c5d81fe3438983510fe152f4a83aab92635b6efa287e78df6dbb3