Analysis

  • max time kernel
    144s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 03:52

General

  • Target

    2024-09-19_40bcbe119ccfd48e671045168f7aa393_goldeneye.exe

  • Size

    168KB

  • MD5

    40bcbe119ccfd48e671045168f7aa393

  • SHA1

    afed5e046b92e51d6afe09a0577c0f036c08cbaa

  • SHA256

    6ab42f1159080edfaa7e82697a2bc09de0276aaf484690385d18cb7dbe055454

  • SHA512

    ecfd76d7036b23892839e7b483b152ee8501f225c346c5f9ce8a5d621dc538528a2cae2a1ec3df6425fadb607e8bdf3586abbd5bd9d1a712a548b1f76bb2f5d0

  • SSDEEP

    1536:1EGh0oElq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oElqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_40bcbe119ccfd48e671045168f7aa393_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_40bcbe119ccfd48e671045168f7aa393_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\{06B9132E-B463-4406-9DC9-9CCA6EE5C623}.exe
      C:\Windows\{06B9132E-B463-4406-9DC9-9CCA6EE5C623}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\{57C94160-566A-43e0-AE64-E6DD7349A3B2}.exe
        C:\Windows\{57C94160-566A-43e0-AE64-E6DD7349A3B2}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\{02CA13EB-5312-4c72-858D-5484CB3D3E72}.exe
          C:\Windows\{02CA13EB-5312-4c72-858D-5484CB3D3E72}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Windows\{B417D356-E064-477e-8265-7BC837BB8FA9}.exe
            C:\Windows\{B417D356-E064-477e-8265-7BC837BB8FA9}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2788
            • C:\Windows\{2FB8F9B9-4040-4420-9F38-4AD33762A6A1}.exe
              C:\Windows\{2FB8F9B9-4040-4420-9F38-4AD33762A6A1}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1560
              • C:\Windows\{045424DE-8C66-4683-91A4-623DBAF33BAF}.exe
                C:\Windows\{045424DE-8C66-4683-91A4-623DBAF33BAF}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:976
                • C:\Windows\{74FBD7FB-7D9F-471b-ADFA-DA28CAA6D0F6}.exe
                  C:\Windows\{74FBD7FB-7D9F-471b-ADFA-DA28CAA6D0F6}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1904
                  • C:\Windows\{750B39AF-F13C-4522-A850-4B74C786AEDC}.exe
                    C:\Windows\{750B39AF-F13C-4522-A850-4B74C786AEDC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1644
                    • C:\Windows\{CE9EEC86-64E7-4a7b-B947-49F4A6836B24}.exe
                      C:\Windows\{CE9EEC86-64E7-4a7b-B947-49F4A6836B24}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:572
                      • C:\Windows\{AED64E64-85E0-43aa-BE54-675E254D4481}.exe
                        C:\Windows\{AED64E64-85E0-43aa-BE54-675E254D4481}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2436
                        • C:\Windows\{AC8D702F-F9BB-45f1-8121-6251B58E1683}.exe
                          C:\Windows\{AC8D702F-F9BB-45f1-8121-6251B58E1683}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2192
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AED64~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2216
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE9EE~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1096
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{750B3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:972
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{74FBD~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2616
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{04542~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2784
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{2FB8F~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2696
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B417D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2324
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{02CA1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1948
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{57C94~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06B91~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2860
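
The process tree above has a fixed shape: each stage drops a new 168KB executable named C:\Windows\{GUID}.exe, runs it, and has a cmd.exe child delete the stage that spawned it ("cmd.exe /c del <8.3 short path> > nul"). Every dropped file in the Downloads section has a different hash, so hash-based blocking does not help; the behaviour does. Two details matter for a rule: the deletion target is an 8.3 short name ({06B91~1.EXE for {06B9132E-...}.exe), and the sensor reports the image as C:\Windows\SysWOW64\cmd.exe while the command line says system32, which is file-system redirection for a 32-bit process on x64 (the resource tags list arch:x86). The following is an added example, not part of the sandbox report or the sample: detection logic over process-creation events with Sysmon Event ID 1 style fields (pid, parent pid, image, command line). The ProcEvent records and the benign explorer.exe/build.log events are constructed from the report's tree for illustration.

```python
"""Added example: flag the GoldenEye-style drop-and-delete chain from process
creation telemetry.  Not part of the sandbox report; EVENTS below is
constructed from the report's process tree plus one benign 'del' to ignore."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Every stage in the report is C:\Windows\{GUID}.exe (8-4-4-4-12 hex GUID).
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I
)
# Every stage removes its parent with "cmd.exe /c del <path> > nul".
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # path as resolved by the sensor (SysWOW64\cmd.exe for a 32-bit parent on x64)
    cmdline: str


def is_guid_dropper(image: str) -> bool:
    return GUID_EXE_RE.match(image) is not None


def self_delete_target(cmdline: str) -> Optional[str]:
    m = DEL_RE.search(cmdline)
    return m.group("target") if m else None


def _split(path: str) -> Tuple[str, str]:
    head, _, tail = path.rpartition("\\")
    return head.lower(), tail.lower()


def short_name_matches(target: str, full_path: str) -> bool:
    """Heuristic 8.3 match: {06B91~1.EXE refers to {06B9132E-...}.exe when the
    directory is the same and the text before '~' prefixes the long name.
    8.3 generation can drop characters from the long name (spaces, extra dots),
    so this is a prefix check, not a reconstruction of the short name."""
    t_dir, t_name = _split(target)
    f_dir, f_name = _split(full_path)
    if t_dir != f_dir:
        return False
    if "~" not in t_name:
        return t_name == f_name
    return f_name.startswith(t_name.split("~", 1)[0])


def find_parent_deletions(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(cmd pid, parent pid) for every cmd.exe whose 'del' target is the binary
    of the process that spawned it, i.e. the parent is erasing itself."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, int]] = []
    for e in events:
        target = self_delete_target(e.cmdline)
        if target is None or _split(e.image)[1] != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and short_name_matches(target, parent.image):
            hits.append((e.pid, parent.pid))
    return hits


def guid_chain_length(events: List[ProcEvent]) -> int:
    """Longest run of GUID-named executables each spawned by the previous one."""
    by_pid = {e.pid: e for e in events}
    best = 0
    for e in events:
        depth, cur = 0, e
        while cur is not None and is_guid_dropper(cur.image):
            depth += 1
            cur = by_pid.get(cur.ppid)
        best = max(best, depth)
    return best


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-09-19_40bcbe119ccfd48e671045168f7aa393_goldeneye.exe"
S1 = r"C:\Windows\{06B9132E-B463-4406-9DC9-9CCA6EE5C623}.exe"
S2 = r"C:\Windows\{57C94160-566A-43e0-AE64-E6DD7349A3B2}.exe"
S3 = r"C:\Windows\{02CA13EB-5312-4c72-858D-5484CB3D3E72}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed telemetry modelled on the first three stages of the report's tree.
# PID 1234 (explorer.exe) and PID 4000 are invented benign noise.
EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(808, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2196, 808, S1, S1),
    ProcEvent(2860, 808, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(2724, 2196, S2, S2),
    ProcEvent(2832, 2196, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{06B91~1.EXE > nul"),
    ProcEvent(3048, 2724, S3, S3),
    ProcEvent(2884, 2724, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{57C94~1.EXE > nul"),
    ProcEvent(4000, 1234, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Temp\build.log > nul"),
]

if __name__ == "__main__":
    print("parent deletions (cmd pid, parent pid):", find_parent_deletions(EVENTS))
    print("GUID executable chain length:", guid_chain_length(EVENTS))
```

On the constructed events the rule reports three parent deletions and a chain of three GUID executables; the benign cmd.exe deleting build.log is ignored because its target is not its parent's image. On the real tree the chain is eleven deep. Two caveats for triage on a live host: the report counts 22 Active Setup IoCs but does not list the keys, so check HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} for StubPath values pointing at C:\Windows\{GUID}.exe, and match cmd.exe on the resolved image path rather than on the system32 text in the command line, since a 32-bit parent on x64 launches the SysWOW64 copy.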

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{02CA13EB-5312-4c72-858D-5484CB3D3E72}.exe

    Filesize

    168KB

    MD5

    9378cadd0243c9b88d0948cf14ccb5fd

    SHA1

    5c2b71004d5ec213355843d29f5535ff1e55d26d

    SHA256

    f7db23e69e1feacbe86b9f3017d14032a59ecd60da09e2bf1cd1e5e16a14e00a

    SHA512

    7aa89aca893707c3fe205455c1e23b9457f0f1055e160418d7c703d151126b361e280bfbbb2e70313694c46ab2d30b906b339cb673d02055abfdaf21c84ecaaa

  • C:\Windows\{045424DE-8C66-4683-91A4-623DBAF33BAF}.exe

    Filesize

    168KB

    MD5

    4387fbb8f627269e0db2406679417b27

    SHA1

    8f166b62c6b7eae54d306dd34f32fa110cc7df32

    SHA256

    ae67f2b77a3ef9dae337f4490d399d11ef270d426e1e0ff92ed7b8f01983a9e2

    SHA512

    245af8470645ad7f4249d2c43cc6c172318150849c3abfebbcaf244eade44a78efe15fbe7acfec2c581b60588b8d9192c2ba77a8c178654f0c65c74667c9da86

  • C:\Windows\{06B9132E-B463-4406-9DC9-9CCA6EE5C623}.exe

    Filesize

    168KB

    MD5

    ca08a3a1462dd63de40609ffb1c39ef0

    SHA1

    6d8f3929d24342c783146a0583ea1990bb3b1a01

    SHA256

    adacf5c8e798d2f76f9415a106c60b1a551918853c8bd8ea6b6b18cb94beb0e7

    SHA512

    2f94ef014a6dec534580139464abaddfbef4b280a61f357c57a7ee98e2fe7fd38c238050ec5027530cc8e951c9bcf4214960efc85ab67b312e8da8c2e3e6729a

  • C:\Windows\{2FB8F9B9-4040-4420-9F38-4AD33762A6A1}.exe

    Filesize

    168KB

    MD5

    bd1108d154f8e879ee8c74b81025236e

    SHA1

    fc79bac165326695c9fc2d2be14af9acb4b33678

    SHA256

    b873636c61440dcc50d81ed4a229547f4d70c26a294c18a6f399833527191b7e

    SHA512

    8588e89a92b4804cfb96ade627ed5b831df438d3b94a00a8aec53a5bd4fdcd3f21430bcba20b173a7e4bcb8fa958f9b68f1b61a0243a124dd588c807bdc642cd

  • C:\Windows\{57C94160-566A-43e0-AE64-E6DD7349A3B2}.exe

    Filesize

    168KB

    MD5

    d19fd38177eabd0396aaabcc719aa76e

    SHA1

    c35395cb461b10094af415f4f6a0cb252efa0d6e

    SHA256

    87524ad75fa353e7dbb52b83464b9a06e4ef8493b398638ec2309dcd325e4e42

    SHA512

    8c380ff2dd0ab85857bb3b591e5618baaaa7acbdf4a3bfc6d66b796ef1b8a9a526522256959be474ed4c2ef220517c73d48b7c9c79ed7052dfd3d8f786822e84

  • C:\Windows\{74FBD7FB-7D9F-471b-ADFA-DA28CAA6D0F6}.exe

    Filesize

    168KB

    MD5

    a1158a915da442eb08d4756ec340edf9

    SHA1

    fb193cbf60405025bb3c31c6d5b083bd9b6ddec4

    SHA256

    0e82abebb2e6ad4e8969a3e4566dc8697744cfd2639fb5f986a7c13f16e8f7df

    SHA512

    197f891dad313fa9e5d976373a8c35088d221a1f5f3c668d6dff10f58d573aa11a33cb1b911a2a753147aba09656fd8be92c8c10e5730a65962b1353ab01a631

  • C:\Windows\{750B39AF-F13C-4522-A850-4B74C786AEDC}.exe

    Filesize

    168KB

    MD5

    558ccda10f85d8ca026a39aa2cfc8705

    SHA1

    96256b303cf841420d813a9d6ac78fd207289159

    SHA256

    532c9898b0ac977b798d703901474f7472245f0581313df906052160050b8e5c

    SHA512

    1324275bbf223a1dacfd59991f4af676f1d066a188359dff5f2460eccb1faee48e41eb9db6ba1cf6b7a35a9d544e8a7f0c972408f0e5801475549b682d618618

  • C:\Windows\{AC8D702F-F9BB-45f1-8121-6251B58E1683}.exe

    Filesize

    168KB

    MD5

    e93d68088097d52bd1731169d605c98a

    SHA1

    7c89935b0a245dd3f770657eef26763619d29f47

    SHA256

    27e4667f15fb3149e95446d03711740b28840d846e0aba74f9bd580ce8c5acd6

    SHA512

    031c5d7594e76a581aaa8e4642a52fb710c9d13b482a66d7834c714eb7aa661b3273204825d0805094759c85b75ec6d3a63e37d53569afbd2cf131bb5a9a655e

  • C:\Windows\{AED64E64-85E0-43aa-BE54-675E254D4481}.exe

    Filesize

    168KB

    MD5

    413ce62e10a80d209bc55497cde8aaa8

    SHA1

    6f41ef26fdcddd39720a98ad784796de9bb03c0f

    SHA256

    3f5d0dc887927ad93d5dad6838cd7c6100b40a61f9a45e36a83f501a6c58efde

    SHA512

    9de5db0bb4edc01a529ccd739774517b12a95cc995c503820094d6abca45f767c97b6664728d424b65a5cc2d4fa74debad670b827d65c5979d7c89591c71e8c0

  • C:\Windows\{B417D356-E064-477e-8265-7BC837BB8FA9}.exe

    Filesize

    168KB

    MD5

    778dc2fa304ced25e166d7e549bc9ad7

    SHA1

    d5adacf5cf2061e9b28487c33bebf3d5f2cfb148

    SHA256

    551745d7344b1cd005ca7f3cf787caed26c063216b6dfd12be8cbbb90f50053e

    SHA512

    a2bbe3589c94b0879f2d55fa9cf832794f8518abacf63ecb3dabd297e6220030a3e4181b0f72866e14314dee508950a367e102e97dd4a93521a9c5f138b1e6bf

  • C:\Windows\{CE9EEC86-64E7-4a7b-B947-49F4A6836B24}.exe

    Filesize

    168KB

    MD5

    492ff58e8f0e64f621b6bb1d81dece09

    SHA1

    18fa1d45076e595157ac3b28845490345c4d7ac1

    SHA256

    aead9e934cb1e06b4430273506116e0227e3bfd51feb235f413cb1fb5ce2e214

    SHA512

    6323da76dcd84702bd86da39a49cfce394e8d8454f6c189466e0fd9d4a83505c6f5f5d05ad08522027739df07292964e543758175249a064b19d690b201d2125