Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 03:58

General

  • Target

    2024-09-19_7f8431dd7750cb5a01b73901b0cc6991_goldeneye.exe

  • Size

    168KB

  • MD5

    7f8431dd7750cb5a01b73901b0cc6991

  • SHA1

    0e211c2a4f2e0c152f6bbdf651cf26c71f4bcfdf

  • SHA256

    fc29a70bf74832242e2ab3d42fe59e4fd34c361f6c5041a950122d33c37cf6ff

  • SHA512

    177e5f7fdf629c16e0b3e3b1d07e6657745de4e61cfeb426466c3e6a9b94d25a7db305c94439367b3c4f09eea8a51e46f791035c0ba6843b40c2d21df33af212

  • SSDEEP

    1536:1EGh0oplq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oplqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_7f8431dd7750cb5a01b73901b0cc6991_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_7f8431dd7750cb5a01b73901b0cc6991_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\{75C2F2DF-C8F5-49b4-B5D7-CC91A85C1622}.exe
      C:\Windows\{75C2F2DF-C8F5-49b4-B5D7-CC91A85C1622}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\{404E4D67-D20F-4e51-8DF1-4583D57B2C89}.exe
        C:\Windows\{404E4D67-D20F-4e51-8DF1-4583D57B2C89}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\{6C28E6B9-0C7C-4af2-846E-F351379B5825}.exe
          C:\Windows\{6C28E6B9-0C7C-4af2-846E-F351379B5825}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2884
          • C:\Windows\{0D95E73C-0110-4bc2-BCB3-02C18821D125}.exe
            C:\Windows\{0D95E73C-0110-4bc2-BCB3-02C18821D125}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2608
            • C:\Windows\{259569A4-F7F7-4e33-9894-7EDC1880AA39}.exe
              C:\Windows\{259569A4-F7F7-4e33-9894-7EDC1880AA39}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2300
              • C:\Windows\{9DC86C68-CB17-439d-B1FF-02605B97F7A3}.exe
                C:\Windows\{9DC86C68-CB17-439d-B1FF-02605B97F7A3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2240
                • C:\Windows\{EF9458C6-4931-4cd2-A4BE-19D17D849713}.exe
                  C:\Windows\{EF9458C6-4931-4cd2-A4BE-19D17D849713}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:324
                  • C:\Windows\{1840F6FF-1EFF-4d09-90AD-5DE9B815E11A}.exe
                    C:\Windows\{1840F6FF-1EFF-4d09-90AD-5DE9B815E11A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1608
                    • C:\Windows\{809516E9-B291-4899-A1AD-9A1C7679961D}.exe
                      C:\Windows\{809516E9-B291-4899-A1AD-9A1C7679961D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2080
                      • C:\Windows\{146227F9-3DB5-4fc7-8FE4-F6595FDDBBDD}.exe
                        C:\Windows\{146227F9-3DB5-4fc7-8FE4-F6595FDDBBDD}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2560
                        • C:\Windows\{844DFF05-0AA2-4a25-B07D-3AE3A17F499D}.exe
                          C:\Windows\{844DFF05-0AA2-4a25-B07D-3AE3A17F499D}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:420
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{14622~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3004
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{80951~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1780
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1840F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1052
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EF945~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1732
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{9DC86~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:592
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{25956~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:588
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0D95E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2924
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6C28E~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2640
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{404E4~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75C2F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0D95E73C-0110-4bc2-BCB3-02C18821D125}.exe

    Filesize

    168KB

    MD5

    89c8a7afacfb18c3e213bf82b3a99c05

    SHA1

    2544171fa19483a8883c2799f3a7dc7932738b6c

    SHA256

    b8e6c73c0737c3c22bcd7a84c9665153dc658c677e795e3fde101136629ea016

    SHA512

    844dfe79c02eb78a23a184ed3d17cc27566fb9c4a0574f221e9bc3a471e15045d8848cc32742a1bc3e75bb8a22c7dee7aaa88d697ea001bad322c88fe577726f

  • C:\Windows\{146227F9-3DB5-4fc7-8FE4-F6595FDDBBDD}.exe

    Filesize

    168KB

    MD5

    9627ce631500e198a50789d5125c18a8

    SHA1

    96bab6b124e0426af614d0c79d26eeed7dcb3ded

    SHA256

    99f0feb2a47830d54b706d11d630183bc7ab057cd37be47f61fb73ee6a4fafa0

    SHA512

    9ae40e4369640c01c05e57ee30c4403ae37b540e479ae3016776e90349c915475eb60c3d75dbed3f4683f07de5aa62c1c57b5e2f3fd4b748922b6c8f13e4e42b

  • C:\Windows\{1840F6FF-1EFF-4d09-90AD-5DE9B815E11A}.exe

    Filesize

    168KB

    MD5

    61137bcf7eb6b163c769ec30a5da51af

    SHA1

    c5f47f652f096033501a8ce65103bc4ffa7f421f

    SHA256

    6ddfb091005bfc399f4bae1be9ce70e2991aaa548c04ad03d75382267effc461

    SHA512

    2debb0c42b469f91abb8f108a170164f77907b6dbe2411a5cbc3d09725d2db2012fbb50bc20c28ab749fc602355caa63e942ebb1baa8fa1d8186bbb7433a3bb5

  • C:\Windows\{259569A4-F7F7-4e33-9894-7EDC1880AA39}.exe

    Filesize

    168KB

    MD5

    4d4c839b3689ac4e0cabcadb94145dbb

    SHA1

    cf7e41ed7d1936af9f49898d5ea01f273f57a97f

    SHA256

    a1c0862a11c8713885e8f4f6d0a228758107aa2dfb6e1f84c3b87d82f710b63e

    SHA512

    00a4aff5d72c15bab6f50fc3a47c432b012586c7220f924066be860c48248960476f12528e8f9129cd340f46824e6569dc739d8c5c71fa8a7e808ea3f24adf07

  • C:\Windows\{404E4D67-D20F-4e51-8DF1-4583D57B2C89}.exe

    Filesize

    168KB

    MD5

    b9aa986def7c94ce93db2f195b3fb213

    SHA1

    2e85728007e32eaa490e607d9893f4e711cf843b

    SHA256

    1f41aee044ab665ca713614137f0aa0d2099ce6fa90a0cf13a59641072974ca3

    SHA512

    6759f5551b26978c5747ba94ea5222ac3651995fd606d86728db4813117bf123db1f7000fc50539a7bbe50fbfd15b4a9e01381085ca290363a7d4ac43cd48076

  • C:\Windows\{6C28E6B9-0C7C-4af2-846E-F351379B5825}.exe

    Filesize

    168KB

    MD5

    7c63af7ef0e7ffeeef9be9cdacbb851e

    SHA1

    337f9c4051b885ef57c1111a86beea7a81f22809

    SHA256

    74269c0442ecf3e4e4811dae25b718285e259b3ff90d77d362d62864a667b919

    SHA512

    6a988edc0117ab915fc750afec6c48d82c54686daccd5d45b57506043c82b4cb5cceefbe7057a4c576eee8b72fe62a60167bfc6fc78c7145c1f8870f8f37ce9e

  • C:\Windows\{75C2F2DF-C8F5-49b4-B5D7-CC91A85C1622}.exe

    Filesize

    168KB

    MD5

    94b7bbbd78cd8e7c3726aeeca9ec6f38

    SHA1

    71dcf5bba89b629e53c6c24c7e9bf0dc9a01134d

    SHA256

    8497243901c8c53debabe4a1420e0537fc7e1ab3a428a62c19aab3d16d7bf3ee

    SHA512

    67353d55dcfadeb2da3e268fd5de2289fc6cae6ed354566e20a4cad34f4729a9907e8faa6b64f2ce964c5244d62af961c36ba137480eebaa92624e1dd53ca3ea

  • C:\Windows\{809516E9-B291-4899-A1AD-9A1C7679961D}.exe

    Filesize

    168KB

    MD5

    78d4f47271f6829ca3e310ba7068eaba

    SHA1

    7e69857fa8eeca9910142abc6968ce1cb785ac4b

    SHA256

    a7e7033c5f0c3265390ad0f92d791bf4d040ed7069c745bae076602ea582c8c8

    SHA512

    f935171ada781c0fc73fb60688eb6c1404d5536b3e9a152525051ec4e57658a3c79866de7d5ffbeebbb8c1133487637cf1afd2349307f99b9381964c487eb12f

  • C:\Windows\{844DFF05-0AA2-4a25-B07D-3AE3A17F499D}.exe

    Filesize

    168KB

    MD5

    84ec6b749a29708c79d38ba3a06530f6

    SHA1

    bff182930497191700f1ba5553ef2b0ad94f10a7

    SHA256

    9b7b5c3ecf1eebfb4e17654bf1d365d800c52379775c860beca1e4cf05cdfb46

    SHA512

    644a91bd5db189ce642c2f690d4fa8f8d31f31453ffb18c905f5bd4ea81fc810cdee6bed65f83be49dd9724d5f1221a97bb15da770eea689adca470c65972341

  • C:\Windows\{9DC86C68-CB17-439d-B1FF-02605B97F7A3}.exe

    Filesize

    168KB

    MD5

    399e38d5d1bc6b15a460dacf8cf03a4a

    SHA1

    62c080b0ec42d6a6dace4b16ffc1b188787198e1

    SHA256

    38ff578ec262b80127c95aa0698cc37e252708a90b45b50a6e793c1e2cc13f1b

    SHA512

    978e9e85672dd8fcece584d3444a12f7f3caa4682d02e8f2a3d1643e899e612606612cf51b0d59b31f6a57e9f026e395be9213971b2404c2e7fc60a6fab09802

  • C:\Windows\{EF9458C6-4931-4cd2-A4BE-19D17D849713}.exe

    Filesize

    168KB

    MD5

    44c615efbd148ca521eaf88b3ccadc1d

    SHA1

    7b94e0acec0b19d3a96c134df33fd55dfe0f6eac

    SHA256

    b90e66bdb6ec7e2ed87e71481d0dcceaabb4850e6ca6772ee4db106887c13816

    SHA512

    78ce53255e5710935526c08eeeaeb1090d0cd08f7909f5832f813e5582fee604a89a69bf13ff9ec9e286bd3dc8f13e2a27eb3360347f8351e7ef2b54ee0f659b