Analysis

  • max time kernel
    149s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 04:03

General

  • Target

    2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe

  • Size

    168KB

  • MD5

    a80dabf659d32f1291733d0bfd9a8787

  • SHA1

    ae8364364fb2873a26641bd8a1be4c776a221c8e

  • SHA256

    72a2ca06af4ddbbcfe583c635a5ff039e006c6e5d658cff114226f599eed8c50

  • SHA512

    612157d2df64df07bc9cf4b9b9d68be5db76b0e01680ddf870235887bde607c7e7c15feb19232a4c3d696460f01e6bff86320b0da324debbe70c6582763b3dd8

  • SSDEEP

    1536:1EGh0oSlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oSlqOPOe2MUVg3Ve+rX

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_a80dabf659d32f1291733d0bfd9a8787_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Windows\{16938679-306F-4298-BC94-8082C2B5CED3}.exe
      C:\Windows\{16938679-306F-4298-BC94-8082C2B5CED3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\{5C395026-DF68-49f4-8EE4-36005E0D5924}.exe
        C:\Windows\{5C395026-DF68-49f4-8EE4-36005E0D5924}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\{F4DCE912-41F7-44ed-8BAC-73E8723C71EB}.exe
          C:\Windows\{F4DCE912-41F7-44ed-8BAC-73E8723C71EB}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3472
          • C:\Windows\{D9F07D45-5744-4940-818A-0C2BDB9C9F23}.exe
            C:\Windows\{D9F07D45-5744-4940-818A-0C2BDB9C9F23}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2536
            • C:\Windows\{D2B62AB6-22D5-4913-8A1E-2E6BC6C0BEC0}.exe
              C:\Windows\{D2B62AB6-22D5-4913-8A1E-2E6BC6C0BEC0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1380
              • C:\Windows\{CF16FE49-E93F-41b1-A9EF-EB12F7AE8DA4}.exe
                C:\Windows\{CF16FE49-E93F-41b1-A9EF-EB12F7AE8DA4}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4388
                • C:\Windows\{E0C9721A-4F78-49b1-A9AD-808584D07DF3}.exe
                  C:\Windows\{E0C9721A-4F78-49b1-A9AD-808584D07DF3}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3880
                  • C:\Windows\{48915553-5C57-4aa9-B4B8-ACF5F0A262BF}.exe
                    C:\Windows\{48915553-5C57-4aa9-B4B8-ACF5F0A262BF}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4208
                    • C:\Windows\{BB0F813F-7C7D-4699-812D-EFBAEDD0FA89}.exe
                      C:\Windows\{BB0F813F-7C7D-4699-812D-EFBAEDD0FA89}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3316
                      • C:\Windows\{8C4FEA6C-41D1-4259-A305-B8DD5ED1662F}.exe
                        C:\Windows\{8C4FEA6C-41D1-4259-A305-B8DD5ED1662F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2336
                        • C:\Windows\{6629C955-5D9C-433f-AF66-E77DD73A4884}.exe
                          C:\Windows\{6629C955-5D9C-433f-AF66-E77DD73A4884}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1516
                          • C:\Windows\{951D6418-CBD0-4f41-8129-D8A84FB1E24A}.exe
                            C:\Windows\{951D6418-CBD0-4f41-8129-D8A84FB1E24A}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3572
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6629C~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3052
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8C4FE~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4924
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB0F8~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3080
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{48915~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4816
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E0C97~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1068
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{CF16F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2116
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D2B62~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4152
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D9F07~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1908
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F4DCE~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3184
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5C395~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4728
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16938~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2248

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{16938679-306F-4298-BC94-8082C2B5CED3}.exe (Filesize 168KB)
  • C:\Windows\{48915553-5C57-4aa9-B4B8-ACF5F0A262BF}.exe (Filesize 168KB)
  • C:\Windows\{5C395026-DF68-49f4-8EE4-36005E0D5924}.exe (Filesize 168KB)
  • C:\Windows\{6629C955-5D9C-433f-AF66-E77DD73A4884}.exe (Filesize 168KB)
  • C:\Windows\{8C4FEA6C-41D1-4259-A305-B8DD5ED1662F}.exe (Filesize 168KB)
  • C:\Windows\{951D6418-CBD0-4f41-8129-D8A84FB1E24A}.exe (Filesize 168KB)
  • C:\Windows\{BB0F813F-7C7D-4699-812D-EFBAEDD0FA89}.exe (Filesize 168KB)
  • C:\Windows\{CF16FE49-E93F-41b1-A9EF-EB12F7AE8DA4}.exe (Filesize 168KB)
  • C:\Windows\{D2B62AB6-22D5-4913-8A1E-2E6BC6C0BEC0}.exe (Filesize 168KB)
  • C:\Windows\{D9F07D45-5744-4940-818A-0C2BDB9C9F23}.exe (Filesize 168KB)
  • C:\Windows\{E0C9721A-4F78-49b1-A9AD-808584D07DF3}.exe (Filesize 168KB)
  • C:\Windows\{F4DCE912-41F7-44ed-8BAC-73E8723C71EB}.exe (Filesize 168KB)