Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 04:06

General

  • Target

    2024-09-19_bdee278f036d2b64b87ffbb2cfd921d1_goldeneye.exe

  • Size

    380KB

  • MD5

    bdee278f036d2b64b87ffbb2cfd921d1

  • SHA1

    1ca624d17d2c87ee6a716041a4c5d42c2a1f735a

  • SHA256

    16547b4802e5229ef2d66cca3002c64f2011a49014015a6273b4e492fe3d3709

  • SHA512

    a4ec5e1ce7d0a9ab69a6e51e59f530741a11cfca4da745bde3ffc9f1c3c7a8b1b1074a4361017b21680f577e761a1f94da6eb8f4be6e9db46395abd3a9818de0

  • SSDEEP

    3072:mEGh0oxlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGnl7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_bdee278f036d2b64b87ffbb2cfd921d1_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_bdee278f036d2b64b87ffbb2cfd921d1_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Windows\{5B6B8676-2E39-4109-B2DA-A0FE39481848}.exe
      C:\Windows\{5B6B8676-2E39-4109-B2DA-A0FE39481848}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Windows\{A1364166-4DFE-4946-B03A-A56F8F3B2553}.exe
        C:\Windows\{A1364166-4DFE-4946-B03A-A56F8F3B2553}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\{03AB166A-AAA9-4bff-8FFE-C24E5554A703}.exe
          C:\Windows\{03AB166A-AAA9-4bff-8FFE-C24E5554A703}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Windows\{BEC96927-3734-429c-A78D-49D15A8C6664}.exe
            C:\Windows\{BEC96927-3734-429c-A78D-49D15A8C6664}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1508
            • C:\Windows\{A6E80F4B-57F6-44c5-BDD3-BA3D377E68CA}.exe
              C:\Windows\{A6E80F4B-57F6-44c5-BDD3-BA3D377E68CA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:640
              • C:\Windows\{F2E9669B-CA4E-49a6-A638-5CCCEA1FD57E}.exe
                C:\Windows\{F2E9669B-CA4E-49a6-A638-5CCCEA1FD57E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3232
                • C:\Windows\{EDFEC23D-B3A2-4f98-9684-884D2122B598}.exe
                  C:\Windows\{EDFEC23D-B3A2-4f98-9684-884D2122B598}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3928
                  • C:\Windows\{ACEB4642-3B8A-46a2-8C50-42AFB84D2F9C}.exe
                    C:\Windows\{ACEB4642-3B8A-46a2-8C50-42AFB84D2F9C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3840
                    • C:\Windows\{05E19FAF-BA43-4235-AFAA-0B7DCAEC5242}.exe
                      C:\Windows\{05E19FAF-BA43-4235-AFAA-0B7DCAEC5242}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1444
                      • C:\Windows\{5CFF5101-9816-4572-BFD5-9244125FEE6B}.exe
                        C:\Windows\{5CFF5101-9816-4572-BFD5-9244125FEE6B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5060
                        • C:\Windows\{A93F46B9-1DFD-451d-9D1B-6E0619DF31BB}.exe
                          C:\Windows\{A93F46B9-1DFD-451d-9D1B-6E0619DF31BB}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3444
                          • C:\Windows\{5D1404EF-B074-4ee6-8717-4B1EB1BE7760}.exe
                            C:\Windows\{5D1404EF-B074-4ee6-8717-4B1EB1BE7760}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4408
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A93F4~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4056
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5CFF5~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3516
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{05E19~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1616
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEB4~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4100
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EDFEC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1032
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F2E96~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4972
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A6E80~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2920
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BEC96~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2728
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{03AB1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A1364~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2284
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B6B8~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2844
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4628

Network

MITRE ATT&CK Enterprise v15


Downloads
