Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 04:07

General

  • Target

    2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe

  • Size

    344KB

  • MD5

    cb4dbd5c7dde73292365646f690f9805

  • SHA1

    66e64c458f36f6ae3a0e2990dabdcbaa42e181d3

  • SHA256

    b5e9fbca5bdcab701fa432622e34ef8b5c5d8324222fdc97cf981f53f59489e8

  • SHA512

    152dc39650017fee5b6530c0a897ca2d0c4d1807cea09a68b2fe87dd0e9c8aa9139920ff6ac247dc848d0f22050f330567edfc615f46b68435ecf296438a932e

  • SSDEEP

    3072:mEGh0o9lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGzlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\{1B33DA8C-AE98-48f7-9886-97D4EBFE90E9}.exe
      C:\Windows\{1B33DA8C-AE98-48f7-9886-97D4EBFE90E9}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\{3ECA7FE5-548C-467f-8981-F6E15C4CE15E}.exe
        C:\Windows\{3ECA7FE5-548C-467f-8981-F6E15C4CE15E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\{11E6F2F2-D4FD-4627-858C-AF4375790603}.exe
          C:\Windows\{11E6F2F2-D4FD-4627-858C-AF4375790603}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\{5B89A9BC-E6FB-477e-A7EA-EA91DAD78011}.exe
            C:\Windows\{5B89A9BC-E6FB-477e-A7EA-EA91DAD78011}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2588
            • C:\Windows\{E50D06CA-09A2-4219-B936-F0C6BFCFAC31}.exe
              C:\Windows\{E50D06CA-09A2-4219-B936-F0C6BFCFAC31}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2604
              • C:\Windows\{CA4BCA5F-B2D4-46e2-97F1-B9F06A6A03E8}.exe
                C:\Windows\{CA4BCA5F-B2D4-46e2-97F1-B9F06A6A03E8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2084
                • C:\Windows\{09700418-0EC3-49a5-B35C-C8ECB8E8A447}.exe
                  C:\Windows\{09700418-0EC3-49a5-B35C-C8ECB8E8A447}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1516
                  • C:\Windows\{7D56F3F0-2D31-479d-A559-4D01A436A8CB}.exe
                    C:\Windows\{7D56F3F0-2D31-479d-A559-4D01A436A8CB}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1456
                    • C:\Windows\{33F4FD94-6618-4c05-82BA-FF1EB2F28F40}.exe
                      C:\Windows\{33F4FD94-6618-4c05-82BA-FF1EB2F28F40}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2924
                      • C:\Windows\{9D470964-292B-49b8-B211-60B66CC37D23}.exe
                        C:\Windows\{9D470964-292B-49b8-B211-60B66CC37D23}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2984
                        • C:\Windows\{B6D15907-3C82-441c-AEB3-89DB5B8524E3}.exe
                          C:\Windows\{B6D15907-3C82-441c-AEB3-89DB5B8524E3}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1972
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9D470~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1308
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{33F4F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1396
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7D56F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1312
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{09700~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1884
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{CA4BC~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2888
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E50D0~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1656
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5B89A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1636
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{11E6F~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2700
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{3ECA7~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B33D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1620
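
The tree above is a relay: each stage writes the next {GUID}.exe into C:\Windows, launches it, and then spawns cmd.exe to delete its own image by 8.3 short name (the cmd.exe image resolving to SysWOW64 is file-system redirection of a 32-bit caller's system32 request). The script below is an added example and not part of the sandbox report: it rebuilds that chain from process-creation records constructed from the tree, and resolves each `del` target's 8.3 name back to the parent's long path so that the "Deletes itself" logic fires for every stage rather than only the original sample. The record layout (`Proc` with pid, ppid, image, cmdline), the `STAGES` table and the simplified 8.3 rule in `short_name` are assumptions made for the example.

```python
"""Triage of the dropper chain in this report's process tree. Added example, not
sandbox output: EVENTS is constructed from the tree above, and the (pid, ppid,
image, cmdline) record layout is an assumption about a Sysmon/EDR feed."""
import re
from collections import defaultdict, namedtuple
from typing import Iterable, Optional

Proc = namedtuple("Proc", "pid ppid image cmdline")

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GUID_EXE_RE = re.compile(r"^C:\\Windows\\" + GUID + r"\.exe$", re.IGNORECASE)
# The cleanup idiom every stage uses: cmd.exe /c del <8.3 path> > nul
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>[^>\s]+)\s*>\s*nul", re.IGNORECASE)

ROOT_IMAGE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
              "2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe")
CMD_IMAGE = "C:\\Windows\\SysWOW64\\cmd.exe"  # 32-bit caller, so system32 is redirected
CMD_PREFIX = "C:\\Windows\\system32\\cmd.exe /c del "

# (stage pid, parent pid, dropped file, pid of the cmd.exe that deletes it, 8.3 name),
# copied from the tree; the last stage had not deleted itself when the run ended.
STAGES = [
    (2052, 1968, "{1B33DA8C-AE98-48f7-9886-97D4EBFE90E9}.exe", 2672, "{1B33D~1.EXE"),
    (2652, 2052, "{3ECA7FE5-548C-467f-8981-F6E15C4CE15E}.exe", 2704, "{3ECA7~1.EXE"),
    (2720, 2652, "{11E6F2F2-D4FD-4627-858C-AF4375790603}.exe", 2700, "{11E6F~1.EXE"),
    (2588, 2720, "{5B89A9BC-E6FB-477e-A7EA-EA91DAD78011}.exe", 1636, "{5B89A~1.EXE"),
    (2604, 2588, "{E50D06CA-09A2-4219-B936-F0C6BFCFAC31}.exe", 1656, "{E50D0~1.EXE"),
    (2084, 2604, "{CA4BCA5F-B2D4-46e2-97F1-B9F06A6A03E8}.exe", 2888, "{CA4BC~1.EXE"),
    (1516, 2084, "{09700418-0EC3-49a5-B35C-C8ECB8E8A447}.exe", 1884, "{09700~1.EXE"),
    (1456, 1516, "{7D56F3F0-2D31-479d-A559-4D01A436A8CB}.exe", 1312, "{7D56F~1.EXE"),
    (2924, 1456, "{33F4FD94-6618-4c05-82BA-FF1EB2F28F40}.exe", 1396, "{33F4F~1.EXE"),
    (2984, 2924, "{9D470964-292B-49b8-B211-60B66CC37D23}.exe", 1308, "{9D470~1.EXE"),
    (1972, 2984, "{B6D15907-3C82-441c-AEB3-89DB5B8524E3}.exe", None, None),
]


def build_events() -> list:
    """Constructed process-creation records mirroring the tree on this page."""
    events = [Proc(1968, 0, ROOT_IMAGE, '"' + ROOT_IMAGE + '"'),
              Proc(1620, 1968, CMD_IMAGE, CMD_PREFIX
                   + "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE > nul")]
    for pid, ppid, name, del_pid, short in STAGES:
        image = "C:\\Windows\\" + name
        events.append(Proc(pid, ppid, image, image))
        if del_pid is not None:
            events.append(Proc(del_pid, pid, CMD_IMAGE,
                               CMD_PREFIX + "C:\\Windows\\" + short + " > nul"))
    return events


EVENTS = build_events()


def short_name(basename: str) -> str:
    """8.3 alias as Windows produced it for these names: first six characters of the
    stem, '~1', extension cut to three characters, upper-cased. Full 8.3 generation
    also strips spaces/punctuation and bumps ~N on collisions (not hit here)."""
    stem, _, ext = basename.rpartition(".")
    return (stem[:6] + "~1." + ext[:3]).upper()


def resolve_short_path(short_path: str, candidates: Iterable[str]) -> Optional[str]:
    """Map an 8.3 path seen on a command line back to the long path it denotes."""
    sdir, _, sbase = short_path.rpartition("\\")
    for cand in candidates:
        cdir, _, cbase = cand.rpartition("\\")
        if cdir.lower() == sdir.lower() and short_name(cbase) == sbase.upper():
            return cand
    return None


def self_deleting(events) -> list:
    """(pid, image) of every process whose child cmd.exe deleted that process's own
    image: the 'Deletes itself' signature applied to each stage, not just the root."""
    procs = {e.pid: e for e in events}
    images = {e.image for e in events}
    hits = []
    for e in events:
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        parent = procs.get(e.ppid)
        target = resolve_short_path(m.group("target"), images)
        if parent and target and target.lower() == parent.image.lower():
            hits.append((parent.pid, parent.image))
    return hits


def dropper_chain(events, root_pid: int) -> list:
    """GUID-named images in launch order along root -> {GUID}.exe -> {GUID}.exe;
    the length is the page's 'Executes dropped EXE' count."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    chain, pid = [], root_pid
    while True:
        nxt = [c for c in children[pid] if GUID_EXE_RE.match(c.image)]
        if not nxt:
            return chain
        chain.append(nxt[0].image)
        pid = nxt[0].pid
```

Against a real feed the two checks are independent signals: a GUID-named executable launched from C:\Windows by a non-installer parent, and a child cmd.exe whose `del` target resolves to the parent's own image. The 8.3 mapping assumes the `~1` suffix; if a collision on the volume has bumped it to `~2`, the simplified `short_name` will miss and the hit should be confirmed on the host (for example with `dir /x` in the directory).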

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{09700418-0EC3-49a5-B35C-C8ECB8E8A447}.exe

    Filesize

    344KB

    MD5

    413723a372fd2e45ace0ebc90d5ef48c

    SHA1

    619a055dc8bc6497e27b0c9c7222382136b5b49e

    SHA256

    6250fe3e9beb2dd8b2a498edd6bfc0d961b7c17c86985e36652f84e6e8415250

    SHA512

    a2b2e330e5d002c51ec95cb9f8e6396a5dfef4c8811963d1c158db1515610c35c8a8ce2bd4532b4328af3d3488b60a4bc8fc850cc019cbac27e86e490652761b

  • C:\Windows\{11E6F2F2-D4FD-4627-858C-AF4375790603}.exe

    Filesize

    344KB

    MD5

    f4e0a521136e3d19d8a8a1b2a81d3296

    SHA1

    900f79ab1c6a580e195fd2f4bddb5248a916bca8

    SHA256

    b7bddfe3b38e6c1ba626506742303e0fd924e7bb62a489c115c631125d1c9c2e

    SHA512

    73aa1d7365c621a97b87e3bb1baeec62c0a3170f2a7ec044f368fb83d957beebd066d266a12bba474cbd422ad0e5de34e97ae2a24f783c1a3609c1f7bbd42d1d

  • C:\Windows\{1B33DA8C-AE98-48f7-9886-97D4EBFE90E9}.exe

    Filesize

    344KB

    MD5

    af8f1d632538df986e88265d1096fe44

    SHA1

    d24df76806d95ae012e2c4305795bf47a2d5b132

    SHA256

    88d96e5ed5c34494f5fcf7fc1eaf5b1f1c3902dba7db20aad712f458b02f45b7

    SHA512

    fb246c3e9815c07e0fbd39a7e9da337663b42343b43c2b520910d666366ebcc335c916bff5bbb4faf62f79fff8d172e92161a2c8830ed3662578b2feb033d543

  • C:\Windows\{33F4FD94-6618-4c05-82BA-FF1EB2F28F40}.exe

    Filesize

    344KB

    MD5

    e84ed9e91b371f95e5d050ea0b1ab458

    SHA1

    c23c81211226f8bab017f3729c58d8035d869949

    SHA256

    49934fbedf632b0f53877e895e22da9de0d3fc785e739db06c221073111878d4

    SHA512

    fcf8b72df043deb78efd36a1001d6efe0c4571481d605718d3cf38b9ffba2bd26766dd01e2552231ae259dba95d74e94b8093227d036f6737eb1ff50eb13442b

  • C:\Windows\{3ECA7FE5-548C-467f-8981-F6E15C4CE15E}.exe

    Filesize

    344KB

    MD5

    31a37f4d0bc9e5a600d645aebab09134

    SHA1

    a8ff529857cde12bd047d6dc942bef398a4ce6c7

    SHA256

    2aa5b6161b263edb6177c96915fcb08e631b82d25bc20278153b51ae50c0cc19

    SHA512

    4e47450800c5d938486d075760203c53e7a84611f9ca35c08cc38c04db412e3a990dc69b20a980750f57bb172bda68bcb286075ad1cdbb4176c6c55bd097c8dd

  • C:\Windows\{5B89A9BC-E6FB-477e-A7EA-EA91DAD78011}.exe

    Filesize

    344KB

    MD5

    53df31064bb90d6f13621c31f1f7bcaa

    SHA1

    f127c475ebdc5be427686149b2b57605bba6c0ea

    SHA256

    79a2de43cbdfc919109398cc98cb6807bcdaf2fccff5f56315885ae5e6443b0e

    SHA512

    33fb8f1d1a12e5c723a77353ed8d5f7c3b2c53245a83442f70984cb8b8daba8a55f69fad302fbbb38c7ea421d58b64aa2a4cd868f6cf185dc4800074dd6f3666

  • C:\Windows\{7D56F3F0-2D31-479d-A559-4D01A436A8CB}.exe

    Filesize

    344KB

    MD5

    e034dafcdba211fd1e47ae594cf7548e

    SHA1

    335425e57d6d13ed09e9f6ce0e8720f1495606f8

    SHA256

    aa873343e0895082a12f6dcfb2e7dc24d1918276c580d318e258df30a61f88bd

    SHA512

    e506d96f14ed31257be352294b911d471d187125a8b18ac86cfd5ce481ec4ded83818b11ad933cee8746cfa78d6936032a077df48380fd944d20a54a8665e102

  • C:\Windows\{9D470964-292B-49b8-B211-60B66CC37D23}.exe

    Filesize

    344KB

    MD5

    17310a1ee792603b09795beeff9abbf6

    SHA1

    33f70219746ad9e05264bb437f0b876d8d513251

    SHA256

    479ef95c6805a42ce98910661465d73c820e6f33c717c875d0c71e0902783856

    SHA512

    9785ab4478cf8c290de6c7ae8af2751bc94c5103bc5ca9589e240ec787c8f8d1f94b114f58210cb619ff7af113590ed47395262ce378c2ec2ebd8bb36b07a657

  • C:\Windows\{B6D15907-3C82-441c-AEB3-89DB5B8524E3}.exe

    Filesize

    344KB

    MD5

    5e9ce1eb9ecfad235d04dec23ef575fb

    SHA1

    a888114a1ff3c27410190fc9c854d71e8aaa9908

    SHA256

    ed603403f33d45f2ceababe524a72b2bde56c94de0a3a3772912d7fecfde9d57

    SHA512

    278301b5bbffe1653807fe5858b8ca493775ab65edc86e33876e19e31fbab79213f2d6a4f6baa86bba5fc1cdcd14ada0c95e535baeb5b73c080e5810ea7108dc

  • C:\Windows\{CA4BCA5F-B2D4-46e2-97F1-B9F06A6A03E8}.exe

    Filesize

    344KB

    MD5

    b6f62e399fea4e9b941eb1dee9ff58b5

    SHA1

    4751aced1a5b17e746685119633f14a108013380

    SHA256

    f7fde9986699dbc62cc6fd5470381010d66bdffb7033f27b1cf52ba8a3b96874

    SHA512

    f0be606428434eb6f8eef7dd200c6f17f949842fa0910d9bf3cf3287c9da31c2c3db2b16051f00e57a6fa8c1e1ff302b821b6f8507a01606902cd6fbc3672105

  • C:\Windows\{E50D06CA-09A2-4219-B936-F0C6BFCFAC31}.exe

    Filesize

    344KB

    MD5

    5e904b7647658b6e2bafc8370d5c51ed

    SHA1

    745571973e99369cb67bc3d142e6a6325376369b

    SHA256

    72b314aaa4855d30b3a3f62e121fcf083abb0153b7bb184be0c1793fee9c7c8e

    SHA512

    2c2c09e649de0f230e9b09e153cdc0e935f9c2ea23c79179545969b4bd2658b4a925f867dbfddf69591b656a777a48d7e84077561a41bb79de3c59eed31dfde9