Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 04:08

General

  • Target

    2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe

  • Size

    408KB

  • MD5

    d14ba25a6b9216e29ea7c09897a9033e

  • SHA1

    c129db851911266f41dea28a7e1dc2923869f74b

  • SHA256

    41a574da9509dcd9c8f081751eef4440ec4b393e7874684e1d5ac6eebd1ec097

  • SHA512

    51d4a6e7ddfb76fd12a1d284f333afcfb2c52cc99e9bf5f6c1baeff966560ea5a2ad88046c78d802f2fa42aa5c5a89cf2a20761f049eefb7690cc6445631d2e6

  • SSDEEP

    3072:CEGh0o9l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGrldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\{945D29B0-AEB4-4e66-AEE3-82072C19B3E0}.exe
      C:\Windows\{945D29B0-AEB4-4e66-AEE3-82072C19B3E0}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\{0B7B7670-B74E-47f8-BE8C-97010D6F5763}.exe
        C:\Windows\{0B7B7670-B74E-47f8-BE8C-97010D6F5763}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\{3DC8BB09-A796-4ba5-B5F0-DBAD53E074A3}.exe
          C:\Windows\{3DC8BB09-A796-4ba5-B5F0-DBAD53E074A3}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\{D7942DDB-5FBF-46e7-8E01-AE1B234ED52D}.exe
            C:\Windows\{D7942DDB-5FBF-46e7-8E01-AE1B234ED52D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Windows\{85FCE002-D584-4a79-A382-D679DE537EF2}.exe
              C:\Windows\{85FCE002-D584-4a79-A382-D679DE537EF2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2756
              • C:\Windows\{A38D8630-18EB-4b2d-A2D4-9069C54D438E}.exe
                C:\Windows\{A38D8630-18EB-4b2d-A2D4-9069C54D438E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2068
                • C:\Windows\{CEAE2DE3-1BB5-44e6-B850-A939DA275B7E}.exe
                  C:\Windows\{CEAE2DE3-1BB5-44e6-B850-A939DA275B7E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2380
                  • C:\Windows\{FB82183D-3FF0-4666-A00E-BEBB6DFAE405}.exe
                    C:\Windows\{FB82183D-3FF0-4666-A00E-BEBB6DFAE405}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1992
                    • C:\Windows\{1463BDCE-E73B-4555-9EAF-1DB8606CEC3C}.exe
                      C:\Windows\{1463BDCE-E73B-4555-9EAF-1DB8606CEC3C}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2024
                      • C:\Windows\{4638F66C-5116-45b9-962F-C3D59F4FC645}.exe
                        C:\Windows\{4638F66C-5116-45b9-962F-C3D59F4FC645}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2696
                        • C:\Windows\{106332EE-DB03-4b46-8AB1-595D6EAC28FE}.exe
                          C:\Windows\{106332EE-DB03-4b46-8AB1-595D6EAC28FE}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2344
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4638F~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2828
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{1463B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1616
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{FB821~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1944
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CEAE2~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1792
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A38D8~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1344
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{85FCE~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2952
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D7942~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2492
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3DC8B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2784
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0B7B7~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2864
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{945D2~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3008
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0B7B7670-B74E-47f8-BE8C-97010D6F5763}.exe

    Filesize

    408KB

    MD5

    5c11b36f55ef62150c89099422f8e393

    SHA1

    89e246565807318feb45dd2f31e09c11233e129c

    SHA256

    6bb4b5d861193d4812b91cb2541d081c1995f525d5d39754915bc7397b6d3934

    SHA512

    2fbca11656ce5f86d37b1edc8604bcd68047326d250782217023b0d69000f6cc723e2bca098bb66d8e0d61b9ba42373cc64c57fea37306c3eb8548778da48132

  • C:\Windows\{106332EE-DB03-4b46-8AB1-595D6EAC28FE}.exe

    Filesize

    408KB

    MD5

    504226c64f7809f32017c9fd20d5dbba

    SHA1

    b6e76855fb9049a299adca7b105662f2cbe8b093

    SHA256

    b67d3ae3e8a51b4a468088502f36f09b86a044f2c900955180801dc72177d72a

    SHA512

    61f858ef72992209a1c9234cd2543a28e38777415db969569973a681b1cf7a4a057acf2821609a1789672f23bd65e15791a1c2e756bc7136bd91c7cd83cb9626

  • C:\Windows\{1463BDCE-E73B-4555-9EAF-1DB8606CEC3C}.exe

    Filesize

    408KB

    MD5

    7ba6d1b2499015b76878ec5135862c39

    SHA1

    90c310df496f3623fc56275ebdc4795f271c6645

    SHA256

    47f617c941314cbe45bb076c43c7ed46497e3843e4b6ee56bec3463217eff4a5

    SHA512

    4be0fda46ad8ab2c7e3b0778d9d93f80c83fab9b7503430985b13168e6c51aa02f4ed1aebbad48cba515784874280236b22ba3cb262c0b6b5e7cb23124370597

  • C:\Windows\{3DC8BB09-A796-4ba5-B5F0-DBAD53E074A3}.exe

    Filesize

    408KB

    MD5

    bb8199c7e6bd8b526c47c1c906468961

    SHA1

    ef17ebb2455eca02c1c7d781244d5757e88e2552

    SHA256

    ab071eada838d6565347835775a29265eb773599320720a9c760f8bd527acf48

    SHA512

    35f0981546ac48de2c9bc11789a1bb8c1785bd20fbaeb08b5ba4b289bbdd47b80bf2b77f8644d0e234ec16f4fdc72406223b2d3a9ed0275ee737342f6e396277

  • C:\Windows\{4638F66C-5116-45b9-962F-C3D59F4FC645}.exe

    Filesize

    408KB

    MD5

    6899b49a362546eb5fe9cbc1d523d7e4

    SHA1

    6282b9078d8ca90f992d3ce2dbc3b1a963bd487d

    SHA256

    4816e5e6786bbcbd889d85517a81c5c92b3bc71f7837f078bb14f6043c065d49

    SHA512

    4fda244d0771db4688e7bbf82f59dd881516d5a7ce21caacfb32fa77f07ddcf5a0f3c6d71602063fb01e9b39a019c2931146b50a450b00c9c265ed51e5498700

  • C:\Windows\{85FCE002-D584-4a79-A382-D679DE537EF2}.exe

    Filesize

    408KB

    MD5

    9f1b1c3d7b40fec51787ca5b17aefde1

    SHA1

    50f32dbb0f5c4f08912d490fedc2ac1efce41f3e

    SHA256

    7b54db9aa7b5c7ce97586bbeb5fac498a30ca44ea4a5b74f73fa4c3eca7ecbf3

    SHA512

    897f597a93782c34b93f9fd8def44aa63b071f53bbf0419c7ec6f061ef62f6dc2455c38e0f0af8701d066607b894d605bb107afc1731b97f21ee2c0da357817a

  • C:\Windows\{945D29B0-AEB4-4e66-AEE3-82072C19B3E0}.exe

    Filesize

    408KB

    MD5

    bd6861c1230286c9e84b0e9f0ed56b3a

    SHA1

    08dab43ebadb209f9c41406cd04ebc6627cc2e8f

    SHA256

    fa7c20deafdfa60186819b344082aee1f9c6afebc5bf9cf99c5c445f9cca5a66

    SHA512

    2454d57ec50c768b8fa401340f62f054462d3a409a254ab2fbd422fa71bcb021cf8b65e2137af7f26d02c6b9b532a006de1771b138dc3a90a6f129ef8189c898

  • C:\Windows\{A38D8630-18EB-4b2d-A2D4-9069C54D438E}.exe

    Filesize

    408KB

    MD5

    05aa29f9448745ab310c3a8c33660a23

    SHA1

    da01fc71756e2668b9895f319667cf6d3de3c44f

    SHA256

    8f2a8a24021a20141e328885fb5c9e51aaf5c1a40340f6de94dffde3b12c771d

    SHA512

    cb9c963cade105107537f36b6b20c9eb7beec7b84426eea04b50b8cc4622011def5d09ef6e8b212e29101e82390fbb765f3cd6914a0ad74d8faa4405d28bcd35

  • C:\Windows\{CEAE2DE3-1BB5-44e6-B850-A939DA275B7E}.exe

    Filesize

    408KB

    MD5

    741fca1b2dc3654ab4f91196220699d5

    SHA1

    701944e20d2922d4eccd863d3758a4b9e2f2bdae

    SHA256

    fafc8d150ffab2e9de6ce249c79159ce547a48c91f2b6968f69bc44844929cec

    SHA512

    eae589ae60f8f82bc679b332ae273ab86f3f6635c3e45243b33835c9d5006f669ff528d99122687140e339c8ee394e0eeaea83a731470f81e3b0bced16a7122e

  • C:\Windows\{D7942DDB-5FBF-46e7-8E01-AE1B234ED52D}.exe

    Filesize

    408KB

    MD5

    d3c89f283dd2dab675d771868e9e0ee5

    SHA1

    15a754a041e4713a26acc8ae64f872d8d828761b

    SHA256

    e942d122c618fb4e2642d09ae8de6a872a49ec0a302090e6731efc0e6604f150

    SHA512

    d1386a06eab0f0441f4aefdf52f42a8c77d6b65d6a94fadb49fa61e842d967ad7c9699e0b7cff69a2ddc6392985b41dea5ccd4f2d4513a52824853d337bce0fc

  • C:\Windows\{FB82183D-3FF0-4666-A00E-BEBB6DFAE405}.exe

    Filesize

    408KB

    MD5

    589d6d344c65856cffb25357b46b7914

    SHA1

    cf3e6a75c23e366471934ac5109e341832ca147a

    SHA256

    bac0f3439aeb606bbc5d393e5ad7a65b80d5037e6b7661d3c02200646bf73b93

    SHA512

    2ff88f5984e42ab692388b74d5986e8ed313180c9597f1f7344e866a72915333cab0ed76d72bf8e6af4f8b63068f694d107c3a0b87a8605bcef34c983cc8532d