Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 04:11

General

  • Target

    2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe

  • Size

    408KB

  • MD5

    dd4ed534b64b42ac4f8712c374d54637

  • SHA1

    caa09116861ef24e59789e76c9750d009e9c4edd

  • SHA256

    c75c9d8ebfa71f99779a10d3c34f44ccb4645847cf613c83c4ed093b9321c5a6

  • SHA512

    0a47fee1c13931ed2c519413dd876f98b9b46371a2940a18fb903621f26e55c85930804026992315519ee458c50f3481509311866ddfefbecfbfe9777c8e8b02

  • SSDEEP

    3072:CEGh0oll3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGPldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_dd4ed534b64b42ac4f8712c374d54637_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\{53A36104-DF59-4a19-96FD-C7B14247D761}.exe
      C:\Windows\{53A36104-DF59-4a19-96FD-C7B14247D761}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Windows\{3154B901-6089-4963-BC3E-E9A8A203D16B}.exe
        C:\Windows\{3154B901-6089-4963-BC3E-E9A8A203D16B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\{FDF511E7-D370-4976-BAE7-0AFC2F053E61}.exe
          C:\Windows\{FDF511E7-D370-4976-BAE7-0AFC2F053E61}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1500
          • C:\Windows\{9B7F5328-8EE6-45b5-9486-181CBE09F124}.exe
            C:\Windows\{9B7F5328-8EE6-45b5-9486-181CBE09F124}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1188
            • C:\Windows\{CBD4FEAB-4CE2-4047-B01B-9FF2859A7567}.exe
              C:\Windows\{CBD4FEAB-4CE2-4047-B01B-9FF2859A7567}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4560
              • C:\Windows\{5474250A-B5C8-459e-93EC-ECAB6F251EF9}.exe
                C:\Windows\{5474250A-B5C8-459e-93EC-ECAB6F251EF9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3216
                • C:\Windows\{D05BB621-55F8-4af3-9172-E2F319FD5B75}.exe
                  C:\Windows\{D05BB621-55F8-4af3-9172-E2F319FD5B75}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3880
                  • C:\Windows\{2385FC17-B3DF-4326-881B-F5923A009C8D}.exe
                    C:\Windows\{2385FC17-B3DF-4326-881B-F5923A009C8D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4380
                    • C:\Windows\{F8DBAA1B-566C-49df-999A-04E55D88905A}.exe
                      C:\Windows\{F8DBAA1B-566C-49df-999A-04E55D88905A}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2696
                      • C:\Windows\{71995554-6114-472c-B017-4920E731F496}.exe
                        C:\Windows\{71995554-6114-472c-B017-4920E731F496}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:548
                        • C:\Windows\{398E8EFB-6A55-4ff1-9CDD-1BC3B0AFF471}.exe
                          C:\Windows\{398E8EFB-6A55-4ff1-9CDD-1BC3B0AFF471}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4028
                          • C:\Windows\{FA339E05-737E-47bb-9E8A-384D0F390818}.exe
                            C:\Windows\{FA339E05-737E-47bb-9E8A-384D0F390818}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3756
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{398E8~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1680
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{71995~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3092
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8DBA~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3472
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2385F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1548
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D05BB~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3888
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{54742~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1772
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CBD4F~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3176
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9B7F5~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2616
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{FDF51~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:400
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{3154B~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4744
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53A36~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2385FC17-B3DF-4326-881B-F5923A009C8D}.exe

    Filesize

    408KB

    MD5

    fe8a76bcf1b24b9302377c93a7449edf

    SHA1

    f29e112132a2a097943f3290f927ddc8edba3faf

    SHA256

    db282418f312c3b489ae004f2b6989f9614919049d3817dcda7808194f7d2e0a

    SHA512

    b58750cc1d5193338d3709b6d64999b6b90f7691c3cc37fd16beae01d493f6a6ba9d7d9f17781536821ee9baec2229beda46d3f271b8d4daa88dc724e067db82

  • C:\Windows\{3154B901-6089-4963-BC3E-E9A8A203D16B}.exe

    Filesize

    408KB

    MD5

    860e3114fe2f5778b03abf0d708143d1

    SHA1

    b964040e78373fa7444c008e4aa4828618b89dc0

    SHA256

    7d8d6e547ceb443e53480b59a1cfdd7deab4601c985ac35fc77effb7f235989e

    SHA512

    4b1421aa16029cde095bb689e40decc2f3b4788ff761e0112d63b0e35dd318a1817447fddf7caf111177f42543e2e98bc5350a84eabb38c4b758223764ab51e1

  • C:\Windows\{398E8EFB-6A55-4ff1-9CDD-1BC3B0AFF471}.exe

    Filesize

    408KB

    MD5

    7aeecb15d24b6480f37f51bdc6606b52

    SHA1

    ab457a84534be98293df590a0ad4e0aefcf50d8d

    SHA256

    38fd02238d5cfe35ecf893ab8b96380e41663372ae11e5d92f2bb661c69ca876

    SHA512

    0fdecc82f157e4e51cf8461bc90be1e9356a7784375d755ba8b008e92ad0a9b0ee9e6ee153c2cb000b246cf8e54e8d1da0a62f95d22e646b17e42083e3dd5cc0

  • C:\Windows\{53A36104-DF59-4a19-96FD-C7B14247D761}.exe

    Filesize

    408KB

    MD5

    81d32c8aa1d12a90cf2d4fdcaf3940ac

    SHA1

    bd5c0feb0303eb57feb97cdc85b296a100d4076a

    SHA256

    cf28a7705bda2522fe25a61e68530d0a294ae44449843770bf74517ae4049863

    SHA512

    baa12722416a1c4694ec770f8b10c0c4d146638321edfb040b71526480f8b021574af38933e9f74655d50a1d8b5b62e2b9d1e48a12018910efa7940a9cd5e434

  • C:\Windows\{5474250A-B5C8-459e-93EC-ECAB6F251EF9}.exe

    Filesize

    408KB

    MD5

    66d744bac2891970a91e35e0025c69eb

    SHA1

    253c8e2afe9601cc76d914aa854f2cb2edbf5da9

    SHA256

    6c10856745bae5c3963703635d454976ff888ac2e75caccc9d985c4aaa5c5676

    SHA512

    8bd6a86da7337a4a53e4a345ea6f0f4f2cda631fa4efb25331974988dbe02cdae1d2483169440247a9cb767cbae5ad43f0c233a60e8a628f8170ecc39ef6e11d

  • C:\Windows\{71995554-6114-472c-B017-4920E731F496}.exe

    Filesize

    408KB

    MD5

    b98d2bb8e6457858ad75050abe8cd3e4

    SHA1

    17e0e7fea7da6637d170bd6e1a8f1cd6f72a7af1

    SHA256

    f82d295c149091ba19835dbf96afdbcabedd653ffaf467f43dde55421d5461df

    SHA512

    97c2018977ece9bf82faf07df56d7ccab377d449594fbe05a3135f8c58174a33d435a11d7acdb66cbc13cb498c755cf36eb6ab4b0ae1f61d5e769dfd7168e7c2

  • C:\Windows\{9B7F5328-8EE6-45b5-9486-181CBE09F124}.exe

    Filesize

    408KB

    MD5

    250c8a4ab7b3fe501ceeeabb3f95d73d

    SHA1

    8c8600159823ce2689001fab5eff33451d81b9eb

    SHA256

    f5f667d4db2b62d71406ebc799875943d61521e31f8aed5b5265b3a8b5924d3d

    SHA512

    c047c5128cfb0c3cc3db30d704e58c7947d6c561c0520c40f0448e50279509c97a1e08b681828720d6e03207e40c6c7556f266fa480be6c56df7bf0998c16e56

  • C:\Windows\{CBD4FEAB-4CE2-4047-B01B-9FF2859A7567}.exe

    Filesize

    408KB

    MD5

    230ed6a6793fcbf19aa0e4c58f039401

    SHA1

    17295f084c5f2be327792b47bf348d02373892e3

    SHA256

    0cbe4b37775bb0411e989679687ab41d6779aa6fb88b032180d74542f6f6e2e9

    SHA512

    69dcac98c8395c97c06014829257961f2c81a14771d5c164c94ec553d06f6d93083cf20c364479b2da595ac823fdf1169245b71f59cc9b5865d4a90f2959d0e1

  • C:\Windows\{D05BB621-55F8-4af3-9172-E2F319FD5B75}.exe

    Filesize

    408KB

    MD5

    301cc4915fd1708be62fbced2cd7f8ff

    SHA1

    95d9adfcd92b8bb4f980b7d1916aa4f0b29363db

    SHA256

    e57fdfa65d13bf035029f0f98ad8a87d292d6859a1fe06350e4669c9ecdbb7f6

    SHA512

    6021b4001c5a10c1125ad9f915a99af3ee9113cd27db8da464612c9dea9e4db2cf73f6d5bcc6ac469fc647913d767da7e9fb55621319aa137e2090f1ddbf73db

  • C:\Windows\{F8DBAA1B-566C-49df-999A-04E55D88905A}.exe

    Filesize

    408KB

    MD5

    c6f868364b0cb7eb7d3afe266f4a5bc7

    SHA1

    717c876616f59e0f4e854d8d598281b833976637

    SHA256

    f1b86077c6c6abca17154e1581a990f77d2c0cadd7dfb77e7b888ccb3338700c

    SHA512

    60b557e9db2781f781de69972e49e28124db3efa2bb0eea1f5f70464054987cfdb0fb2b438ca10c168e65a08518649af8501cb60501fdd266edf06b1dd05ea0a

  • C:\Windows\{FA339E05-737E-47bb-9E8A-384D0F390818}.exe

    Filesize

    408KB

    MD5

    875dfb8ec90c578cc74b437409e0b3d8

    SHA1

    e868b15485cfd3d671ea84337ae0b519d2dbd0f9

    SHA256

    cbcacd049a98653a7225dce67da07db22851f68c9044fea58936c5b7e0481588

    SHA512

    f8bd34d2c1c227aad96dbe87567b6e561bb02d8b398b397c81335e978099045ac54c70f5c90970a814d7cea24ad54988de001c3a40608f540bcdd24bd288f373

  • C:\Windows\{FDF511E7-D370-4976-BAE7-0AFC2F053E61}.exe

    Filesize

    408KB

    MD5

    011945da21d3c4f3bd7aaa836f24eaa0

    SHA1

    29e17767e80eb6d4894bda126bf395acfb586a88

    SHA256

    93137bf6bd4a1314f987bcf678cec80b5667814a74e3b60f97c8edb766331c5d

    SHA512

    3b1001c83c6a4e10cbb70f7491c7123f44feb3866456b70873f0d77ed19c04d251962464f9788fb3772aafdb68ec466bd2f47d5d515d151715bda684536b3b44