Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/09/2024, 06:45

General

  • Target

    2024-09-21_1647bc7800de220ae22272f0226f5b37_goldeneye.exe

  • Size

    180KB

  • MD5

    1647bc7800de220ae22272f0226f5b37

  • SHA1

    671eb6f1e331a6751c58e0fadfc14e019865552d

  • SHA256

    9af74d3ddbb234e34576832d18ab62f0f2ae1d2e4505897d4923737fff6fa687

  • SHA512

    3fe3e8d831fc2652bceedec1e6223ec01285b290be1c59c7120ede088fc6e44424c8b5894accd10233abf0deaee9f9f1d01837e3ee6bd77bc1a6ee250a1a59f4

  • SSDEEP

    3072:jEGh0oOlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGgl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-21_1647bc7800de220ae22272f0226f5b37_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-21_1647bc7800de220ae22272f0226f5b37_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\{177ACF8A-6D34-4831-87B7-1DA775DD76BB}.exe
      C:\Windows\{177ACF8A-6D34-4831-87B7-1DA775DD76BB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\{C1241110-100F-4214-A430-F89F71AE68A9}.exe
        C:\Windows\{C1241110-100F-4214-A430-F89F71AE68A9}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\{1148F95A-4D12-4976-9500-B8E7EB6911E3}.exe
          C:\Windows\{1148F95A-4D12-4976-9500-B8E7EB6911E3}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\{5A6B0A7B-94D8-460a-B3E2-F7A72CE7AFF2}.exe
            C:\Windows\{5A6B0A7B-94D8-460a-B3E2-F7A72CE7AFF2}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\{A255D877-EE11-47fe-BB95-B11E20B2F937}.exe
              C:\Windows\{A255D877-EE11-47fe-BB95-B11E20B2F937}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2536
              • C:\Windows\{1BCDB1EA-475D-4e11-A13A-31BFA60336B1}.exe
                C:\Windows\{1BCDB1EA-475D-4e11-A13A-31BFA60336B1}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1932
                • C:\Windows\{E6E415B9-80ED-4001-A8D3-F61977084398}.exe
                  C:\Windows\{E6E415B9-80ED-4001-A8D3-F61977084398}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1896
                  • C:\Windows\{6C0BE88E-7173-4f38-A947-02494C912670}.exe
                    C:\Windows\{6C0BE88E-7173-4f38-A947-02494C912670}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1752
                    • C:\Windows\{B1B09DEB-91A4-4068-81AF-B1A2C84345B5}.exe
                      C:\Windows\{B1B09DEB-91A4-4068-81AF-B1A2C84345B5}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2528
                      • C:\Windows\{A1B72F90-8A78-4475-AD30-536BBA6B846F}.exe
                        C:\Windows\{A1B72F90-8A78-4475-AD30-536BBA6B846F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2952
                        • C:\Windows\{F58BB6FA-2D83-453c-B7C9-381E48A645B4}.exe
                          C:\Windows\{F58BB6FA-2D83-453c-B7C9-381E48A645B4}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:376
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A1B72~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1832
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B09~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2780
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6C0BE~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1916
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E6E41~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1812
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1BCDB~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2384
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A255D~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2212
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5A6B0~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2924
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{1148F~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C1241~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2332
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{177AC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2280

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1148F95A-4D12-4976-9500-B8E7EB6911E3}.exe

    Filesize

    180KB

    MD5

    4e9fab20e16158026d2e107a1a3f14c6

    SHA1

    d051a67dd9c6938d23343c172e589ed2e94d17ca

    SHA256

    d02a2bbbf62854d2244474ffc066d54f573a59bb25314680f8b47f2cb62002bd

    SHA512

    5511cf61d6560f880e4e88d576633e704eeab5c19f4f570468dbe975b96f9b767f3beab6cb4942515cd92b0dd4ddba67fed37060dd4a664409ed800c9e12de79

  • C:\Windows\{177ACF8A-6D34-4831-87B7-1DA775DD76BB}.exe

    Filesize

    180KB

    MD5

    93f602878f15e1ad65f2f34c9e0e6edb

    SHA1

    5b2829a60deb8dd38745cb46965aaeaef07621c2

    SHA256

    ed81e638bda262a228f8d7323ccc21beeac9dd8b8cba75423732c0a4a1547df1

    SHA512

    6dbdf5ecb38c07ac10b9eae8d9cf50fd31edf9ba65a6c4172435e177d9d90a644c7916746785f2d64a2ba0a3579fc99aad87a236c93931e06d668c6d2964351d

  • C:\Windows\{1BCDB1EA-475D-4e11-A13A-31BFA60336B1}.exe

    Filesize

    180KB

    MD5

    f23d8d7501a60bc90a0ecaa37f09e7cc

    SHA1

    081439b0efea2bcd2dd9e93938d31780f8017e9d

    SHA256

    b18e04d04b39302e706a5d79ef1dc30da8c16a6b3f73aa7352e7388b80c4f7ae

    SHA512

    c79e118d531e0dfca909044439bcae551c10c723a3db11fa523fbffcf5baa5720e91176c98d50a18b74b15c1f47591d1424fcf9bc99ccfe8efdacf91ddc15e51

  • C:\Windows\{5A6B0A7B-94D8-460a-B3E2-F7A72CE7AFF2}.exe

    Filesize

    180KB

    MD5

    458d538791ff922edb84cdd3d3136ca2

    SHA1

    68068a161cd216bed55c95281aa6e608b93fb02f

    SHA256

    6bed297c91be028345ec2691d3f979d32ed0ea7ac5189b8800d9028977789516

    SHA512

    03a89363b89f73ecfa9334c7485b0929916ae750310c2f0e7a1a4e405e15a1dca3ff1913dd2f8f66d3e2da37561ac754cdd8ed4286d358df47cc27ab74a2fccd

  • C:\Windows\{6C0BE88E-7173-4f38-A947-02494C912670}.exe

    Filesize

    180KB

    MD5

    451981305e0b5055d1a5b0a668c85682

    SHA1

    21a5f4ad7b8a6f8d7f328204111d3842d81eaeb9

    SHA256

    c6868327b2d832dfc171474be9749e46dbb4ee4fe5cba0cd43c4908391d48eef

    SHA512

    db26422f277a9805d48ac71632e6313ae97fead0237adcdb3f76f0522da1e16e44ffd14885c27c2e2988b65f2bade4143315693402c69ff9dad98b5deddc7b55

  • C:\Windows\{A1B72F90-8A78-4475-AD30-536BBA6B846F}.exe

    Filesize

    180KB

    MD5

    1a396fcd835c362b7df67b1fded8c2e0

    SHA1

    ba2e18f86555aa9a0e12401daef196d101cce7d5

    SHA256

    b64a5c150a185d15894dd145f1cc4cc00a3b6cacff415372baed0af5cb83ab77

    SHA512

    f1ee35354fbb38e51e354fdf92156826871b6a4829ba8cc703084ea4fb94dc5d9c0fac12721e967e192450fadace3985f360f0654e6876ea2415ca5aa87b098d

  • C:\Windows\{A255D877-EE11-47fe-BB95-B11E20B2F937}.exe

    Filesize

    180KB

    MD5

    a493131b67f32e1733ddd290a1191340

    SHA1

    b5d9ad01800f2e42b06f6e0c03e14c79248fe759

    SHA256

    0fb3532141b6ea8b5626745a04b51653a7520f7eca0afb3f27ff81ea1b435b2d

    SHA512

    b59913522763e8b09d7dc624fbb8e58e3b5a685107eb06a80e0034aa351972b51d09eb97ab9da8db5641864c1904a84af80763ffdf2ec5c7b7bdd02613249cfc

  • C:\Windows\{B1B09DEB-91A4-4068-81AF-B1A2C84345B5}.exe

    Filesize

    180KB

    MD5

    94f99762d8829df7b55737c3097bf1ed

    SHA1

    c9395c5e7337aa0a4dfbbe8a23943a07de270af5

    SHA256

    0ec98617fa1a67c20ef4881fd8d2746d2e723f03c21c454d4ff824b2650f6f80

    SHA512

    7d77d6dff1baa77332b54996e480a6c1814e1dd6dab1f24387b1a127012670b189f4544b3347f4624834f427a293efb5091fc9f0900e5b5b804aaa26d5e8af80

  • C:\Windows\{C1241110-100F-4214-A430-F89F71AE68A9}.exe

    Filesize

    180KB

    MD5

    727f2d17a679e50e24e4bd7f327d433f

    SHA1

    8777c30605339dccd2e71e915d7e840c0ce40c1b

    SHA256

    8a7a6a1cae02abc5323d7c47d0123d1b39c83014287c4a4d0d46cecc4f89affa

    SHA512

    5e2fa9cfe589ce3e65632fc2611d5b28fba01bb0b8d284d6a0bc45e9db501874e6501519686e363a73c5dd92bffc6185ea4dbb214d681d3bda5f603aeb158b96

  • C:\Windows\{E6E415B9-80ED-4001-A8D3-F61977084398}.exe

    Filesize

    180KB

    MD5

    229344aa12068655d7776c72e343347d

    SHA1

    6cc5a7384ed7d2fbb4a3af6dbc0efa5412325ae1

    SHA256

    04f02c58585bca560a6e0df3bc3fbd4436b66c3945086fc770c6b5f03a1edc91

    SHA512

    83dec7d1a30266949b8a2007280b6819b7c1449c0ca54f8a60c60398b0ee2cf2682068d6834fba2d8ecf7254275e5e2df497b2e5c4bb266dc05aedaaad8442a7

  • C:\Windows\{F58BB6FA-2D83-453c-B7C9-381E48A645B4}.exe

    Filesize

    180KB

    MD5

    eb34be88be5cf1334dc86a857619a308

    SHA1

    79882be892837f181b5052b13d7c6da85242af55

    SHA256

    5cab9db838e1760d7987fef4a7afcd4ca4b7360113dd9ebce4a73d2ddda98b6e

    SHA512

    5b2864aea5406a38a7387517db576452b98720fc952655690b927c01878c4c6a63a38fce76fcca30a5bdc373108a01c5e9062d1b8c765babb3f6b248ae216de6