Overview

overview

8

Static

static

3

2024-09-28...ye.exe

windows7-x64

8

2024-09-28...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/09/2024, 07:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-28_92bbce83df24a8a102ad32f356ae33cc_goldeneye.exe

  • Size

    408KB

  • MD5

    92bbce83df24a8a102ad32f356ae33cc

  • SHA1

    80b388f31861fdfd78ecc631ceacc64fd05fd510

  • SHA256

    9f6179230c40ed5a80e40706152d6776d004affc564e77895ff40e2eabc13d5b

  • SHA512

    811e24940032c2ee1602c79f55ee471952896e4029ae02b1b28d5935727c9cb57fe5f948aa92ea40a32e46f466e16dd7c981485ec9f060b2e64d95748f0d7ebf

  • SSDEEP

    3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG7ldOe2MUVg3vTeKcAEciTBqr3jy

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-28_92bbce83df24a8a102ad32f356ae33cc_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-28_92bbce83df24a8a102ad32f356ae33cc_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3392
    • C:\Windows\{2F55D821-DEFD-4842-B75B-FDC3B6DAF036}.exe
      C:\Windows\{2F55D821-DEFD-4842-B75B-FDC3B6DAF036}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\{F9140102-7F25-457a-AAA2-09D9FFB83444}.exe
        C:\Windows\{F9140102-7F25-457a-AAA2-09D9FFB83444}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\{8E39BB71-27A6-48a0-A504-0198070BD4C9}.exe
          C:\Windows\{8E39BB71-27A6-48a0-A504-0198070BD4C9}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:244
          • C:\Windows\{ADC25263-966F-4f24-AFB5-6BFD479A2CD4}.exe
            C:\Windows\{ADC25263-966F-4f24-AFB5-6BFD479A2CD4}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1388
            • C:\Windows\{50C2B16A-1DCE-4b02-8CD3-C716AD2A002C}.exe
              C:\Windows\{50C2B16A-1DCE-4b02-8CD3-C716AD2A002C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1520
              • C:\Windows\{3C4AAA3D-FFEA-404b-8694-E8CE79C982EF}.exe
                C:\Windows\{3C4AAA3D-FFEA-404b-8694-E8CE79C982EF}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4024
                • C:\Windows\{9E4599AB-A7D0-46c8-A8E7-7D367FEE7E1B}.exe
                  C:\Windows\{9E4599AB-A7D0-46c8-A8E7-7D367FEE7E1B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2900
                  • C:\Windows\{0014BD38-D68B-4d26-960C-48E4DB026C1C}.exe
                    C:\Windows\{0014BD38-D68B-4d26-960C-48E4DB026C1C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2616
                    • C:\Windows\{16B03795-027E-4c74-9D4A-39D3511BAE74}.exe
                      C:\Windows\{16B03795-027E-4c74-9D4A-39D3511BAE74}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:996
                      • C:\Windows\{D782619B-82B5-406e-9B8C-ABD9CBEA7752}.exe
                        C:\Windows\{D782619B-82B5-406e-9B8C-ABD9CBEA7752}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4452
                        • C:\Windows\{3EBB1A55-114E-469a-95FB-EFD2A79A7208}.exe
                          C:\Windows\{3EBB1A55-114E-469a-95FB-EFD2A79A7208}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2312
                          • C:\Windows\{48248A06-09F3-4fa4-ADCC-F344698E1AB8}.exe
                            C:\Windows\{48248A06-09F3-4fa4-ADCC-F344698E1AB8}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:704
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3EBB1~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:924
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D7826~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2080
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{16B03~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3552
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0014B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4204
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9E459~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4724
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3C4AA~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4508
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{50C2B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:972
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{ADC25~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1668
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8E39B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4336
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F9140~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F55D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:740

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\{0014BD38-D68B-4d26-960C-48E4DB026C1C}.exe
          Filesize

          408KB

          MD5

          a576a7f803b84310884e6a57e882420b

          SHA1

          66390b11ff3223edb97fbede9b3c78d9e41b045c

          SHA256

          15971e711e9a17760c0f55f31e316c8330c10596c665b9d76657e778f0c1963b

          SHA512

          739f60d3e77ee69376f6fc5e837ce3b78ba676650f0c947939e36ebc89f450ff18da7c3e02c32302be482e6ab06c9db0bba0872ccaff9e20dd2b2bc90bc51771

          Download Submit

        • C:\Windows\{16B03795-027E-4c74-9D4A-39D3511BAE74}.exe
          Filesize

          408KB

          MD5

          c7f6f9b130c808ffe3d6a002184f12d1

          SHA1

          8de1c999f163808936556d897213226e2d8c5df8

          SHA256

          6659dc141da5ed07b0387baf9f5833715fef9afc700a906186b7380c839174ec

          SHA512

          d657281d68e23cd6b0fd5bc876b06f10955e1c352799264e6f4ac1b8f0df655d566bf7369792039c90d7259da6525f5c1def14bef6c8a20542a793eddb4368eb

          Download Submit

        • C:\Windows\{2F55D821-DEFD-4842-B75B-FDC3B6DAF036}.exe
          Filesize

          408KB

          MD5

          a8f88d853a73dce8a401c2d4dfe15600

          SHA1

          239165434662048eab1953c1d32f64565b0e7bcd

          SHA256

          6463b974ed5d000bca3e55c78c6bb39e0b8ce7ddacd6c17d6e1a1232166addfb

          SHA512

          6c98a19403b6ff8d9e4ac87d20fbd784968bde6cc5059ab76011e62972fa5725489edf08709b54d6c8cb6f65c5adeefbc44474323ac9d73e1026db7b389a0ab4

          Download Submit

        • C:\Windows\{3C4AAA3D-FFEA-404b-8694-E8CE79C982EF}.exe
          Filesize

          408KB

          MD5

          42da83bc3b3158c5e791e175b0367424

          SHA1

          7e956993cb7c259313de5b51c811e11a631e2f8a

          SHA256

          d5d863e522c74da2f8c0a96ff81823b124a5ef9cb07eebc0966e8403b43017e9

          SHA512

          3ec6fbc854068572298be57457d0022535675708068ada7755411ffb1a1e0efda93d0df53af45d1aabcf85a0c128d631e489b0e027eaf6fc860ad2e190c20e4d

          Download Submit

        • C:\Windows\{3EBB1A55-114E-469a-95FB-EFD2A79A7208}.exe
          Filesize

          408KB

          MD5

          7c1b13b347ea95f6268a5389d8c03743

          SHA1

          38366f686ec7a89cde691a392b84c8178a3fb427

          SHA256

          0b293c23c5ba2b4f81629fc7d97673c336e77b3aad2c7e202ac47c5b8eb41664

          SHA512

          517d6141f16fa68641a4caa9bc9665f42f0c43deba95b7efe17471eaa2bdeef8e8b19c7368e279eab49d4054c4086d13619f229a8235e399e0e3f65ebe2d4714

          Download Submit

        • C:\Windows\{48248A06-09F3-4fa4-ADCC-F344698E1AB8}.exe
          Filesize

          408KB

          MD5

          8618522fcbcf479574bd27f565a83f91

          SHA1

          eb30084df69b9a0fcd3a38f33f0eec0215ae3f60

          SHA256

          a8c8965a8466b05104633e627f25831a96a2c5747c2121d89f97336c3da264d7

          SHA512

          4bac1d4a78402d6885ef17c27ce73a0ab80cc3b0cadb2229f4a6dc1d78c04dfb29220c07cb2c5f5e67a9fd3db2151057297219b41101a15ffe5c7597904bd116

          Download Submit

        • C:\Windows\{50C2B16A-1DCE-4b02-8CD3-C716AD2A002C}.exe
          Filesize

          408KB

          MD5

          5dce900d6f6809e2e0c53073a8e5f203

          SHA1

          58040c1b5afd291ae4df130faa0ca2e12822fae2

          SHA256

          b8206250d4f271d4df5f6530f0766385856b139ccc37bdf57ec4a3bfb19a4f52

          SHA512

          24cc6e048fb7cafeb31aacd3a145422c861ce45054e7c18012d7894fbc36771ec5b04269b56c348b009f71f796349b056d9cd7f0c210536aaaa4c96a2f573f1b

          Download Submit

        • C:\Windows\{8E39BB71-27A6-48a0-A504-0198070BD4C9}.exe
          Filesize

          408KB

          MD5

          14265e5196d570eee8c8d2d8f49b469b

          SHA1

          b0a441296d3f70ed535fbf6e20e14adcad7e2ae4

          SHA256

          4deab5de20496c854217ebc914cfa89373557795aa85274c2898213ccaf29435

          SHA512

          291cba4a18e199cb8e6da77421464482f8e0cf1d6f11d4ddcd8f8ded4db9947476f690b5964cb37914e451ae0794650412c7dcf29d40bbd90b1531add41da780

          Download Submit

        • C:\Windows\{9E4599AB-A7D0-46c8-A8E7-7D367FEE7E1B}.exe
          Filesize

          408KB

          MD5

          18f74f9857d5457bf70d7446fbbf4e90

          SHA1

          57d605ed9807b8559943af751159943fe3dc4559

          SHA256

          8e3205b52a714d48f4170426fe0e9b45d43e43d5d6be0d402ef8785b23a9c454

          SHA512

          d911931ebf3e21dcf59f7c6595c87c2784abd46003b9664278a9d68714826ccc56a777d78fb22574dc623af2eb149ed9010c7837d7d852e2689ce9672029b127

          Download Submit

        • C:\Windows\{ADC25263-966F-4f24-AFB5-6BFD479A2CD4}.exe
          Filesize

          408KB

          MD5

          cc5c71012cfab21c328f772e0a636752

          SHA1

          76978cbb3dcc37afabcd01faf3850626d7f132f9

          SHA256

          0789ba06f8cbeab5903a37854aedb0a74e158e328410fd70156341dd03a45901

          SHA512

          8620d26ff11890c70a1cdf7c7e96421f5254364092f88204f25f3cd8e8d3b4939fb52002526118a088df31bb32f311fc445420112be9bfa3ead745b421b1cba3

          Download Submit

        • C:\Windows\{D782619B-82B5-406e-9B8C-ABD9CBEA7752}.exe
          Filesize

          408KB

          MD5

          c379c9fa26e7682caf984c6db54e55c6

          SHA1

          3ddccb09a280e0bfe412e3fb6a6891f8282496e9

          SHA256

          37754434d7593e6556fb5895eb9229632d8355a32d1293adc90c83f0da09f3dd

          SHA512

          9051ea4e9f77cd195a9200fafdf82d1693114929beb9272fdcd25ffe798dd9b5936e6f4dedc8925decbe3692bc9948c41f23b9dd4bf8ecb8b71fd9586292d1e6

          Download Submit

        • C:\Windows\{F9140102-7F25-457a-AAA2-09D9FFB83444}.exe
          Filesize

          408KB

          MD5

          7dbb8fa5c9a43eeb3a57993085a9c532

          SHA1

          1c6631696086136e45e0d2e0a2291e555e828c68

          SHA256

          a54894a042d8ddbb534dc78eee27162393ad895c0773261021b26ce1abdd5666

          SHA512

          45b01b20f21fad0cfc236d219f265fb23437dca9a2a38ca691e14896cd54f7a6eaf064dd1a4f9ff57bdfa903ef203625ef35d14e85520d1414bdc0f2b47a300b

          Download Submit