Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/09/2024, 09:45

General

  • Target

    2024-09-29_920e191788282171ef9e5d69ff76cb45_goldeneye.exe

  • Size

    168KB

  • MD5

    920e191788282171ef9e5d69ff76cb45

  • SHA1

    95bf8d4e49b254af17f8325fede96b3a293d06f0

  • SHA256

    176bc3ca2b32f8bdf27f1e9fd2311a3a445b682c4335d008024835ed5b579f43

  • SHA512

    ed6b1f563a9b946ec498b46a18e1da8aecf460efb16f8535e8c83ad8741f1cd06541997f9942bd99a4a58714a7a14e07e7f1bc243184422a64bccca93c7556ab

  • SSDEEP

    1536:1EGh0oJlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a subkey under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components on the local machine; the command in that subkey's StubPath value is run once for each user at their next logon.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
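
The report flags 22 Active Setup IoCs but does not print the key names or StubPath values the sample wrote. The following is an added example (not part of the sandbox report) of the check an analyst would run on a host suspected of this infection: it parses a .reg export of Installed Components, or reads the live registry on Windows, and flags StubPath values that launch a GUID-named executable from the root of C:\Windows (the pattern in the process tree below) or anything outside the usual system directories. The .reg text is constructed; the first two entries are modelled on ordinary Windows components, and the third is a hypothetical key whose value reuses a dropped-file path the report does show. The directory heuristic is an assumption, not an allow-list.

```python
"""Audit Active Setup 'Installed Components' StubPath values. Added example,
not code from the sandbox report; heuristics and sample data are constructed."""
import re

INSTALLED_COMPONENTS = (
    r"SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
)
# Directories a legitimate StubPath normally launches from (assumption/heuristic).
EXPECTED_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)
# C:\Windows\{GUID}.exe, the naming the report's dropped files use.
GUID_EXE = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe", re.I)


def is_suspicious_stubpath(stub: str) -> bool:
    """True for a GUID-named .exe or a launcher outside EXPECTED_DIRS."""
    cmd = stub.strip().strip('"').lower()
    cmd = cmd.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    m = re.match(r"^(.*?\.exe)", cmd)          # keep only the launcher, drop its arguments
    exe = m.group(1) if m else cmd.split(" ", 1)[0]
    if "\\" not in exe:                         # bare name (e.g. regsvr32.exe) resolves from system32
        exe = "c:\\windows\\system32\\" + exe
    return bool(GUID_EXE.search(exe)) or not exe.startswith(EXPECTED_DIRS)


def parse_reg_export(text: str) -> dict:
    """Map each Installed Components subkey in a .reg export to its StubPath."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if "installed components\\" in line.lower() else None
        elif key and line.lower().startswith('"stubpath"='):
            val = line.split("=", 1)[1].strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
            entries[key] = val.replace("\\\\", "\\").replace('\\"', '"')  # undo .reg escaping
    return entries


def audit(text: str) -> list:
    """Return [(subkey, StubPath)] for entries worth investigating."""
    return [(k, v) for k, v in parse_reg_export(text).items() if is_suspicious_stubpath(v)]


def audit_live() -> list:
    """Same check against the live registry, both native and WOW6432Node views (Windows only)."""
    import winreg
    found = {}
    for base in INSTALLED_COMPONENTS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base)
        except OSError:
            continue
        with root:
            i = 0
            while True:
                try:
                    name = winreg.EnumKey(root, i)
                except OSError:
                    break
                i += 1
                try:
                    with winreg.OpenKey(root, name) as sub:
                        stub = str(winreg.QueryValueEx(sub, "StubPath")[0])
                except OSError:
                    continue                    # subkey without a StubPath
                found[f"HKEY_LOCAL_MACHINE\\{base}\\{name}"] = stub
    return [(k, v) for k, v in found.items() if is_suspicious_stubpath(v)]


# Constructed .reg export: two entries modelled on ordinary Windows components and one
# hypothetical key ({00000000-...-BEEF}) whose StubPath reuses a path from the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\Windows\\system32\\unregmp2.exe /ShowWMP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00000000-0000-4000-8000-00000000BEEF}]
"StubPath"="C:\\Windows\\{14E9C4BC-F690-402a-AE91-2D8DEBACEAFC}.exe"
'''

if __name__ == "__main__":
    for key, stub in audit(SAMPLE_REG):
        print(f"SUSPICIOUS {key}\n    StubPath = {stub}")
```

Because the sample is a 32-bit process (its cmd.exe children run from SysWOW64), the key it writes under HKLM\SOFTWARE may be redirected into the WOW6432Node view, so a check that only walks the native key can miss it; the live audit walks both.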

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-29_920e191788282171ef9e5d69ff76cb45_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-29_920e191788282171ef9e5d69ff76cb45_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\{14E9C4BC-F690-402a-AE91-2D8DEBACEAFC}.exe
      C:\Windows\{14E9C4BC-F690-402a-AE91-2D8DEBACEAFC}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\{71DA273F-806E-4f2c-A928-1154888F7F24}.exe
        C:\Windows\{71DA273F-806E-4f2c-A928-1154888F7F24}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\{810C81A3-A2CB-466d-8A0C-8E2942017F27}.exe
          C:\Windows\{810C81A3-A2CB-466d-8A0C-8E2942017F27}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Windows\{A65F6831-9DAC-4553-B2C2-2BEB39FC617A}.exe
            C:\Windows\{A65F6831-9DAC-4553-B2C2-2BEB39FC617A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1700
            • C:\Windows\{32D444BF-573F-4b19-B9E4-87D2F8FFB9E2}.exe
              C:\Windows\{32D444BF-573F-4b19-B9E4-87D2F8FFB9E2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2904
              • C:\Windows\{05B4FC28-6B17-41d3-9CAE-F3309430B54A}.exe
                C:\Windows\{05B4FC28-6B17-41d3-9CAE-F3309430B54A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2412
                • C:\Windows\{C71B01D5-D848-4371-B705-A84598EE332E}.exe
                  C:\Windows\{C71B01D5-D848-4371-B705-A84598EE332E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1632
                  • C:\Windows\{07A54374-BA7D-4f15-ACFD-D5FFEBFB816A}.exe
                    C:\Windows\{07A54374-BA7D-4f15-ACFD-D5FFEBFB816A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1380
                    • C:\Windows\{86E37644-0955-433f-89E1-F7CF49F88D75}.exe
                      C:\Windows\{86E37644-0955-433f-89E1-F7CF49F88D75}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2440
                      • C:\Windows\{F2EAC4D0-B6F8-4215-9592-2D76C8FC55EB}.exe
                        C:\Windows\{F2EAC4D0-B6F8-4215-9592-2D76C8FC55EB}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:344
                        • C:\Windows\{B01D0CAE-F553-42a1-9E00-D158BCA1696A}.exe
                          C:\Windows\{B01D0CAE-F553-42a1-9E00-D158BCA1696A}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2984
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F2EAC~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1344
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{86E37~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:304
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{07A54~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:348
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C71B0~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2924
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{05B4F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:836
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{32D44~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1388
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A65F6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2180
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{810C8~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{71DA2~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14E9C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2240
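
Two features of this tree are worth encoding as detection logic rather than hashes: every stage is a {GUID}.exe written to the root of C:\Windows that spawns the next stage (eleven "Executes dropped EXE" IoCs), and every stage is removed by a child cmd.exe running del against the parent's 8.3 short name (for example {F2EAC~1.EXE for {F2EAC4D0-B6F8-4215-9592-2D76C8FC55EB}.exe). Hash matching alone is weak here: the Downloads section below lists eleven dropped files that are all 168KB, like the submitted sample, yet no two share a hash. The following is an added example (not code from the report or any sandbox product) that applies both checks to process-creation events; the tuples are (pid, ppid, image, command line) transcribed from the first three levels of the tree above, plus two constructed control events (an explorer.exe root and an unrelated del) so the negative case is exercised. The 8.3 alias generator is an approximation of Windows behaviour, labelled as such in the code.

```python
"""Behavioural checks for the GUID-chain and self-delete pattern in the process tree.
Added example, not part of the sandbox report."""
import re

# (pid, ppid, image, command line). First seven rows are from the report; the two rows
# marked CONTROL are constructed so the checks have something to reject.
EVENTS = [
    (2972, 0, r"C:\Users\Admin\AppData\Local\Temp\2024-09-29_920e191788282171ef9e5d69ff76cb45_goldeneye.exe", ""),
    (2488, 2972, r"C:\Windows\{14E9C4BC-F690-402a-AE91-2D8DEBACEAFC}.exe", ""),
    (2240, 2972, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    (2844, 2488, r"C:\Windows\{71DA273F-806E-4f2c-A928-1154888F7F24}.exe", ""),
    (2900, 2488, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{14E9C~1.EXE > nul"),
    (2872, 2844, r"C:\Windows\{810C81A3-A2CB-466d-8A0C-8E2942017F27}.exe", ""),
    (2856, 2844, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Windows\{71DA2~1.EXE > nul"),
    (1000, 0, r"C:\Windows\explorer.exe", ""),                                   # CONTROL
    (4242, 1000, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c del C:\Users\Admin\Desktop\notes~1.TXT > nul"),                 # CONTROL
]

GUID_EXE = re.compile(r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"/c\s+del\s+(\S+)", re.I)


def short_name(path: str) -> str:
    """Approximate the 8.3 alias Windows assigns on first collision: spaces and
    periods removed, first six characters upper-cased, '~1', three-letter extension.
    Heuristic; later collisions get ~2, ~3, which the caller normalises away."""
    base = path.rsplit("\\", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:
        stem, ext = ext, ""
    stem = re.sub(r"[ .]", "", stem)
    alias = f"{stem[:6].upper()}~1"
    return f"{alias}.{ext[:3].upper()}" if ext else alias


def self_delete_events(events) -> list:
    """[(parent_pid, parent_image, cmd_pid)] where a child cmd.exe deletes its parent's
    image, matched by full basename or by 8.3 alias (~N normalised to ~1)."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if not image.lower().endswith("\\cmd.exe") or ppid not in by_pid:
            continue
        m = DEL_CMD.search(cmdline)
        if not m:
            continue
        target = re.sub(r"~\d+", "~1", m.group(1).rsplit("\\", 1)[-1].upper())
        parent_image = by_pid[ppid][2]
        parent_base = parent_image.rsplit("\\", 1)[-1].upper()
        if target in (parent_base, short_name(parent_image)):
            hits.append((ppid, parent_image, pid))
    return hits


def longest_guid_chain(events) -> int:
    """Length of the longest parent->child run of C:\\Windows\\{GUID}.exe images."""
    by_pid = {e[0]: e for e in events}
    children = {}
    for pid, ppid, _, _ in events:
        children.setdefault(ppid, []).append(pid)

    def depth(pid):
        return max((1 + depth(c) for c in children.get(pid, ())
                    if GUID_EXE.match(by_pid[c][2])), default=0)

    roots = [e[0] for e in events if e[1] not in by_pid]
    return max((depth(r) for r in roots), default=0)


def triage(events) -> dict:
    """Summary a detection rule would alert on; either indicator alone is notable,
    both together are the pattern in this report."""
    return {"guid_chain_depth": longest_guid_chain(events),
            "self_deletes": self_delete_events(events)}


if __name__ == "__main__":
    print(triage(EVENTS))
```

On the full tree the chain depth is 12 and every stage from the submitted sample down to {F2EAC4D0-...}.exe has a matching self-delete; only the last-stage {B01D0CAE-...}.exe has none within the 144 s run. A rule keyed on "cmd.exe /c del of the parent image, redirected to nul" fires on each stage independently, so it does not depend on seeing the whole chain.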

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{05B4FC28-6B17-41d3-9CAE-F3309430B54A}.exe

          Filesize

          168KB

          MD5

          ceeba654badc52a7791b1fe7c89ea2b5

          SHA1

          21e4b0066d5575e9d6d4fa95f3f2970af33ba89a

          SHA256

          dc092d2728f9d5ca7af120e018da60a7226517d0408c90f710c805ac5b24a8f8

          SHA512

          822589534ec2531eb7ced79a5ac91812e04067e0667721a7a1e225a963916dee64421717a64d164fff2ffec01797fb8a738e101e4a095a137b126f626ff20dd9

        • C:\Windows\{07A54374-BA7D-4f15-ACFD-D5FFEBFB816A}.exe

          Filesize

          168KB

          MD5

          719a8df5ba97b93d2cecb85c0b7073f1

          SHA1

          3e16704dce99776b56de0614728f38b12abf4a54

          SHA256

          06d6cb662cee4ddab27d02ed3931235f08978b8e6a3d543bd869150ee06d00a3

          SHA512

          4eda691664c4c1949277ba8909eec9cc72c04a28dbe2edcf1c18a2e0c88b464f091b1fd589c00eb9bc9c6e8c26545f52af73f06241f0167b00471ffee905e286

        • C:\Windows\{14E9C4BC-F690-402a-AE91-2D8DEBACEAFC}.exe

          Filesize

          168KB

          MD5

          006b53febe3e5b4f9230443d98fc90cf

          SHA1

          608ef37a99880ae8ac9fff758acf42f122b05720

          SHA256

          99c29173cb834605d234704bee5bc6bde55f35cc89a1d2011ef54b7f07f16f79

          SHA512

          727ecd6b9beffe5d854823b21b8df4390e04734876c60a6ae5a7ca5d28c87b78e1975c5b493e438b2736c5deed62b379741905789d65f7e12e10106864c39d27

        • C:\Windows\{32D444BF-573F-4b19-B9E4-87D2F8FFB9E2}.exe

          Filesize

          168KB

          MD5

          16d58577715f173995423c2349d31bce

          SHA1

          3cbf73a9b75dfd176aef34ef2f274e53ca522f06

          SHA256

          952faa7bef1b8f4957564953a78c260a6f31e0a16cf667a9b9cf035d158faa02

          SHA512

          858ea5779b51f1283c4f0cbc4e8a1da276303aa85c519bdee4076d50b27e6b26ad6b9d6259bf3422a833ccf95bcdb39f2ed5fc32d8d296e733b32706192c1c7e

        • C:\Windows\{71DA273F-806E-4f2c-A928-1154888F7F24}.exe

          Filesize

          168KB

          MD5

          6e3e2e81b23cd5ab3085c70fa7e0f106

          SHA1

          b45c398165f1ab68feb4abf33f7a0dc332d5f306

          SHA256

          569c6994256c0ce1cb0f9e2d46195e4b5b42d40cf682e00dcab884eb6fb685ce

          SHA512

          997bfd844fd5db00e70c6911854e76b9ca7958beac11fc105b0e3e9ad25ddcdb70987812a018a23964479fc99cf0afee64c14b2937d7ceaa30da1c6cbd7a8f6c

        • C:\Windows\{810C81A3-A2CB-466d-8A0C-8E2942017F27}.exe

          Filesize

          168KB

          MD5

          a3a0559b6e333ba9b209574d6f3c49e1

          SHA1

          5d899c446fe86509edaddf29940abe8b52a7e4ae

          SHA256

          d3415576353b695de4095a9544c4923a521e89086d011ea67b2ddadf3b9f4738

          SHA512

          0afa3eea13d8bfecd022a5784f1d0e98f792f5f0e0748e3fdcfbf239e48432fa450fb1ef0f7b6480bcf75a33927a9749f0fe0519107583f6a95ba28f6bbec8be

        • C:\Windows\{86E37644-0955-433f-89E1-F7CF49F88D75}.exe

          Filesize

          168KB

          MD5

          cd427cef40bab824cd00e3c381215fc6

          SHA1

          52c86aa33c1486301c8f71f747a72a1880ee289b

          SHA256

          eaf4c49618a6b449f3834d36b021ac966c5e905ef06fc8addc33452ef88ce2b5

          SHA512

          b5067a8c75b7201db98f4a5ab7818b39b947721bbec7b8e32a0e7439028a45f15db101e9f9fe74a73578e6150b7feea399ae073dd88fdc36f670560049498ec9

        • C:\Windows\{A65F6831-9DAC-4553-B2C2-2BEB39FC617A}.exe

          Filesize

          168KB

          MD5

          405c31a35adef7e02ad9e75ad8fb1a5c

          SHA1

          62b87b7dfbd57471c6b33ec730a639c27d26472e

          SHA256

          faadf076e62d191c1ee3088006f90c9d1f4895fd192bf12a67953f8a6986942f

          SHA512

          2a10c31497287010f78fc405fea0ca0079dd86e14fe1fad3dc0fbdbf68efa9e913b1bbb26e40724b30144c1facf2e5ba417fbdc5d5a1fb42309528274968681d

        • C:\Windows\{B01D0CAE-F553-42a1-9E00-D158BCA1696A}.exe

          Filesize

          168KB

          MD5

          59bc828a37b12f05072b17ec32b44f2a

          SHA1

          342371b83e9835662cb5b3aefefa325c6cd080a7

          SHA256

          e9f7f8677721399d682541577085659ae93b294cb42446abd8bce227f79a70eb

          SHA512

          fd8e985e31ce28c4daab5c1cbd15331d7c48ced1603901056a11fbcc3bc63b69d7bb84db45a4d72d5ca96a62d485145ea03dbd0559e68475cd26a41e028e1b36

        • C:\Windows\{C71B01D5-D848-4371-B705-A84598EE332E}.exe

          Filesize

          168KB

          MD5

          ccd219afa47d09f468b119f34eefb497

          SHA1

          b9babec0c2cfbae8023a07b2738a2cbef8a12ca3

          SHA256

          4b91941ff35fc8127c023668f22b98748ce2489ccab1cb99a3d857eff0522fb3

          SHA512

          5958d9a2b407e8b4a20bee8571d84d3a348722ec3837ba2a0b066f837c9373585c222512e4ec2ba6f90d1450a9fe3d72316cb3394371874e55d1a3c34ca03db7

        • C:\Windows\{F2EAC4D0-B6F8-4215-9592-2D76C8FC55EB}.exe

          Filesize

          168KB

          MD5

          73d3d10755cd55e7be76c3bc323929a3

          SHA1

          aef89db59a0604598fc8a7de18816bcd8f264548

          SHA256

          35efd304613faf1934ee45e04e21a37b8e15b245a3774cbc4ce2c2b063bd55b4

          SHA512

          8f8589ec118dbb11efb6f317349be1aa917229dd180d1be4f754d600f6974bb76d6e6e6fb72d8af1b5416e6761eecce16f97d615473754fcb05e08b154ff39b2