Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/09/2024, 18:53

General

  • Target

    2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe

  • Size

    204KB

  • MD5

    56542454145bd6940ff909166b00a7da

  • SHA1

    9dddb319d36425b3d240a7e78ccb61fb10f688e3

  • SHA256

    04cfd8d3388d252b68ced2784b4a8d49ba751be51a3f0fa7b5510814b8f72bbc

  • SHA512

    92ccd4117c0e3d56537aa460804d23330aefd63023b7db06e1d60b974bee79be8248444452dc92c5ac82cfc93b820e2584871cf203d1bde48df00e247dbc0825

  • SSDEEP

    1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oxl1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
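
The Active Setup signature above names the mechanism but the report does not list the key values that were written. The following is an added triage example, not the sandbox's own code: it models HKLM and HKCU "Installed Components" entries as plain dicts so it runs offline, applies the Active Setup logon rule (the StubPath runs for a user when the per-user copy of the key is missing or carries a lower Version, and IsInstalled is not 0), and flags any StubPath that is a GUID-named executable directly under C:\Windows, the naming the dropped files in this run use. The sample entries are constructed; the suspicious one reuses a GUID from the process tree only to mirror that naming, and the benign one uses a placeholder GUID and stub path. On a live host the same dicts would be filled from the registry with winreg.

```python
"""Triage Active Setup "Installed Components" entries (added example)."""
import re
from typing import Dict, List, Optional, Tuple

ACTIVE_SETUP_KEY = r"SOFTWARE\Microsoft\Active Setup\Installed Components"

# GUID-named executable sitting directly under C:\Windows (not System32)
WINDIR_GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I
)
# First token of a StubPath, quoted or not, up to and including ".exe"
STUB_EXE = re.compile(r'^\s*"?([^"]+?\.exe)"?(?:\s|$)', re.I)


def parse_version(value: Optional[str]) -> Tuple[int, ...]:
    """Active Setup compares Version as comma-separated integers ("1,0,0,0")."""
    if not value:
        return (0,)
    return tuple(int(p) if p.strip().isdigit() else 0 for p in value.split(","))


def will_run_at_logon(hklm: dict, hkcu: Optional[dict]) -> bool:
    """Active Setup rule: the stub runs at the next user logon when the
    machine-wide component is installed (IsInstalled absent or non-zero),
    has a StubPath, and the per-user key is missing or has a lower Version."""
    if hklm.get("IsInstalled", 1) == 0 or not hklm.get("StubPath"):
        return False
    if hkcu is None:
        return True
    return parse_version(hkcu.get("Version")) < parse_version(hklm.get("Version"))


def triage(hklm: Dict[str, dict], hkcu: Dict[str, dict]) -> List[dict]:
    """One finding per component whose StubPath is a GUID-named exe under
    C:\\Windows, with whether it would still fire for the given user."""
    findings = []
    for guid, values in hklm.items():
        m = STUB_EXE.match(values.get("StubPath", ""))
        if not m or not WINDIR_GUID_EXE.match(m.group(1)):
            continue
        findings.append({
            "key": f"HKLM\\{ACTIVE_SETUP_KEY}\\{guid}",
            "stub_exe": m.group(1),
            "runs_at_next_logon": will_run_at_logon(values, hkcu.get(guid)),
        })
    return findings


# Constructed sample data (not taken from the report): a placeholder benign
# component and one shaped like this run's dropped files.
SAMPLE_HKLM = {
    "{00000000-0000-0000-0000-000000000001}": {  # placeholder, benign
        "StubPath": r'"C:\Windows\System32\example_setup.exe" /quiet',
        "Version": "1,0,0,0",
        "IsInstalled": 1,
    },
    "{7DFEDDA7-5EE8-4549-A6F8-379DD03653FC}": {  # mirrors a dropped-file name
        "StubPath": r"C:\Windows\{7DFEDDA7-5EE8-4549-A6F8-379DD03653FC}.exe",
        "Version": "1,0,0,0",
        "IsInstalled": 1,
    },
}
SAMPLE_HKCU = {
    # This user already ran the benign stub at the current version.
    "{00000000-0000-0000-0000-000000000001}": {"Version": "1,0,0,0"},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_HKLM, SAMPLE_HKCU):
        print(finding)
```

Because the per-user key is absent for the GUID entry, `runs_at_next_logon` is True: deleting the dropped file alone is not enough, the HKLM component has to go as well or the stub will be re-invoked at every user's first logon.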

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\{B1B0C913-EE87-4faf-BC48-0E9966DE6C1B}.exe
      C:\Windows\{B1B0C913-EE87-4faf-BC48-0E9966DE6C1B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\{1D567E6A-790C-49bd-BA08-5716F1936519}.exe
        C:\Windows\{1D567E6A-790C-49bd-BA08-5716F1936519}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Windows\{796ACE98-4E4A-4ecd-861A-13698F015827}.exe
          C:\Windows\{796ACE98-4E4A-4ecd-861A-13698F015827}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5012
          • C:\Windows\{0F904E7B-85EA-458e-8A56-317F7A8CB31A}.exe
            C:\Windows\{0F904E7B-85EA-458e-8A56-317F7A8CB31A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1416
            • C:\Windows\{65875551-BE58-48c0-BE21-0D5034807F34}.exe
              C:\Windows\{65875551-BE58-48c0-BE21-0D5034807F34}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4236
              • C:\Windows\{5F577E50-3A50-4542-9C24-B3B841C5E10D}.exe
                C:\Windows\{5F577E50-3A50-4542-9C24-B3B841C5E10D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1644
                • C:\Windows\{CB1C3B9B-2913-4b9d-8670-E8F4CD7D7CF0}.exe
                  C:\Windows\{CB1C3B9B-2913-4b9d-8670-E8F4CD7D7CF0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3200
                  • C:\Windows\{43DED986-3F40-4374-AFB0-387801380D3D}.exe
                    C:\Windows\{43DED986-3F40-4374-AFB0-387801380D3D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3328
                    • C:\Windows\{454651D0-E252-4067-BBB0-D1F30DE0E7FF}.exe
                      C:\Windows\{454651D0-E252-4067-BBB0-D1F30DE0E7FF}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3016
                      • C:\Windows\{00C2F592-A342-483d-8922-AD4CD5C1D1A3}.exe
                        C:\Windows\{00C2F592-A342-483d-8922-AD4CD5C1D1A3}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2012
                        • C:\Windows\{0021A4CD-537A-488c-A8FF-9FC7C4B967CF}.exe
                          C:\Windows\{0021A4CD-537A-488c-A8FF-9FC7C4B967CF}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1100
                          • C:\Windows\{7DFEDDA7-5EE8-4549-A6F8-379DD03653FC}.exe
                            C:\Windows\{7DFEDDA7-5EE8-4549-A6F8-379DD03653FC}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:5104
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0021A~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:468
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{00C2F~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:812
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{45465~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4588
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{43DED~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1056
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB1C3~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3912
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5F577~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4288
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{65875~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1140
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0F904~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3640
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{796AC~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1D567~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4732
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B0C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4948
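
The tree above shows one pattern repeated twelve times: a GUID-named executable in C:\Windows starts the next GUID-named executable, then a child `cmd.exe /c del <8.3 short name> > nul` removes the parent's own image. The following is an added detection example, not the sandbox's own code. It reconstructs the run as process-creation events (PIDs, image paths and command lines are taken verbatim from the tree; parent PIDs are read off the tree's nesting, which the report shows only as indentation) and flags GUID executables under C:\Windows, self-deletion through a child `cmd.exe` whose `del` target is the 8.3 alias of the parent's image, and the length of the spawn chain. The 8.3 matching is simplified to "same directory, first six characters of the stem, same extension", which is exact for names like these that contain no spaces or characters illegal in short names.

```python
"""Flag the drop-execute-delete chain in process-creation events (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# GUID-named executable directly under C:\Windows
WINDIR_GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I
)
# "cmd.exe /c del <path> > nul", the self-delete idiom seen in the tree
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.I)
# 8.3 alias: directory, up to six characters of the stem, "~N", extension
SHORT_NAME = re.compile(
    r"^(?P<dir>.*\\)(?P<prefix>[^\\~]{1,6})~\d+\.(?P<ext>[A-Z0-9]{1,3})$", re.I
)


@dataclass
class Event:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


def short_name_matches(long_path: str, short_path: str) -> bool:
    """True when short_path is the 8.3 alias of long_path (simplified rule)."""
    m = SHORT_NAME.match(short_path)
    if not m or "\\" not in long_path:
        return False
    ldir, lfile = long_path.rsplit("\\", 1)
    stem, _, ext = lfile.rpartition(".")
    return (ldir.lower() + "\\" == m["dir"].lower()
            and stem[:6].upper() == m["prefix"].upper()
            and ext.upper() == m["ext"].upper())


def analyze(events: List[Event]) -> Dict[str, object]:
    by_pid = {e.pid: e for e in events}
    dropped = [e for e in events if WINDIR_GUID_EXE.match(e.image)]

    # A process counts as self-deleted when a child cmd.exe dels its own image
    self_deleted: Dict[int, str] = {}
    for e in events:
        m = CMD_DEL.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(parent.image, m.group(1)):
            self_deleted[parent.pid] = parent.image

    def guid_chain_len(e: Optional[Event]) -> int:
        """Consecutive GUID-exe ancestors, counting e itself."""
        n = 0
        while e is not None and WINDIR_GUID_EXE.match(e.image):
            n += 1
            e = by_pid.get(e.ppid)
        return n

    return {
        "dropped_guid_exes": len(dropped),
        "self_deleted": len(self_deleted),
        "longest_guid_chain": max((guid_chain_len(e) for e in dropped), default=0),
        "not_deleted": [e.image for e in dropped if e.pid not in self_deleted],
        "suspicious": bool(dropped) and bool(self_deleted),
    }


# Events constructed from the process tree; ppid values come from its nesting.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

def _exe(pid: int, ppid: Optional[int], path: str) -> Event:
    return Event(pid, ppid, path, path)

def _del(pid: int, ppid: int, short: str) -> Event:
    return Event(pid, ppid, CMD, rf"C:\Windows\system32\cmd.exe /c del {short} > nul")

EVENTS: List[Event] = [
    _exe(2300, None, TEMP + r"\2024-09-29_56542454145bd6940ff909166b00a7da_goldeneye.exe"),
    _exe(3548, 2300, r"C:\Windows\{B1B0C913-EE87-4faf-BC48-0E9966DE6C1B}.exe"),
    _exe(396, 3548, r"C:\Windows\{1D567E6A-790C-49bd-BA08-5716F1936519}.exe"),
    _exe(5012, 396, r"C:\Windows\{796ACE98-4E4A-4ecd-861A-13698F015827}.exe"),
    _exe(1416, 5012, r"C:\Windows\{0F904E7B-85EA-458e-8A56-317F7A8CB31A}.exe"),
    _exe(4236, 1416, r"C:\Windows\{65875551-BE58-48c0-BE21-0D5034807F34}.exe"),
    _exe(1644, 4236, r"C:\Windows\{5F577E50-3A50-4542-9C24-B3B841C5E10D}.exe"),
    _exe(3200, 1644, r"C:\Windows\{CB1C3B9B-2913-4b9d-8670-E8F4CD7D7CF0}.exe"),
    _exe(3328, 3200, r"C:\Windows\{43DED986-3F40-4374-AFB0-387801380D3D}.exe"),
    _exe(3016, 3328, r"C:\Windows\{454651D0-E252-4067-BBB0-D1F30DE0E7FF}.exe"),
    _exe(2012, 3016, r"C:\Windows\{00C2F592-A342-483d-8922-AD4CD5C1D1A3}.exe"),
    _exe(1100, 2012, r"C:\Windows\{0021A4CD-537A-488c-A8FF-9FC7C4B967CF}.exe"),
    _exe(5104, 1100, r"C:\Windows\{7DFEDDA7-5EE8-4549-A6F8-379DD03653FC}.exe"),
    _del(468, 1100, r"C:\Windows\{0021A~1.EXE"),
    _del(812, 2012, r"C:\Windows\{00C2F~1.EXE"),
    _del(4588, 3016, r"C:\Windows\{45465~1.EXE"),
    _del(1056, 3328, r"C:\Windows\{43DED~1.EXE"),
    _del(3912, 3200, r"C:\Windows\{CB1C3~1.EXE"),
    _del(4288, 1644, r"C:\Windows\{5F577~1.EXE"),
    _del(1140, 4236, r"C:\Windows\{65875~1.EXE"),
    _del(3640, 1416, r"C:\Windows\{0F904~1.EXE"),
    _del(2580, 5012, r"C:\Windows\{796AC~1.EXE"),
    _del(4732, 396, r"C:\Windows\{1D567~1.EXE"),
    _del(3956, 3548, r"C:\Windows\{B1B0C~1.EXE"),
    _del(4948, 2300, TEMP + r"\2024-0~1.EXE"),
]

if __name__ == "__main__":
    print(analyze(EVENTS))
```

Run against this tree the result is 12 GUID executables, 12 self-deletions (the submitted sample plus eleven of the drops) and a spawn chain of 12, with `{7DFEDDA7-5EE8-4549-A6F8-379DD03653FC}.exe` the one dropped file never deleted by a child `cmd.exe`. That last image, rather than the original sample or the short-lived intermediates, is the artifact worth pulling from disk in a real incident.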

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0021A4CD-537A-488c-A8FF-9FC7C4B967CF}.exe

    Filesize

    204KB

    MD5

    3663f6df385dfe7e63a75734ae7fb3c1

    SHA1

    37e151743c277485d302c4c7a9c237c262d56a8e

    SHA256

    6fa490c6a7173fb5bc2bdbbfac20b0945df9a0001b6513e49256e62f3f6eb62f

    SHA512

    e3daffdba33e1ee27fadc913c1a51690f5e560ee6777c6ff45089cdee8c640e4d8ac4e8b28d9811db27b8948bfb56adeb77e971a749481c92e7b8261b65b8bb5

  • C:\Windows\{00C2F592-A342-483d-8922-AD4CD5C1D1A3}.exe

    Filesize

    204KB

    MD5

    da82199f9ff9b1292b6df1232ae0f3df

    SHA1

    a4efea7e4b362f6a5a5057ffb610e80101ad2f10

    SHA256

    09d0cc1e58f1183803b8262a8cb6ad6adfa1c1b0f2cc9c1f071de99bfab3b300

    SHA512

    e9206f7596e9d2ed62021084d3be7fec496a8584b295c8cd41cac7f2b806f90dd4d28697156042d001a258eea1bb2b6a14b4b854eec3ccb24569cffe3be9545d

  • C:\Windows\{0F904E7B-85EA-458e-8A56-317F7A8CB31A}.exe

    Filesize

    204KB

    MD5

    4a9ad52900cd61feeb25d34ba422ab75

    SHA1

    9ac5f966ea66f31c595d4a330fdd9d9afaa2af12

    SHA256

    f811946cc3c8fcfc93f5ffb0f707f4eeaaed1d25ee7929ed0c2b5276f36fdb39

    SHA512

    c624f0ac2389793b4fe8b4086c6df8c0c940a165dc8b14d217cf8f103b8d437f020848b0bb10948de74a4130eca449b4f06dc7f12b8b8f87bb2cbd5b17091318

  • C:\Windows\{1D567E6A-790C-49bd-BA08-5716F1936519}.exe

    Filesize

    204KB

    MD5

    6f0dcb802d837f09b858de3c9505773c

    SHA1

    c931f8800e125291dc5f67b47192b0ae5eb8fb5a

    SHA256

    9dd9053490c047b7a39742f69fb982dc85ea4d79c56444b395c968154f6a840a

    SHA512

    eedfed081a76b9abbedfeecf13320f78486fdb1214e41f47a128bb0a31957025543750f66cdae02c17433365df6f6ee50d9c00f9ba681e9b4a38bac1dcd2aa1f

  • C:\Windows\{43DED986-3F40-4374-AFB0-387801380D3D}.exe

    Filesize

    204KB

    MD5

    e2ae400acb0307e15785d04bdf8ccf3e

    SHA1

    6f8bb4e65b27d9bf57656067c31e7edb7a4718a5

    SHA256

    4581015e105d73bc5c78437e8590afdaeb7cb6fc9588f2c6321245cbcb00a9c8

    SHA512

    a4ea9bd13ad5a015d47762f9cb1ee238678c561cef0ad9182ece5992bd0b23dca68a9041f7e2b36e2659f1814a9727239291d1aaf19a56dd9c6abff259d05f6f

  • C:\Windows\{454651D0-E252-4067-BBB0-D1F30DE0E7FF}.exe

    Filesize

    204KB

    MD5

    7288ef62baf0d971ab67541b582f1438

    SHA1

    c850e66399970d33dc1f8152a4f8e49cb537fb7b

    SHA256

    176245ec0b92477a71948337cb8738367e707f39737f149527756170f7dc926c

    SHA512

    c35e39ee400b473a80aa3e9dfd3bf10cbe2b086bd26375561d676951ce4cff8901944bdf5151a1e6b7bd470229e4c9cf39ac45e14f2eee80cde6b43fde7dd838

  • C:\Windows\{5F577E50-3A50-4542-9C24-B3B841C5E10D}.exe

    Filesize

    204KB

    MD5

    02b74cdeb5c88d737116fe9be27e1856

    SHA1

    856a751e26472ff9aea41a985c454146e4b650b3

    SHA256

    5f1fe6d2057ed3233a28adb2ae44add9fc4b6286dba350987f4ab4bc7602e694

    SHA512

    b2e880e9278e09e0be89db57557566fe154cde8ca727076d098d291972fd9cda14339dd7887ae4ded99de045f5f0af8175aeeb90ad9eab659277c470810daeaf

  • C:\Windows\{65875551-BE58-48c0-BE21-0D5034807F34}.exe

    Filesize

    204KB

    MD5

    497eea26ba8055801bc9ea72833b382d

    SHA1

    df301910a0ace436690e2783abad2b27d9e07b82

    SHA256

    bebd6710959877ccf56eefb6f45843efa9e2495fcbc48d31de96dc2a651627fe

    SHA512

    b936b2746f91a9261f39725573a1f8faed951a905f4ad0c574e802564713712d5f6a9720e6128e8668f710aef4be91299bf7e7bf7f7fd10f38c4864b01fa891c

  • C:\Windows\{796ACE98-4E4A-4ecd-861A-13698F015827}.exe

    Filesize

    204KB

    MD5

    534b9a6150463ea23103fd59a97706a3

    SHA1

    34c4aa867528e3a93e06e77a7dc8fc01d2dd7db4

    SHA256

    184afe2f7a88aebe3ee65897b540ef77220df0ca754469ab2388a6234f168ef2

    SHA512

    fea373ed5a961aebcf95decd95c06384260b63a35f31022faf4024157c1915caba2441d1f606419ab3b80edeb80207841853311329d411a296829a0962299557

  • C:\Windows\{7DFEDDA7-5EE8-4549-A6F8-379DD03653FC}.exe

    Filesize

    204KB

    MD5

    aa66c55b48b819e76e5996cafc2d93ce

    SHA1

    4d21f33795f211c0774bc3a034c4873d20830626

    SHA256

    fe7530191f7531ad58425fb8d756e598f0c940019478e859629e94649d538ccd

    SHA512

    681ea7b78b97b3be31dae4a836a96f17ec89add28a4a6f0727d07de136aeae0de59c677939896ad8e57eba9737682394e4b3beb919e9b40a04fb616c76c87f43

  • C:\Windows\{B1B0C913-EE87-4faf-BC48-0E9966DE6C1B}.exe

    Filesize

    204KB

    MD5

    c4bed2abc6af686e49c803ce75c701b9

    SHA1

    7d7e009112bbbdeb49075de07c446284d966f1a3

    SHA256

    86ca9aa6f754be48fee1d09ce683dcca90afdcb8a5b9e8253676c25c876a10af

    SHA512

    ca9e8e17a5826dc4f32ede3e90958c981f4c22b76da17f591cbbfcc4fdac12fc9cb1667f74643a92124088c98daa8fe240851db6a434b0335ce12296ca397150

  • C:\Windows\{CB1C3B9B-2913-4b9d-8670-E8F4CD7D7CF0}.exe

    Filesize

    204KB

    MD5

    09d54fd86e46d5a1673bbf4f89a77193

    SHA1

    c8403585bfc0f5fa932427471c250f22c1a736ca

    SHA256

    ea62b9a7e3b9fe1bc7bddac5436956c119a96af922bb05377886314ea9308d51

    SHA512

    8e3db21588ba24d2dfadd6a3ba375771fccf94b6761168d408c86dbf10a230251696a61dd845bca7e7cae4e2c9cdb1ac8eb84be81b4b711cd972a5ca4126c620