Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/09/2024, 11:03

General

  • Target

    2024-09-30_c96f3f07da3e5552934c819a507d2f7b_goldeneye.exe

  • Size

    180KB

  • MD5

    c96f3f07da3e5552934c819a507d2f7b

  • SHA1

    b35d1bac83b6d42dadc4f6e08496a101126e9d6c

  • SHA256

    7cb6e5e2475ca67435cff45fa3cbd19944070343d154f5675cca2b5982b1c8ef

  • SHA512

    cc5b5a08e9fda2111530c0b2ef8a003b3b942036853926c0b011c8ab9eba02b755427137c73e919cf27c084bfefdc45f7766cd5a972f3ce151e9a416c9c4cca4

  • SSDEEP

    3072:jEGh0oMlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGul5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-30_c96f3f07da3e5552934c819a507d2f7b_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-30_c96f3f07da3e5552934c819a507d2f7b_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\{9572BED8-237A-4d4f-982D-F2CD965C0D59}.exe
      C:\Windows\{9572BED8-237A-4d4f-982D-F2CD965C0D59}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Windows\{03A348C4-1B6E-4734-8D38-72CCEA8E510D}.exe
        C:\Windows\{03A348C4-1B6E-4734-8D38-72CCEA8E510D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4732
        • C:\Windows\{4F77675F-0573-46ea-B098-68C194286324}.exe
          C:\Windows\{4F77675F-0573-46ea-B098-68C194286324}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3688
          • C:\Windows\{5EECF65B-0DBF-4105-A288-AB325E80451A}.exe
            C:\Windows\{5EECF65B-0DBF-4105-A288-AB325E80451A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4472
            • C:\Windows\{E162564A-DE4D-436b-9D96-D4D2D0640913}.exe
              C:\Windows\{E162564A-DE4D-436b-9D96-D4D2D0640913}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:448
              • C:\Windows\{34ED890C-89A2-4d0e-9D50-6B3D484AECC5}.exe
                C:\Windows\{34ED890C-89A2-4d0e-9D50-6B3D484AECC5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1276
                • C:\Windows\{231C6556-B90E-4cfb-A4AD-765785A4B5B8}.exe
                  C:\Windows\{231C6556-B90E-4cfb-A4AD-765785A4B5B8}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5112
                  • C:\Windows\{7E44AC53-4777-460c-B190-B295515C44D2}.exe
                    C:\Windows\{7E44AC53-4777-460c-B190-B295515C44D2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2412
                    • C:\Windows\{3C5494CF-87EE-4af8-A8FF-0B34479B5F4B}.exe
                      C:\Windows\{3C5494CF-87EE-4af8-A8FF-0B34479B5F4B}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3680
                      • C:\Windows\{B01FEBE7-F3CC-4402-9255-9FE7CB6DC200}.exe
                        C:\Windows\{B01FEBE7-F3CC-4402-9255-9FE7CB6DC200}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:916
                        • C:\Windows\{A4878A1A-BBDA-4714-B1C8-D5F4F18AFECA}.exe
                          C:\Windows\{A4878A1A-BBDA-4714-B1C8-D5F4F18AFECA}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3456
                          • C:\Windows\{35ADD432-C72C-49ee-83FF-C7AC223AD7A5}.exe
                            C:\Windows\{35ADD432-C72C-49ee-83FF-C7AC223AD7A5}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3648
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A4878~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3336
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B01FE~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:884
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C549~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:5036
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7E44A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3528
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{231C6~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3516
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{34ED8~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2516
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E1625~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:5072
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5EECF~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1716
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4F776~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4144
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{03A34~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4708
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9572B~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1040
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5012

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\{03A348C4-1B6E-4734-8D38-72CCEA8E510D}.exe

          Filesize

          180KB

          MD5

          cd77ac339a22c66ba022340ae92218e2

          SHA1

          a782a47c41286409dd3743d9f37f86030d1b4d80

          SHA256

          3abf055b9a0e4972148b23e36840b58ead4d654aa00ad8f028dbc2541f50b5f9

          SHA512

          94f3eb1593835aa629573ac9fba17cb463b2069413272cc31e1dce56794a60eea967ba80b1a94a6ca4cfb6ee16a69ca6a1f4277f890d03c02a3ab3dc8d406147

        • C:\Windows\{231C6556-B90E-4cfb-A4AD-765785A4B5B8}.exe

          Filesize

          180KB

          MD5

          5c7d76161ba7df6fed77f5f90c3bdc16

          SHA1

          af6a6f76408fde30a2b9c08344032f5d9f895f55

          SHA256

          75ee2e58aa4402f3ca9c45ac0b4074f843f1457868761fe42113a62b55582938

          SHA512

          d196e23d1e0e75ae6ccf98bcf6a410d814e1dd17a8c78341c46b78364fd0feb88098138cdc8b1f1e9284b8fe2a27910fbe078e1867789157da24925e745ed493

        • C:\Windows\{34ED890C-89A2-4d0e-9D50-6B3D484AECC5}.exe

          Filesize

          180KB

          MD5

          7802bee9f77d9945cf52f115c70b115f

          SHA1

          2b675459a3692d5feebcdce4589de06481debf50

          SHA256

          8f5df7ebfdfc54d667b1b5513f49973d60902f2bd9a1ad52c69c0992eae54c53

          SHA512

          1801dd847dc4ed8cd3349c415e1ce740eed56490a3ec96779d6f48247a80c38de0ae76a9025cac413efb4d3bda31d6efee4ac922a6a032b19cd9a0b2d325f1a4

        • C:\Windows\{35ADD432-C72C-49ee-83FF-C7AC223AD7A5}.exe

          Filesize

          180KB

          MD5

          1cd6b8331a1cfa6b19786846b24fc858

          SHA1

          c3e5002d07718580c251c8b36d9a7e06b99d6e77

          SHA256

          39f9a6597a94bb0f5a006056ef607e9a678b8a8b7778c8ab530abd764daeb6ed

          SHA512

          f00df10a76c5c9495fbe3bff64ebeff8597f06dc58ce790fab610880d327fae90efbcd30ce49e3f057b4527b1295706aa1327de44a63c91b38ad52d927f3b153

        • C:\Windows\{3C5494CF-87EE-4af8-A8FF-0B34479B5F4B}.exe

          Filesize

          180KB

          MD5

          6f8f5551f262932b620b382661424cbf

          SHA1

          c2b2f2156e6b7da29efea980519bd3a9dc9204e9

          SHA256

          a5c3224f4285bade1a4e2d828ea9a491d652419705f8389f98c3a48cb9171656

          SHA512

          d0666b4bc40c98cff835daaa10bacad2dfe957cb46aaf035869bf25ca509a44a6631fa069885ba47cb24e7d3ac4d0cebf5a53fa172f844a8b7020226fde5ae4a

        • C:\Windows\{4F77675F-0573-46ea-B098-68C194286324}.exe

          Filesize

          180KB

          MD5

          7d77d7f5776b17a10fd7d6f3264e9d82

          SHA1

          8c6d40d3f2555ea86db4e68c7eabd41145c7ca82

          SHA256

          cf70152d4130b39b94f1e699344ab131bc6dbbb41fd548a66182b77808985e6a

          SHA512

          a72444e8253b2986fdbb686ff8766b2e66a0d6775ddb85ff2bc485f3907dfc120dfbe302aeab80770342ebdb74df07c50d76e33e2fdb0cecadcef3740fccdc89

        • C:\Windows\{5EECF65B-0DBF-4105-A288-AB325E80451A}.exe

          Filesize

          180KB

          MD5

          b81fd448aa73d5ce02601cce803ced98

          SHA1

          88110f8918321b5e181ee6d67a7299f145ee2828

          SHA256

          6c1b628473cfe576ef8c4d4bee4ac3083b9272b86da77c45d56edd6bdb03b916

          SHA512

          d5836242ab4426c2efd6960f4b0f4baaa75494fd377797fe6e1323efb3d5c763a7bcca476365025ae5d74a563aef4a9ce07db0293d3a427b61f044a251d3af5a

        • C:\Windows\{7E44AC53-4777-460c-B190-B295515C44D2}.exe

          Filesize

          180KB

          MD5

          bd4f5113304474e2ae261be0a51e2b54

          SHA1

          dd6b91cff1da77095daac4ba275d438936ec11a8

          SHA256

          2b89d9632dbb6154daee5af0ef81ef647f30ca0399b1aea8db8fa7c8ff0a9ffd

          SHA512

          2d22ea7ff18ca4e927e30c194962e54dcda7ae532d2376948ae52b26ca27f3bd989ac236bdd99e9a4c5eb213c3823f14afee9058794586c681782934597886de

        • C:\Windows\{9572BED8-237A-4d4f-982D-F2CD965C0D59}.exe

          Filesize

          180KB

          MD5

          0fd00772feb482269d84d568ba8799c6

          SHA1

          fc755c363f5f031a333a37305bed5132da31631d

          SHA256

          3db31b1657f68fefbdded43e34708c10c1859f2e6cd40a1c6827a8a1b9cea6f2

          SHA512

          d0b75ac4a30ca8dec60c3e1be7b4082d3d3c4bc951bbbe69947f42cea6f122053f061a09742258a5977ef55beca5facba9c14e9a73b5329c45b466e8dec6b27f

        • C:\Windows\{A4878A1A-BBDA-4714-B1C8-D5F4F18AFECA}.exe

          Filesize

          180KB

          MD5

          132002b407f27584d159742bbd5ead29

          SHA1

          b3aeb8f415a86ff1735594691a4ffb4f1fc09ae6

          SHA256

          8eed5d3a4633ad0152ffd55fa82e5675141b569da92f7b0ae61b8be48e4a909b

          SHA512

          c7b0a090a5159e2d3f82cf440bbf256daeaacec75753998cbd3ba6a08fdb795dc1241b21c4b759118066325a7b61fc965132213bb324986045588fcd78d128c6

        • C:\Windows\{B01FEBE7-F3CC-4402-9255-9FE7CB6DC200}.exe

          Filesize

          180KB

          MD5

          914ac13cee069fda085b1d6a8f68fe44

          SHA1

          88c952745b33e3d801a2dbbc4458dc5d34354ea4

          SHA256

          4595ffac594cd387891531eb638320287445e2293094d3514d5c4236ecda6958

          SHA512

          b24771c7c03a443eec798cebd8da6b5dfe920aafffaa2a226803609ab0704ffa7213ce7ef8530045d4b65783b19e4ed8e45b4af2f218889a915108391665c998

        • C:\Windows\{E162564A-DE4D-436b-9D96-D4D2D0640913}.exe

          Filesize

          180KB

          MD5

          fa0744ac456ead1b11c159bf62d76899

          SHA1

          27d07a805ccf3d5a0f67b9f62e543e4cd2572c23

          SHA256

          66c29be65d1f827813d92f258bddbd4904e6564bbdc4663274ff0e05462a7878

          SHA512

          8e5bc6c7b7e5dabf025f774d7d4cb94f0b03b6364c1b12201d8336f25d029d327194b536942080a9091b7d93a9f94c252b1c71711faf904db00632b5282f0cd7