Analysis

  • max time kernel
    149s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/09/2024, 21:09

General

  • Target

    2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe

  • Size

    192KB

  • MD5

    89c431d79273e416067e424e07d41278

  • SHA1

    1d2d6e85d73ca85178b97e247c0748d5ddb944da

  • SHA256

    cbda0c3ad9a69e4bdca46a720daca2a72e0dc8f10283bfe11f220297fdb9c88c

  • SHA512

    920e131c10edaeb9c280aa1b06420b989b325a0d98a1e8028768be5f961f3e2601a054c1bee89eace04fcb945b5490f1d650be179be9527a3dd4f83da4aee345

  • SSDEEP

    1536:1EGh0oNZl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oNZl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup components live under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} (WOW6432Node for 32-bit components); the StubPath command of a component runs at a user's next logon when that GUID is not yet recorded under the same path in HKCU. In this run the signature fired for the sample and eleven of the twelve dropped stages (the last stage, PID 3324, did not); the key and StubPath values themselves are not shown in this report.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. It is flagged on all 25 processes here, including the cmd.exe deletions, so on its own it is a weak indicator.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Windows\{07283493-B7FF-4376-9900-12EFA17D9255}.exe
      C:\Windows\{07283493-B7FF-4376-9900-12EFA17D9255}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\{200F743E-782E-41e6-8F01-1FD87C92D865}.exe
        C:\Windows\{200F743E-782E-41e6-8F01-1FD87C92D865}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4772
        • C:\Windows\{B5429E23-AC46-49b8-942D-355C03E0EF77}.exe
          C:\Windows\{B5429E23-AC46-49b8-942D-355C03E0EF77}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Windows\{5EB624EC-1EAC-4a4a-97B2-51287B3E42C4}.exe
            C:\Windows\{5EB624EC-1EAC-4a4a-97B2-51287B3E42C4}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1500
            • C:\Windows\{64F2257A-A410-4b24-BBCC-BF74DE25E15D}.exe
              C:\Windows\{64F2257A-A410-4b24-BBCC-BF74DE25E15D}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2488
              • C:\Windows\{3606896C-8425-4cb8-B9D4-0D1C76A77EAD}.exe
                C:\Windows\{3606896C-8425-4cb8-B9D4-0D1C76A77EAD}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3332
                • C:\Windows\{65B3AC1E-5E6A-4090-95AB-412D38525552}.exe
                  C:\Windows\{65B3AC1E-5E6A-4090-95AB-412D38525552}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4988
                  • C:\Windows\{5230F970-0658-4042-B8D5-F0C4F84C55C3}.exe
                    C:\Windows\{5230F970-0658-4042-B8D5-F0C4F84C55C3}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:668
                    • C:\Windows\{EC0E6A26-07FB-48de-8EAF-2960A9D00549}.exe
                      C:\Windows\{EC0E6A26-07FB-48de-8EAF-2960A9D00549}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4936
                      • C:\Windows\{12D63119-E639-4a43-8B6F-0FE5281D039F}.exe
                        C:\Windows\{12D63119-E639-4a43-8B6F-0FE5281D039F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1312
                        • C:\Windows\{75299028-2668-4ff8-A05B-2F8DD6AE1CAF}.exe
                          C:\Windows\{75299028-2668-4ff8-A05B-2F8DD6AE1CAF}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4648
                          • C:\Windows\{9F728DBA-523C-4496-906E-480C885B9899}.exe
                            C:\Windows\{9F728DBA-523C-4496-906E-480C885B9899}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3324
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{75299~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4576
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{12D63~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4844
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC0E6~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4900
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5230F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3588
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{65B3A~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4212
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{36068~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3556
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{64F22~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1764
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5EB62~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1940
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B5429~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{200F7~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4532
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07283~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4332
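The process tree above shows a drop, execute and self-delete loop: each stage writes the next stage to C:\Windows\{GUID}.exe, launches it, then spawns cmd.exe /c del against its own image using the 8.3 short name (for example {07283~1.EXE for {07283493-B7FF-4376-9900-12EFA17D9255}.exe), so a detection that looks for the full GUID file name in the del command line never matches. The Python below is an added example for this page, not code from the sandbox or from the sample. It reconstructs the chain from process-creation records in a Sysmon Event ID 1 shape constructed from the tree above; the field names (pid, ppid, image, cmdline) are assumptions, the sample's own parent PID is not in the report and is set to 0, and the 8.3 short-name derivation is an approximation that compares only the six-character prefix and extension.

```python
"""Detection logic for the drop, execute, self-delete chain in the process tree above.

Added example for this report page, not sandbox or sample code. The records are
constructed from the tree above in a Sysmon Event ID 1 shape; the field names
(pid, ppid, image, cmdline) are assumptions, adapt them to your telemetry.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-09-30_89c431d79273e416067e424e07d41278_goldeneye.exe")
SAMPLE_PID = 3116  # its parent PID is not in the report; 0 is used as a placeholder

# (pid, ppid, GUID) of each dropped C:\Windows\{GUID}.exe, in drop order, from the tree above
STAGES = [
    (1956, 3116, "07283493-B7FF-4376-9900-12EFA17D9255"),
    (4772, 1956, "200F743E-782E-41e6-8F01-1FD87C92D865"),
    (1344, 4772, "B5429E23-AC46-49b8-942D-355C03E0EF77"),
    (1500, 1344, "5EB624EC-1EAC-4a4a-97B2-51287B3E42C4"),
    (2488, 1500, "64F2257A-A410-4b24-BBCC-BF74DE25E15D"),
    (3332, 2488, "3606896C-8425-4cb8-B9D4-0D1C76A77EAD"),
    (4988, 3332, "65B3AC1E-5E6A-4090-95AB-412D38525552"),
    (668, 4988, "5230F970-0658-4042-B8D5-F0C4F84C55C3"),
    (4936, 668, "EC0E6A26-07FB-48de-8EAF-2960A9D00549"),
    (1312, 4936, "12D63119-E639-4a43-8B6F-0FE5281D039F"),
    (4648, 1312, "75299028-2668-4ff8-A05B-2F8DD6AE1CAF"),
    (3324, 4648, "9F728DBA-523C-4496-906E-480C885B9899"),
]
# (cmd.exe pid, ppid, path passed to "del") copied from the tree above: 8.3 short names
DELETES = [
    (4332, 3116, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
    (4192, 1956, r"C:\Windows\{07283~1.EXE"), (4532, 4772, r"C:\Windows\{200F7~1.EXE"),
    (1912, 1344, r"C:\Windows\{B5429~1.EXE"), (1940, 1500, r"C:\Windows\{5EB62~1.EXE"),
    (1764, 2488, r"C:\Windows\{64F22~1.EXE"), (3556, 3332, r"C:\Windows\{36068~1.EXE"),
    (4212, 4988, r"C:\Windows\{65B3A~1.EXE"), (3588, 668, r"C:\Windows\{5230F~1.EXE"),
    (4900, 4936, r"C:\Windows\{EC0E6~1.EXE"), (4844, 1312, r"C:\Windows\{12D63~1.EXE"),
    (4576, 4648, r"C:\Windows\{75299~1.EXE"),
]


def build_events():
    """Return the constructed process-creation records for the whole tree."""
    events = [{"pid": SAMPLE_PID, "ppid": 0, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'}]
    for pid, ppid, guid in STAGES:
        image = "C:\\Windows\\{" + guid + "}.exe"
        events.append({"pid": pid, "ppid": ppid, "image": image, "cmdline": image})
    for pid, ppid, target in DELETES:
        events.append({"pid": pid, "ppid": ppid, "image": r"C:\Windows\SysWOW64\cmd.exe",
                       "cmdline": r"C:\Windows\system32\cmd.exe /c del " + target + " > nul"})
    return events


# An executable named like a GUID sitting directly in the Windows root (not System32).
GUID_EXE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE)
DEL_CMD = re.compile(r"\bdel\s+(\S+)", re.IGNORECASE)


def short_name_stem(filename):
    """Approximate the 8.3 short name Windows derives from a long file name: spaces and
    dots dropped from the stem, first 6 characters, upper-cased, plus the extension.
    The ~N counter is not predicted because it depends on collisions in the directory."""
    stem, _, ext = filename.rpartition(".")
    return re.sub(r"[ .]", "", stem)[:6].upper(), ext.upper()


def is_self_delete(cmd_event, parent_event):
    """True when a cmd.exe child deletes its parent's own image, by long or 8.3 name."""
    m = DEL_CMD.search(cmd_event["cmdline"])
    if not m:
        return False
    t_dir, _, t_name = m.group(1).rpartition("\\")
    p_dir, _, p_name = parent_event["image"].rpartition("\\")
    if t_dir.lower() != p_dir.lower():
        return False
    if "~" in t_name:  # short name: compare the 6-char prefix and the extension only
        prefix = t_name.split("~", 1)[0].upper()
        return (prefix, t_name.rpartition(".")[2].upper()) == short_name_stem(p_name)
    return t_name.lower() == p_name.lower()


def analyze(events):
    """Return {'guid_exe_in_windows_root': [pid...], 'self_delete': [(cmd pid, parent pid)...]}."""
    by_pid = {e["pid"]: e for e in events}
    findings = {"guid_exe_in_windows_root": [], "self_delete": []}
    for e in events:
        if GUID_EXE.match(e["image"]):
            findings["guid_exe_in_windows_root"].append(e["pid"])
        parent = by_pid.get(e["ppid"])
        if parent and e["image"].lower().endswith("\\cmd.exe") and is_self_delete(e, parent):
            findings["self_delete"].append((e["pid"], parent["pid"]))
    return findings


def longest_chain(events):
    """Depth of the deepest parent-to-child chain of non-cmd.exe processes: 13 here,
    the sample plus twelve dropped stages, each launched by the one before it."""
    by_pid = {e["pid"]: e for e in events}
    children, roots = defaultdict(list), []
    for e in events:
        if e["image"].lower().endswith("\\cmd.exe"):
            continue
        (children[e["ppid"]] if e["ppid"] in by_pid else roots).append(e["pid"])

    def depth(pid):
        return 1 + max((depth(c) for c in children[pid]), default=0)
    return max((depth(r) for r in roots), default=0)


if __name__ == "__main__":
    ev = build_events()
    print(analyze(ev), "chain depth:", longest_chain(ev))
```

Two details of the tree are worth carrying into real telemetry. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe while the command line names C:\Windows\system32\cmd.exe: the sample is 32-bit and WoW64 file-system redirection resolves the System32 path, so match on the image path, not the command line. The last stage (PID 3324) never deleted itself before the run ended, so its file is the one most likely to remain on disk; the Active Setup persistence should be checked separately under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (and WOW6432Node), since this report does not show which GUID key or StubPath was written.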

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\{07283493-B7FF-4376-9900-12EFA17D9255}.exe

          Filesize

          192KB

          MD5

          4a93ab78ccbc49f480c7d222289a287c

          SHA1

          52f9382f1db5edbcf98b80f34b12c3385a9ea772

          SHA256

          15b2685297d46f06721692555ff9c20d22686ff42899ae3e1eb0e46bcff3abf4

          SHA512

          a67771ee2d10667b2b1cbcd4e9f9d319dddcdfb80a9cbb1e6015cf81abb48aec27d1984357276820699fd99a3660845e103c4f4d419483e3f8b61111c6dd0cc8

        • C:\Windows\{12D63119-E639-4a43-8B6F-0FE5281D039F}.exe

          Filesize

          192KB

          MD5

          d0a8c4b023bb95d6fadf18efcc7a7481

          SHA1

          7b5f1ea0435bc2a87715751f3945e2831fbce938

          SHA256

          6e300ebd08fdc42d4bb4b0b29a1041cb6a463dee9f88e9799780ba01421663b3

          SHA512

          c717ae98a37eba6b746b4687ddaea8027e928c03f9cc5df56e5b1060944d8f06536c0f6e3cf9bae0f26feb7f547d0059c2ba436839dec858dda81fa3fa8fa66d

        • C:\Windows\{200F743E-782E-41e6-8F01-1FD87C92D865}.exe

          Filesize

          192KB

          MD5

          bfffc6ea06a6669fa89ed4186ff04768

          SHA1

          cacf8ff8f4002d43a49834c8ab032fd943ae4d8c

          SHA256

          2d2e6f21d63322b615c5f0899d07ff7791118dbf1fbca40ac8c4d53ddb392ce3

          SHA512

          b3d0987c4ff8cfee7322d81c06e556ed1059b69483090e5131768cf0de67bfa7045d52ca1169b9c66ada87341973584f0c672fbd7a0b4705414d5cfa6a55a3c0

        • C:\Windows\{3606896C-8425-4cb8-B9D4-0D1C76A77EAD}.exe

          Filesize

          192KB

          MD5

          6f37d0e7078bc81051d8f4239bc35b35

          SHA1

          90c82de7f83a51faa2e52768f13fd347d42e9d04

          SHA256

          57d70ce7e9535a0e02bee2f0c73055661123df344c3108c2a99532a2ae96d432

          SHA512

          dda1e65507ae660d0fe8686b8173932d9733ca95e7a5e7cb20187e8d0cee1c1d8b7e3ee6aed0e0dfdbfd8aa75ef94d88d789a9d3b93a42b4454f9e49bf4e16d6

        • C:\Windows\{5230F970-0658-4042-B8D5-F0C4F84C55C3}.exe

          Filesize

          192KB

          MD5

          5af88f3763a77051d2c460433cbb7e97

          SHA1

          85b9b036b9c1de4d6103d6ecd5cbd8d0d4025749

          SHA256

          b873f029e6367cbfb2627b6c834d4bb08a9b4c4db10556cfc96f82b72663dcc2

          SHA512

          69775480e19218e5acd5edbd2a22883d34c3b2ec71829791959001da6e10938f61e60c75b7e5b667e3261a161b9886fe87a733b2d99c67fee1a16915d9bb7165

        • C:\Windows\{5EB624EC-1EAC-4a4a-97B2-51287B3E42C4}.exe

          Filesize

          192KB

          MD5

          34b7a73fbc61eb70351b242fa3d1ef95

          SHA1

          49f9bb3ad93ac541945ba15268389ba0370bafd5

          SHA256

          42f3827a773a0cd681a62cd893661a95ca550b84e0d97239fe75b222296300ad

          SHA512

          6b422d8596b1b148f782fa4ae2086d0b0c501f4f2c90e5c0443642456ea28bf21da0ce683243595aa6ea986553e8df75d9577e136132708ea35c69f03a14b3e8

        • C:\Windows\{64F2257A-A410-4b24-BBCC-BF74DE25E15D}.exe

          Filesize

          192KB

          MD5

          3d03258d28abb7ec55bc2e0e4b81ef8b

          SHA1

          80e0fd8455b1ccb27e5b5865be204c8081c3da1c

          SHA256

          325264b1052dc49bc5a234d42c0039991aa2159d6df46ed0b1eb703784f117ab

          SHA512

          f08f08821126ed791c08120d603d2bd6f79bef363a07db0f48b55776def189b31808cc8f8a2b90555c1243ef5b7a8d335de15ab99f0c1efc756c707d9047ef0c

        • C:\Windows\{65B3AC1E-5E6A-4090-95AB-412D38525552}.exe

          Filesize

          192KB

          MD5

          a2d6ef48b61f26b3f680b41fb08b6963

          SHA1

          1c7a7eb547689cf9c944207c7eaf4722aa1527ab

          SHA256

          22f7c8a8d89dd49e761e745344ece9412e5450bfc70d4a433feed270bc7e7eee

          SHA512

          e469aa823d885a369f9d72d8f47339d6adc35bdaadfebf4586bf187fb6015f7dde860ed77e54d301ce001dc13afdd44b14014e7a5cd4917a7bf116368600fd26

        • C:\Windows\{75299028-2668-4ff8-A05B-2F8DD6AE1CAF}.exe

          Filesize

          192KB

          MD5

          5ed876bc670c8dd3b44e65518bd32592

          SHA1

          93e7fe20d8352b198783b21a7d7bd5b3dcda24e5

          SHA256

          ddacd8c253631dfc0eb7023bcea6652e4ba2808e82a636f15885a40aa2019562

          SHA512

          f264df612bfe3904a5f95a467944d8f73dd03aa03360176d21b01ba686515aaae2f2b1c580f84cc931e4dbe1e15442ca3b2b690cdcff6c48c842bf088d0c2100

        • C:\Windows\{9F728DBA-523C-4496-906E-480C885B9899}.exe

          Filesize

          192KB

          MD5

          e5be61511a51f6d7c811309d93109ffb

          SHA1

          7fed3ec71fda50a280c6ec7e104274ff3635406f

          SHA256

          0d5d8571121b4cf80aa107f99c7add3622bd6471589dba4f184284f2d6631a0a

          SHA512

          02261535a2d110528c4b138900480b05594704f8a6e0b09c98b23370f942072b635262175403abb77febb017f3d0fb495eac29d0db51f639cdd61a762e533b2e

        • C:\Windows\{B5429E23-AC46-49b8-942D-355C03E0EF77}.exe

          Filesize

          192KB

          MD5

          4c558b17db8739f1b8b6ec7824474147

          SHA1

          a38d0b7cd1d9d8899f3d554159b81e68b16bc8a1

          SHA256

          b2c984206bab1682ce52475020eb8ece73629f4a3e291c52d838406f053b2393

          SHA512

          c5990b11b4b7e6b978bb0a1a38e532865a6deba42f650a09fad725afc730b9035e2a8a5252603cea795e85bed111e44337e1e63b74b6a66dc776e7878be19b73

        • C:\Windows\{EC0E6A26-07FB-48de-8EAF-2960A9D00549}.exe

          Filesize

          192KB

          MD5

          53c09fe34e77da66119b551f63adb884

          SHA1

          226736da7897dae2870bd4a4c9aed510b85b5b81

          SHA256

          ebf36b9c035d97fe7b8276036473d9af46e56c3480fb3c76e1b765dc660659f7

          SHA512

          8f7f63b6fe5f1ffdae5e099b701e97778b08f1d2c806e2e8897251b59f1269eff6fd9dbf5dd3726d200c7260b8839d973d42bc4fbad238ec6ce8eec565b62abb