Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    01-10-2024 04:23

General

  • Target

    2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe

  • Size

    372KB

  • MD5

    14b6b14a4638fd2a041364710e48cfd0

  • SHA1

    43430afa6bc2db36cca902c7613ffca3151ef903

  • SHA256

    feff2466a92f4bb5cb464c9906cee2bbd40439c202c0c6b0c51fd03aa6b1e4dd

  • SHA512

    925de9f30829e8eb82a4d227bce8a991b22749daa24e0275ffa66db6951da87b21ce878dd254ae41eadc3815d9ab4dea5aa3844a7693778100af30ec8a109cb7

  • SSDEEP

    3072:CEGh0oHlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGRlkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\{A99BC8BA-73C9-4c35-BDD6-34D01362832F}.exe
      C:\Windows\{A99BC8BA-73C9-4c35-BDD6-34D01362832F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\{E0831A82-667E-405b-A83B-83824FD5CB2A}.exe
        C:\Windows\{E0831A82-667E-405b-A83B-83824FD5CB2A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\{E3885671-558F-4662-B1E1-E9B13F7D4B37}.exe
          C:\Windows\{E3885671-558F-4662-B1E1-E9B13F7D4B37}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\{79C2310D-7019-41f5-8ABF-16B4A4A1310B}.exe
            C:\Windows\{79C2310D-7019-41f5-8ABF-16B4A4A1310B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\Windows\{6A8CC29F-737B-4909-A692-93D1A4B1B750}.exe
              C:\Windows\{6A8CC29F-737B-4909-A692-93D1A4B1B750}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2772
              • C:\Windows\{832025AC-B775-4e2f-B059-BEAD309DCA32}.exe
                C:\Windows\{832025AC-B775-4e2f-B059-BEAD309DCA32}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2024
                • C:\Windows\{18A8CA31-DD02-4726-9C2C-78566ADF6083}.exe
                  C:\Windows\{18A8CA31-DD02-4726-9C2C-78566ADF6083}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1896
                  • C:\Windows\{67EE00E8-009B-41cd-9AE7-D3D0F39C3F17}.exe
                    C:\Windows\{67EE00E8-009B-41cd-9AE7-D3D0F39C3F17}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1708
                    • C:\Windows\{0A9C8098-72AF-40c3-B353-3FA68957E94A}.exe
                      C:\Windows\{0A9C8098-72AF-40c3-B353-3FA68957E94A}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1788
                      • C:\Windows\{F02D62B3-935F-4c56-B165-8A9F4E1FBE3B}.exe
                        C:\Windows\{F02D62B3-935F-4c56-B165-8A9F4E1FBE3B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2400
                        • C:\Windows\{5EA086FD-7537-4fc0-B12B-2F074E6780EA}.exe
                          C:\Windows\{5EA086FD-7537-4fc0-B12B-2F074E6780EA}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2292
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F02D6~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:444
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A9C8~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2152
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{67EE0~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2948
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{18A8C~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1312
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{83202~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2004
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{6A8CC~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2856
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{79C23~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2652
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E3885~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E0831~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A99BC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2824
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1124

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0A9C8098-72AF-40c3-B353-3FA68957E94A}.exe

    Filesize

    372KB

    MD5

    08dd673094e01365646f42094b3a0967

    SHA1

    568adbbdee30b01539d8b2d5b8b26be930981a51

    SHA256

    9a8f938da9d030004cc4ed3158fec1281eee43dcf6fea054e5f9fdaf2bf14ed8

    SHA512

    b9e159fe1de6bbf971b396fd78ae20372a4a4af1ced0a46ec236325275143c48d2bfffca6ba4f719f575b3cf369d7d79ec181ef0c6cd4a9c1e799f9ae2d648b9

  • C:\Windows\{18A8CA31-DD02-4726-9C2C-78566ADF6083}.exe

    Filesize

    372KB

    MD5

    0399e4f3f4239906ffbdf9461ca1862e

    SHA1

    d8d8f0eab8956877abece3dbfb5559d279d4fc69

    SHA256

    65a8e04678181c147ce186d2e7c7f67da478b2fc74ce211ad08a16e535cbe9df

    SHA512

    6848247bd7ba6be9c77cd149ecd706cf47b6dc33d5c522146d50623a2e72440906a6ad8ac4027a1e1a477614e8fa8120e8f401ce97a2485397fc37bcccbc648b

  • C:\Windows\{5EA086FD-7537-4fc0-B12B-2F074E6780EA}.exe

    Filesize

    372KB

    MD5

    7581918e7aa8d8ed0cd2e311eb843379

    SHA1

    d882a2ebff04068ec698fdeb48a3ced93bfcaa3f

    SHA256

    0691fb44b0a730e2cec9a6d647bf684d263f6a1baf11aae2d3bf280fbde287a9

    SHA512

    e0e7ce5be4c72120671e55f701532ca59d77363f4c9b626439d8640915f2eace98f1f7c129101e5b97cb52562889f1ff216e09e72ef2ac7290c8f0c0ac4010c4

  • C:\Windows\{67EE00E8-009B-41cd-9AE7-D3D0F39C3F17}.exe

    Filesize

    372KB

    MD5

    948904f3c5ebefdecb741c11daa55fbe

    SHA1

    c053d1c52d1cf7359a2f88cff252dd6e7d88c05f

    SHA256

    a171a21b7327d91d8b253de5286895b67254a64da89e6baf9162212ccf3a387d

    SHA512

    9ef08640550992831d8d9cca775dc0728024ba7c7c3716bb732281e9a291663c1a0b69f671b2b7db1b528136c86a454dba56a5a82655e82ebf9b8a570e2e8f0d

  • C:\Windows\{6A8CC29F-737B-4909-A692-93D1A4B1B750}.exe

    Filesize

    372KB

    MD5

    aed853dc7c5275f7267076305400d7d4

    SHA1

    af9e528e982073a951c8525d27ce41820f137412

    SHA256

    77517ca10f0be031712d950461a7cc0c09298a9b458b07a323f3ba626864afa3

    SHA512

    109f15acfd418b75a40b97a14e6a336ef0208e3516de61ecd9798707dd21e1c157aa50ca9d875d4e70ad6beba660286e0bbc03446540f9153fc8a4661238e06d

  • C:\Windows\{79C2310D-7019-41f5-8ABF-16B4A4A1310B}.exe

    Filesize

    372KB

    MD5

    37d36ec02c9d3db7da7f52080ebca4a9

    SHA1

    b3d78e854ab3f7e84627f7e844efb64191b64593

    SHA256

    c77123e3738415ac1d9d51083a2b1236682cd9d9fcdbf3538ad80f6d7bec5397

    SHA512

    c3297ecf5af47b12137559c191d0034547f7cd1b25a95fccb6c54deb622e43792d1533af25e93fb7d31cf59762e05aea9ad07a0b6d2829c9f2bf09657b41838f

  • C:\Windows\{832025AC-B775-4e2f-B059-BEAD309DCA32}.exe

    Filesize

    372KB

    MD5

    f45557d8add6fefcdda9f3f4354c5600

    SHA1

    180d96dc4cf74d2f2b1115363e6b1175077398cb

    SHA256

    737d20c862171a139521f89fd5d67fa3029c7f376280b927f034eaf4497321d2

    SHA512

    a2057ea65e87c2b51720c67a148e655f7b8610f19d7ef8b949c6ee37872107c15f823cfa05dea55e6baf8d4766483a204b2a851700881e6d4eb1eb7d95184810

  • C:\Windows\{A99BC8BA-73C9-4c35-BDD6-34D01362832F}.exe

    Filesize

    372KB

    MD5

    6458140af1557182636f4ba5d436d1e8

    SHA1

    d40e59d0f628368780fa89ab7a191093d3a4133e

    SHA256

    3a52f16944f281419e374d84d1ea634aa9b1b96498dccc16fc6a2a565b870342

    SHA512

    bd7142eee988dc5014048c492ed148a4ed02c972dd3ba47078989be6e0066e82f4522011036059ee804b320838b3956b67bdafc7f8b75793bad4294c0b9a6772

  • C:\Windows\{E0831A82-667E-405b-A83B-83824FD5CB2A}.exe

    Filesize

    372KB

    MD5

    f71ac2f0dec3d3259d4055388097c769

    SHA1

    4100c04854158fd976fd91acc76e1c799b567cb9

    SHA256

    7fcc694ac85e999ed224e7af78ad4e250f4416aa8ca4dc6742f30bf6fa094b8c

    SHA512

    4711fb6f19d5a2f6d5d6f28ecfaf0f13e65936abe75d00c14ed8f77bf02f7beff7b9b104ae138f58c6c8bbf41a1f726a7bdf268ceb4a7340c8f046f2f7da0910

  • C:\Windows\{E3885671-558F-4662-B1E1-E9B13F7D4B37}.exe

    Filesize

    372KB

    MD5

    399466c77b4aad0271ab536ef1dbef07

    SHA1

    c2b90807447c16cbccf4f60a659b7a737cf20be6

    SHA256

    2c93efdcbea31691385dfb5f31afdf6922c8fddf4154f36e0addfd93d86f2c8d

    SHA512

    84d09acdef95dd677789d119df09e87eea8cc9bdab8aed7274de9641f49bee011e2c4167e215f13277f2b4c1be70a3bc199476c9e8b7dece04fb2f46dfe70ba0

  • C:\Windows\{F02D62B3-935F-4c56-B165-8A9F4E1FBE3B}.exe

    Filesize

    372KB

    MD5

    9f9ded61167b6bc7fc960a169755e2c2

    SHA1

    aec9f2cf72c390e276e4366e268420c5fd486614

    SHA256

    49d97b6397fa2f44e4815cdb6d4737e1c6e422f1d52f3d14a20d4c7d8028b8f1

    SHA512

    4d203afb0440b22903ee26a2406091d7901b7240769920beabeee93db70b6751099207c72b1e04ead39ee309305829a6fedb29fd4925b4a276c4867c3dfb4288