Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-10-2024 06:47

General

  • Target

    2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe

  • Size

    180KB

  • MD5

    583e131dc564f0999013a64a9650035a

  • SHA1

    a8d4d870e0a7906a71d75b23c78ac49be090419c

  • SHA256

    556e04cd1a93577543dbe66c07ee8e826f07efcb17e0050d34838e1f7a0e8bb9

  • SHA512

    c2f6adc683a5b1573c5184c94ed0083d827b2628386ebe3733534564b5aed4ef6287cdad9aefcd83b0fc6f2b56c517b356d210cf1800f66233d11730f460ab0b

  • SSDEEP

    3072:jEGh0oolfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGal5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-01_583e131dc564f0999013a64a9650035a_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\{696328C9-4EAD-498d-B40A-DC706F2D8955}.exe
      C:\Windows\{696328C9-4EAD-498d-B40A-DC706F2D8955}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3152
      • C:\Windows\{7E6CA8EF-0C4E-4cd1-9352-974EB8D85C59}.exe
        C:\Windows\{7E6CA8EF-0C4E-4cd1-9352-974EB8D85C59}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3200
        • C:\Windows\{F2268079-9E50-4692-A3BF-870A720BEC43}.exe
          C:\Windows\{F2268079-9E50-4692-A3BF-870A720BEC43}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3984
          • C:\Windows\{3EC86697-8C19-46bf-8510-0994BDC272A8}.exe
            C:\Windows\{3EC86697-8C19-46bf-8510-0994BDC272A8}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4976
            • C:\Windows\{D3DA443C-F2EF-441f-A99D-71D739A4495D}.exe
              C:\Windows\{D3DA443C-F2EF-441f-A99D-71D739A4495D}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4884
              • C:\Windows\{88B03305-0CC6-4c6e-A965-0C5C79BB0DB4}.exe
                C:\Windows\{88B03305-0CC6-4c6e-A965-0C5C79BB0DB4}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4012
                • C:\Windows\{B432F317-4E75-4441-A41C-11975938B6CE}.exe
                  C:\Windows\{B432F317-4E75-4441-A41C-11975938B6CE}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4368
                  • C:\Windows\{A1E451C2-E0DF-4aa4-A078-93D28F7F31D8}.exe
                    C:\Windows\{A1E451C2-E0DF-4aa4-A078-93D28F7F31D8}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4084
                    • C:\Windows\{476622F9-017B-4044-BBC7-A88D4B1915B3}.exe
                      C:\Windows\{476622F9-017B-4044-BBC7-A88D4B1915B3}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4080
                      • C:\Windows\{671B4BC0-5E21-4075-957E-E61CC33B3EFD}.exe
                        C:\Windows\{671B4BC0-5E21-4075-957E-E61CC33B3EFD}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2980
                        • C:\Windows\{FE74EA03-8BB1-4334-B12A-80995B1EB4BE}.exe
                          C:\Windows\{FE74EA03-8BB1-4334-B12A-80995B1EB4BE}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3196
                          • C:\Windows\{981C7918-8FA3-4763-ADC9-22256ED66A11}.exe
                            C:\Windows\{981C7918-8FA3-4763-ADC9-22256ED66A11}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:520
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{FE74E~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3396
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{671B4~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3720
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{47662~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3680
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1E45~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3520
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B432F~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2188
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{88B03~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:220
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D3DA4~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3144
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC86~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3040
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F2268~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7E6CA~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3096
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69632~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3896
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1528
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
    1⤵
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\{3EC86697-8C19-46bf-8510-0994BDC272A8}.exe

      Filesize

      180KB

      MD5

      6c90c1de03189b0e2d8f261b2a818949

      SHA1

      28666d773bca6e1b838354b413a2c4543aefbdde

      SHA256

      43d799c6612d9f742bd943a671723065e8b7c11992218bb39d55c0259fc3aab3

      SHA512

      78f915fcd2e13c5d163f46e1ee33109186708e28614efc07c9ffdfc56733759997c722f05f72975f8a200371dad358200d7de6881cf9b4ea45ba9728abc9a752

    • C:\Windows\{476622F9-017B-4044-BBC7-A88D4B1915B3}.exe

      Filesize

      180KB

      MD5

      d72c68d575e7a93267ed0d82b523a683

      SHA1

      a9cd94f80c7456d92112d236e84e0d823757ad4b

      SHA256

      0ede84499c6185714db06d9fea3189338536b877072a11902d0422d35f786a2c

      SHA512

      c26d52c41118ac9ee887b0671be653b7d7ad7031e2cc017290708fd3a2bde4002b3a57ad2adaad644b795ee86ceb3089d96bf4f9349a52a0a9be40ab650e8417

    • C:\Windows\{671B4BC0-5E21-4075-957E-E61CC33B3EFD}.exe

      Filesize

      180KB

      MD5

      ab686f60fef1cb35b9555eacc13c1fce

      SHA1

      59d366a8830ff8fa1e23b6ad00cd6d54ff8ca411

      SHA256

      ab67a13b826054b1734d67fcf7a9ad23c6c3a9738ca549b9d4cdbe8e471c619d

      SHA512

      4254697a07e586c72fa943e0cc48eee2167c242aa54b4d615c49ee6cbe8107703c7261530943691263bfe265736173a1aa891ff80a42af39ea8acd149240c7fb

    • C:\Windows\{696328C9-4EAD-498d-B40A-DC706F2D8955}.exe

      Filesize

      180KB

      MD5

      db35ebc3293df6488d33f6c3502bced3

      SHA1

      2321e05646d2cb664baff28a890d30085a964187

      SHA256

      45da5b911626498e2d5ac632a58f243545139d6917d678c7876ba9a08db9c0d0

      SHA512

      9f89b749f8011316efa8f4534ec53356c97ad048b4f4548ab5550a64796a635685d9ba9d6255efb5021a0ef38362749a2bab8c262a34acaed78fa26301cbea0a

    • C:\Windows\{7E6CA8EF-0C4E-4cd1-9352-974EB8D85C59}.exe

      Filesize

      180KB

      MD5

      d5f21e5ec5d30af451ec485efbf2f377

      SHA1

      3c9fb58e7570435138bc272a53a4188a939494cb

      SHA256

      4dea0e0f562787ed24fd470d86fb1100b4efd065075f3b61a9fb994f51162989

      SHA512

      bd09176ccf09ab1b3ee795817025f8e11b39c3e85ab4fd08f771224d9cbc6c9ec01dce43b491a13e8c2d65bde0bbb914be93ff22559fe52d7c0b01b54b6e3e4b

    • C:\Windows\{88B03305-0CC6-4c6e-A965-0C5C79BB0DB4}.exe

      Filesize

      180KB

      MD5

      0adb8a80e474e8e4ac84c2f1f8e9a237

      SHA1

      4f8f69c6101e3e0d6e3b057890dfe6cc6537a254

      SHA256

      21ec86ebc1a4f457b3fb424ffb555413bcc9248c5721db3c716c23f047a86c24

      SHA512

      bc7ea7299e93279191f338729025638481ec7c5bdef39d4129665a783a44578f1120fbcfdb6ecc716b8de24d868e94aa867daf2faba9dde4ee80e6562e26d44b

    • C:\Windows\{981C7918-8FA3-4763-ADC9-22256ED66A11}.exe

      Filesize

      180KB

      MD5

      c5c72a89e7f4ac6657ebec9ac3a31258

      SHA1

      5130d672fa29ee047acb3291875270c83813153c

      SHA256

      e1f373444a5079c15d5974acb9240d46f2d33ea818046aed6c8b5bcc0600b4c9

      SHA512

      ef6c6632e542e729a10c8e32254182bd787c8c55c8715f8a469d32d10a627e778d11414a568e3078e295aaeac45925dd6fcd67a1ccff59a05b6958b14ca19dda

    • C:\Windows\{A1E451C2-E0DF-4aa4-A078-93D28F7F31D8}.exe

      Filesize

      180KB

      MD5

      5b2e942d7450a27560bc4888c4468488

      SHA1

      fb6b8e98ac044011605267ca723bacd4322664a6

      SHA256

      b5b186e8763ec3ac7754d1fd2cec60afd9445c06985da4f58f9109ead0c0be21

      SHA512

      9132adae9874df003574848ee5bf8eb8ebd2737f2e6707cbfcc39e4099712daa89efcce072f577ca78b14e430a9ca6d0b8d67ce2b44fd41a053c12e21b84d051

    • C:\Windows\{B432F317-4E75-4441-A41C-11975938B6CE}.exe

      Filesize

      180KB

      MD5

      83df2f5730713cea920c8a0759910c93

      SHA1

      6ed85e53f7250491ff36038e0c6198be1b781ea1

      SHA256

      be02713824b745dfaaf46d9dc4790d7f03bf1a7762df22b0abac6392ffb0c2d4

      SHA512

      b15d530644624f4baf285b014712670495010f65e2be22c0cb087e0e6e280796f9b6a064a36c279fb38575577dd688c9a53967b01190970320be3c4fd9f28708

    • C:\Windows\{D3DA443C-F2EF-441f-A99D-71D739A4495D}.exe

      Filesize

      180KB

      MD5

      4894bbdd76e00592a75ee2028d83b7b2

      SHA1

      bf9d63a8c07de9d2291bb2316d450254b9d797eb

      SHA256

      842430033cb4920d154531f0b8bc6675fd87f9680f9df98abbe71ea99c60cbb7

      SHA512

      ccf3b3b130901843650792560515c6660d3d100a107083a7b5c9310158222d166555b9d7894818f4525d5bb584890ffa354b5e5557219ec02ff1e75c71db9cdd

    • C:\Windows\{F2268079-9E50-4692-A3BF-870A720BEC43}.exe

      Filesize

      180KB

      MD5

      2306fe77867d810a2ded90feaa4ece70

      SHA1

      11e492ef095d6fbbff4e0e22b02f173670d6e5fe

      SHA256

      71ddc82bd971c1f2df9407546535f043b33175861e86ec46f9ae61e157910059

      SHA512

      118b0c9cc86736c96e2e39886967ad4a329fba435b6aa3dd637938f1c7ab417fdf096386f13e83b9238e8c4fe5ce50dc22aed754441b036da205d3891f316b72

    • C:\Windows\{FE74EA03-8BB1-4334-B12A-80995B1EB4BE}.exe

      Filesize

      180KB

      MD5

      f1261fc7f34a3415366501512f8a3242

      SHA1

      6f18ac9f754b6ac0f1c42bc5f3cae7017f9883a5

      SHA256

      74bc1015b326e07ff8bb2159dc99b920fd0baad0022175d375a80cc989939862

      SHA512

      577de490e1e2f8942cc417c3c08d62e036caca04755394836dd4e2612925aa9b263e91982b57d20039d97576de1d59249656d4361e698644c5ed54e3fb27aac9