Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-10-2024 09:46

General

  • Target

    2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe

  • Size

    192KB

  • MD5

    a8d82a2ebd236a7eedfefe6a561489dc

  • SHA1

    3bb3397eefccae415898f39538d6982dcf9ddaca

  • SHA256

    2a23a96b0916b6424da55d684b8f6ea2e6542910d6ec76c8de6cb526cdbc5101

  • SHA512

    1bbc9510f5f287384e45ac18532bc83a8899dd802fa16bea1893def363db00b420ee92bc1498bbb60032d78dcc16836666d1f82a172895be5487a89a2430fe6d

  • SSDEEP

    1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oxl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
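
The Active Setup signature refers to HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID>. At each interactive logon Windows compares every component GUID under that HKLM key with the user's copy under HKCU; when the user's entry is missing or carries a lower Version, the command in the component's StubPath value runs once in that user's context and the HKCU entry is written, so one HKLM write gives a per-user autorun that survives until every profile has "installed" it. The audit below is an added example, not part of the sandbox report or of the sample: it parses a reg export of that key and flags StubPath programs that live outside the usual system locations or that are GUID-named executables dropped directly into C:\Windows, the file pattern this report shows. The .reg text and its component GUIDs are constructed placeholders (the report does not show which component key this sample writes), the function names are my own, %SystemRoot% is assumed to be C:\Windows, and the TRUSTED_DIRS allowlist is a heuristic, not a Windows rule.

```python
import re

# Constructed sample of a "reg export" of the Active Setup key. The component GUIDs are
# placeholders (the report above does not show which key this sample writes); entry ...002
# imitates the file pattern in the report, entry ...001 imitates a normal in-box component.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000001}]
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000002}]
"StubPath"="C:\\Windows\\{AAAAAAAA-0000-0000-0000-000000000002}.exe"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000003}]
"Version"="1,0,0,0"
'''

GUID_EXE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# Heuristic allowlist (assumption, not a Windows rule): where an in-box StubPath normally points.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                "c:\\program files", "c:\\program files (x86)")
REG_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Parse the subset of .reg syntax 'reg export' emits: [key] headers and
    "name"="string" values. Returns {key: {name: value}}; dword/hex values are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = REG_STRING.match(line)
            if m:
                # .reg escapes backslashes and quotes; undo that to get the stored string
                name, value = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
                keys[current][name] = value
    return keys


def stub_executable(stub_path):
    """The program a StubPath launches: the quoted path if quoted, else the first token.
    Only %SystemRoot% / %windir% are expanded here (assumed to be C:\\Windows)."""
    s = stub_path.replace("%SystemRoot%", "C:\\Windows").replace("%windir%", "C:\\Windows")
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def audit_active_setup(reg_text):
    """Return (component_guid, executable, reasons) for every Installed Components
    entry whose StubPath would run something from an unexpected location."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if "\\active setup\\installed components\\" not in key.lower():
            continue
        stub = values.get("StubPath")
        if not stub:
            continue  # a component without StubPath runs nothing at logon
        exe = stub_executable(stub)
        exe_dir, _, exe_name = exe.rpartition("\\")
        d = exe_dir.lower()
        reasons = []
        if d == "c:\\windows" and GUID_EXE.match(exe_name):
            reasons.append("GUID-named executable placed directly in C:\\Windows")
        if not any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS):
            reasons.append("StubPath executable outside system32/SysWOW64/Program Files")
        if reasons:
            findings.append((key.rsplit("\\", 1)[1], exe, reasons))
    return findings


if __name__ == "__main__":
    for guid, exe, reasons in audit_active_setup(SAMPLE_REG):
        print(guid, exe, "; ".join(reasons))
```

On a host under investigation feed it the text of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (reg export writes UTF-16, so decode before passing the string in). The cmd.exe children in the tree below run from C:\Windows\SysWOW64 although their command line says system32, which is WOW64 file-system redirection, so the sample is a 32-bit process on this x64 image; a 32-bit process writing HKLM\SOFTWARE is redirected to Wow6432Node, so on a 64-bit host export and audit HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components as well.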

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\{55DE1AB4-11CD-4510-B793-C7DC02F0A671}.exe
      C:\Windows\{55DE1AB4-11CD-4510-B793-C7DC02F0A671}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\{4491F9C6-A4F5-4d47-A1F5-02172B56CAC5}.exe
        C:\Windows\{4491F9C6-A4F5-4d47-A1F5-02172B56CAC5}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\{67C1A92A-9068-41c2-806F-C7354C6B64DE}.exe
          C:\Windows\{67C1A92A-9068-41c2-806F-C7354C6B64DE}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\{8EFB6975-332B-4619-A3F2-53E2EA29BE99}.exe
            C:\Windows\{8EFB6975-332B-4619-A3F2-53E2EA29BE99}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1160
            • C:\Windows\{495D8FAA-CA14-47cf-82DF-A14E89CFD1F4}.exe
              C:\Windows\{495D8FAA-CA14-47cf-82DF-A14E89CFD1F4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1932
              • C:\Windows\{818C5A4F-1F4E-4c3c-91B9-C2971C0624DB}.exe
                C:\Windows\{818C5A4F-1F4E-4c3c-91B9-C2971C0624DB}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1284
                • C:\Windows\{6A1F69FD-8DDC-42dd-BB01-96DF8D559AC4}.exe
                  C:\Windows\{6A1F69FD-8DDC-42dd-BB01-96DF8D559AC4}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2728
                  • C:\Windows\{A6B85ED3-DF18-47a1-9164-B7C8EBE17C46}.exe
                    C:\Windows\{A6B85ED3-DF18-47a1-9164-B7C8EBE17C46}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1696
                    • C:\Windows\{C4B66ABB-3C04-4c33-A838-1F66C3BDB9E5}.exe
                      C:\Windows\{C4B66ABB-3C04-4c33-A838-1F66C3BDB9E5}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1632
                      • C:\Windows\{EB171081-8ACA-4e6d-B5D0-FF53EA37932F}.exe
                        C:\Windows\{EB171081-8ACA-4e6d-B5D0-FF53EA37932F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2992
                        • C:\Windows\{213D1142-1D60-434d-B2C0-55A720053B04}.exe
                          C:\Windows\{213D1142-1D60-434d-B2C0-55A720053B04}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1156
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EB171~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2520
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4B66~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2144
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A6B85~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2108
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6A1F6~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1064
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{818C5~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:944
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{495D8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:320
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8EFB6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2372
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{67C1A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:532
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4491F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55DE1~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2956
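
Every stage in the tree above follows the same three steps: write a GUID-named copy of itself into C:\Windows, start that copy, and spawn cmd.exe /c del against its own image using the 8.3 short name (so {EB171081-8ACA-4e6d-B5D0-FF53EA37932F}.exe is deleted as {EB171~1.EXE). The script below is an added example, not part of the report: it rebuilds the tree from the PIDs and command lines shown above (constructed into Python tuples by hand; the sandbox's own export format is not used), derives the 8.3 alias of each parent's image, and pairs every del with the parent whose file it removes, so the stage-by-stage self-deletion can be confirmed from any process log rather than read line by line. The function names are my own, and the 8.3 derivation assumes no name collisions (always ~1).

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# (pid, ppid, image) for the twelve stage processes, copied from the tree above.
STAGES = [
    (2384, 0, r"C:\Users\Admin\AppData\Local\Temp\2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe"),
    (2804, 2384, r"C:\Windows\{55DE1AB4-11CD-4510-B793-C7DC02F0A671}.exe"),
    (2576, 2804, r"C:\Windows\{4491F9C6-A4F5-4d47-A1F5-02172B56CAC5}.exe"),
    (2568, 2576, r"C:\Windows\{67C1A92A-9068-41c2-806F-C7354C6B64DE}.exe"),
    (1160, 2568, r"C:\Windows\{8EFB6975-332B-4619-A3F2-53E2EA29BE99}.exe"),
    (1932, 1160, r"C:\Windows\{495D8FAA-CA14-47cf-82DF-A14E89CFD1F4}.exe"),
    (1284, 1932, r"C:\Windows\{818C5A4F-1F4E-4c3c-91B9-C2971C0624DB}.exe"),
    (2728, 1284, r"C:\Windows\{6A1F69FD-8DDC-42dd-BB01-96DF8D559AC4}.exe"),
    (1696, 2728, r"C:\Windows\{A6B85ED3-DF18-47a1-9164-B7C8EBE17C46}.exe"),
    (1632, 1696, r"C:\Windows\{C4B66ABB-3C04-4c33-A838-1F66C3BDB9E5}.exe"),
    (2992, 1632, r"C:\Windows\{EB171081-8ACA-4e6d-B5D0-FF53EA37932F}.exe"),
    (1156, 2992, r"C:\Windows\{213D1142-1D60-434d-B2C0-55A720053B04}.exe"),
]
# (pid, ppid, path given to "del") for the eleven cmd.exe children shown in the tree.
DELETES = [
    (2956, 2384, r"C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE"),
    (3064, 2804, r"C:\Windows\{55DE1~1.EXE"),
    (2672, 2576, r"C:\Windows\{4491F~1.EXE"),
    (532, 2568, r"C:\Windows\{67C1A~1.EXE"),
    (2372, 1160, r"C:\Windows\{8EFB6~1.EXE"),
    (320, 1932, r"C:\Windows\{495D8~1.EXE"),
    (944, 1284, r"C:\Windows\{818C5~1.EXE"),
    (1064, 2728, r"C:\Windows\{6A1F6~1.EXE"),
    (2108, 1696, r"C:\Windows\{A6B85~1.EXE"),
    (2144, 1632, r"C:\Windows\{C4B66~1.EXE"),
    (2520, 2992, r"C:\Windows\{EB171~1.EXE"),
]

GUID_EXE = re.compile(r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)", re.I)


def build_procs():
    """Assemble the process list the way a Sysmon / 4688 collector would hand it over."""
    procs = [Proc(pid, ppid, img, img) for pid, ppid, img in STAGES]
    procs += [Proc(pid, ppid, r"C:\Windows\SysWOW64\cmd.exe",
                   r"C:\Windows\system32\cmd.exe /c del " + target + " > nul")
              for pid, ppid, target in DELETES]
    return procs


def short_name(filename):
    """Approximate the 8.3 alias NTFS assigns to a long name: strip spaces and embedded
    periods, keep the first six characters of the base name, append ~1, keep three
    characters of the extension, upper-case everything.
    Assumption: no collisions, so the tail is always ~1 (NTFS uses ~2.. and then a
    hashed form on collision; on a live volume ask GetShortPathName instead)."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        base, ext = filename, ""
    base = re.sub(r"[ .]", "", base).upper()[:6] + "~1"
    ext = ext.replace(" ", "").upper()[:3]
    return base + ("." + ext if ext else "")


def find_guid_stages(procs):
    """Processes whose image is a GUID-named executable directly under C:\\Windows."""
    return [p for p in procs if GUID_EXE.match(p.image)]


def find_self_deletes(procs):
    """Pair each 'cmd.exe /c del <path>' with its parent and keep the cases where the
    path is the parent's own image (matched directly or through its 8.3 alias)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        m = DEL_CMD.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if not m or parent is None:
            continue
        tdir, _, tname = m.group(1).rpartition("\\")
        pdir, _, pname = parent.image.rpartition("\\")
        if tdir.lower() == pdir.lower() and tname.upper() in (pname.upper(), short_name(pname)):
            hits.append((parent.pid, parent.image, m.group(1)))
    return hits


def stage_chain(procs):
    """Follow parent links from the root, skipping cmd.exe children, to get the drop chain."""
    by_pid = {p.pid: p for p in procs}
    cur = next(p for p in procs if p.ppid not in by_pid)
    chain = [cur]
    while True:
        nxt = [p for p in procs if p.ppid == cur.pid and not p.image.lower().endswith("\\cmd.exe")]
        if not nxt:
            return chain
        cur = nxt[0]
        chain.append(cur)


if __name__ == "__main__":
    procs = build_procs()
    print(len(stage_chain(procs)), "stages;", len(find_guid_stages(procs)), "GUID-named")
    for ppid, image, target in find_self_deletes(procs):
        print(f"PID {ppid} deleted its own image {image} via {target}")
```

On this tree it reports a 12-process chain, 11 GUID-named stages (the original in Temp is not GUID-named) and 11 self-deletes; the last stage, {213D1142-1D60-434d-B2C0-55A720053B04}.exe, has no del child in the report, so whether it also removes itself is not shown. The same pairing works on Sysmon Event ID 1 or Security 4688 data, where ParentImage and CommandLine give the two sides of the comparison, and it is a durable hunt: all eleven dropped copies in the Downloads list below are the same 192KB as the parent yet carry distinct hashes, so blocking the dropper's hash alone does not stop the later stages.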

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{213D1142-1D60-434d-B2C0-55A720053B04}.exe

    Filesize

    192KB

    MD5

    5bce25d8d948db48a4c0e6c4813aa5c1

    SHA1

    6e435e59f49546cfd6c91dad15f2466ca141d471

    SHA256

    e26f1ab368ecb289ed78582b4a17de9ba6f10d4d7684218cff36f7718f846c1f

    SHA512

    e3047ec09e041ca382dcc7eb6ee75ffd7ab97f581804f6aa1d65f3a374fce25476af75bc4b055cd1c07c8b52edd7fba4d302ee53b61b30c41e538b42f22ece34

  • C:\Windows\{4491F9C6-A4F5-4d47-A1F5-02172B56CAC5}.exe

    Filesize

    192KB

    MD5

    8f9f872515cc58b8d0a361f4f587d6da

    SHA1

    c3877727f52a276f354f5f14caf7cd920d2b2a60

    SHA256

    c58edbf8dcfd7a23e3e13de8daa1c147e28eec4bca37bb6786cc727f2a6edc5c

    SHA512

    1165265a1e8a7c71dccfb17f9d5c0b9d5b16950ccf255904b258a76ce412c4f20e8efd4f0e1242b048a60a9f306620439737126e298704468275f31db17ae916

  • C:\Windows\{495D8FAA-CA14-47cf-82DF-A14E89CFD1F4}.exe

    Filesize

    192KB

    MD5

    a02ad9c3e1a7c20b7462c6053e84e357

    SHA1

    e96d6e8323e53e2389d88e6887211a92c2010a0d

    SHA256

    95bb9e6687099f94aadffa3953869cad5200d2cd44397d1de4b358dc6b0eed48

    SHA512

    4abe668aaa8407906d03f909dd6598db84e333100033df3e29fa912ff20cc7723f189b6e471b3875d7c6e3eccc45025678ea0f4af03eb3635070aafcbc83f901

  • C:\Windows\{55DE1AB4-11CD-4510-B793-C7DC02F0A671}.exe

    Filesize

    192KB

    MD5

    e2749f7197c60298dfb22cf0293ee604

    SHA1

    bb3862def5a7f20ed65be70c08d4bff6024afb75

    SHA256

    572d179c38812877559f0517f2697f5546bf6d52eae08c93250fced360cf022c

    SHA512

    90a97d21f06c708b4fcd0f21b8aaef3aded05fd9800ae5197c63ecdc36f9c880115c3f65cd12fffd124badc9d5fa2136851edd9e4393e7d69884ed5a462dc6be

  • C:\Windows\{67C1A92A-9068-41c2-806F-C7354C6B64DE}.exe

    Filesize

    192KB

    MD5

    31fff9c623a20d6ade24dd0bb92126f7

    SHA1

    948c4a1bdf7503f16dfc232cdc28a0464e0937a0

    SHA256

    956e5920838189afd3e1e9015237a8ac92d63860062ea8887da4ae027a45975a

    SHA512

    c3980e17f3c49d15a638b62852bc8586fc4bf4192ce1dd71e6af836d85a782bc9d6dc9d889c3d15eb0e11486a22d02b4c71a40d036022f46027142faf4377728

  • C:\Windows\{6A1F69FD-8DDC-42dd-BB01-96DF8D559AC4}.exe

    Filesize

    192KB

    MD5

    da91e27a8570840d50d03b73b346fb6d

    SHA1

    77dbf99803358888bfa75344f41c25ae778dc449

    SHA256

    87a271168684289bbce2f074c5d8113061c70b41fc9b077e3090cac9411fca03

    SHA512

    9532d34df6eea940f333102c19cbaad9f53f145166366a73f2532f56fac3475d0fd208827a6babfa0e14cc9cd2a1e1d1c2e16ba82b8a9cf446c850306b441355

  • C:\Windows\{818C5A4F-1F4E-4c3c-91B9-C2971C0624DB}.exe

    Filesize

    192KB

    MD5

    931d1304a56a6491e4c127dec93b3af7

    SHA1

    112cbd27c3a0dbf3698b5e0c4207b6dc7f8596f1

    SHA256

    5169d049d56196d13d8fe71cceaf20658f5d066efc93c1a3559ea03871b1b179

    SHA512

    ddd06f8d56dd2169cbc2bad5ec3bcfe73193b93b4b13d525354b6f87bd3ce936a4a9865a319faff0c60646e97e9f7f5a8126609a544febc02a67ca03063d1112

  • C:\Windows\{8EFB6975-332B-4619-A3F2-53E2EA29BE99}.exe

    Filesize

    192KB

    MD5

    e14469a846c8fa7d0d8328d221ecb968

    SHA1

    368691a7c89ed88e8fdc53f2c2fcf63f9535124f

    SHA256

    f7563e546bc39e670406a1b3e76e952b15d3e0889df532aea6b882706d20531e

    SHA512

    83c0b697c75026b2dbf220980d9da507278e802eac6372d235b8fdde5de3b1b3f053e85ab84cd72d0ac8289200e3c017ef4a699baf1422a2ae601159e6321633

  • C:\Windows\{A6B85ED3-DF18-47a1-9164-B7C8EBE17C46}.exe

    Filesize

    192KB

    MD5

    cc1f5978a7bdf3c92adbe84874f6aa7c

    SHA1

    0e5c13508e14c3af0ce19a61809d491843507239

    SHA256

    70536b88588d1b3fb0855c8d150caae6f62f3a5f67ffc4eabecef31c8797f626

    SHA512

    2494ccbb675fbd35329833eca8b71fa7fbe22093b7840d73bc9ffc0d9d12f32c29ef6ab70d215108e3e3c3cc6227de793b8bb8dc346c7d3a684858d54fb57aea

  • C:\Windows\{C4B66ABB-3C04-4c33-A838-1F66C3BDB9E5}.exe

    Filesize

    192KB

    MD5

    60096cf604ab5fddf5455c15bac1d5da

    SHA1

    5c03e47c583c794c70c9a1659ff94abf3d87212d

    SHA256

    eb2d97e07d59ff1cea3f091297d9ac4a9b92e52fc3c1dcacb48ab86b6c9ab388

    SHA512

    52d58cb46bbdad162d613251ffe943c716eff9b02577ee77632da64044a92cdf6a4a0c2530e8a3b027e1b5b6ef844ef5e3ffd5ada1e84ab7f95df98456340325

  • C:\Windows\{EB171081-8ACA-4e6d-B5D0-FF53EA37932F}.exe

    Filesize

    192KB

    MD5

    de9ccc2de8ee1d04ea9c08f6d31e839f

    SHA1

    20e041648e1b82de4c29371c9631e519e0a8fdb0

    SHA256

    6f83fbb1d5d22a67f85840f1f2dfdde27478a88c8f7342d07a9e66ad3388917e

    SHA512

    18f690b084b26531d3da47dc18e3f0ae0cf3d99e4685e7d0d5022ac9e7954272b5999d18a9b55bb604a25a78eebd69a8d292494c0ad49e092c51c886df4cf05a