Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-10-2024 21:27

General

  • Target

    2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe

  • Size

    192KB

  • MD5

    4d4c4beb28cdb26fc9e135713c74482d

  • SHA1

    c8c120fd7352b22c69ae8c8498ea627d67182b5b

  • SHA256

    755308bee753dbd1021527b66d26ecfe178cbc31006aee4cf17a07dad014cacd

  • SHA512

    f39a7f65b1f4f02d379667478c4e4da03d833c420dc8c29a3eaa6798671d4ce2fb74ec357caf7f529213eedc7373a662ee5628059ac0b4a018ee79a1ae59c7c7

  • SSDEEP

    1536:1EGh0oSl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oSl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\{E1C0550B-6098-4ea7-87E6-845100D695B8}.exe
      C:\Windows\{E1C0550B-6098-4ea7-87E6-845100D695B8}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\{CE853C90-6170-4e11-AB11-0CD214C23B84}.exe
        C:\Windows\{CE853C90-6170-4e11-AB11-0CD214C23B84}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\{D525414D-F9D9-49e9-BD27-E1C6EBD0D975}.exe
          C:\Windows\{D525414D-F9D9-49e9-BD27-E1C6EBD0D975}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\{673D2B57-BF29-45f1-836A-BDE5FE03AD90}.exe
            C:\Windows\{673D2B57-BF29-45f1-836A-BDE5FE03AD90}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Windows\{E03F346E-D623-4933-A07D-69EFDE54B176}.exe
              C:\Windows\{E03F346E-D623-4933-A07D-69EFDE54B176}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2160
              • C:\Windows\{9C730939-007A-4d36-AB36-49781D610624}.exe
                C:\Windows\{9C730939-007A-4d36-AB36-49781D610624}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2964
                • C:\Windows\{6A99A0F6-5AD8-4805-AED0-F567BB856072}.exe
                  C:\Windows\{6A99A0F6-5AD8-4805-AED0-F567BB856072}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:844
                  • C:\Windows\{77C988B1-0BC8-42c0-B7D9-5B81A585251F}.exe
                    C:\Windows\{77C988B1-0BC8-42c0-B7D9-5B81A585251F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1384
                    • C:\Windows\{A82A6224-F7FB-4496-A0F9-C5297619F953}.exe
                      C:\Windows\{A82A6224-F7FB-4496-A0F9-C5297619F953}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2164
                      • C:\Windows\{A5CA1E26-6BD0-4e73-B531-D7B18495A006}.exe
                        C:\Windows\{A5CA1E26-6BD0-4e73-B531-D7B18495A006}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2092
                        • C:\Windows\{2F481A0B-DE81-4504-AA46-ED7A33F87DC1}.exe
                          C:\Windows\{2F481A0B-DE81-4504-AA46-ED7A33F87DC1}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:448
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A5CA1~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1944
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A82A6~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2668
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{77C98~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2432
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6A99A~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:896
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{9C730~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:784
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E03F3~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2804
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{673D2~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2196
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{D5254~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2568
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{CE853~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2888
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1C05~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2F481A0B-DE81-4504-AA46-ED7A33F87DC1}.exe

    Filesize

    192KB

    MD5

    83174ac6e4fa7bfe3954967ececedf0b

    SHA1

    e331b1b6e9ff0b656c991f6286d0a91889fcfce9

    SHA256

    68702402ec2a1f5b0848964edec124b94247aa6f566f48f3448ecf7a545827da

    SHA512

    2af18f664ff7aef61306a1e08c45c25841830c347a5f1441cd321181f12b2192c98a7c910432da5d1ee8ba7d1ef67c37e70edd44f449ffc7b5b2b88a5088d34e

  • C:\Windows\{673D2B57-BF29-45f1-836A-BDE5FE03AD90}.exe

    Filesize

    192KB

    MD5

    6dc771ccb5527d4529b2c7a85993fdfd

    SHA1

    8d87676ed7ca2739c44c250f30aebd75d5c1dbad

    SHA256

    490c1d2e65875aa1092898737e04c6023f0a01f1021a1bca7b39dcf4726f771d

    SHA512

    970d2ef4a95100da99345959e68ca9997a505bdc4414d11974d302a0b9e981bdf5d2fb608e56190da6f63342b02ff6c22cce2ada1b310d25f5dbe75fc65fcfe2

  • C:\Windows\{6A99A0F6-5AD8-4805-AED0-F567BB856072}.exe

    Filesize

    192KB

    MD5

    3f2c5488779a413789eda32da4636cb6

    SHA1

    f560777b89ae723cd135b8980ad8bb9401d17ea9

    SHA256

    962fc0c2cdd7b0bb6a90a3e5df491784a644933f152233dc68394d511af11639

    SHA512

    9ba81d74f7ecb535801e9520a12f9a0600df4f2271e347da8ac5f834ad31b4dcf63d397f86606c14d2b2a68e5e7df10dc185e0f104a6104da90bea948e3665ff

  • C:\Windows\{77C988B1-0BC8-42c0-B7D9-5B81A585251F}.exe

    Filesize

    192KB

    MD5

    ce942543a89070e6205dd8f0a1accd0e

    SHA1

    eb003db6000371adf50c677f7424c8545c2864fe

    SHA256

    53bb7b432b4a2cb07fc4f8883ff955b5870e5bb42abd1cb485da25476b6a2601

    SHA512

    e379b7b51b3dc52078b5cf701aeb87788aa605449a3bdc8c384d03af058cc01f18374e127e26bfc4d091237bf4611322e7234309f412a516984960b617edfc51

  • C:\Windows\{9C730939-007A-4d36-AB36-49781D610624}.exe

    Filesize

    192KB

    MD5

    58972b0060a1338204c4e5ec3d7cb5f6

    SHA1

    4684298dfdd8fc291070917794a94d165481eeee

    SHA256

    354e37e70cc049b0e2489f4680b2668ce1e808906f11ff1a7e194a60092f96f8

    SHA512

    b0d0cb409a8a72538208fc9ebe990c913a2947ce2098089d21cf40b2bf0dd71ce72f6b420fe4584a350fc76c387dbe71fbe4bdbd43554f99114bd549497debce

  • C:\Windows\{A5CA1E26-6BD0-4e73-B531-D7B18495A006}.exe

    Filesize

    192KB

    MD5

    c76c1b02bb84f314a15db106cd4b064c

    SHA1

    ab8b04e94b140b9ad3b7af6170fed85d17e9571e

    SHA256

    d23e0b17ebc8615b3912db4ce1a8fa400c4be700b03d09f3abf731674500ece3

    SHA512

    6709da19b60cebd4a9264fcee46759e6eacc655d8a156c76a8a21b89aa9c57401689eb79ba9aea6b56f59da6ad08559eaf20f8108932fe2d47f1bffcfd95a9ed

  • C:\Windows\{A82A6224-F7FB-4496-A0F9-C5297619F953}.exe

    Filesize

    192KB

    MD5

    3690446ec1f7ddd0c79917092fe1e577

    SHA1

    d4a96cf36e7a9f7cfd91f36beb805e48e5f22fe7

    SHA256

    2526098f6168c015046dd2e4a7338d2f06f3eec8c591ba3e4231d652d37f6fb7

    SHA512

    bb0d393351e9c04d020680dd555b680055e5f2c7e1b0a7db23fad6db37013cc5512a3d6a73b21c89804d55788931534b2a25324db7f556beb01494bf53a9f6ad

  • C:\Windows\{CE853C90-6170-4e11-AB11-0CD214C23B84}.exe

    Filesize

    192KB

    MD5

    699f0aa669ff2d2dbacd0aaf07640896

    SHA1

    dab89013490536b0cb6c910188b8bcd1ba014313

    SHA256

    123b9be56fda28c727886bb1718d449afde92e49c1341be5c37e283051815a8a

    SHA512

    68f0e2270e75fb0f4395cba07a41020d531f287a4a3f5dc1e65a54c2521b6c869385582a38ce758b039efa6ab2fca6cd27c7112a8d6d9ab44c0179b742b80913

  • C:\Windows\{D525414D-F9D9-49e9-BD27-E1C6EBD0D975}.exe

    Filesize

    192KB

    MD5

    6ed49330f416d04f1094eed7d4ecb03d

    SHA1

    a55236b1f238dc0ca9106f8891ce6913481de513

    SHA256

    ffd5fb9de33cf3b736a7d8227d313231d41307ceeed4afbc3d0932e2aae1600d

    SHA512

    e3c1a79eab9ccea0f03c93c9ce9b1eb69778eada15977754b96d209cc6b27b2ce898bd4396591103b7fa73672739cd5d564653111b069b522139220262e8e021

  • C:\Windows\{E03F346E-D623-4933-A07D-69EFDE54B176}.exe

    Filesize

    192KB

    MD5

    795ceda0f739f767c6ecf1429dce13dc

    SHA1

    1d67b53399af2c2f8d7bb24dbed33691dc327eae

    SHA256

    4bb596d91e7d5fbb7006b2ff2b44bdc025a288ba2ec796248e405ca3975e1776

    SHA512

    cfa3c3cfc254c65a6ffc4953f5edb4123a888c7f0ad907ca84e9d4203a51ce5af23eefb77ea963db58394db912ee9997712a26662a3e1f224e3493389aa0a310

  • C:\Windows\{E1C0550B-6098-4ea7-87E6-845100D695B8}.exe

    Filesize

    192KB

    MD5

    c56d1334fb7e13279d705a9d5b18bd4d

    SHA1

    74998e45aed4f404547a522303e11b6805d56773

    SHA256

    da526297042b43595a03cb493e3df41b41437a733155268166d7045b92fc13c7

    SHA512

    3436b6b6b85ed265ba6e18a8ba282e2dfcafab7e94950b053878e6075df3db9703b98417521c0a4606291521597fce64a9b09c9b79d6003ee3522e1c7ec7612d