Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2024 09:16

General

  • Target

    2024-10-02_f7aa20ee477587f5e0d1e39b43a09fb6_goldeneye.exe

  • Size

    192KB

  • MD5

    f7aa20ee477587f5e0d1e39b43a09fb6

  • SHA1

    9a67f6ffda515d4f78c05758e9d17f916c243d22

  • SHA256

    ca1952270c44abd4d6fbf81557211726efade33817e07c4a079af72dd352ae7a

  • SHA512

    c046d80c8389d45139c728c9b8be013d5d630b5bdb3fa447bc23ab41f3d8a5a8e7cceb8257a9aad30c8e35a326d3411c70962efeccf01c78004794d5187df01a

  • SSDEEP

    1536:1EGh0ogl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ogl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-02_f7aa20ee477587f5e0d1e39b43a09fb6_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-02_f7aa20ee477587f5e0d1e39b43a09fb6_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\{373602ED-3F6F-41a1-AE37-948F7516043B}.exe
      C:\Windows\{373602ED-3F6F-41a1-AE37-948F7516043B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\{880CDCED-FF3A-489a-86A2-E2378EEF75B9}.exe
        C:\Windows\{880CDCED-FF3A-489a-86A2-E2378EEF75B9}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\{4BE3AAEF-2D4D-488a-905A-6D4E9295B48C}.exe
          C:\Windows\{4BE3AAEF-2D4D-488a-905A-6D4E9295B48C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3852
          • C:\Windows\{A2411F5F-AE76-4c97-ABD7-180B35BE84DF}.exe
            C:\Windows\{A2411F5F-AE76-4c97-ABD7-180B35BE84DF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3160
            • C:\Windows\{FD5F8AF2-BC3C-485a-8C52-D2B2041B1369}.exe
              C:\Windows\{FD5F8AF2-BC3C-485a-8C52-D2B2041B1369}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4192
              • C:\Windows\{7EED830D-68F2-434a-ABB0-E9D3DBDF56BE}.exe
                C:\Windows\{7EED830D-68F2-434a-ABB0-E9D3DBDF56BE}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3156
                • C:\Windows\{03ED41D8-AFCC-434f-91FF-BE55A2B48CE1}.exe
                  C:\Windows\{03ED41D8-AFCC-434f-91FF-BE55A2B48CE1}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2184
                  • C:\Windows\{06CF7E1C-58CD-4773-BB6E-921E18E6BCB2}.exe
                    C:\Windows\{06CF7E1C-58CD-4773-BB6E-921E18E6BCB2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2020
                    • C:\Windows\{67D4DF2F-A357-4f2a-93BC-EFCB9C93E44E}.exe
                      C:\Windows\{67D4DF2F-A357-4f2a-93BC-EFCB9C93E44E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1592
                      • C:\Windows\{7818C4B7-E7E2-45cd-B1CF-F6CC9F9627DC}.exe
                        C:\Windows\{7818C4B7-E7E2-45cd-B1CF-F6CC9F9627DC}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4700
                        • C:\Windows\{C25116E3-6E05-4fec-861C-3CD545DDE7F8}.exe
                          C:\Windows\{C25116E3-6E05-4fec-861C-3CD545DDE7F8}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:3520
                          • C:\Windows\{F66FE6A9-1809-4ee7-8299-5B9123CA6C4E}.exe
                            C:\Windows\{F66FE6A9-1809-4ee7-8299-5B9123CA6C4E}.exe
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3300
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C2511~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4336
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7818C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4308
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{67D4D~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3668
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{06CF7~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4276
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{03ED4~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1148
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7EED8~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2144
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{FD5F8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1784
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A2411~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:220
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4BE3A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5016
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{880CD~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37360~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2084
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2480

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{03ED41D8-AFCC-434f-91FF-BE55A2B48CE1}.exe

    Filesize

    192KB

    MD5

    1de2cfc2dc4bf87dc77783b0feeda87a

    SHA1

    34e3c8177db9f99fc1309de6253bc65f2ad7ce3d

    SHA256

    77b2dcb6ad24e812853372208c7d5ebad74eb4ff9cefb0719830a35250c23189

    SHA512

    91f6e8f1c74eeef45e0799a693a2b2f332a55c9668d3376fe2e50e491aae0a9b4cef16fdc81e1dc962fb4be9f008c7838e915dd7f74a141163c0660a52f48d79

  • C:\Windows\{06CF7E1C-58CD-4773-BB6E-921E18E6BCB2}.exe

    Filesize

    192KB

    MD5

    ceab16141160dff199368e04af4cddf4

    SHA1

    a055c1e057e11c8081dcce128bd3610818a57182

    SHA256

    46e5f0c8cb3ceb9dd105f41fb5914f6f6dfaaad6a84342dc03be6355ba6c5f65

    SHA512

    f72f8adf6f05077101a62e34ab1bd105306c1af6e676413b249ba8aebf57689954e1377c59afc9490669aa6c49351fc2f87ae768e43f6ae3127841b1b8dab525

  • C:\Windows\{373602ED-3F6F-41a1-AE37-948F7516043B}.exe

    Filesize

    192KB

    MD5

    96ce1d86166e3b36a8f94f2c66391ca4

    SHA1

    afd9dc1830b9f55ddc591dc9c84664c4a84473bd

    SHA256

    4efd64f85f6d0128756a31b7311d092e0a183ddfcfe4afc5c738684dd00f4f58

    SHA512

    47780d9cced5592de7312f964ddda5b9e064e993665ad7c7510cfe7fcffbd05236d93dfa3e89de61f299c97b2790aa36b936fefaceae94c6d6d902dadb0555dc

  • C:\Windows\{4BE3AAEF-2D4D-488a-905A-6D4E9295B48C}.exe

    Filesize

    192KB

    MD5

    ec5a369e6fc37321563531bde99d9cba

    SHA1

    76e3f3ce57b66c0d72087b963b8a3021a062c87a

    SHA256

    eb2af34970491c014a17f97bf7b12294d6c1581c4107989b9b963ed61d971859

    SHA512

    05fb77c4245ed4d438f08ac030e9e2927f306b6ea9e000736d4216aadc4de6557a9bc1c5b1d061914ded00a727b0d1d5bf5275191bb2f957645f31c32eb61693

  • C:\Windows\{67D4DF2F-A357-4f2a-93BC-EFCB9C93E44E}.exe

    Filesize

    192KB

    MD5

    6b0d10f9005cf1eb56a25d05efdc650f

    SHA1

    65f9980510ede237be5738182186367bdf5db095

    SHA256

    9e36be6bd63cb4400f2c4d2a03a32803fe40d55bd90bdf9a30d46bca9f2ec844

    SHA512

    ecae0ff5f80c97494c1fa01a5b4c1efd9d4884103617f8fad3885f6aaa0bf21c0a7900ed02828b1da5b937702815169cd0d5e86afc7e5aaa45bc2cd5330e7b64

  • C:\Windows\{7818C4B7-E7E2-45cd-B1CF-F6CC9F9627DC}.exe

    Filesize

    192KB

    MD5

    b71ccdd5dfd5bdcf7f3308fe0f187cf4

    SHA1

    7e00e6d8bc701ecc21290b2dff7b1dad4cafacd9

    SHA256

    6107a53a1ea78500f40f0cd43689cae3369711804dfe80ef5df8c1d6a9bfb4a0

    SHA512

    db80ad546f5eedfd932edddeb45c408b03a16924e0f3e754aeb4c5c6aefb1ea11115e2c50311ad7b989142c271b47c1f4bfa66265ae2ab58290d65296f524b3d

  • C:\Windows\{7EED830D-68F2-434a-ABB0-E9D3DBDF56BE}.exe

    Filesize

    192KB

    MD5

    9029e3ea3afbb788b4d3abffe8a4a674

    SHA1

    84169ec67dcdb39508e66ecda4334420d2baf55c

    SHA256

    6dfe428c8ae60b9db6094837860d5726928fb807eb361a0c654ba6c4d8fb14f4

    SHA512

    dfe65a95a32e0d2628ec5275819cdf3d3ab53f9bb28495ecd897ea1e3966d0f1e20a7102244bcec257d51c4ab2382d14b229b8182028c5c6f1aa51cf657dde75

  • C:\Windows\{880CDCED-FF3A-489a-86A2-E2378EEF75B9}.exe

    Filesize

    192KB

    MD5

    965273ba595b36ab0ce258f18bf71e1c

    SHA1

    71ede22b3aa1ec677a9a3857fff5717d221c0967

    SHA256

    18c896608bc5420efc991478c8e707d4496cee65cacca818e5505096789001ad

    SHA512

    3cf0dcd68b937b50c928ccf8851e43b8ba094fd29a709827d1e9b1660ed3a6c1113cd3305abfdaeae359985df2a0993b29a762b6cc8c730760703515bb61c77f

  • C:\Windows\{A2411F5F-AE76-4c97-ABD7-180B35BE84DF}.exe

    Filesize

    192KB

    MD5

    916126c7fd1835b030eb3694dbb058e9

    SHA1

    1a2df994892243ac526a94ff3391943f99202444

    SHA256

    7383b0fcebe807ecd3f459e6b84896b393192c5e5f33405c88d1b45440e76be7

    SHA512

    c4572da90c217a73f44b7d534b3923bf28d83e4502c12b682f11e50ab4a844778509c8758d1c18262cca8ed13cae477c2e5484a42c561dbc5e024e4b6cb8ddde

  • C:\Windows\{C25116E3-6E05-4fec-861C-3CD545DDE7F8}.exe

    Filesize

    192KB

    MD5

    d256392aa3e703e9dd8e20f1121021d3

    SHA1

    ec5b439ee09a397d16ae792448eb2e7436ca26d8

    SHA256

    f38331ad22e34e485ae86d90eefe3eab7ae6d4267d1df3b8f0a8627bed479801

    SHA512

    9a613350948c4c9d06ff8a6b04d7639c26a838473df3b10012ff0e0c1fe82273da9eb5fe9ec2f193e1fc04682904e7f32f821b075a94b3a2c7ccda4df2b7bf52

  • C:\Windows\{FD5F8AF2-BC3C-485a-8C52-D2B2041B1369}.exe

    Filesize

    192KB

    MD5

    7fc3b25a1e537622625c3217bc324ee7

    SHA1

    a171a4dcebe9c6ee7b7ce6d04b6a0477ea165976

    SHA256

    27641cc4e207d9e9c1bed8bff56cfbebcc5093befb15d4873a8da732eb224f06

    SHA512

    b60725fa31c9295147c39b33e58a96514995dc1feaaf03b98cce1e76675222113bef54d3fd41c92449d523b2486abf05373131d330d0f20332407d8e7615a6e5