Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2024 08:43

General

  • Target

    2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe

  • Size

    344KB

  • MD5

    6e75a3e3ede151baef946c72c10b833f

  • SHA1

    802ec20fd6ee59038aa5d0b49c064e06a9e260a0

  • SHA256

    31864bf157da452bdbfe1fc080dcae73eed265b8ebc90753c636a8378674b9f3

  • SHA512

    c5eccfaa724a510a98edd3c2d0c37e91c066542658ac50cb9d37c4b89f6ab04167fdf008686dce23881001d0e64942586fae223a05dbf990d616903e4c7d0d51

  • SSDEEP

    3072:mEGh0ohlVOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGflVOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-02_6e75a3e3ede151baef946c72c10b833f_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\{BE203C1B-B35C-46b4-9106-ED49BE7D50BD}.exe
      C:\Windows\{BE203C1B-B35C-46b4-9106-ED49BE7D50BD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\{0052EF3A-1BE7-4930-8AF0-111E931B78FF}.exe
        C:\Windows\{0052EF3A-1BE7-4930-8AF0-111E931B78FF}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3168
        • C:\Windows\{B6713AC9-D320-4217-B760-32E667D7F35B}.exe
          C:\Windows\{B6713AC9-D320-4217-B760-32E667D7F35B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4616
          • C:\Windows\{9FEDA379-A227-4f77-8DF0-3B5EC579711D}.exe
            C:\Windows\{9FEDA379-A227-4f77-8DF0-3B5EC579711D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2964
            • C:\Windows\{D75C8656-C2AB-4a75-A511-0678C237E20D}.exe
              C:\Windows\{D75C8656-C2AB-4a75-A511-0678C237E20D}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4468
              • C:\Windows\{54AD42A1-31EA-461c-94B9-D434745F82E9}.exe
                C:\Windows\{54AD42A1-31EA-461c-94B9-D434745F82E9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2896
                • C:\Windows\{6533C8C6-776E-4e06-B80F-2846BA2505DD}.exe
                  C:\Windows\{6533C8C6-776E-4e06-B80F-2846BA2505DD}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1488
                  • C:\Windows\{46D8D0D8-2A3E-4ed5-B5D0-F6340B8A5409}.exe
                    C:\Windows\{46D8D0D8-2A3E-4ed5-B5D0-F6340B8A5409}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3208
                    • C:\Windows\{3D0B317C-3838-4b8b-8EA3-34E56DE2C1B3}.exe
                      C:\Windows\{3D0B317C-3838-4b8b-8EA3-34E56DE2C1B3}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1976
                      • C:\Windows\{7289CE7A-1876-417b-9CD9-7C9046B2267B}.exe
                        C:\Windows\{7289CE7A-1876-417b-9CD9-7C9046B2267B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4464
                        • C:\Windows\{87F7F4AB-7C76-497a-9936-AD5C33BDDBFA}.exe
                          C:\Windows\{87F7F4AB-7C76-497a-9936-AD5C33BDDBFA}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2288
                          • C:\Windows\{45F3CEA4-97C6-40c4-AE86-A17F68E03BB2}.exe
                            C:\Windows\{45F3CEA4-97C6-40c4-AE86-A17F68E03BB2}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3688
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{87F7F~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1892
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7289C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3604
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D0B3~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2100
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{46D8D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4940
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6533C~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1240
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{54AD4~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1720
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D75C8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1476
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9FEDA~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:392
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B6713~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0052E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE203~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2424
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0052EF3A-1BE7-4930-8AF0-111E931B78FF}.exe

    Filesize

    344KB

    MD5

    f78b34955431deead23eac3584f94fa0

    SHA1

    6a00e4ddf7dea74ef850bde9c9dc1ce870a0eec9

    SHA256

    9871efe9e5c5727ed564b142b440c1dfc179765bb9025c649bd5b5fd4aecc490

    SHA512

    f1af3949cca35bfa6fcaa2e9d6cc25524ebc2a5f02f2c6a7cd695eb203fa79d175d31c2759585c9d5efa13d1b93760936bc46de177aab674370223df68c306c9

  • C:\Windows\{3D0B317C-3838-4b8b-8EA3-34E56DE2C1B3}.exe

    Filesize

    344KB

    MD5

    8c1dea68f5b4365f44b55846d992b387

    SHA1

    75857d231832b266dcd8159839dbc9906dd52df0

    SHA256

    67dbd4eabebf3988b070f9a29179b1cbeaf170bb35447d97f8622a7f5ed40370

    SHA512

    46e6b4db4a1e086d38ef74e785e2e6875b86d091ccda0977ea78f61fab98564d3258d2f2fbb502c610bec0be8eb410663e5e3428f90b6696a008ffdeff849de3

  • C:\Windows\{45F3CEA4-97C6-40c4-AE86-A17F68E03BB2}.exe

    Filesize

    344KB

    MD5

    4b7f479cfce1c315126cf0022582d149

    SHA1

    dea61b8d330aa637fb3864bc7fe6f45c7a1fc7c9

    SHA256

    0009c60edf92d3cb4d985dea043e880cfed1e295c173d709fbe764dd4a94aea9

    SHA512

    0d53c844d54ec60350c854570f678e49bf9e255a05cd4c15ec64016d40a61245ee3b7759e46ffa13907ba897da6c7bb62d3a829a325070fe3f308ea1b43f24a1

  • C:\Windows\{46D8D0D8-2A3E-4ed5-B5D0-F6340B8A5409}.exe

    Filesize

    344KB

    MD5

    705bd9aac214f030909f6c1ab1fcb4c6

    SHA1

    284a287290a17dbf73c2058649e5c5f5db7e99c2

    SHA256

    e40659287c85866b366fe9d14ce241bc0e89713e5837b5e5baa2a6e2425b3562

    SHA512

    82358b2247caba939c719e1ecbde9bd04ef16b8e9de2bceb925389b970cab7114ee8ca8652b115f69a8e48091e6401dc3a4c7bc516db6496859b0981a87c5819

  • C:\Windows\{54AD42A1-31EA-461c-94B9-D434745F82E9}.exe

    Filesize

    344KB

    MD5

    8c3d8af752ae836987c63ed97ef81846

    SHA1

    9deca414e27e8f888957afb2a3da7c581738ef04

    SHA256

    a20cbafb0db7e5896ca0f2d2248857ff2549008de260e9426c17fa7821ba331b

    SHA512

    138d154b36c665de24fd7c0f6bf32f8f4ad917b596252373d57c484f5da2174497ae3f59af69e1862ceea631d241100a6161bb50eba4e8edfb0f11977a993262

  • C:\Windows\{6533C8C6-776E-4e06-B80F-2846BA2505DD}.exe

    Filesize

    344KB

    MD5

    51325390af4885f9a4eee7153735d1f9

    SHA1

    41d06c150516d4ff19b3639d0324775c3ffb2e40

    SHA256

    666aa5f7fd8f5e0d57ccd3ca38f78ed96d24895508bde7bb727defd47df38dad

    SHA512

    1f4062b3a1039462b0477d65f906483b6a8acd93d7ffaffcf4daff4a350654b3da5545d96912604a3f9a0545706148c61977fb217159bdd98f1d92dfc608e686

  • C:\Windows\{7289CE7A-1876-417b-9CD9-7C9046B2267B}.exe

    Filesize

    344KB

    MD5

    319ef92e1d7493be873f6f6751237965

    SHA1

    f60b1907a70ceb2f4773609fd42875a9a5964bde

    SHA256

    8a6ae810ff414f0f952c2254235b7ef80ee2f50c2b5e36f45dc98c2d258879d4

    SHA512

    ed6a9f23b8ba64027ed6c7fab44978fa7cf89f94f914718d277d26c406f7009cf2a7e76d7c535ad50d5ce6bb2f5e025647e80c818abb3fc673ccfdd3dc9b3965

  • C:\Windows\{87F7F4AB-7C76-497a-9936-AD5C33BDDBFA}.exe

    Filesize

    344KB

    MD5

    2987d2d11c1fa006a37634dea67ff06f

    SHA1

    b510c4fed321d208241b8c588a9c6581e43fb042

    SHA256

    4184868180c169883073b77ce169f114d4a1690935318934682c19c07e741bd6

    SHA512

    de914b7d9043fb7247304a74a81f8fcfe50f7482e548a3e65a9abf6f64181cc325e0ef1eadbf02b4ab15237a4353f205e72ca455698a478371f527e5f121d396

  • C:\Windows\{9FEDA379-A227-4f77-8DF0-3B5EC579711D}.exe

    Filesize

    344KB

    MD5

    becbb62b5eaf4c13ac24889299ab3171

    SHA1

    345f90e77c8a46135d132769f371dbee82965031

    SHA256

    0b6efdec102ecfd58aca01e3064c93e2998080605a660375aae2a3f4aacda934

    SHA512

    7ce4603edd5b07fc131fb02b33a0a0e8c2c8ec43a64c472fa9a26c6f5d8173181911edd65938d066bb5595dee71b19fca7ece9e847d6c30047b56c94a93910f5

  • C:\Windows\{B6713AC9-D320-4217-B760-32E667D7F35B}.exe

    Filesize

    344KB

    MD5

    0590def2538b6507f91da9476270c9e5

    SHA1

    14b4064c7600d3cf6a3e1e02303b215625f92833

    SHA256

    97135a91ae14ca347e858c9faa0de10d4405b43bcb8480304b31d3177d148765

    SHA512

    b44c99a0cfff231c2882a671bdbd66122867dd7906b5693327a5f50deff5f51926407117ff928ac8013ab406cec2d2c7b6980f2665154523891b3e76aee74e32

  • C:\Windows\{BE203C1B-B35C-46b4-9106-ED49BE7D50BD}.exe

    Filesize

    344KB

    MD5

    24e2360cd6e990391a75152bb52d282d

    SHA1

    09a137cfcfed01fa6fb4cb85c8c0c6615a30edd5

    SHA256

    7b80b1b4baa5ca2c851fb85930a96543846df2f80e52f0da81fd96a1dabe088f

    SHA512

    cd8101be652bf6654e4a47440e1b4e361c735bdc9e35d9dc1298b0dd3e5e2f77eb6ba435350e963a85b907da57086d5ee5c0cc90faaaf7b4c3a021316b555451

  • C:\Windows\{D75C8656-C2AB-4a75-A511-0678C237E20D}.exe

    Filesize

    344KB

    MD5

    7efb1a375c38620ecd00e86d41c53f1d

    SHA1

    dc3ec33b9ce0dbdacbcbcc1ca7d360912b5555f1

    SHA256

    4f61e10e8ef6316a28dac69d99f85325835031a945e1eb8a3264c413da9a8604

    SHA512

    8507fda2e915f7f9eaeb9b86b8a455a9dace85c83e6ded7feb7e869adc5073c2f53bbbad6f4e8b0418ae07ab23749e072f4fec9ff5674e6fc7fce1c5db5073a9