Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 18:49

General

  • Target

    2024-10-02_2272453e83f1488d2843ca4571ebd83a_goldeneye.exe

  • Size

    168KB

  • MD5

    2272453e83f1488d2843ca4571ebd83a

  • SHA1

    87a8136313c75611cf351195f3c466f3c0289b13

  • SHA256

    6bd0807c8128210f819a9746d6e9fec4898f08da76d1a1b5e532b66f3862aa2d

  • SHA512

    e2635fda5339e9bb074919555ddc8b5dfe72e7b0a2df9e430f2a7ef742b7b7ec9c1a7b89d208f8d15e6d66a37c86ee97b7b09fe91fbe827aa7239ecb66724dbd

  • SSDEEP

    1536:1EGh0ojlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ojlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-02_2272453e83f1488d2843ca4571ebd83a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-02_2272453e83f1488d2843ca4571ebd83a_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\{790F5B4E-5E58-4f85-A947-5A6925F5152D}.exe
      C:\Windows\{790F5B4E-5E58-4f85-A947-5A6925F5152D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\{745ACA9F-8345-4fbd-8BE1-752FB7BB6972}.exe
        C:\Windows\{745ACA9F-8345-4fbd-8BE1-752FB7BB6972}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Windows\{A46EE884-954C-4e06-8518-5BFF54344EA1}.exe
          C:\Windows\{A46EE884-954C-4e06-8518-5BFF54344EA1}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\{1ED7625D-03C0-4268-81CE-27D73D3F7AD5}.exe
            C:\Windows\{1ED7625D-03C0-4268-81CE-27D73D3F7AD5}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Windows\{ABD33993-8FD1-44d8-AB53-1F7898880FDD}.exe
              C:\Windows\{ABD33993-8FD1-44d8-AB53-1F7898880FDD}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2624
              • C:\Windows\{D72BE49F-F218-4b92-AB8A-90647B60E9EC}.exe
                C:\Windows\{D72BE49F-F218-4b92-AB8A-90647B60E9EC}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:112
                • C:\Windows\{076042CF-589D-4f04-BECE-636F7B80B56D}.exe
                  C:\Windows\{076042CF-589D-4f04-BECE-636F7B80B56D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2808
                  • C:\Windows\{56B3D190-4648-4ed9-B832-7957F66A4C40}.exe
                    C:\Windows\{56B3D190-4648-4ed9-B832-7957F66A4C40}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1748
                    • C:\Windows\{4596CC4B-E1AB-4c0d-B81B-81372D09A541}.exe
                      C:\Windows\{4596CC4B-E1AB-4c0d-B81B-81372D09A541}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3008
                      • C:\Windows\{3C298CD2-EBF8-4a7d-BC3D-4E89F4CDBBAB}.exe
                        C:\Windows\{3C298CD2-EBF8-4a7d-BC3D-4E89F4CDBBAB}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2164
                        • C:\Windows\{2D718CBC-CB0A-430d-9049-0DC9B7CC40BC}.exe
                          C:\Windows\{2D718CBC-CB0A-430d-9049-0DC9B7CC40BC}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1096
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3C298~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:668
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{4596C~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2340
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{56B3D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2984
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{07604~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2700
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D72BE~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1940
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{ABD33~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2964
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1ED76~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2684
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A46EE~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3048
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{745AC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2904
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{790F5~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{076042CF-589D-4f04-BECE-636F7B80B56D}.exe

    Filesize

    168KB

    MD5

    55b33a052556f22053c29844dccb7c46

    SHA1

    48dcea99b98e621a138398d2d2be1c2f4afd29f2

    SHA256

    824ee31a2b88a6a685bc8b5726160e6bcbdeecb89d470f70225e5575384b1f9f

    SHA512

    127ffa1ec5639131e0acf2302dc06879dfa95270602d6e90086096543551e5d86e80b0d7b502ce4b925240bf4cf8e729ca38d45bd9700ddf6326781e05b0339a

  • C:\Windows\{1ED7625D-03C0-4268-81CE-27D73D3F7AD5}.exe

    Filesize

    168KB

    MD5

    1ffebee07ec8d24fc9e526554f5c28ea

    SHA1

    1f32ec3f437a6f06ea6c097584ef55bc9e4c3df3

    SHA256

    01d419f40dab6835841a08356e17d18d47b6aea90a7b96343af22c1104ed3102

    SHA512

    8f15be58bcaf562879cba6444fc6ed521aeae98b05367afced46f98d9e32973a9a1e4c490d5a833fbdf4bbc72ad29a2865ff1b6802131d1e7ab7b573d65a61e0

  • C:\Windows\{2D718CBC-CB0A-430d-9049-0DC9B7CC40BC}.exe

    Filesize

    168KB

    MD5

    50c0b968725c5bf73dac1c2434c2423a

    SHA1

    17286ac5ccce72f55c9ea69bd69d153bd5022832

    SHA256

    6b98f712a8aa4f6d272d0244e3d26e00c8d59af9f9c2f8f27bb901a30a7dc883

    SHA512

    979d391568554958cc4ad41d5704c7316cc0d2504100ac3b68dd25a724de08f908dd131ea6671863cd6f35fb8bd9cfbf7f40510637aeed28c6bb626f563ba846

  • C:\Windows\{3C298CD2-EBF8-4a7d-BC3D-4E89F4CDBBAB}.exe

    Filesize

    168KB

    MD5

    4d67113e87d914a0ed7696ec0d1a526a

    SHA1

    55798702554943d09779ef62bb5c4f3e11da487d

    SHA256

    4992f9f940ff48f922bc667125d0ec71c95b915890d8988612bc96224a4f1db8

    SHA512

    e3d1d1b0b682c2584c7f5668fdd1079193131aee7c230ae6c9fd2af64851b47123246aafbb658b14bc86d35bc834b55760556b0cc597eddd883023c9b0e0162c

  • C:\Windows\{4596CC4B-E1AB-4c0d-B81B-81372D09A541}.exe

    Filesize

    168KB

    MD5

    9118996f59dac6434199446007e20e09

    SHA1

    ccdd7d20f433fb742af3ce70f8a8c1d512302b36

    SHA256

    d568a610449bb888d417bca3b0f37e8e8db7eeb719393348a1b3dcbae55b27d8

    SHA512

    bff709b157a4657bedaf3729c744f6f984c9df528081b1c08f934e878e056b451bed3315f126408407498868b56a93e02ed97955e59fe5bea91d45e02ee680ca

  • C:\Windows\{56B3D190-4648-4ed9-B832-7957F66A4C40}.exe

    Filesize

    168KB

    MD5

    24fca419b43af8cd12d60749e1e49c83

    SHA1

    437a4e1a9fd794a26493a42ce507ca6da8fadcb2

    SHA256

    8d826e19c6429243f597177a2e66f53386667209639b62221b84810c4fc148d7

    SHA512

    cc68ac84ca636595aa6503f84129f8f97aff9aad8d023a4908e162cc58d5d6eee038a7c0381f579b1f5a65c95ee16b00a8d124f68034db93054bcaaafc00aec8

  • C:\Windows\{745ACA9F-8345-4fbd-8BE1-752FB7BB6972}.exe

    Filesize

    168KB

    MD5

    f14aeccbb99365feaf131888e30544a2

    SHA1

    8c98281a02ad0e6c207122979890a7ac7f8724b3

    SHA256

    49cdfd8ac87c7969da50203c9f9552967a55170be28250b04d635940cbec83d4

    SHA512

    e72d205a4354dc858a36ecb072bd79cf0d81b26d61162fe39af3bbc8289cda08afdafb0c23a19c8979bccce627a74114b030d7e56b99cacd671f378572074b84

  • C:\Windows\{790F5B4E-5E58-4f85-A947-5A6925F5152D}.exe

    Filesize

    168KB

    MD5

    cc6ad311a493d21e7463284008df4dc1

    SHA1

    dd6346e4bf299f956f5592ed2571aa243405e956

    SHA256

    6be0c105f5a01bf9f03cde9d7ea9652cc596dc5d36b1caefb739a7f009cfcde5

    SHA512

    3ecd8d23d2a8e8da96ed9d2312aaaa3fae257bb1bcb5ddac7e305c13bdcffc2a10542fc6407c1895644cf5a437d798f166c2523f9c948a9e151404cb50c57b4e

  • C:\Windows\{A46EE884-954C-4e06-8518-5BFF54344EA1}.exe

    Filesize

    168KB

    MD5

    c845892d7bc23bd36dcb605cec8f58a7

    SHA1

    6e1b7f557f4a043f3c4fede8e0980ed88bd545ea

    SHA256

    00776f73d1401bf3ff2ffc9bbf7a3c2869a30aff668a47f8ce2c541788b71afe

    SHA512

    dc1370a634bee482208500c7db7df8c45f64bf9357df7ea737299788e2284c9a9372cc8e11e73a128d1a2e09c5e3de4e224db6db982c5eb315f3a45e224164c1

  • C:\Windows\{ABD33993-8FD1-44d8-AB53-1F7898880FDD}.exe

    Filesize

    168KB

    MD5

    5baccbff786b58b5766aeaf31f61cbef

    SHA1

    c1220609335d0cef88a654bf1e10c3cabf61b6b0

    SHA256

    12b2a4af9fe278f095b436962e4bd8674c6c92ec58a551b03316f19bfd1e3d9e

    SHA512

    b8f94353ec6f80a4d9de35393a985ba3b8c5526894d128c3e2ed664a73a00c80276349aea16d969e905bb584e8aeb7b4da88ded7831f0905584b654846857a4d

  • C:\Windows\{D72BE49F-F218-4b92-AB8A-90647B60E9EC}.exe

    Filesize

    168KB

    MD5

    f1453765f6a0c6fd8c426518ef4704d0

    SHA1

    f329cc4617f4f1e13d8b92f525022fa296e883b1

    SHA256

    ce297fdcb38d612e56544957aa0dda4a7d1c0a3a339e40a6d6810c3b19ebc55c

    SHA512

    99db1b99e5f5a396f2ea65415985c9ed7e250e55ccd0e93a0797433880fb6682391d298bddf08e91359478b5e3c27525900c99bac22a7dc65bd44aded861b809