Analysis

  • max time kernel
    149s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2024, 07:48

General

  • Target

    2024-10-03_9b2873a4d8bd6f827729c90bca9dfa1e_goldeneye.exe

  • Size

    408KB

  • MD5

    9b2873a4d8bd6f827729c90bca9dfa1e

  • SHA1

    7e31e311470aec882fa9c26fed0d0c11f5d52b90

  • SHA256

    21b9615e6d5a6e78889bc9009a8a4484c889c61f281acb77d66c20146cfd23b7

  • SHA512

    fc86f382ce553dda935159b0c0b98f668b6d9eec5709adaf156ecda362b7baad7a5bc4653d9c8a06de833daee010bd1eb4babf9608a12211145e1c87b2a7e2e4

  • SSDEEP

    3072:CEGh0ofl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGxldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-03_9b2873a4d8bd6f827729c90bca9dfa1e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-03_9b2873a4d8bd6f827729c90bca9dfa1e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\{D5476A5B-9456-4265-9D0B-518144CC216B}.exe
      C:\Windows\{D5476A5B-9456-4265-9D0B-518144CC216B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\{52F33E81-767F-431f-8D65-F891C15F5CD7}.exe
        C:\Windows\{52F33E81-767F-431f-8D65-F891C15F5CD7}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\{0BE46D1B-9D59-4062-93CA-853D112C6784}.exe
          C:\Windows\{0BE46D1B-9D59-4062-93CA-853D112C6784}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Windows\{12207460-FF02-427c-B672-38090A6B390B}.exe
            C:\Windows\{12207460-FF02-427c-B672-38090A6B390B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3432
            • C:\Windows\{47C911BF-EA03-42aa-BD0F-1ED092827723}.exe
              C:\Windows\{47C911BF-EA03-42aa-BD0F-1ED092827723}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3876
              • C:\Windows\{BDE49BE7-011B-40ac-B616-BB575E3E5272}.exe
                C:\Windows\{BDE49BE7-011B-40ac-B616-BB575E3E5272}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2968
                • C:\Windows\{0C0DBABD-EDA3-4d07-ADA9-7A5365B81D3E}.exe
                  C:\Windows\{0C0DBABD-EDA3-4d07-ADA9-7A5365B81D3E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2844
                  • C:\Windows\{903E9646-E348-42ca-8A94-E852C124C1B6}.exe
                    C:\Windows\{903E9646-E348-42ca-8A94-E852C124C1B6}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2388
                    • C:\Windows\{3AB1D3C7-FBAD-43cc-8A7C-F126158D29B4}.exe
                      C:\Windows\{3AB1D3C7-FBAD-43cc-8A7C-F126158D29B4}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1876
                      • C:\Windows\{F70E2F1F-CA28-4703-BE17-DFC90288734F}.exe
                        C:\Windows\{F70E2F1F-CA28-4703-BE17-DFC90288734F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4892
                        • C:\Windows\{BD6E27DD-3975-4feb-9B67-F11668B8AC53}.exe
                          C:\Windows\{BD6E27DD-3975-4feb-9B67-F11668B8AC53}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1116
                          • C:\Windows\{2A846628-A500-4e32-B526-EE9A5E2C1FB5}.exe
                            C:\Windows\{2A846628-A500-4e32-B526-EE9A5E2C1FB5}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3812
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BD6E2~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1868
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F70E2~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1020
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AB1D~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2428
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{903E9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1964
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0C0DB~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1180
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{BDE49~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2960
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{47C91~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2468
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{12207~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2508
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0BE46~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{52F33~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1320
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5476~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4960
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0BE46D1B-9D59-4062-93CA-853D112C6784}.exe

    Filesize

    408KB

    MD5

    9f25419db1b4e1b2d59c72290619d800

    SHA1

    0aa8dc3014ca9c50a23aa305206063d1c94065c2

    SHA256

    98b740b10f2d7e7db67a73ec4dd6fbb271e5a26015a9a9a6201b369eee3c5e6e

    SHA512

    6f382954c313cc6a6dbc9d2d9b11bfe9e62c5d4ed962810f8c6152c76982d319caa1c801540ea733f6fc9bb656836f01a54f8541a28ab6d61fcdb9b132903b19

  • C:\Windows\{0C0DBABD-EDA3-4d07-ADA9-7A5365B81D3E}.exe

    Filesize

    408KB

    MD5

    4b200ee4165e56e72abdb58f43993dcb

    SHA1

    21a71eced76c5e249d76dd29e2911ba23b758ea9

    SHA256

    c82fbf2a34ca2628d2f2c5a26b616fc594e088d359944e0bea476ea3a5ace336

    SHA512

    e60a01cbc87d2fc97a84b69562c1ddd5cf14fce7ffacb8380be1dcf9783467ac60626e4b72749d66baf2f18059a90185c6f48c813c2825585d4dffb55b4af493

  • C:\Windows\{12207460-FF02-427c-B672-38090A6B390B}.exe

    Filesize

    408KB

    MD5

    0d8bd24af2887e7ed02284f6c1fbf528

    SHA1

    50f1714d54eb878b58bc96f50d785f692120424c

    SHA256

    d8e15ab2aef96ec52a3aaec59ae129a1659781109b2245f014375a18ba142fca

    SHA512

    7a0090d81a3e4c4eb69a5669247467b10e9861020ddefb16b2ba629600d9f16ea597493fe05411a1410f6c2a569b20c43dcd18a4169b60372a71361c27387365

  • C:\Windows\{2A846628-A500-4e32-B526-EE9A5E2C1FB5}.exe

    Filesize

    408KB

    MD5

    20dc0d523f85aadee4cb89ffa21f6d17

    SHA1

    68e3b859234c62c9d25afbfa3d1cb3dc377a8572

    SHA256

    74b83f0ac498f2add6a02d25cb9bfd80875fdd64c2bcd41711694d0778ce9140

    SHA512

    17a4d6fbce1d75af56ca734f8577bc529ba386342c5479ec3ab7083af53eeb703df8660c63f817675e4d36d4bbd6bb4c3baec3a73298c149d7525683e609d272

  • C:\Windows\{3AB1D3C7-FBAD-43cc-8A7C-F126158D29B4}.exe

    Filesize

    408KB

    MD5

    5b1ac48ea3def9e0329a9c312d4bf76e

    SHA1

    96e846667008e6a67048b88b7a47d3f59d3a3649

    SHA256

    e8d55316b76762735a64c29b49d53898fc4e3db3a89b30f86faf1be19fb76a71

    SHA512

    619c2092e80f5d0427c302c1bfa729bf1f958c578ec7d04104b7026e5661965473d963f1fa5221c322aefacb3d6e1f8ab190ca3a51777a038e5e6f33a02115e2

  • C:\Windows\{47C911BF-EA03-42aa-BD0F-1ED092827723}.exe

    Filesize

    408KB

    MD5

    42d33e1d528ca3f159d423d3f2ef7f84

    SHA1

    75735e33aafa388f8acd7d63b350533447564772

    SHA256

    eaedeed233cc00467c86647f968da3cac12352698f4d3c917d96d6d1b383b5b7

    SHA512

    1c7afe0749c11b5adea913dd34d9ee2f9ad3e937025c6fc6a42ec873b593a75e899b743ec8c1f9e9728266aeb47af143ff31ad44b979e3ea40c3e1dd6a39ade4

  • C:\Windows\{52F33E81-767F-431f-8D65-F891C15F5CD7}.exe

    Filesize

    408KB

    MD5

    944fa46beaaa36e8174913a419584c0b

    SHA1

    e0354735f8c3e3e98d9835225f82e428116c8f48

    SHA256

    563c0e462e19139636b3c8fc7f09ee75e18fbad651c18f95cd394a50acd04e62

    SHA512

    3976f1d4ec18ddb1005eab54684fd12741ee53e93f65713e8c2913b612d8294c2dbc30e1f2e928da6c0acc483689efc65e63d300c09d91854e53fa6a516833d5

  • C:\Windows\{903E9646-E348-42ca-8A94-E852C124C1B6}.exe

    Filesize

    408KB

    MD5

    fe574d7ffce8ba18a221915a8c56424e

    SHA1

    f1f5060fc6db0902b57fcc4ba76f78434b8f0fae

    SHA256

    a9134b47a5aef3263f36c2788a992def41115a9ddcfe7625493fc72a96142ea9

    SHA512

    cba58311114ce9a1ca0618c05240a6e5e58195b8df67b18ba24937b1d4870226f8cd4a308764c5a3f263f9d485df5db85cd8a19f6c59ed8e19359ddeac30ae7e

  • C:\Windows\{BD6E27DD-3975-4feb-9B67-F11668B8AC53}.exe

    Filesize

    408KB

    MD5

    aa59423c99934ffb648a78deffb91207

    SHA1

    38386a3e90fcab51b665e9a8414f0baa41da096a

    SHA256

    99f183839be7b3aadbfb83dbd7ed8990f6abb6502d6ab5a34e8e48297cfd328a

    SHA512

    ec4ea08bb573a989a5c11a6ba0233d63ea00379b8edf5df2a2d8b0d9786a6c9596256f86977c8ae2d41b0267738b8d15f6f0781f0923df2de645979004abd8a3

  • C:\Windows\{BDE49BE7-011B-40ac-B616-BB575E3E5272}.exe

    Filesize

    408KB

    MD5

    9f51350b4879eb4a200879c1b523e3ec

    SHA1

    64fff8280af8728079c8bb90ce5343d7a25c3e62

    SHA256

    047ae60a68fc8a4b4ec6be0c0e45ceb21c25d4d06c97526de32a035cf2418fc0

    SHA512

    caab752da9379b31db12564e2840c8ad97e5dc5c103d97b0429e32879ac6e4cec6b1cb3c1160ae0b53f8bcc5db527103e0590a8901a5e30cc2d098dff1ead5c7

  • C:\Windows\{D5476A5B-9456-4265-9D0B-518144CC216B}.exe

    Filesize

    408KB

    MD5

    480b6709234ce437e807c492e7b4f498

    SHA1

    29d0724181f3fadaa058f453a443dd4f4f3bd5dc

    SHA256

    7fd5ed02feaa212162344129a829b66afdc0503c624d2e1edee8758a64241ba1

    SHA512

    79ac7ea29c3b024621c9c725359ff5b895908899372621881de44cb708a21445250508cbd7ae238d7ddb577b4c8b6c8a088eb8d789b71145dd274022b118a848

  • C:\Windows\{F70E2F1F-CA28-4703-BE17-DFC90288734F}.exe

    Filesize

    408KB

    MD5

    715545294f56c8e174bf1f0125ab7254

    SHA1

    12343f5ed7411a0af5652157cc30f88a30c894e3

    SHA256

    ea22972efd185220af128b2fe4c5d956ecb4897f84e9f1f6d69794edba9d89aa

    SHA512

    17301f6c59e2d6e8fa8051365ffe64ca4e27fc87c7663f32e965f0c30a6a5053dc1c64ffed654b48428206d80a6e200739339a537608d0d95e4f0a47d39aaccd