Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2024, 09:27

General

  • Target

    2024-10-03_2194bed34b1f83205e1a29f254a17962_goldeneye.exe

  • Size

    408KB

  • MD5

    2194bed34b1f83205e1a29f254a17962

  • SHA1

    2715207d806e38d4a0534f5f58a127d28165b7d5

  • SHA256

    2f9d7603d8dac08ee46dd7b636f81c2742ef4458955bc6b36573aae123c62901

  • SHA512

    ee9d4dfe70c4ebb0dc77d95f223a18babea6324516994503c9c52a78dd55dca7843337da907189c2b03f2958b63e920aca1fb6ed139dfcbf9c6e1d9f8b0ce01a

  • SSDEEP

    3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGQldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-03_2194bed34b1f83205e1a29f254a17962_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-03_2194bed34b1f83205e1a29f254a17962_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\{B5DECAA0-B53D-4047-97AA-D6EDE351FCF4}.exe
      C:\Windows\{B5DECAA0-B53D-4047-97AA-D6EDE351FCF4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Windows\{018039ED-63EB-4d0c-A578-8330DB2E6290}.exe
        C:\Windows\{018039ED-63EB-4d0c-A578-8330DB2E6290}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3252
        • C:\Windows\{1F928C90-22E3-4915-ACE4-2CCC3985A884}.exe
          C:\Windows\{1F928C90-22E3-4915-ACE4-2CCC3985A884}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1952
          • C:\Windows\{D8043F68-125D-4ea8-85AB-109AF08F2C0D}.exe
            C:\Windows\{D8043F68-125D-4ea8-85AB-109AF08F2C0D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Windows\{A9D67998-B00E-4111-A019-7001D0A11ADA}.exe
              C:\Windows\{A9D67998-B00E-4111-A019-7001D0A11ADA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1284
              • C:\Windows\{203A7A66-BC1B-4de2-A00B-A999A63B28BC}.exe
                C:\Windows\{203A7A66-BC1B-4de2-A00B-A999A63B28BC}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4160
                • C:\Windows\{400C1B8D-7672-4b79-894A-F2116A226FC8}.exe
                  C:\Windows\{400C1B8D-7672-4b79-894A-F2116A226FC8}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4440
                  • C:\Windows\{59632AE8-2843-46fb-9275-1D3EA3B3E908}.exe
                    C:\Windows\{59632AE8-2843-46fb-9275-1D3EA3B3E908}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4832
                    • C:\Windows\{05B51FE8-AB56-445a-B9AA-67595889BA1A}.exe
                      C:\Windows\{05B51FE8-AB56-445a-B9AA-67595889BA1A}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5008
                      • C:\Windows\{C7A38A33-146E-4359-B6AD-84F05EB9C45F}.exe
                        C:\Windows\{C7A38A33-146E-4359-B6AD-84F05EB9C45F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3768
                        • C:\Windows\{B99AA63B-DA7F-483d-85C8-0FBED9C8465B}.exe
                          C:\Windows\{B99AA63B-DA7F-483d-85C8-0FBED9C8465B}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3636
                          • C:\Windows\{B42C6539-05B7-4bb6-8F63-AD398F05027F}.exe
                            C:\Windows\{B42C6539-05B7-4bb6-8F63-AD398F05027F}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3256
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B99AA~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4836
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C7A38~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1460
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{05B51~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2136
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{59632~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4100
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{400C1~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2724
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{203A7~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1648
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A9D67~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4024
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D8043~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1032
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{1F928~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:208
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{01803~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5DEC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:4556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{018039ED-63EB-4d0c-A578-8330DB2E6290}.exe

    Filesize

    408KB

    MD5

    9e9ae3f47a1903799425f6e496ec3ea4

    SHA1

    9c7292b3ed892506711953daefc9103e1e251171

    SHA256

    3cbaeaf66761682652f0ff2f3723509cae1211ffaba2bc008fb9653c5091e613

    SHA512

    1386fadb0cd0f48fba1c92c34374d8541552e27ed816fb411dd84253774272dfd1c52d97eb4ecb71f2e30cdbeea999aa8f66388d944731a955e4e62492336233

  • C:\Windows\{05B51FE8-AB56-445a-B9AA-67595889BA1A}.exe

    Filesize

    408KB

    MD5

    b80d690212f09cf114ad81dded013ef8

    SHA1

    863bf31938e0509ed3bd4ec3f4b06b91f1f1bb29

    SHA256

    18e0c6f88bba1b2a0ad317f58686b790df0690521d86be574a090b8495a41165

    SHA512

    c36eaeacd667b59826983ba1797aea3efa2596134da1670e6f89afedf636a9c10dcb1de737565c4a23ebdc897f890ffc61b06ec4b517fa229e88405f84674b1f

  • C:\Windows\{1F928C90-22E3-4915-ACE4-2CCC3985A884}.exe

    Filesize

    408KB

    MD5

    5d410cd12f96c5892ab4849fd7aaeb00

    SHA1

    7c05bff50384a35dd46df90ae5518128c35dcf74

    SHA256

    bfd6dd0219f2dd3854c8b504317b7692ee257d42a440be0bf9cee337c1f210a8

    SHA512

    0b41c261ba0a3bcead8fbf14fe064fce2e01862a57a3905509570944fcd5a2a731c1ae41e7f7920c8e122778eab68f1d8fcb554104f4b420ce8e46bba8779942

  • C:\Windows\{203A7A66-BC1B-4de2-A00B-A999A63B28BC}.exe

    Filesize

    408KB

    MD5

    b2acf2ac097895e9f2918fd270d3eba0

    SHA1

    803c8608d5ba4f2492fba1cc218f085ae297f687

    SHA256

    5cc6f484debdeb01e6f633e51ea3479c38c79e467574c0ca461f2804e53bb3d9

    SHA512

    682a255b3d576fbd68dfeb2d12fcb57786a2d30d6d0e40228531a3358a1265c6613bcc64c7b8223b3f03961d291575a67ffbbe961165d5efaf432dfce7054f2f

  • C:\Windows\{400C1B8D-7672-4b79-894A-F2116A226FC8}.exe

    Filesize

    408KB

    MD5

    7febdc6c0c3beec5c7de603514909617

    SHA1

    9daf68d30a76ba3eed511fed23f99f5a7b16810a

    SHA256

    83e767637da09be4030ccd29fce585432cf68998e3c09616ad821f7c31c1fe71

    SHA512

    3531406d1d76f363d34b67b755a95ae1cbd2c7067d3382c4ebe18f802176192d5b20375bf8ac3ef35b6d87925bde51598cb086f8797490ae73e8ecf43616c1b0

  • C:\Windows\{59632AE8-2843-46fb-9275-1D3EA3B3E908}.exe

    Filesize

    408KB

    MD5

    aaf825839f293cd3f0f2fc3546adaf9e

    SHA1

    c57d8d82bcee2c63d5860c900f896f2e7f798deb

    SHA256

    32eb4ec58751405525676e04c896932026e73c61ed44996d8159a371bcf99cf7

    SHA512

    c81ff55a8bb8e5ef196975defaa471b5b77b7c57c7281911803267d041e2edcbe306384e65043e5419f32a2a66f94efdd82faeec97a01243717c3cc467f5be36

  • C:\Windows\{A9D67998-B00E-4111-A019-7001D0A11ADA}.exe

    Filesize

    408KB

    MD5

    52e5f6df99179a8385acd3e9b6dfe1ab

    SHA1

    e2e2db993ad9d3c62c64d37e8847dfbe88f1ac53

    SHA256

    385e33a1a28aba38a580dc0ade181c060d0dfdcb20f167340aa84f44d85c3dc1

    SHA512

    f9cd6ced075f69038edc0da18056bc5e6f9211c6dcd959fb266a1ac8e9d7141f345637c0752f3c80fe6651407c133f408ddb4104f1ca59748d9894f1f47ddc9e

  • C:\Windows\{B42C6539-05B7-4bb6-8F63-AD398F05027F}.exe

    Filesize

    408KB

    MD5

    17d3ebdc0af7f43f7bee736fc2a06a64

    SHA1

    35f84e1a7a55285c523edfd85e69ce86a1d996c5

    SHA256

    a81b8de0c6e357c6086063aa7760d33dc3ef4259702d7a32b16c2d9d894bed48

    SHA512

    32b5aba12f704f7e1be8e6762041540816e1514f4c1cdab72b1c4df39b6114d57ea79b085199b706729397149728e370a99efb0c60e19a18403f58240865a0bf

  • C:\Windows\{B5DECAA0-B53D-4047-97AA-D6EDE351FCF4}.exe

    Filesize

    408KB

    MD5

    7845bafeb347c387647a48f991a54741

    SHA1

    e58384a2569b9044f29180ea94ea1a3e1def4a4e

    SHA256

    16efbbab770c7dc6b444aa4073b71bf61831121589da35921dbc244dee26b00f

    SHA512

    1d4e0de429229336dd07e4f27abc8a9bedabfb097a963f85a7d8137e4622c30a34624c0baa249ece287581557ec10009ceeaea80858f42e47c7a8a0c376e7ce8

  • C:\Windows\{B99AA63B-DA7F-483d-85C8-0FBED9C8465B}.exe

    Filesize

    408KB

    MD5

    0981fa3f2e53e6ffc1291a473d6cb384

    SHA1

    e1b8d809ab4993f033b389850fbcc752731da9c3

    SHA256

    da4ae294a78955fab10c22ba5abe0dfb9fe9dfe8dd54df19be3d00e219f9ad5e

    SHA512

    3c8a5309145f626f768b66761d8cb247b65aa366e9a0f23740324bc932b5ac1ec4cea199039203553e44c56a549ba0735cb0a0e408f46cdafac193c1b6e4207f

  • C:\Windows\{C7A38A33-146E-4359-B6AD-84F05EB9C45F}.exe

    Filesize

    408KB

    MD5

    264d302fa2708e9b1bffdf340ff3c737

    SHA1

    c866383cef4bcbefc40ee0704e5401ff84bdf918

    SHA256

    ebd6cb8464528dd3605472988a328ac8ea8b8b751abee59454414389a94439a3

    SHA512

    584508ac5416f42dd293b6151dda867dfcb582822f17a0c93d341cfa7c9b49f7686d3b3e1405b1d72febad688601581aa41bde123a5c261e7c064254a4801e1e

  • C:\Windows\{D8043F68-125D-4ea8-85AB-109AF08F2C0D}.exe

    Filesize

    408KB

    MD5

    7a75e237eeb91f16e39e99687fa14e68

    SHA1

    154dc94cb0ee2cc29fbae23822e8aeb6ea62d305

    SHA256

    c29a740d5009b3a0d758d5cdd6c0251b985d86deb00df97aca770bb688441e9c

    SHA512

    a35ddcdc5c03d6023db00dbda2ee3e3e2d3708dbe4eadefc704118314d873b43ba93ad422a266c600ae37133ff1cd720047f0f12881b260a98ff7df9891b2859