Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-10-2024 10:37

General

  • Target

    2024-10-04_ad96f850339386bceb93b2f2d744a9c9_goldeneye.exe

  • Size

    372KB

  • MD5

    ad96f850339386bceb93b2f2d744a9c9

  • SHA1

    42ba679a7ef9b200e97042036d2d35243c44a3c2

  • SHA256

    8a19c5d2550e57284eea3e573df7248b3ec8c13da96d1d60176fff1ccdf2e00d

  • SHA512

    69f973d30cd4d70521980dc89abd16ed3422b190e6b0e1144759b16b97450bb744cfe0dca82690a0b7067c8e36758033b24880c520e12fef2b00a536ae9ff848

  • SSDEEP

    3072:CEGh0oxlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGnlkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-04_ad96f850339386bceb93b2f2d744a9c9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_ad96f850339386bceb93b2f2d744a9c9_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\{8B13AB6C-05EF-49b0-99B6-DDBBD2D07DC6}.exe
      C:\Windows\{8B13AB6C-05EF-49b0-99B6-DDBBD2D07DC6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\{ECFB1810-F974-4084-814D-CCB85AF64D9A}.exe
        C:\Windows\{ECFB1810-F974-4084-814D-CCB85AF64D9A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:812
        • C:\Windows\{299B38B6-9B6C-49be-90B6-01C59B1989E8}.exe
          C:\Windows\{299B38B6-9B6C-49be-90B6-01C59B1989E8}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\{F877F513-4616-495c-A8A7-D92D752DE49E}.exe
            C:\Windows\{F877F513-4616-495c-A8A7-D92D752DE49E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2156
            • C:\Windows\{CC15CE35-1B8D-4054-BF29-34CB6EAB2D0E}.exe
              C:\Windows\{CC15CE35-1B8D-4054-BF29-34CB6EAB2D0E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1312
              • C:\Windows\{4102076C-B806-4207-A519-405DC51E0166}.exe
                C:\Windows\{4102076C-B806-4207-A519-405DC51E0166}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2896
                • C:\Windows\{5BAFAC22-F8C4-4aaf-82D0-6A36FA020C96}.exe
                  C:\Windows\{5BAFAC22-F8C4-4aaf-82D0-6A36FA020C96}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2916
                  • C:\Windows\{3FCC52A5-B8FB-409b-8966-4132E07C1B6D}.exe
                    C:\Windows\{3FCC52A5-B8FB-409b-8966-4132E07C1B6D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:824
                    • C:\Windows\{4F575AD1-6F1E-4ab4-9022-562392E8C241}.exe
                      C:\Windows\{4F575AD1-6F1E-4ab4-9022-562392E8C241}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2296
                      • C:\Windows\{9070ABE8-9006-4842-B992-DFDC258276A6}.exe
                        C:\Windows\{9070ABE8-9006-4842-B992-DFDC258276A6}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1664
                        • C:\Windows\{B9CA2B7D-CC6F-40f9-8411-9ACA924BA006}.exe
                          C:\Windows\{B9CA2B7D-CC6F-40f9-8411-9ACA924BA006}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1352
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9070A~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1868
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F575~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2940
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3FCC5~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2036
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{5BAFA~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2136
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{41020~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2360
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CC15C~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2888
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F877F~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2596
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{299B3~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2660
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{ECFB1~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2708
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B13A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{299B38B6-9B6C-49be-90B6-01C59B1989E8}.exe

    Filesize

    372KB

    MD5

    61a8235228d6d02167cbb115a95be8be

    SHA1

    ac580ac58ada8196e488795c1568321afddfdac6

    SHA256

    c9ad43cc181c6db5496776191468ed846fc7038f49af241a92156e42a13d0d4a

    SHA512

    48b810120b8d2778a56334a49b62d1114c9f1ecb5b383b0090fa637263e423d61c343fb8e3487fa5655d4c2e410e3abfa3122c854b9e5547aea9aa6a31843dda

  • C:\Windows\{3FCC52A5-B8FB-409b-8966-4132E07C1B6D}.exe

    Filesize

    372KB

    MD5

    04b356bebe7f3cb3624cc4fa8d28ec12

    SHA1

    40034101f9003845af29db97a81eb31f6f10340c

    SHA256

    ee807ac7233ba94c4d7381aeae76db8435f91b50259e75170f569e574ad60e94

    SHA512

    fc6e75f47396ecd81cb71f57c71d5814760f5d02a36b0c46714cfcc3855b8999e283b7c7ab71a2984e13d9503ccdc8599f9fbfab7a5b78551b6e5b09e5f7b939

  • C:\Windows\{4102076C-B806-4207-A519-405DC51E0166}.exe

    Filesize

    372KB

    MD5

    dc1d3bb3d63b5444ebd3292564c94d29

    SHA1

    972a55a8266aaf62f759455bf281445a437f2cfa

    SHA256

    8d5ee5a35ce3b155ddb60b5b03168ab1fed43e77bc3990ae9db7a7055628f677

    SHA512

    07119f105cf353bd80d6c32a9849b5d096a8755ed518fe7ec3dadbbc4da5883bbf14d66a47ad25e24ef342f51d1af01a23f86ac21e4b203f25eaba8130616ead

  • C:\Windows\{4F575AD1-6F1E-4ab4-9022-562392E8C241}.exe

    Filesize

    372KB

    MD5

    7da230c22bb3a60efda5128c5b620b7c

    SHA1

    f90883f816248fced14bc35a84ef5c0fbd4b3316

    SHA256

    dc0fb5cce53cd759da64a8282b9790a0d12623f3973d1eda632321931806707e

    SHA512

    527d707c5f2e63c1e10ca3964de9966750a8add9995dc10fa1586040b60b04b00b542250365c1fa26b0c1c1567ee158f59c87ee3b004a2cd244af07458f7d632

  • C:\Windows\{5BAFAC22-F8C4-4aaf-82D0-6A36FA020C96}.exe

    Filesize

    372KB

    MD5

    6f4807680f5d5ad5c951c4d45c7bfd2a

    SHA1

    b2b0d16ead5eb80858c5fb79d245cba76278f4b4

    SHA256

    a093769f2c0e45d659d071067e9bc958e6ed94ec7c955b6dc540bc9e3de9e33a

    SHA512

    6b34c334eb0c71d10dab2c88e8b3a341015e047559c9a6f7d77199e7f66ceb1d3cb489125a5e9e6da61aeec62fea8825bb640b76d0438c12404b3a3bdad7589d

  • C:\Windows\{8B13AB6C-05EF-49b0-99B6-DDBBD2D07DC6}.exe

    Filesize

    372KB

    MD5

    436dd29b696ed9419a506d995b14d289

    SHA1

    169e2f47b1e93d7d7aed9ac072d48b13949ade53

    SHA256

    719deeacf88ca35a08e47b6862f862c97806f3f159370c30f9c451f947fdc6e4

    SHA512

    e6b090a4834306df7d2b4363c2528fc91d29a91a7ff80ba70375cbe76c805d232605202753e4736265f082940114d6fd477bc7cf09aa3df50a4a65bb4c0e730f

  • C:\Windows\{9070ABE8-9006-4842-B992-DFDC258276A6}.exe

    Filesize

    372KB

    MD5

    ae8c74858e845c15346ce3549c250a8e

    SHA1

    2aba10744c2c968b7f7507dc003e563fa9dab6b1

    SHA256

    767b606270516eabb44ef181182c17d4f64cbf49b00bc5acc143fcc5531330e9

    SHA512

    b73d5cd3d1c66bb23cfe4a3c903024487ebe06c466978893bb1f54d6cf75d5db9f5d5dee8ac2b9efe9e066ed0cc109c8f75c5849bdcfce68fc634d4daccb78bc

  • C:\Windows\{B9CA2B7D-CC6F-40f9-8411-9ACA924BA006}.exe

    Filesize

    372KB

    MD5

    4bc86cdc57158913fc9b7e1d581f6f7b

    SHA1

    63f3a4d1e65292466f79d22bc47c9f9825f44d09

    SHA256

    98458af9a31de35f0fad7abd642a44072a93fd5128357a11f5518a94d5470d1b

    SHA512

    1df55cea854400cd3bfda0d330d4b1d68240b98e13c5baa8a4327463eed954f660851591f35d842aa7072a3675a4be4cb851af0f2ebb7bf7990e5b0ade834193

  • C:\Windows\{CC15CE35-1B8D-4054-BF29-34CB6EAB2D0E}.exe

    Filesize

    372KB

    MD5

    cf0e05b9b0e2ac58237d85b64b2ce1e2

    SHA1

    5e3adc88c46078cd2fee96a6a642fbc6d9b1f9d9

    SHA256

    9f6771869289a037c660ea4ddef467b3daea547c75203a64d294d577b5bd5f32

    SHA512

    be68d54045848b6f028de1a40ac7a2829dfb8b591b6ea8e6c641a24d563c0226b0ad4e77bf54e090699265fa097438d732e4f4d4425dfd7ae213d28b559afcd5

  • C:\Windows\{ECFB1810-F974-4084-814D-CCB85AF64D9A}.exe

    Filesize

    372KB

    MD5

    b7552cc86ca12b150e6c0d65ec0fdf5c

    SHA1

    6b8ca7002fb140df90ca0604e2cc2168fff8e55f

    SHA256

    e262144ee5923f1e4c5954f679977e038f7667866d3810cb729a186cbab4f64f

    SHA512

    db59533676d981de341ff45fc51514ed4ad6e896cd2b52e06530d7baf02f253baeed137344f7710ef6284e769e495b6ce962f812fdaf39822f6f3a2b7442e8de

  • C:\Windows\{F877F513-4616-495c-A8A7-D92D752DE49E}.exe

    Filesize

    372KB

    MD5

    b0e1433188a2b946020fe64f64b20407

    SHA1

    a48379c862afa2cca689260b4c4131cfc3944f5c

    SHA256

    6b83bec9f74d3fbf219a83375cbeaf8e794a1ce45d365d6df0108b6832fcf66b

    SHA512

    6e62168791fdb8521d0b43535bb57958743caf55acfaf697a99e23d15152fcb946452ea84d2eef4d3805fcb9f9ae6ccbcc001bd921a59f0c870100436adbf8a6