Analysis

  • max time kernel
    149s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/10/2024, 10:42

General

  • Target

    2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe

  • Size

    408KB

  • MD5

    dc61e23595ac7c6caa7f0477344adf42

  • SHA1

    4902e91176831d4867a6e61a31977781c52975fb

  • SHA256

    6a897d815d04cc2c6b5376d87c771111588317112936f1a8e07774f8b5d8915c

  • SHA512

    490c079a38e21e3561a8f1bb8eada27d7022b2285ebb577f1778eeaa30bf1c3eafcdb1f21a60bc91cdc544ad24d4e47f98cb31fb0e526a660a36059fe3861557

  • SSDEEP

    3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG2ldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
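The Active Setup signature above states only that a key was added under Installed Components; the report does not say which component ID or StubPath the sample wrote. The following is an added example for triaging that key, not part of this report and not the sample's own code. It parses a .reg export of the kind `reg export` produces; the export text is constructed, the malicious entry reusing the first dropped GUID as its component ID is an assumption about what the key would look like, and the two benign entries are illustrative. Because the sample is a 32-bit process (its cmd.exe children run from SysWOW64), the WOW6432Node view of HKLM\SOFTWARE is checked alongside the native one.

```python
r"""Triage Active Setup entries for the persistence this report flags.

Windows runs the StubPath of every component under
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<id> at a user's
logon whenever the same <id> is missing under HKCU (or carries a lower
Version). Input is a .reg export of that key; the text below is constructed
for this example. The entry that reuses the sample's first dropped GUID is an
assumption about the key's shape, and the two benign entries are illustrative.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="Themes Setup"
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5559D43C-06F9-4abd-A33F-0723B578D52A}]
"StubPath"="C:\\Windows\\{5559D43C-06F9-4abd-A33F-0723B578D52A}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Component key in either the native or the WOW6432Node (32-bit) view.
COMPONENT = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\(\{[^}]+\})$", re.I)
TRUSTED_PREFIXES = (r"%systemroot%\system32", r"c:\windows\system32", r"c:\program files")


def decode(raw):
    """Decode the two .reg data types this key uses: quoted strings and dwords."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = decode(m.group(2))
    return keys


def stub_target(stub):
    """First token of a StubPath command line, i.e. the program it launches."""
    stub = stub.strip()
    if stub.startswith('"'):
        return stub[1:stub.index('"', 1)]
    return stub.split(" ", 1)[0]


def triage(keys):
    """Return [(component id, registry view, [reasons])] for entries worth a look."""
    findings = []
    for path, values in keys.items():
        m = COMPONENT.search(path)
        if not m or "StubPath" not in values:
            continue
        target = stub_target(values["StubPath"]).lower()
        reasons = []
        if re.fullmatch(r"c:\\windows\\\{[^}]+\}\.exe", target):
            reasons.append("GUID-named executable directly under C:\\Windows")
        elif any(s in target for s in ("\\appdata\\", "\\temp\\", "\\users\\")):
            reasons.append("stub lives in a user-writable directory")
        elif "\\" in target and not target.startswith(TRUSTED_PREFIXES):
            reasons.append("stub outside the usual system locations")
        if "Version" not in values:  # heuristic: shipped components carry a Version
            reasons.append("no Version value")
        if reasons:
            view = "WOW6432Node" if "wow6432node" in path.lower() else "native"
            findings.append((m.group(1), view, reasons))
    return findings


if __name__ == "__main__":
    for cid, view, reasons in triage(parse_reg(SAMPLE_REG)):
        print(f"{cid} [{view}]: " + "; ".join(reasons))
```

Only the GUID-named stub is reported; the two stock Windows entries fall through every rule. On a live host, clearing the HKLM key is not enough: remove the dropped file too, and remember that any user whose HKCU copy of the component ID was already written has run the stub at least once.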

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\{5559D43C-06F9-4abd-A33F-0723B578D52A}.exe
      C:\Windows\{5559D43C-06F9-4abd-A33F-0723B578D52A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Windows\{D2C56B92-144E-4520-8D43-5117728F63A8}.exe
        C:\Windows\{D2C56B92-144E-4520-8D43-5117728F63A8}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\{A8CC7B85-8644-422c-9E22-3389CA46EFBF}.exe
          C:\Windows\{A8CC7B85-8644-422c-9E22-3389CA46EFBF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:988
          • C:\Windows\{DE7D86FF-8A85-4ab6-AF65-6E7D6B8E22DF}.exe
            C:\Windows\{DE7D86FF-8A85-4ab6-AF65-6E7D6B8E22DF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1648
            • C:\Windows\{B0BA51D1-B9F5-46be-AB2E-7F7258569D75}.exe
              C:\Windows\{B0BA51D1-B9F5-46be-AB2E-7F7258569D75}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2816
              • C:\Windows\{AF9BF532-0E14-42df-8E5E-4CBECC65446D}.exe
                C:\Windows\{AF9BF532-0E14-42df-8E5E-4CBECC65446D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1996
                • C:\Windows\{D78EE0B8-8E74-4b29-A68D-470E18C3930B}.exe
                  C:\Windows\{D78EE0B8-8E74-4b29-A68D-470E18C3930B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4292
                  • C:\Windows\{16F441AA-4D18-4593-B476-1338CAD1A5D3}.exe
                    C:\Windows\{16F441AA-4D18-4593-B476-1338CAD1A5D3}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4312
                    • C:\Windows\{26A3F38F-4BFE-4011-8FB4-01A67BF56C2E}.exe
                      C:\Windows\{26A3F38F-4BFE-4011-8FB4-01A67BF56C2E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1632
                      • C:\Windows\{59D0BC4F-783A-4514-8697-E37C05E929C8}.exe
                        C:\Windows\{59D0BC4F-783A-4514-8697-E37C05E929C8}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2784
                        • C:\Windows\{5A026FC4-FB31-4122-A6E4-F7757E7C04EE}.exe
                          C:\Windows\{5A026FC4-FB31-4122-A6E4-F7757E7C04EE}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5084
                          • C:\Windows\{8BD902CB-BCDD-4dc5-9ED4-4908A42AC161}.exe
                            C:\Windows\{8BD902CB-BCDD-4dc5-9ED4-4908A42AC161}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4400
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5A026~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3660
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{59D0B~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3836
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{26A3F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4868
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{16F44~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3792
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D78EE~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4464
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{AF9BF~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3416
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B0BA5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2848
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{DE7D8~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:800
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A8CC7~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D2C56~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4068
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5559D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1928
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4884
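The tree above is a single behaviour repeated twelve times: each stage is a {GUID}.exe written into C:\Windows, it launches the next stage and then spawns cmd.exe to delete its own image by its 8.3 short name (e.g. {5A026~1.EXE), and the chain ends at the twelfth stage with nothing left on disk but the newest file. The Downloads list shows why a hash-based block does nothing here: every drop is 408KB with a different MD5/SHA256. The following is an added detection example, not part of this report and not the sample's code. It runs over process-creation records in the shape of Sysmon Event ID 1 (pid, ppid, image, cmdline); the records are reconstructed from the tree above rather than read from a live log, and the 8.3 matching rule and the alert thresholds are assumptions stated in the comments.

```python
r"""Hunt for the drop-and-self-delete chain shown in the process tree above.

Input is a list of process-creation records (pid, ppid, image, cmdline). The
records are rebuilt from this page's process tree, not taken from a real log.
"""
import re

# A {GUID}.exe sitting directly in C:\Windows, as every dropped stage here does.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I)
# "cmd.exe /c del <path> > nul", the self-removal command used by every stage.
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.I)

ROOT_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-10-04_dc61e23595ac7c6caa7f0477344adf42_goldeneye.exe")
ROOT_SHORT = r"C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE"
# (pid, GUID) per stage in spawn order, copied from the tree above.
CHAIN = [
    (3192, "5559D43C-06F9-4abd-A33F-0723B578D52A"),
    (2708, "D2C56B92-144E-4520-8D43-5117728F63A8"),
    (988, "A8CC7B85-8644-422c-9E22-3389CA46EFBF"),
    (1648, "DE7D86FF-8A85-4ab6-AF65-6E7D6B8E22DF"),
    (2816, "B0BA51D1-B9F5-46be-AB2E-7F7258569D75"),
    (1996, "AF9BF532-0E14-42df-8E5E-4CBECC65446D"),
    (4292, "D78EE0B8-8E74-4b29-A68D-470E18C3930B"),
    (4312, "16F441AA-4D18-4593-B476-1338CAD1A5D3"),
    (1632, "26A3F38F-4BFE-4011-8FB4-01A67BF56C2E"),
    (2784, "59D0BC4F-783A-4514-8697-E37C05E929C8"),
    (5084, "5A026FC4-FB31-4122-A6E4-F7757E7C04EE"),
    (4400, "8BD902CB-BCDD-4dc5-9ED4-4908A42AC161"),
]
# cmd.exe PIDs in the order of the image each one deletes (the root dropper first).
DELETER_PIDS = [4884, 1928, 4068, 3556, 800, 2848, 3416, 4464, 3792, 4868, 3836, 3660]


def build_events():
    """Reconstruct the page's process tree as flat process-creation records."""
    events = [{"pid": 1100, "ppid": 0, "image": ROOT_IMAGE,
               "cmdline": f'"{ROOT_IMAGE}"'}]
    parents = [1100] + [pid for pid, _ in CHAIN]   # parent of stage i is stage i-1
    for (pid, guid), ppid in zip(CHAIN, parents):
        image = rf"C:\Windows\{{{guid}}}.exe"
        events.append({"pid": pid, "ppid": ppid, "image": image, "cmdline": image})
    # Every image but the last stage's is deleted by a cmd.exe child of its own process.
    victims = [ROOT_SHORT] + [rf"C:\Windows\{{{g[:5]}~1.EXE" for _, g in CHAIN[:-1]]
    for dpid, ppid, short in zip(DELETER_PIDS, parents, victims):
        events.append({"pid": dpid, "ppid": ppid, "image": r"C:\Windows\SysWOW64\cmd.exe",
                       "cmdline": rf"C:\Windows\system32\cmd.exe /c del {short} > nul"})
    return events


def short_name_matches(short_path, long_path):
    """Heuristic 8.3 match (assumption): a DOS short name keeps the first six
    characters of the long stem, then ~N, then the extension. Holds when the
    long name has no characters Windows strips from short names, as for GUIDs."""
    sdir, _, sbase = short_path.rpartition("\\")
    ldir, _, lbase = long_path.rpartition("\\")
    if sdir.lower() != ldir.lower():
        return False
    m = re.match(r"^(.{1,6})~\d+\.(\w+)$", sbase)
    if not m:
        return sbase.lower() == lbase.lower()
    prefix, ext = m.groups()
    lstem, _, lext = lbase.rpartition(".")
    return lstem.lower().startswith(prefix.lower()) and lext.lower() == ext.lower()


def chain_depth(by_pid, pid):
    """Count consecutive GUID-named ancestors starting at pid."""
    depth = 0
    while pid in by_pid and GUID_EXE.match(by_pid[pid]["image"]):
        depth += 1
        pid = by_pid[pid]["ppid"]
    return depth


def analyse(events):
    by_pid = {e["pid"]: e for e in events}
    stages = [e["pid"] for e in events if GUID_EXE.match(e["image"])]
    self_deletes, other_deletes = [], []
    for e in events:
        m = DEL_CMD.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        if parent and short_name_matches(m.group(1), parent["image"]):
            self_deletes.append((e["pid"], parent["pid"]))  # parent wipes its own image
        else:
            other_deletes.append(e["pid"])
    max_depth = max((chain_depth(by_pid, p) for p in stages), default=0)
    # Thresholds are an assumption: one GUID-named relaunch can be an installer,
    # a chain of them that erases its own trail is not.
    return {"stages": stages, "max_depth": max_depth, "self_deletes": self_deletes,
            "other_deletes": other_deletes,
            "suspicious": max_depth >= 3 and len(self_deletes) >= 2}


if __name__ == "__main__":
    r = analyse(build_events())
    print(f"{len(r['stages'])} GUID-named stages, depth {r['max_depth']}, "
          f"{len(r['self_deletes'])} self-deletes, suspicious={r['suspicious']}")
```

The self-delete rule keys on the relationship, not the string: cmd.exe deleting the image of its own parent is rare in legitimate software, whereas `del ... > nul` on its own is common in installers. Matching the 8.3 name back to the parent's long name is what makes the twelve deletions above attributable to the stage that issued each one.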

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\{16F441AA-4D18-4593-B476-1338CAD1A5D3}.exe

          Filesize

          408KB

          MD5

          2c1615bbc8b0bd1e76e9bfcf65b9b0de

          SHA1

          1ca96e689301d83e9b9b25779e11cd464020134b

          SHA256

          d0cacb7aa1eade0f77e426040cb4541651f3784725966be431f8c840344d1fef

          SHA512

          3573bfc4bdf8dcd68fa5b7d29363c50a6f306f42385b32d21ee0e2ff60f60f7a7226198081d99f785864ddb046f0ad4fe992b08248246058e034d03deaf47163

        • C:\Windows\{26A3F38F-4BFE-4011-8FB4-01A67BF56C2E}.exe

          Filesize

          408KB

          MD5

          2d32577f0ccc24f90f72faa7b3cc59ab

          SHA1

          0284c0aa012d5fdfaa7c2256ed5440f17fef96b6

          SHA256

          107484fcf271f7ea79eb29c1012f2dd96ebbdfaa800cb101fbf4a13d3fdcdfdf

          SHA512

          547e8707b21123d88b9ecc977c6d2f255c631a68622bebe97ea64832452c865e1e7364cf26887a0c631d7a4f643b7cae345f9886b7705a4b16c2f22b429a24f1

        • C:\Windows\{5559D43C-06F9-4abd-A33F-0723B578D52A}.exe

          Filesize

          408KB

          MD5

          80b075615a086632e770842dc4e7244f

          SHA1

          154f516ce0d0d6a266f7b3a3af4199809645e6d9

          SHA256

          5c2953e0702c46075115b3063c6a689b1e6bc29dfcb84ecc07da8fee38323c25

          SHA512

          64a037ff102f0123087e1274cf2d5d2d125dd7cb84a55cd87e42d08dcd4e2b61ed4727c5a937150b97e70147b807c81bd97b5bb91db925ea0256bb99efbb2a25

        • C:\Windows\{59D0BC4F-783A-4514-8697-E37C05E929C8}.exe

          Filesize

          408KB

          MD5

          bf3df93697a69a08424be4077f1bf0fb

          SHA1

          828ee29005aba115880d632528feeb2579618385

          SHA256

          4ded8a242d0743e3dea3b021ca6ee0143694ad23f715adbb6b6ed9da9b01d40d

          SHA512

          b1ebde5a91b63c2ed87e22ce46b8983c906008443738d585ad737264162712c4e87129656cc71117ce745385a37f790eb3fd45f6104eae642a0934ecbec47d91

        • C:\Windows\{5A026FC4-FB31-4122-A6E4-F7757E7C04EE}.exe

          Filesize

          408KB

          MD5

          5ac5dd3746d27dd41a628e94901f820c

          SHA1

          75619f22b4915fdc0e639bf9571b0eb1d70286d1

          SHA256

          a1398c047509e1274b9997a7cb4a5806cd414fe7202f6f97bb2ed121cfdbb563

          SHA512

          fee1c28410d92de48b08e42010d30da9a2ef48c4689ce074d00da2260d99e81c00253482c7e9e1079f95f0469f42c874e4417466c22d8a657c967ae7a64c662d

        • C:\Windows\{8BD902CB-BCDD-4dc5-9ED4-4908A42AC161}.exe

          Filesize

          408KB

          MD5

          050766cafcac37c1430f7978ac97061b

          SHA1

          cbe3f3c807e84ea31a85d42ec7d77e0e0e699a90

          SHA256

          f876d517b0a0ca1eabe089be54ec1776289c001a80377b1d5d31ca67f70e00a3

          SHA512

          d6c2c453ee9296eca12c7d408f773722c3180f394f942b5da0dd7fac591c58d6a02d0cb3e6287dfea8c6c8418578d96be606fcfbe59446d0cd060e0bd73f9351

        • C:\Windows\{A8CC7B85-8644-422c-9E22-3389CA46EFBF}.exe

          Filesize

          408KB

          MD5

          c262211708d9165a142bbcea0cf14079

          SHA1

          f58693da7642b3be380409fb32bf809ccda20794

          SHA256

          db9b3ee79530fac0fb7b52a2135771592fe870e6c41613eb569554070eda6666

          SHA512

          a2b64ca0e339318f03006272fbbdc04285dbbfe3c904a8abafcef81f2cddb7ab31ea73c3e9781e4f26c5d46f9a13986061111db9cb086486d2e074aa8c20355e

        • C:\Windows\{AF9BF532-0E14-42df-8E5E-4CBECC65446D}.exe

          Filesize

          408KB

          MD5

          c617f893449d11c4c70cc7ae6f42b9b1

          SHA1

          ad8d3369acdbc939a53f928558d96e4e8ed15217

          SHA256

          0334e1d74f19000d70836c75cc99a56005093626bf5e8679d9fca7f0d7ea6c54

          SHA512

          57538bc9e80157850e826a59e234a31c63aad97ccb989ce29f1c5b61fd7aeac477d01814a41f2bd3f2be1ff14b18762694113b76d5d59c7ec1fb30846d20e796

        • C:\Windows\{B0BA51D1-B9F5-46be-AB2E-7F7258569D75}.exe

          Filesize

          408KB

          MD5

          7a8c0fda7ab56c102c162b3f16d469f2

          SHA1

          91a9789472561aec1ddb5026f1447411a53da3f9

          SHA256

          b8eee00034cdd6d7bd6adc822cc081fdca0156b389799cf517c38af6758600ed

          SHA512

          b89339f2d2d007c12174df8ee405f598317e20ea7b4b0af134bf5cf7aa5a89094c937efcb693ee65bab94324700044960191c8041dd5ef23d8b9d0464cbc7159

        • C:\Windows\{D2C56B92-144E-4520-8D43-5117728F63A8}.exe

          Filesize

          408KB

          MD5

          3fa1c24a06ead0acaf2ee22bf4337f48

          SHA1

          2e74b4272eae76de028a61d7a02393f76eefbdb8

          SHA256

          695ae5ded2626de98ac57ef2016c842c8d7a6dd4f21c6ae82852ee865df65c3e

          SHA512

          af6ee91c8e1d8357e209c350995bd2ef0d88a54be3b341fa1d75aa789e3f94885bfa0b0955e7e6e2bb311a8b44db7777570d49ec76346392cbb235cc03a280c5

        • C:\Windows\{D78EE0B8-8E74-4b29-A68D-470E18C3930B}.exe

          Filesize

          408KB

          MD5

          846ccd5435233dbfd2f096defe768f04

          SHA1

          340076e35f61ec46c16c8089ca73d521df90c38c

          SHA256

          0f82ddc5a26d977040940a8d6e189045288ac410ff205fb5bad47ba2038d10cb

          SHA512

          5e3aedffd20dba2e9b7ddc7195d8870691638695a67aff83743e528f0230187bb060c5de5aaf1fcfd008a607583303289f3979ac5e62535ca2e8fb5595829262

        • C:\Windows\{DE7D86FF-8A85-4ab6-AF65-6E7D6B8E22DF}.exe

          Filesize

          408KB

          MD5

          a5aba49781c6e5eeab3614a535322c4f

          SHA1

          b15a5a4288ffad6e867728cec02f0f4b0f19a6db

          SHA256

          daf81ea1fffd9a5494ed104eed79da0ea99c08ffaa813485177eed8f3c07c0b1

          SHA512

          7e4541d1cfd3461d11d55e136b946fd21b933056bd0d50c4333cbbe737454a19317906b9dfae46078ea74cbc29be521978101ad77243c228fca726259371aa45