Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    05-10-2024 21:26

General

  • Target

    2024-10-05_27326c2b7a744505f6a807c371d9debd_goldeneye.exe

  • Size

    216KB

  • MD5

    27326c2b7a744505f6a807c371d9debd

  • SHA1

    b067a62f3193e3a08de36cd3f8149a4f748ced3c

  • SHA256

    975f89f201ac9238e25f04d75c1a0de5d1d301eb02f6bc3cf06e23e67bacf61e

  • SHA512

    2958fd3c47946f549dd22c61d15d49702ad55ec6a8fbbc08b2422d96a9e9c5e5fcb352dcfcf7dbb21c6b93d9cab7649d556ace7441da099df8cd5a401cef7d5c

  • SSDEEP

    3072:jEGh0okl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGmlEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-05_27326c2b7a744505f6a807c371d9debd_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-05_27326c2b7a744505f6a807c371d9debd_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\{541DE94A-B215-4c39-9171-BA0EA09111B4}.exe
      C:\Windows\{541DE94A-B215-4c39-9171-BA0EA09111B4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\{DA4521D4-82D7-49fe-99FE-5307EC30F584}.exe
        C:\Windows\{DA4521D4-82D7-49fe-99FE-5307EC30F584}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\{60791A39-E572-4f57-B9FE-974EE470644E}.exe
          C:\Windows\{60791A39-E572-4f57-B9FE-974EE470644E}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2252
          • C:\Windows\{B6FB2BEA-FA6B-4bff-8D9A-381A31B48E42}.exe
            C:\Windows\{B6FB2BEA-FA6B-4bff-8D9A-381A31B48E42}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Windows\{D2F2988B-27BA-4cf9-B811-0D2AA004462E}.exe
              C:\Windows\{D2F2988B-27BA-4cf9-B811-0D2AA004462E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2848
              • C:\Windows\{C0F03666-ED7D-4030-A91D-F77D2D26336C}.exe
                C:\Windows\{C0F03666-ED7D-4030-A91D-F77D2D26336C}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1532
                • C:\Windows\{7E37669E-E983-4591-96B1-E8613E9B7FA0}.exe
                  C:\Windows\{7E37669E-E983-4591-96B1-E8613E9B7FA0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1364
                  • C:\Windows\{32D14430-98C0-4627-AA0A-93590ABE1489}.exe
                    C:\Windows\{32D14430-98C0-4627-AA0A-93590ABE1489}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:536
                    • C:\Windows\{0236E05F-B6A1-45e3-9FD3-FC1AB47A207E}.exe
                      C:\Windows\{0236E05F-B6A1-45e3-9FD3-FC1AB47A207E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2540
                      • C:\Windows\{63581107-DA6D-4065-838C-5E5B20F6ED75}.exe
                        C:\Windows\{63581107-DA6D-4065-838C-5E5B20F6ED75}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2532
                        • C:\Windows\{33F77DD5-935B-4e82-8606-8FAECA426B7D}.exe
                          C:\Windows\{33F77DD5-935B-4e82-8606-8FAECA426B7D}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:408
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{63581~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2288
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0236E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1936
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{32D14~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2068
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{7E376~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:788
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C0F03~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2872
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D2F29~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1608
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B6FB2~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2592
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{60791~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2980
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{DA452~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2924
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{541DE~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0236E05F-B6A1-45e3-9FD3-FC1AB47A207E}.exe

    Filesize

    216KB

    MD5

    cf9674fc7975933cc30ae1407878942b

    SHA1

    ee3943d16a340cc180ccdea58291261a37100d48

    SHA256

    487c669ce205f14d3de79fd703940ee21945106e327ecc2d9ab5749b0066dc5b

    SHA512

    e7a0c6921aa91b8cd1f42a780717dbdf1ee6afd23e216f0d2770ccaa055b54400fb201e5656676cd1ee7cdf7d3a05fa3f58b1f96bceb4856a8f7bcfe8ab25050

  • C:\Windows\{32D14430-98C0-4627-AA0A-93590ABE1489}.exe

    Filesize

    216KB

    MD5

    1d7417211665ac2eef62cebee6c3ceac

    SHA1

    a99b6223b760d5b9444c0d907cff3297c1a54136

    SHA256

    863fa5c62cb01ce08d4dc0615601990de76bfd5006bc0c7dbfe967866eb41ded

    SHA512

    329c5ede935a9599a468b04b5a8db24a2285663bc9959fcf99f91516b813c391de95bc942d4700cd0eade9aebd04bb7be03d7ca52e8e3c937b1a0efd6965ffdc

  • C:\Windows\{33F77DD5-935B-4e82-8606-8FAECA426B7D}.exe

    Filesize

    216KB

    MD5

    f7eda0cc077b71f1b929ca6f5fda4100

    SHA1

    94142d65517c5ae5fe53a000ea84ff782685fc05

    SHA256

    bf022c1120c158b7fc82cf7f9f6f82936672d666ef2e9d84270fc5cc49d61257

    SHA512

    d2b036d399aed28fdee4af662f408be0f766a77d57d43fa825ed4f213330ca14f893d0a6c8497834a49109ebfaf438d7e5043e1200ff6ca2c81eb0205b89f6ed

  • C:\Windows\{541DE94A-B215-4c39-9171-BA0EA09111B4}.exe

    Filesize

    216KB

    MD5

    fc502bcbb10bda94a87486c08f4ff0a0

    SHA1

    4592099a6251d894f89b27733e20eb0e5ad24759

    SHA256

    07a0c8b13fd5ebd2bd6bf1758c4179db07e661c743a5f258635505e2efdce13e

    SHA512

    664109b95c0333537ef056c87bbc571d78d820b41907f0c5c61323be19a9712ffc239d44b75d66dccc7b4d9af6c61b4a8b932eb3e8a9ea7fbd549b29ba479b92

  • C:\Windows\{60791A39-E572-4f57-B9FE-974EE470644E}.exe

    Filesize

    216KB

    MD5

    5e8448a72b5db4dc22c4c58eaf5fcbfa

    SHA1

    14a6ac24d4722470943f7bda0c351c3c4821658b

    SHA256

    78605fe13b52e75dca558c7cb6c14515fd39a28ea9e2922b70c3369fa254cf04

    SHA512

    e6d81d378641ae64b0a204af512e7f6cc0fc5ad20f8db661c29e46f6c0711776ed9c6345e7aa904c4e08de26e14143535b18f0f182eadfc90bb969cb3daf141d

  • C:\Windows\{63581107-DA6D-4065-838C-5E5B20F6ED75}.exe

    Filesize

    216KB

    MD5

    a11ed8bf9a93fe111ba5935515135e0f

    SHA1

    bc8471f7cb5e63d04f98e2b08aae02dacfe75a6c

    SHA256

    0ac5de1ae420b8808213d7156bfdc047f9159ffb199dc4b2655782ad7a1d0627

    SHA512

    c587ccf2a15da546caeb4e0a5bfc14b1e499a52721fa19e20f2ecc651e6279f522a0cb9c01b5a1731597cdfbd9b4ad8975192818e8199e8872b78b92cf26e1b9

  • C:\Windows\{7E37669E-E983-4591-96B1-E8613E9B7FA0}.exe

    Filesize

    216KB

    MD5

    c2851a78b53e3301dcfeff205771dea6

    SHA1

    d51cbeed2c5a7bd2ff0f66dfe5061107cc40a33e

    SHA256

    f2c9a8af459288f7025c9f18da7acf9201dbba7940b47d745f37936d5420aa2f

    SHA512

    33456064951fab2b83148fa4eb3d5cec41fb8d28be9f9b6e03813f6444a89d7b787fb9a0df1379517a98c50ebcc662b8c868ac31f84b2184cc47160f6b1bc75f

  • C:\Windows\{B6FB2BEA-FA6B-4bff-8D9A-381A31B48E42}.exe

    Filesize

    216KB

    MD5

    9ece438fa8435092d4ed3fb76f4a2309

    SHA1

    a3bfb0873da1875f671a5c7b5f8c3528309de7a9

    SHA256

    b93ff83e3342b05c723e8c6da5b9abf6a3b0c2751ada840f185a91217d5489ab

    SHA512

    9f53ff2cc161625f07efcbee8d0d7ae1d8f5f86568a001c40925176268915cab9c7be598aa5f93c6f6704f05231df5c66c0f9a0127a2bbf5a3f076f7455cd28b

  • C:\Windows\{C0F03666-ED7D-4030-A91D-F77D2D26336C}.exe

    Filesize

    216KB

    MD5

    ac1b295a67b84b497a2730b145d8d569

    SHA1

    609ee8b73d8c91d0c2aef54dcb312a98b7f11955

    SHA256

    d5ccb5a7c71c41d65c9e0ae275771f066a5c47419dfa26559c0d339efcacbe74

    SHA512

    3944c85d366e01bb644734cf42678e71fdf820ad01e9283967bb278323858b28c39e782eabb6f10138b3f7ae6008ffa1e2229940c7f83b1cf9fe854fd4b08c0f

  • C:\Windows\{D2F2988B-27BA-4cf9-B811-0D2AA004462E}.exe

    Filesize

    216KB

    MD5

    91da7aefd23033b33eef0e5213147de9

    SHA1

    291a23e1618f1046b38522fee6f5ab62573c6223

    SHA256

    676401bf6505c038a3a0dde054a47893f94b983cf4c71f51f0fd9955d1cbae41

    SHA512

    6e4ba74911d3953c39472b1475113af444f21a4e85428f9fff9f04308b50d0f6b926eb0b2b6383865c3335aba5cd4a9a46de8fbaed12bc743d7d7a97419c4ad6

  • C:\Windows\{DA4521D4-82D7-49fe-99FE-5307EC30F584}.exe

    Filesize

    216KB

    MD5

    47fd1a4d2b15ee687f7a10121b5dfaf3

    SHA1

    4d5de4a23a1507e54f910c8d1d50a994d4a9d25c

    SHA256

    73342deb9092dc0361e96f3f160b012ea2c512f58724b3ba81c12a8b2a5cf932

    SHA512

    908c682064847dfc111cdb8d10d6bb5abf9274d4e52e7c652f212f5b96759ad356b0140c6b99e8472f1c73f0d37764911e5bcac09129d791f6a330a16d4dad64