Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-10-2024 10:10

General

  • Target

    2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe

  • Size

    168KB

  • MD5

    dab6d8f1ef18fbf3b0e954085c0c51da

  • SHA1

    53821e3046a8d61dfd565949a18b1cf93f91c3b9

  • SHA256

    0fb6d5d629bc87c4f0e67626a71eddce44508909b4fa8c32c84df39d7627dfef

  • SHA512

    b0a6acac2863b1bda9808959bf2429a84c1a19fef26839e8afbdaad15e474871dd9496bfd8dedd3c21441b028a1f07b2e376ceac760c1563034c8f70a95762c8

  • SSDEEP

    1536:1EGh0osqlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0osqlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Windows\{EEC3C6C3-4542-406b-BD1E-960033DCC973}.exe
      C:\Windows\{EEC3C6C3-4542-406b-BD1E-960033DCC973}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\{BD85697D-E012-46ec-8223-1E09A4B19B05}.exe
        C:\Windows\{BD85697D-E012-46ec-8223-1E09A4B19B05}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\{1A475FC4-5F2F-44f8-BA73-064E5BCA5D9F}.exe
          C:\Windows\{1A475FC4-5F2F-44f8-BA73-064E5BCA5D9F}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3692
          • C:\Windows\{9B57EF92-CF18-4b3e-A916-A7E8EDD96513}.exe
            C:\Windows\{9B57EF92-CF18-4b3e-A916-A7E8EDD96513}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2084
            • C:\Windows\{C016E34E-9E0A-4844-9008-615F9BCF5072}.exe
              C:\Windows\{C016E34E-9E0A-4844-9008-615F9BCF5072}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1528
              • C:\Windows\{8C023463-2F10-4451-BDC4-39379290246A}.exe
                C:\Windows\{8C023463-2F10-4451-BDC4-39379290246A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3660
                • C:\Windows\{66CE5EAB-4F95-47cc-9942-6E934769D968}.exe
                  C:\Windows\{66CE5EAB-4F95-47cc-9942-6E934769D968}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3020
                  • C:\Windows\{A3F71301-0351-4792-9980-943611A7DE0A}.exe
                    C:\Windows\{A3F71301-0351-4792-9980-943611A7DE0A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3408
                    • C:\Windows\{16900415-F015-4455-9C34-5D0475251D14}.exe
                      C:\Windows\{16900415-F015-4455-9C34-5D0475251D14}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3016
                      • C:\Windows\{F96AAA69-66F4-4bf1-827A-D0311ECCA6C7}.exe
                        C:\Windows\{F96AAA69-66F4-4bf1-827A-D0311ECCA6C7}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2644
                        • C:\Windows\{3069B200-1B0B-4d5b-840A-5D94B3C7CF7F}.exe
                          C:\Windows\{3069B200-1B0B-4d5b-840A-5D94B3C7CF7F}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4576
                          • C:\Windows\{33B78FBC-C9B1-47c3-975D-475453D18EF7}.exe
                            C:\Windows\{33B78FBC-C9B1-47c3-975D-475453D18EF7}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:548
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3069B~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1936
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F96AA~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2668
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{16900~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:724
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A3F71~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2636
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{66CE5~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:836
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8C023~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2312
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C016E~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:5112
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9B57E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:452
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{1A475~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BD856~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2060
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC3C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1632

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{16900415-F015-4455-9C34-5D0475251D14}.exe

    Filesize

    168KB

    MD5

    463b111acd4981b0cb989550eaac6786

    SHA1

    c87228252d5e33226c61ff4ae91c7ffc483b95e9

    SHA256

    fafb6f720d6a8bae17bc12688de54d2a57c5a891e45518fdb616a5b0c4501614

    SHA512

    ee1d2266cedf4f4a1ae5ac9a320affa22e10086689ef9bea39a99158682a41144cd3b5bb423ca8aa30b34e6c2938c90839462b48745262bc62b2d53bddc92f65

  • C:\Windows\{1A475FC4-5F2F-44f8-BA73-064E5BCA5D9F}.exe

    Filesize

    168KB

    MD5

    623984033e0ce4ba637e22ee46d84748

    SHA1

    9854db484b5252001236fd2d57eee53703b27deb

    SHA256

    dd8c0e5b0925c36c5daadd6b04defed02f0bbbb340d01724534aa1faaf49bf9a

    SHA512

    c6503b5a2fc9c1f3ab6268fd6a2451c9fea474ea61b5d3fb38f791cec6817946d5ab67c1ff9c29448259463d96ee2433709b653f3b365c2116d697ff32f75cfb

  • C:\Windows\{3069B200-1B0B-4d5b-840A-5D94B3C7CF7F}.exe

    Filesize

    168KB

    MD5

    d73785792776fe07bb7da1edf4abb08b

    SHA1

    f7b2bb911d0023d7d6624d10d75be51a329e84f6

    SHA256

    7b9f1902144cb18860951e4a277f180df616456b75b12191452180b2173be7f9

    SHA512

    9bd2987309a9b67804acbc192655146b246368e1fd7a492b645c1347a6b35ae7d367f7ca14f9e5c558a2630df3322e8e3bd032642a017e24a35a0d8d5c410d8b

  • C:\Windows\{33B78FBC-C9B1-47c3-975D-475453D18EF7}.exe

    Filesize

    168KB

    MD5

    360e2d8d91c881791a98f246d6ee4332

    SHA1

    1e86df06ecbdcb41876c0e46c168bf7d009046b1

    SHA256

    eb817af0d2b549a0e52aa92540dd5c08d57708091109bf893761aedeae5cd853

    SHA512

    ae6862f0f2ee315cf9036d160cc208ee11ba3e9bb03357a5e97dd8f490daf8dc3135c73b5c5796771157ac76f1ae5ce3cbdc363385866ea6865ef008da59cab2

  • C:\Windows\{66CE5EAB-4F95-47cc-9942-6E934769D968}.exe

    Filesize

    168KB

    MD5

    ea7cf2a1eb2988cfaa3a1037b32d3bae

    SHA1

    c8186b59afd4aa3484104e44cd18926dc3bcd26d

    SHA256

    1687d948dd791b1c66cd42dc54db4f481c215c1161309b4a18c11e56541f43ff

    SHA512

    9f67be9e77667c49e89330c03568fced28e1f8a28f4e3570a52f64a3d28ea449366b24d3773d2a9f682c393949e02098a40678f0a3a9e20cbf5f471c9791f450

  • C:\Windows\{8C023463-2F10-4451-BDC4-39379290246A}.exe

    Filesize

    168KB

    MD5

    fa1f0972f41dbea2cca0526b40a5af1c

    SHA1

    50930728e0c9dcea7cc01d9d00cf72cabb3f94fe

    SHA256

    85ba166c8f473a1288a052ed9d36a4485a81b0cb982329020d7ab00bafc9bc4d

    SHA512

    95a2af6bac53038c95b1f216f173204eb526f9b0300fa0233e413c2564fd1de31d0cbc524628b090a6517b54a7f1138c5218b3ea6a1ec2cc74e9cb025b3ff768

  • C:\Windows\{9B57EF92-CF18-4b3e-A916-A7E8EDD96513}.exe

    Filesize

    168KB

    MD5

    ae21469a7ccbbd8efbc46e5d7f64d12a

    SHA1

    e306ea3330d480b547b762cbb7a87a1c92b0cb1e

    SHA256

    9afc1e14cc64e2a9fce6b0038f8e351fa4166d0d0eaeda8fa59935aab750d3ef

    SHA512

    bd48be5bef1eb0897d880427d9302cfc6782490150d9f42373c0f2bd49f63d8771db6f0a34be2449068fd5e425fa747353ec4fd0c6bf5d454f4fae1f55d4290a

  • C:\Windows\{A3F71301-0351-4792-9980-943611A7DE0A}.exe

    Filesize

    168KB

    MD5

    3c4b3490ecb3a2200ee4fb4aa522dd4c

    SHA1

    3adb6134f9ad081c41e022578f83628cdcc6197d

    SHA256

    8452c2afdedc2d8b30ebd0438eb4f4dc02b029b9163f7f6df1e6535f0b075cb8

    SHA512

    8a6f964969c5617b8b841ea0682eeb1f62a7015ffd2c82787bbea595595815c9d2913f01e6e1a26365c5a7b769a22780eadbe5f2ba6ef1ff15e140c3d8e7bd5a

  • C:\Windows\{BD85697D-E012-46ec-8223-1E09A4B19B05}.exe

    Filesize

    168KB

    MD5

    7ad4ee2e053d7a70b772260b4e9ec9a8

    SHA1

    aa851505636d4657045a9475817b34b5d6e06eb6

    SHA256

    d7279ddf040d27e7e6aabcae33ab4d47fa37809bcff03702f8720b5ca2f45358

    SHA512

    30f70bf9c1c741a99ad54d5b402b7b85559742fc2a21bb330395a663a3500212cbdeca688a69901b0c5b796d6823441fb540951f046e893ab76096c3ed359aba

  • C:\Windows\{C016E34E-9E0A-4844-9008-615F9BCF5072}.exe

    Filesize

    168KB

    MD5

    2ec374fdb94f986bec9254323181c90b

    SHA1

    9859af686120ea478b301c94e77718d788037813

    SHA256

    c46e2b59f3fd1bb33c23e74225450f2936ac508b3a5d2df19933f0d1e8e91766

    SHA512

    7ca3de1f80e9586de523aefa864f5735ba81f239824d6c0c4c570181aa1b2601898bcca40709177971fe9d2d5773f672cd30a3d061c49e211f00f9dcfc0a9bf8

  • C:\Windows\{EEC3C6C3-4542-406b-BD1E-960033DCC973}.exe

    Filesize

    168KB

    MD5

    62d977cadd58b13b016f70598c00230c

    SHA1

    762bcb8f986e5706055eadf233944d4b2a8e4de3

    SHA256

    ece126232b03dbc363806de5a3bae9d42878805470c3772aa1e7e0414614a3d7

    SHA512

    b270ab37bdd70ef4e971fa94867c325c0231055a86353d90b1e6c0aed50efa3115301092ceea57b4043e0a9b12ca3eceb072e04f58abe6f8faee747028ba3125

  • C:\Windows\{F96AAA69-66F4-4bf1-827A-D0311ECCA6C7}.exe

    Filesize

    168KB

    MD5

    8653b430c62e17ab5f3d911c2bc92237

    SHA1

    e2698703982324188cf452427970f7d9c7137987

    SHA256

    d5c892083263e67d10bf7572542af0de519b0d9a113c757a5f88bcca3a1c3681

    SHA512

    b63abab5504e9be846dd82a633abbf9ca44e0c988a8d5e92e620bbf92195ca035678063d2d67b64eab98299f19a6b5095dc1fc9ca09045beb265774774ead74d