Overview

overview

8

Static

static

3

2024-10-05...ye.exe

windows7-x64

8

2024-10-05...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2024, 09:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-05_18f5c4f2658d54de57a890bde395631e_goldeneye.exe

  • Size

    344KB

  • MD5

    18f5c4f2658d54de57a890bde395631e

  • SHA1

    11717d1ebc7e2d41723f3af3ce0c67c378aba0b8

  • SHA256

    8bf7067fac31c2ccdac94dcb32abcb3b5b75acbe2ad5265d9673be1e1e6ec7d8

  • SHA512

    f3389819174e6008358ff31b7aee176585e6629d1041fdfe216bd909d4176f427feac029a8394bbf5515bf15097bb0e1b2cdc4880602f85b466971cbe0a4b70c

  • SSDEEP

    3072:mEGh0ohlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGPlqOe2MUVg3v2IneKcAEcA

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-05_18f5c4f2658d54de57a890bde395631e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-05_18f5c4f2658d54de57a890bde395631e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Windows\{4E2FE422-803E-4e86-A1D8-96F0289C2F68}.exe
      C:\Windows\{4E2FE422-803E-4e86-A1D8-96F0289C2F68}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\{9AFAC37B-5FCA-425e-AD90-4220973EB17E}.exe
        C:\Windows\{9AFAC37B-5FCA-425e-AD90-4220973EB17E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Windows\{B323307D-3856-42a5-BEF5-1A9D2A9710C9}.exe
          C:\Windows\{B323307D-3856-42a5-BEF5-1A9D2A9710C9}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\{8E2DA52A-F245-4bba-A2EA-4B570CE7B295}.exe
            C:\Windows\{8E2DA52A-F245-4bba-A2EA-4B570CE7B295}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2044
            • C:\Windows\{3632DB80-3DD2-4008-A8A3-142AAC197599}.exe
              C:\Windows\{3632DB80-3DD2-4008-A8A3-142AAC197599}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3912
              • C:\Windows\{AF75D726-3496-42cf-BAFD-53819D7ECD4D}.exe
                C:\Windows\{AF75D726-3496-42cf-BAFD-53819D7ECD4D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2824
                • C:\Windows\{12216837-4BA9-40ae-999C-E791AC8E1BDF}.exe
                  C:\Windows\{12216837-4BA9-40ae-999C-E791AC8E1BDF}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1540
                  • C:\Windows\{B0FBE1AC-4D93-4c82-8BF2-A3C6DB10E3CC}.exe
                    C:\Windows\{B0FBE1AC-4D93-4c82-8BF2-A3C6DB10E3CC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5024
                    • C:\Windows\{E53E5527-6063-4d24-8510-89F86F62DF70}.exe
                      C:\Windows\{E53E5527-6063-4d24-8510-89F86F62DF70}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3492
                      • C:\Windows\{83CB32DF-3E95-4fdf-905E-499AD2C34116}.exe
                        C:\Windows\{83CB32DF-3E95-4fdf-905E-499AD2C34116}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4828
                        • C:\Windows\{838D469D-124D-475c-A2DA-6E93DFF76B12}.exe
                          C:\Windows\{838D469D-124D-475c-A2DA-6E93DFF76B12}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4996
                          • C:\Windows\{EA47FBFA-AE14-47e4-9A68-64E30D74FB8F}.exe
                            C:\Windows\{EA47FBFA-AE14-47e4-9A68-64E30D74FB8F}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3368
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{838D4~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1972
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{83CB3~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2412
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E53E5~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2656
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B0FBE~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4588
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{12216~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:5008
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{AF75D~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3704
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3632D~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4320
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8E2DA~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:836
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B3233~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2860
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9AFAC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3744
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E2FE~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2816
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2788

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\{12216837-4BA9-40ae-999C-E791AC8E1BDF}.exe
          Filesize

          344KB

          MD5

          a9db529c2c13104a692db27627e678b2

          SHA1

          7865c41832f520f1dd253e66e9b155ffe15984a0

          SHA256

          176330233affa11200617a512f33f7c5aa4379113081f84ff8d14650af74eb67

          SHA512

          89bb6fbc80c51c65a72c94d1d6d4340552a94246b4b2561aebe2c792f27ee043cc01b736aa0a80d9e0c6173ea5417703074ab1ffb639e38aa44cdb8d2c951333

          Download Submit

        • C:\Windows\{3632DB80-3DD2-4008-A8A3-142AAC197599}.exe
          Filesize

          344KB

          MD5

          3366275cce336e6a4f8604d4a6ca08d1

          SHA1

          566c4e4f04d9db2c5aaabf9ebf00ce12c46ee81f

          SHA256

          88a0ccb961678b5f269a5926187e2fe34221a73296b8c00c031080f76f9e8ecc

          SHA512

          f92b8e4d4e11fcbb7896621fa28b8145a29a6b4f1bc6cfe23ed96568c8c0f27464e3d23f6041232f295ddf6c3fc2f28d5d400aaa0f6125d025aaaa263c74a11a

          Download Submit

        • C:\Windows\{4E2FE422-803E-4e86-A1D8-96F0289C2F68}.exe
          Filesize

          344KB

          MD5

          c65fb16f29350caa2e98f5e87aaf0788

          SHA1

          3f3e0fb87792cffa03b985143ff339a4586d17fe

          SHA256

          b81cef89570bcb8749181ae323c235737c320b1e67de5df91e0f3de589f49dcd

          SHA512

          175ddf9ac38d1fb0a1ab8463bb1354d134b3c3e3c073961d5301c07112df36f93473a81af61e078e4b7bb0e7d1bffc2d12710c6dec657c61aeaca54e25965ea2

          Download Submit

        • C:\Windows\{838D469D-124D-475c-A2DA-6E93DFF76B12}.exe
          Filesize

          344KB

          MD5

          bcd45d922ef637918b63b2c8342ad2c8

          SHA1

          5fd04277e825155d45a14b4759a3d1ceb26bbaed

          SHA256

          9a916ce433672b61f414aba8eb66fb1edafd0ff5c215ac99f5179bc0f0bfbcb3

          SHA512

          6a36d0595ced29c1cb8b020a6526b226ec22f5748d76e0beeb7641264ad293467f996b5c53cb8992049f01f360748ca0423aaceee378e5231de8f710245b7f67

          Download Submit

        • C:\Windows\{83CB32DF-3E95-4fdf-905E-499AD2C34116}.exe
          Filesize

          344KB

          MD5

          65b0ab4e8fd63ef08ca81dfce917b29c

          SHA1

          bb26eb94bc0169dbd4a11abb2d6f38b235f78777

          SHA256

          5014625988d202f277c91422d20c356a7cb0cf3289a62ac0a18b979f4f7cd02e

          SHA512

          b22aeccec778a8330a60ffcc99683cff24742a0e5871557406453916434b447d9187d6d472d6dc9d5e3ec0f91e62068b98963178041b4125e99650c28414ab65

          Download Submit

        • C:\Windows\{8E2DA52A-F245-4bba-A2EA-4B570CE7B295}.exe
          Filesize

          344KB

          MD5

          856ab04efc620d69511e3adb7b4dcb11

          SHA1

          17adce6cfc0988ab088ea14434ed6a30c3192191

          SHA256

          c270cdc314d464650649e5c3a5f4b486d8c4632a4424641b0d1664fc86115fc3

          SHA512

          d6caac47e4a7d9f441029e3cd6fa7f69b0acf25431f81cc962083076863476298ed770fbdbed8069e2ee4bfed5a4df18088740fecbc8dfc743210dfd530fd71f

          Download Submit

        • C:\Windows\{9AFAC37B-5FCA-425e-AD90-4220973EB17E}.exe
          Filesize

          344KB

          MD5

          a01eac978afb4e2df723d76c8478a9e8

          SHA1

          cd0535e96ca920145fa06abee76f0b2af4b5c22d

          SHA256

          4fc5bc9455380c25bd602e8e1b734afa0cf5a99f7076263194b20a7efb5d8411

          SHA512

          722cbf6b8dfd091fa251d82a12fca7b667154b4b6b2bb595c8132fbad4a4833f133b74cef6929e5ac0e69bb59fe95c9313bd61cb19f53e6115bb544d845c4e2e

          Download Submit

        • C:\Windows\{AF75D726-3496-42cf-BAFD-53819D7ECD4D}.exe
          Filesize

          344KB

          MD5

          0edd8a124b062a086bb60c9c62b69d26

          SHA1

          c7b3a98d87473e7342e3cc00ff0715dc2bab5772

          SHA256

          d43163a887ab44ac6a0d8c8f85c65bf105d535476a35f7041b39675453af1a05

          SHA512

          5e40be59170de0c14e69ef0d621139861a608bb86e52f9654c27741d202030948219451c816c11eb8cfb95a8224e4392ea4a9cd3decef4ea8ab36a41ad4e6d03

          Download Submit

        • C:\Windows\{B0FBE1AC-4D93-4c82-8BF2-A3C6DB10E3CC}.exe
          Filesize

          344KB

          MD5

          7b42c852fdd8a6b2f551afbf6127a0ff

          SHA1

          5d13c5fc16222f77718b330038d36ae48c15b709

          SHA256

          70fc395b5ed7ae221f2618cfa4f78397a04fa47f7101a2691ed5bcb10f3f9807

          SHA512

          1bf78c6a393a1c91d26a7a5e5cec7096acf954c162ddd6519c27f9873605cd0c53f824fb4a0ee8947a0eb503d48a67219600050368792320045ad81f86a5dc07

          Download Submit

        • C:\Windows\{B323307D-3856-42a5-BEF5-1A9D2A9710C9}.exe
          Filesize

          344KB

          MD5

          86164afcc2a10d9914204e8cbc1e7507

          SHA1

          636bb0c3a7a1514420570b9a06f2d05246b5767a

          SHA256

          1bdb97086569b28ab638238b63e3487b8cfe27949738b7e7cbc735ef665607a4

          SHA512

          cd32455ba3597f803062c74354f3d08bbc2e08f2613e9454eefbb7e1081eb5834bdfb722efa33ddd7b89672adc228053008637eb8b8e28f4a84b4d376e0a0e94

          Download Submit

        • C:\Windows\{E53E5527-6063-4d24-8510-89F86F62DF70}.exe
          Filesize

          344KB

          MD5

          befa6c99ece1658b86a809d53dede00e

          SHA1

          91b5fdb4eb785549483612c62d7cc384e38195e2

          SHA256

          87dea0e15ba7269a3a79b3d1f09a1bb2a9991340c9cb278a57a0982c171290dd

          SHA512

          aebaee8d5644aad90442be0b62d337515eb567ac4c69c9e60b561381d8637981f6b7261bdfa6e71e17739168b17bd2bc6ff368fe567b4a0dbcf04f634704afca

          Download Submit

        • C:\Windows\{EA47FBFA-AE14-47e4-9A68-64E30D74FB8F}.exe
          Filesize

          344KB

          MD5

          431ddc29c95227288fbcb803615c9d0d

          SHA1

          112915fb5373c97a8ef3c76cba1d72eb2539e4c3

          SHA256

          2564186d3085524297fd42caf242f0ad5c9acf956812740389255c51d6bd847d

          SHA512

          e72aa6c6ee97c51bdf55bc6ce296b9d8d395a81b72a197257de610a01b556cc020bfdff215cf211703950d635571cc67b1d69aa092a1e3c6c3b1162f42b240c5

          Download Submit