Analysis

  • max time kernel: 144s
  • max time network: 19s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 06/10/2024, 10:25

General

  • Target: 2024-10-06_0d0f19492a17885ada66c4cee0fa248f_goldeneye.exe
  • Size: 408KB
  • MD5: 0d0f19492a17885ada66c4cee0fa248f
  • SHA1: 3456bc24c93dede7d24a7f1332da33c5ba683c87
  • SHA256: 52ce7323543ab48ed9a816a8ceb1c67b4fabb0d8309ba2bc170569f7df0aacb5
  • SHA512: c0eed661878c4fcbd15a8374491166847805d7dc539ef02b6dfbe8d680e1bdbc5c78977b84be7fed9a17e68e7363f7e1fc1daa30b26412d07e448d1818bd2f08
  • SSDEEP: 3072:CEGh0oAl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGyldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-06_0d0f19492a17885ada66c4cee0fa248f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-06_0d0f19492a17885ada66c4cee0fa248f_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Windows\{EDE12397-A9CD-4b2d-9BEB-FB079A77C476}.exe
      C:\Windows\{EDE12397-A9CD-4b2d-9BEB-FB079A77C476}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\{FAD810AE-16DF-435a-9E0A-EC6FE3EF504F}.exe
        C:\Windows\{FAD810AE-16DF-435a-9E0A-EC6FE3EF504F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\{15D30CCA-9B6E-460b-9722-A5E259489BB7}.exe
          C:\Windows\{15D30CCA-9B6E-460b-9722-A5E259489BB7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\{CF3ED2BC-DA36-4540-BCF5-EE8301A9EA83}.exe
            C:\Windows\{CF3ED2BC-DA36-4540-BCF5-EE8301A9EA83}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2292
            • C:\Windows\{2A664382-B129-478d-9241-1D82409F36F3}.exe
              C:\Windows\{2A664382-B129-478d-9241-1D82409F36F3}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1756
              • C:\Windows\{DECB95E6-8A9D-497c-A27F-86032B671F7B}.exe
                C:\Windows\{DECB95E6-8A9D-497c-A27F-86032B671F7B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2932
                • C:\Windows\{79E08CD0-23A2-48a8-AB57-950C1114670D}.exe
                  C:\Windows\{79E08CD0-23A2-48a8-AB57-950C1114670D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2528
                  • C:\Windows\{C3072667-FBAB-4797-95CC-9B0CE024ACDD}.exe
                    C:\Windows\{C3072667-FBAB-4797-95CC-9B0CE024ACDD}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2136
                    • C:\Windows\{1AFF0DB2-EB33-4bd5-AAB7-B3A32B2482FB}.exe
                      C:\Windows\{1AFF0DB2-EB33-4bd5-AAB7-B3A32B2482FB}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2984
                      • C:\Windows\{0C8175C8-D473-41f5-9580-FEE268BA2D3E}.exe
                        C:\Windows\{0C8175C8-D473-41f5-9580-FEE268BA2D3E}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2160
                        • C:\Windows\{7A676109-4E12-4e77-97D3-5731A2F4C41B}.exe
                          C:\Windows\{7A676109-4E12-4e77-97D3-5731A2F4C41B}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1936
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0C817~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:864
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AFF0~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2316
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C3072~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2260
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{79E08~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1084
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{DECB9~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2904
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{2A664~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1156
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CF3ED~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2124
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{15D30~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1120
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{FAD81~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDE12~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0C8175C8-D473-41f5-9580-FEE268BA2D3E}.exe
    Filesize: 408KB
    MD5: 97de3113e7ef808a966e18ae77bd7405
    SHA1: 96b2fe5e57370cf25d30ea699191a7e8645515d8
    SHA256: f3f006f2c36a151c7eac11d711ed0784cf6e988edfdae193d14f7d18353d3d96
    SHA512: 3362b954cbbc82b705d51927419397eeb19131ca31f5da8b9893e47ffd2022225ffdba7437bcd2c31f20f51e91f70037c1f51250ae11a0854616142950051164

  • C:\Windows\{15D30CCA-9B6E-460b-9722-A5E259489BB7}.exe
    Filesize: 408KB
    MD5: 3099f5afdad3576c8a30b1cc0e7e268e
    SHA1: 48e1c2773ad131d3edc87891b11ad06e20cf4689
    SHA256: 604a7efc992a4f68f9bb0a51fe7181b5864fc2480706e8fca1b3a72dbfeda426
    SHA512: 4baffa48e0f5f4b4909c82cf40ec489d3e605103a27b124eddace91f23e6a79339ac948db81ac84bf2ad325a2440bf29f7fe192ec34852024ef493ea44a3a3c0

  • C:\Windows\{1AFF0DB2-EB33-4bd5-AAB7-B3A32B2482FB}.exe
    Filesize: 408KB
    MD5: 099af2881333f3ac87ae184b66d76465
    SHA1: f3a423b8238b60db796db0121f42db850b4d408d
    SHA256: a700e3754a530d27cc558a69761026da2b2e6fb359096c3dcb1b92ad15cfc4bc
    SHA512: 5d3cafb3873c2d8882116e24b32130309fd9908f309651158dba02fb004cbe698e799dcfe16d66d5a5b87dcb01c13e3bd204e2f19fba4d259cc66eba8b7ac7e1

  • C:\Windows\{2A664382-B129-478d-9241-1D82409F36F3}.exe
    Filesize: 408KB
    MD5: feee40ab23fa0bca92e4d7389f800390
    SHA1: 336b662d7cbee8056bd8bbcf7e73e95a0a3ef7c6
    SHA256: 2716f043582d170d7608cf7f0959ca1fd1e2c67a02f933c7eda9542577628a0f
    SHA512: edff3be55ced7c30d22d7a07840b54940038038854c4ffdee40cfd9f65b63e2a9d23c8ad77b9f1bf743426f343f3a56c988c7aaba9d64e2ef5e39d56d80e6f4d

  • C:\Windows\{79E08CD0-23A2-48a8-AB57-950C1114670D}.exe
    Filesize: 408KB
    MD5: ec23a25e1a07f70d01843f9c10a1c78f
    SHA1: 1041df4d095a11fd3dad4a904c48fc5168e67a4c
    SHA256: 2deeeb3e093c5885bcba157127a29c7be093b59ca6e1e3749a99d1a6f3c25568
    SHA512: 3b45090aaf20cada3854a4ab839d3a29498d0f080b635dfbd6a97085c6ad5f23cfa46a2d9164383c59953a4b6fd76378bf60450d8cda9671dd39c34c0c56542e

  • C:\Windows\{7A676109-4E12-4e77-97D3-5731A2F4C41B}.exe
    Filesize: 408KB
    MD5: ec69db0aed0ce2e0d5386826e445e226
    SHA1: 8c70639f5471192f45833f75a26f513219fe2df1
    SHA256: 25f36d80a144a1051833e671feeb198a836398e6c936b40505d5973206f8661d
    SHA512: 37f3383705ac10563bebce038df97f3a68105b633e6cf74c2fc90539e4174058e4bf5b7221bff60042ecc836802465c2193b7fc620ed72a7a7ffc2fc1803dab6

  • C:\Windows\{C3072667-FBAB-4797-95CC-9B0CE024ACDD}.exe
    Filesize: 408KB
    MD5: 256c91d6f18f2a20dee5bad83f3ea1df
    SHA1: 7f57738ba09a640fe126fdabb73fc3b00420b5b5
    SHA256: c0e1cd0a6c25411fe6070944c690b0a650fe0fb94683c42c903810fd8e683c3f
    SHA512: c427c6b1cc1d696365a896a6ef5d9fa94e39e4e13dd68a5444e303d2d58a4a82f07364e96f4b8d1d5e6645c5bc9db566554512a21fc91bf09ef99a9ae7a5ef48

  • C:\Windows\{CF3ED2BC-DA36-4540-BCF5-EE8301A9EA83}.exe
    Filesize: 408KB
    MD5: 843c532ad8400342afc757eddb6a03b5
    SHA1: 2c5cbd7aa280c10fcf436b4adea457662497a5e8
    SHA256: 003d1e54a68e90d78849e5f35b29d69a645c90afffd12ea805321e136402936f
    SHA512: d6043c8a087ad9f6a4330779859441da3fcba0105b3426f3cbf2edab09f689d7a7a871338656c74f98645d9ecdbcb902eac51814637c53da1d663c5291a352c9

  • C:\Windows\{DECB95E6-8A9D-497c-A27F-86032B671F7B}.exe
    Filesize: 408KB
    MD5: f434c860a48737b3a5db0968ab978e6e
    SHA1: c1c22f6d3afd3cdc0eb20b9e9d289f23d34832e5
    SHA256: a8a067f96006ca5ae7931546b6023f63f0993d1892a6637d5723b42bd32932a4
    SHA512: 64a926cc6a10071ad36017ae854fe9822ffb2d1c8747597b065f213bb792c88fe6194f2dcff4eebfdf8fa05cf0c5cc020c0d23183a307287786bcf12a59f5bcf

  • C:\Windows\{EDE12397-A9CD-4b2d-9BEB-FB079A77C476}.exe
    Filesize: 408KB
    MD5: 8d6733761199dc07da809ca7a8600e14
    SHA1: fb24dab0d0abbe16a701e9ff493de1df00a8b65a
    SHA256: 1ddb6690b71bdc9504b4df73b396a983aa32cd9929a7eacd6f0c20e7c8168ab7
    SHA512: b700da93df2b7907e42a49f83f2424ffc48a88e924634a7b7818da2e48592b17afc59ad99982da73b0159710782fe0cbfe3c0838f6db2a0c1ccc6fc8d3e142c3

  • C:\Windows\{FAD810AE-16DF-435a-9E0A-EC6FE3EF504F}.exe
    Filesize: 408KB
    MD5: 2b598003402a1acf69cdc9ce13a72752
    SHA1: 7f1d59a8c8badddba68290a99622edcc9eda1490
    SHA256: 65a0c82c37e9c27e2d8650f69a3b80482b79cfe5e7b7df206feffec55db72652
    SHA512: 50e497aae4cc772a77fafb9295ea41a2ca765007ae414798f2d94022373d9f7bcb7eaf637d262b8a739c1af4ffc80fe78e6082c4bcec420c00ee6299af8eed8c