Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/10/2024, 10:25

General

  • Target

    2024-10-06_0d0f19492a17885ada66c4cee0fa248f_goldeneye.exe

  • Size

    408KB

  • MD5

    0d0f19492a17885ada66c4cee0fa248f

  • SHA1

    3456bc24c93dede7d24a7f1332da33c5ba683c87

  • SHA256

    52ce7323543ab48ed9a816a8ceb1c67b4fabb0d8309ba2bc170569f7df0aacb5

  • SHA512

    c0eed661878c4fcbd15a8374491166847805d7dc539ef02b6dfbe8d680e1bdbc5c78977b84be7fed9a17e68e7363f7e1fc1daa30b26412d07e448d1818bd2f08

  • SSDEEP

    3072:CEGh0oAl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGyldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-06_0d0f19492a17885ada66c4cee0fa248f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-06_0d0f19492a17885ada66c4cee0fa248f_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\{35FADD8E-9EFA-46a2-8A52-74A80FE957A0}.exe
      C:\Windows\{35FADD8E-9EFA-46a2-8A52-74A80FE957A0}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4204
      • C:\Windows\{712CDE77-DE44-474d-B886-E7CAC12D1551}.exe
        C:\Windows\{712CDE77-DE44-474d-B886-E7CAC12D1551}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\{7D37AEB7-07C5-4ba1-85CD-811772DD7101}.exe
          C:\Windows\{7D37AEB7-07C5-4ba1-85CD-811772DD7101}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:940
          • C:\Windows\{3AB7FA27-7333-44fe-AD6E-9F95E9A67352}.exe
            C:\Windows\{3AB7FA27-7333-44fe-AD6E-9F95E9A67352}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\{9B8D438A-3524-4292-95FE-01D9AD256906}.exe
              C:\Windows\{9B8D438A-3524-4292-95FE-01D9AD256906}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1152
              • C:\Windows\{609D5266-1258-4f28-90AE-42D789B004A8}.exe
                C:\Windows\{609D5266-1258-4f28-90AE-42D789B004A8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3244
                • C:\Windows\{B61F06C4-3981-4f11-B5C9-D50EB38EB4A8}.exe
                  C:\Windows\{B61F06C4-3981-4f11-B5C9-D50EB38EB4A8}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2512
                  • C:\Windows\{9AFE07C0-1949-4d4f-BAFF-006AD591AB6E}.exe
                    C:\Windows\{9AFE07C0-1949-4d4f-BAFF-006AD591AB6E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4944
                    • C:\Windows\{211BF42F-DE85-4cc8-9BCE-8844DF404CD0}.exe
                      C:\Windows\{211BF42F-DE85-4cc8-9BCE-8844DF404CD0}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4332
                      • C:\Windows\{8D18CF61-3EEF-453a-A4FF-6266E0BECBC2}.exe
                        C:\Windows\{8D18CF61-3EEF-453a-A4FF-6266E0BECBC2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1472
                        • C:\Windows\{FF0B5FAC-E8A9-4d13-9F16-4BABBDD99CAD}.exe
                          C:\Windows\{FF0B5FAC-E8A9-4d13-9F16-4BABBDD99CAD}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:992
                          • C:\Windows\{1B417B5D-BEF6-49e6-AC9F-DE401D0B5FB3}.exe
                            C:\Windows\{1B417B5D-BEF6-49e6-AC9F-DE401D0B5FB3}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:928
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{FF0B5~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1316
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8D18C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1996
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{211BF~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2676
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9AFE0~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2488
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B61F0~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2348
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{609D5~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3728
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8D4~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1236
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{3AB7F~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1056
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7D37A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{712CD~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1868
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35FAD~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2448
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:372

Network

MITRE ATT&CK Enterprise v15

Downloads
