Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-10-2024 14:07

General

  • Target

    2024-10-09_59a7cad49562e96f37763b21331008f3_goldeneye.exe

  • Size

    408KB

  • MD5

    59a7cad49562e96f37763b21331008f3

  • SHA1

    22b1ce74c5949d4c0e93281bf81394dbd980b5ef

  • SHA256

    1071dc1e1f3e842fe93982096869a185b700646b9ae076dd401b76bf27bb8157

  • SHA512

    b54a9130e89e1dac839e29ec7e17dda39bb434b9df0b352445005dc1e4ac2276caa1cbabb8843520ae2a98a186eb2603adfdb508c11e9d8bf8c7b29c71b87ef4

  • SSDEEP

    3072:CEGh0oml3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG0ldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-09_59a7cad49562e96f37763b21331008f3_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-09_59a7cad49562e96f37763b21331008f3_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\{564E4AA3-2B71-41db-85A2-4DC76503762F}.exe
      C:\Windows\{564E4AA3-2B71-41db-85A2-4DC76503762F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\{5D79D3EF-84CF-4a3c-B77F-AF1B7BA60F27}.exe
        C:\Windows\{5D79D3EF-84CF-4a3c-B77F-AF1B7BA60F27}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\{F0442B9D-FF2A-40ba-A4BE-D2A66907D9BF}.exe
          C:\Windows\{F0442B9D-FF2A-40ba-A4BE-D2A66907D9BF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Windows\{CB0FAFB2-7E3B-44f9-93FF-AB20A4889443}.exe
            C:\Windows\{CB0FAFB2-7E3B-44f9-93FF-AB20A4889443}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:804
            • C:\Windows\{343CF118-64B5-43d2-9F91-00BA3B37E51C}.exe
              C:\Windows\{343CF118-64B5-43d2-9F91-00BA3B37E51C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2208
              • C:\Windows\{14F8803F-F841-49f8-BCED-AA902B5C39C0}.exe
                C:\Windows\{14F8803F-F841-49f8-BCED-AA902B5C39C0}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2828
                • C:\Windows\{7E1B2E23-6C56-4bf5-8B80-683FE07A1C49}.exe
                  C:\Windows\{7E1B2E23-6C56-4bf5-8B80-683FE07A1C49}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2692
                  • C:\Windows\{D2A738A8-DA76-42b1-995C-E239D6C57EBC}.exe
                    C:\Windows\{D2A738A8-DA76-42b1-995C-E239D6C57EBC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2904
                    • C:\Windows\{3EE327E8-79FC-46ca-A6E2-00FEE577CEBF}.exe
                      C:\Windows\{3EE327E8-79FC-46ca-A6E2-00FEE577CEBF}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2020
                      • C:\Windows\{16608375-F985-463e-8AA5-C89FFC8C1E50}.exe
                        C:\Windows\{16608375-F985-463e-8AA5-C89FFC8C1E50}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2160
                        • C:\Windows\{A3000C7E-9BB0-467f-9DC3-D6AF087A6D49}.exe
                          C:\Windows\{A3000C7E-9BB0-467f-9DC3-D6AF087A6D49}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{16608~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1744
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EE32~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1884
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D2A73~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2488
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{7E1B2~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2416
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{14F88~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1848
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{343CF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1528
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CB0FA~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2128
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F0442~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5D79D~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2548
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{564E4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2676
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{14F8803F-F841-49f8-BCED-AA902B5C39C0}.exe

    Filesize

    408KB

    MD5

    69c9a3b29c4b5baca569b9f83cd3c47e

    SHA1

    a2a1a42a411f5857e774ec63be29790de5aed0e4

    SHA256

    e3077ef8f9df423fa06987d284695e75b3af8333043072d537225f5b4e380f0a

    SHA512

    0f212f470b17bec294dcc28cbea836e79ee983d1343534977b0c29a6a1b43ba41b9582785689e19b91f64d1b42787fe16ce348757f94763d7ab5f5f0c36e45f0

  • C:\Windows\{16608375-F985-463e-8AA5-C89FFC8C1E50}.exe

    Filesize

    408KB

    MD5

    5b985cc219b66dd35d90bf76de07222c

    SHA1

    b3e74dda260f70d5c17bf694bb8736ae5c87e6fd

    SHA256

    56c46bb6c3eb25e994bdd71848f69c4bd33ccf756e67058c8dacbba793c26436

    SHA512

    0e086053fad23dd0c1f99634a093f5e609ec9455adf2e934f47a4f1b41f4436d81fefae2980945a6c6091126e924c8382c620084c0cc9c37d858cc7b60769ded

  • C:\Windows\{343CF118-64B5-43d2-9F91-00BA3B37E51C}.exe

    Filesize

    408KB

    MD5

    8ace244a828c663ac5973ece4b811020

    SHA1

    31ed48652bd0f51090cdba5078dcc1613e3ca72d

    SHA256

    b70542714d2dae75031518fd92957f32974371f6015fe03f4efeeccaa0c2ee4e

    SHA512

    0d2e5a0fedf2594397eb17ccd663887441a3447655049ef838c982e9bd497e4175360690cea8c9923861e0768e1e10bc7a26e0cc6f5292489c142ce85e621c9b

  • C:\Windows\{3EE327E8-79FC-46ca-A6E2-00FEE577CEBF}.exe

    Filesize

    408KB

    MD5

    673026086e6d2fc599ea3c4bc7ca14a5

    SHA1

    f293558c05f5948244caf0583fce4f9ba664f2ae

    SHA256

    6833e5506ed7f93905b5fa8c1ce98daff0ca2142aa008cfaa4b219b7a4e2c37a

    SHA512

    74519a90f250fe3d9450a17b756a60267bd314375e6900dcafbf677450fd412b8f72e2a13f468e2b553c72b0bf00d674109891f273afee9bba99c3f815d19281

  • C:\Windows\{564E4AA3-2B71-41db-85A2-4DC76503762F}.exe

    Filesize

    408KB

    MD5

    0018ac756a8e726e5b3da7c73c458fcb

    SHA1

    c2603669c61af7b2c2a6f2113adeb009cc280a84

    SHA256

    4ed413611bb4a5689805ed25a2542cf53b8aca50665d9b81257f77a43719fce0

    SHA512

    d85518d816d4592020a3301ab4f59b561f2c295de53e10b80c5fff997dbeff39d98df50223b1f6a78d0784deee1e65d26489bd939f0ee7b9694293b93e0615d6

  • C:\Windows\{5D79D3EF-84CF-4a3c-B77F-AF1B7BA60F27}.exe

    Filesize

    408KB

    MD5

    6d6642d4888915a3e54d18c95f61b66c

    SHA1

    4e06e5051c67aaa7565c5c951b67b60718ecdcba

    SHA256

    14d1bd2d2eb104ae0a0eb2a42f32c023a32e5ccf93e4c42183b0526df0d272e5

    SHA512

    2a09202449c18c7530cd2f755563a250959f28728495f45b673335ae733d821ae1c5371bc865f681b0f6779bc0bfcdc8bafcad02f33c023ab6e24364ffe56eb0

  • C:\Windows\{7E1B2E23-6C56-4bf5-8B80-683FE07A1C49}.exe

    Filesize

    408KB

    MD5

    e17fc81e02df70d5d11ad753a90fe080

    SHA1

    372cee761832150b0b1a8a003e97b38e8d92945c

    SHA256

    ead8ae7e722a150797c1cd6cc5f1f43111640a86aa36227e61bc4e7e9ae12820

    SHA512

    7bf4503d738825248b2af69b24fa46e17d8352f288f7d3d44fc1ef09861a9221d29e817ebfbdab4a2f312fdeffc3b5c0239be6f7a2301993c5438a2650e46ce8

  • C:\Windows\{A3000C7E-9BB0-467f-9DC3-D6AF087A6D49}.exe

    Filesize

    408KB

    MD5

    a9c12fff039d66756651a3eb03fb78bb

    SHA1

    33a9b4e0c011cd8bef28317e107b26c04d7362b2

    SHA256

    1eb52c3e49694362a92fddf6b38e707dd459ab2f124ba9b178b4abd13be4d89d

    SHA512

    1976cb1587568ef896c775d268e3059a2043c181ac2ef3a3c7b7b4ad4e8f539bb2518945391a642e13bfb26b9d786d9e24ed62a8b6600aa8bcd9a4eafbc3902a

  • C:\Windows\{CB0FAFB2-7E3B-44f9-93FF-AB20A4889443}.exe

    Filesize

    408KB

    MD5

    c57994ac3680d2331184f33f65305c0e

    SHA1

    85a1e4240ed431da7e16cf4f4a5ea8ae87d2a759

    SHA256

    370ed1ffb8c3ce3767dffcecb411636cc373f2277ee7c39a6c4ecd5e94db9448

    SHA512

    9068bc051ecc864110d06e43fb62caeee21406b49ac018e0603a602fcd34466c3183ae38fc0394502f6562ecb81d0c732d0bda631c3d332f1ab5e9f01b585828

  • C:\Windows\{D2A738A8-DA76-42b1-995C-E239D6C57EBC}.exe

    Filesize

    408KB

    MD5

    0752072399855e8affeac17781e8b23a

    SHA1

    d5169214006b1379a114fa6c7538897d339eb4ef

    SHA256

    c77bdebe8f15ba82cef6cd1d54f2ca1e5f42ea9e5fab8451d443439a7d3e8cde

    SHA512

    576e9a3c20ec6c4e75c8428d81d5c33bf38d1436e5ebe1a5d9f46163cffa8747dfa0ad1233668353729fb6cd67014f49921d9797a6863623572dd3da6459c567

  • C:\Windows\{F0442B9D-FF2A-40ba-A4BE-D2A66907D9BF}.exe

    Filesize

    408KB

    MD5

    94aa16b6e192673453c0762c683ae54b

    SHA1

    5808d2683111ba2b171c19d08167f8199b7abaed

    SHA256

    d4bc62d95d92aa448e2b28210cfd9595b6bdfc2a0cfbb6146aa22854a90ac629

    SHA512

    e6d2d476b9880e38df52372af65bb3169ae61d3bbbda10c07599a2b11d72208a77c1d51d8066f58506ba7a25ef7bfa761bf1f25c5db23a1597630d97bd7c96eb