Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-10-2024 14:38

General

  • Target
    2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe
  • Size
    180KB
  • MD5
    cacfd063d386abc10d049f18c8a1a59b
  • SHA1
    ab7984ae095a22cf2fcfcbce3f67a55407fbaee6
  • SHA256
    6a06e947380a9fc3df7822b5a76e344e4d725deff627900cf15a9323c29f9e22
  • SHA512
    a8ee3f99cbab1d4d7b5c0b019925fc1715f0c0a9413f6c325cbc0d18b56f2c01f5d50ee132998a9e286a68d72c64ad2394f677b3e56eeed0d12c210b3934f7e5
  • SSDEEP
    3072:jEGh0ojlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\{B638CF63-5C20-44f8-AE78-8E4648626754}.exe
      C:\Windows\{B638CF63-5C20-44f8-AE78-8E4648626754}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\{B6FF883A-89B3-45fb-AADD-6DB53AFAFEAA}.exe
        C:\Windows\{B6FF883A-89B3-45fb-AADD-6DB53AFAFEAA}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\{98989FE4-390F-4482-A63A-D6A81A509BDD}.exe
          C:\Windows\{98989FE4-390F-4482-A63A-D6A81A509BDD}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\{92160BEE-A85D-4fe0-B938-DF99273D8668}.exe
            C:\Windows\{92160BEE-A85D-4fe0-B938-DF99273D8668}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\{503C6AF0-EC99-413e-AF02-19D4A6ADE4B5}.exe
              C:\Windows\{503C6AF0-EC99-413e-AF02-19D4A6ADE4B5}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3052
              • C:\Windows\{DDFEF87D-A3D8-45d9-9A21-7700954F3EF8}.exe
                C:\Windows\{DDFEF87D-A3D8-45d9-9A21-7700954F3EF8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1064
                • C:\Windows\{830B6D77-565B-4b39-952C-F998D980F797}.exe
                  C:\Windows\{830B6D77-565B-4b39-952C-F998D980F797}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1412
                  • C:\Windows\{1DE9B199-A185-46dc-BC27-30658A417DBC}.exe
                    C:\Windows\{1DE9B199-A185-46dc-BC27-30658A417DBC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2700
                    • C:\Windows\{3794AA77-7E54-450f-B61A-973204877DE0}.exe
                      C:\Windows\{3794AA77-7E54-450f-B61A-973204877DE0}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1964
                      • C:\Windows\{91AFC63A-0CCE-405a-9444-359CC1EB23DC}.exe
                        C:\Windows\{91AFC63A-0CCE-405a-9444-359CC1EB23DC}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1728
                        • C:\Windows\{0B4F2B3B-3DFB-48c3-8BE7-270267577F29}.exe
                          C:\Windows\{0B4F2B3B-3DFB-48c3-8BE7-270267577F29}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2272
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{91AFC~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:944
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3794A~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1352
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1DE9B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:680
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{830B6~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2152
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{DDFEF~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1724
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{503C6~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1236
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{92160~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:496
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{98989~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B6FF8~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B638C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1928

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0B4F2B3B-3DFB-48c3-8BE7-270267577F29}.exe
    Filesize: 180KB
    MD5: 25473e78d00983775f8c20b5fdc5f980
    SHA1: 660238f90b1482aac9fda03b073efcda7209ef79
    SHA256: 94a9b8a91b382458f00e7b7cb15dca2513a27282db15330f778c053d78b64fe8
    SHA512: a66a9e9ccdfe9eb4fc48dc042cfc1de3dbf555f697f07926b4079c897901feacdb497ffca8e757fb1e9b0ba4ba225d36eb8a7a06936c35cb413042db57dc8724

  • C:\Windows\{1DE9B199-A185-46dc-BC27-30658A417DBC}.exe
    Filesize: 180KB
    MD5: 127b86e004809c5a01abe0d904af2e36
    SHA1: 98444c684f1788eae8a6e3917e803030888a47f3
    SHA256: ee7592ed8b3988c4371cb9fcffaa1078669ab991a0d2289eccfd4121031aa3a3
    SHA512: f56507abb421a3e943b21e8cf8f909bf3c8117d2941ba718d4b78128c9e200a8af835af75f5b8e3f154b531338c34053066b1f15e5705156b2182db5e9df5648

  • C:\Windows\{3794AA77-7E54-450f-B61A-973204877DE0}.exe
    Filesize: 180KB
    MD5: 54a08e8c9123d1f52d56e9d8c17d9396
    SHA1: 3c8b2bc33d5093e504aba079dea017c45eb55ed7
    SHA256: 91980704fc2dc3e4145f2d376d2895b5cf023d503a562d11673487bad6f6d033
    SHA512: 4dfb1851fdd61305400c0adf54b3b8631d5e25b6181a89af11965d59ed8d3eb01dedc6cd12e926eda1862bb1d297842bd960283879992fff090d39f4550f5e3b

  • C:\Windows\{503C6AF0-EC99-413e-AF02-19D4A6ADE4B5}.exe
    Filesize: 180KB
    MD5: 0a0eaed7a30c9042753978cb7ea64190
    SHA1: 08f9f04fe0742d4508e891758c35e9b925ac20be
    SHA256: 03ac68d41a59ab604277b9e03447193ec0df30f89a883316c6e171df5197dd6a
    SHA512: bc7543aac4e8580ea5c5104ec05e3fa5f983d4837e6e27745e41ed95efe45f1c4db1894b5b20f7931985a07a727d95b940d898b4183c7a7167f20b257bdde6b3

  • C:\Windows\{830B6D77-565B-4b39-952C-F998D980F797}.exe
    Filesize: 180KB
    MD5: 486b3cdaa762fc2beccb09fbfbb5c311
    SHA1: e3fc656b6fb29b85a82dc21bd01e87bb21581a11
    SHA256: 19ef11a2fb4b853017d76ba94729c439ecf193c1a5674fbc76a9814747721ed1
    SHA512: e6e89be5bc26f44fd87540298759ed0aa69a06c6e4c92be0e304f6f0d59859b3afe078b612031426b788631d2fdb3b215837387e01dda775700189a1ca59c742

  • C:\Windows\{91AFC63A-0CCE-405a-9444-359CC1EB23DC}.exe
    Filesize: 180KB
    MD5: b8d4e8128826cf3da49f74ac246857c4
    SHA1: 99f5702d545c48ec40fcc41c56f43b8ec8da1d1b
    SHA256: e9ad0f29055145b1eba22a1f76da07744accaafad5bef5dbf750ca89fde2a55c
    SHA512: a32c024bf9e2f91eed370e0b93e717c662ec5f8a7a9474f22a9471f530c6110081a5a2e1fb3f7ca92cc7be67b0d3711246ff0d8c9446df64e9e89496d043a4a3

  • C:\Windows\{92160BEE-A85D-4fe0-B938-DF99273D8668}.exe
    Filesize: 180KB
    MD5: 7358afd1d137a7989cb5255b97fb943d
    SHA1: c2881664ec1ea5da26c8305f9b4437977fb1a51a
    SHA256: cd5bce2a69597f97ec31a39f65254e25d30a44991240ea6436d67a46d02d8dea
    SHA512: a461e75dd6d9789197ab14372ff817263a6365674dc0fcc64e6008c50f102f72a51f35da00af38f2db2ef9f45728c16fe687b4c6aeb91024894d52fdb5e569c9

  • C:\Windows\{98989FE4-390F-4482-A63A-D6A81A509BDD}.exe
    Filesize: 180KB
    MD5: 27fad422b6c0f7495ce0563b53ced62c
    SHA1: ae294cabe94503a94a229f30fcd42d8e5a8897bc
    SHA256: 5aa76da701e3db0bef58e4305e767971625bba31175c12fa07d5c3f7d1f1df83
    SHA512: e8d64e5d86c02c80db2f1981ecdd42b270a52848e2bb77af31b2c8db5c6a6bb3b85c6a88b0b8eaf1b91c3aab238a7bf7583210fc6bf2be8859cb01dbcf6a6ab4

  • C:\Windows\{B638CF63-5C20-44f8-AE78-8E4648626754}.exe
    Filesize: 180KB
    MD5: 3983f5611d7a605308c5281b1b47706a
    SHA1: 8b4fbeb30fae81a2ca36224105c86eea2bc6616b
    SHA256: e8073cd3615c7ca73e484fcdc7a4643a44f2b699574922e51c125d4ce5c77aba
    SHA512: d578e7af59518ead47306bd7f152c28cb5b438984f5cc090190195d2a0e5bc91b106b93f34e24ef9f5739ece0f51eacd1d02b6aed42f7caa75f29202fcc222e4

  • C:\Windows\{B6FF883A-89B3-45fb-AADD-6DB53AFAFEAA}.exe
    Filesize: 180KB
    MD5: 8c784ad8ffca0408557eb4fcde10a2a5
    SHA1: ffe47129f26a4f11987215f8a6fd27d35b3565cc
    SHA256: 4eb577dc70214dd884d30772092f95e3faa85c7821d4c90c5080d9d6cec19b7d
    SHA512: caa0d7633febbdd001ca2b2ee22ce396960920dd83212b36d172113be8f7f1d5589aa7d608702b51ae45d749d00c2e2fe631fee510b2ef202445715d71e7213a

  • C:\Windows\{DDFEF87D-A3D8-45d9-9A21-7700954F3EF8}.exe
    Filesize: 180KB
    MD5: b0436ba764f9ab66c785f517c396e083
    SHA1: 3267d5b8e671193e5832255d2575f2109c034e7b
    SHA256: de9993013481a5cfac5545cb1d2cc263249923c1bb93cfba8d69186d242ecdd2
    SHA512: 711e98c8e0059af49201428542b78a9cfd0f0b97234827c0c390765b770cca12d536235885e2f2a4f6a5457166691d6683a87dfad9abb7015b12ad3281e7cd88