Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2024 03:30

General

  • Target

    2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe

  • Size

    408KB

  • MD5

    3eead2881c1f747f622951ab207e3d6c

  • SHA1

    a59f7b499a2c52bc944bc1c640b79c5910ab598c

  • SHA256

    de2a00b71bacb015bc38112a3988987fbda6fe9da3053898d75b0d3d9375733e

  • SHA512

    8e9f12d8a704ec08ef52d69e93697e7333a06114b6d38419937a74f83cd0e9803c89232d8376482b152521a657d5745916804ad30bd6c5cb2561b4a678a7ad8e

  • SSDEEP

    3072:CEGh0o5l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGHldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\{A6E12F6A-C6CA-43f7-B28C-D6306184FADE}.exe
      C:\Windows\{A6E12F6A-C6CA-43f7-B28C-D6306184FADE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\{25D97132-8157-4360-8C3F-9F022B769DB3}.exe
        C:\Windows\{25D97132-8157-4360-8C3F-9F022B769DB3}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\{0D68A455-C443-4017-A45E-F56DD9121573}.exe
          C:\Windows\{0D68A455-C443-4017-A45E-F56DD9121573}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\{D4672468-5F6F-4295-BEE5-B4CD1BEA4E55}.exe
            C:\Windows\{D4672468-5F6F-4295-BEE5-B4CD1BEA4E55}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Windows\{183856D7-2423-4248-8326-70A7C5157C3B}.exe
              C:\Windows\{183856D7-2423-4248-8326-70A7C5157C3B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2940
              • C:\Windows\{0797BBFE-CB8B-4b2d-958F-ED8FCEDA1A2F}.exe
                C:\Windows\{0797BBFE-CB8B-4b2d-958F-ED8FCEDA1A2F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1344
                • C:\Windows\{874A2F4D-94BE-4d6c-835D-A97BC5992B3A}.exe
                  C:\Windows\{874A2F4D-94BE-4d6c-835D-A97BC5992B3A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1164
                  • C:\Windows\{0E4D1346-CFD4-4b22-A40C-E3A02D648E96}.exe
                    C:\Windows\{0E4D1346-CFD4-4b22-A40C-E3A02D648E96}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:376
                    • C:\Windows\{B6FCBD6F-EE3E-4219-9145-4572A100E219}.exe
                      C:\Windows\{B6FCBD6F-EE3E-4219-9145-4572A100E219}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:664
                      • C:\Windows\{6C000E59-74A6-48cd-A627-C9B9C8EF1A88}.exe
                        C:\Windows\{6C000E59-74A6-48cd-A627-C9B9C8EF1A88}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1128
                        • C:\Windows\{DE0731CE-4452-4677-9B06-18EF3857C1F9}.exe
                          C:\Windows\{DE0731CE-4452-4677-9B06-18EF3857C1F9}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2512
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6C000~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:872
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6FCB~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2804
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0E4D1~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:972
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{874A2~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2384
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{0797B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:324
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{18385~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:304
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D4672~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2008
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0D68A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2560
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{25D97~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6E12~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Downloads

  Eleven copies of the sample (each 408KB) were dropped into C:\Windows, one per stage of the process chain above:

  • C:\Windows\{0797BBFE-CB8B-4b2d-958F-ED8FCEDA1A2F}.exe
  • C:\Windows\{0D68A455-C443-4017-A45E-F56DD9121573}.exe
  • C:\Windows\{0E4D1346-CFD4-4b22-A40C-E3A02D648E96}.exe
  • C:\Windows\{183856D7-2423-4248-8326-70A7C5157C3B}.exe
  • C:\Windows\{25D97132-8157-4360-8C3F-9F022B769DB3}.exe
  • C:\Windows\{6C000E59-74A6-48cd-A627-C9B9C8EF1A88}.exe
  • C:\Windows\{874A2F4D-94BE-4d6c-835D-A97BC5992B3A}.exe
  • C:\Windows\{A6E12F6A-C6CA-43f7-B28C-D6306184FADE}.exe
  • C:\Windows\{B6FCBD6F-EE3E-4219-9145-4572A100E219}.exe
  • C:\Windows\{D4672468-5F6F-4295-BEE5-B4CD1BEA4E55}.exe
  • C:\Windows\{DE0731CE-4452-4677-9B06-18EF3857C1F9}.exe