Analysis

  • max time kernel
    144s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/10/2024, 05:48

General

  • Target

    2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe

  • Size

    168KB

  • MD5

    ff3096404099df6df0b3ab73f94850ee

  • SHA1

    46fe57291ed5c6a386e9ca617f6bfb9b0e98f82e

  • SHA256

    1e376628cccd44fdf577f025c57391f359e9611c0153a5db49b718cf9b5e9d1a

  • SHA512

    096675d920e62cf972b0cfa6255b827ce716eda5e09f845854c799e2e07d7978ccea923a461843c9f69d36d9d3e639d891bc53d9b701c10b8d1d9e59a61fba05

  • SSDEEP

    1536:1EGh0oolq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oolqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
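
  The Active Setup signature above counts 22 IoCs but the report does not print the registry values it matched. Active Setup persistence works through HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} (and the WOW6432Node mirror), where a StubPath value is executed once per user at logon. The hunt below is an added example, not part of the sandbox report: it parses a reg-export style dump and flags stubs that are GUID-named executables, sit directly in C:\Windows, or live in user-writable paths. The dump is constructed; the two flagged entries are modelled on file names from the process tree and are hypothetical, and the ie4uinit.exe entry is a normal Windows component kept as a control.

```python
import re
from typing import Dict, List

# Constructed `reg export` style dump (hypothetical data, not from the report).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{56811ACC-C5B7-4c69-BCDE-F0266485F4DB}]
"StubPath"="C:\\Windows\\{56811ACC-C5B7-4c69-BCDE-F0266485F4DB}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1234ABCD-0000-4000-8000-000000000001}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe\" /silent"
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup"
    r"\\Installed Components\\(\{[^}]+\})\]$", re.I)
STUB_RE = re.compile(r'^"StubPath"="(.*)"$')
GUID_EXE = re.compile(
    r"\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\.exe$", re.I)
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def parse_installed_components(reg_text: str) -> Dict[str, str]:
    """Map component GUID -> unescaped StubPath from a reg-export text."""
    comps: Dict[str, str] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            comps.setdefault(current, "")
            continue
        stub = STUB_RE.match(line)
        if stub and current:
            # reg export doubles backslashes and escapes embedded quotes
            comps[current] = stub.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return comps


def image_from_stub(stub: str) -> str:
    """First token of the stub command line, honouring a quoted path."""
    stub = stub.strip()
    if stub.startswith('"'):
        end = stub.find('"', 1)
        return stub[1:end] if end > 0 else stub[1:]
    return stub.split(" ", 1)[0]


def classify_stub(stub: str):
    """Return (image, reasons); an empty reasons list means nothing suspicious."""
    image = image_from_stub(stub)
    low = image.lower()
    reasons: List[str] = []
    if GUID_EXE.search(image):
        reasons.append("GUID-named executable")
    if low.rpartition("\\")[0] == "c:\\windows":
        reasons.append("executable placed directly in C:\\Windows")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("user-writable location")
    return image, reasons


def hunt_active_setup(reg_text: str) -> List[dict]:
    findings = []
    for guid, stub in parse_installed_components(reg_text).items():
        if not stub:
            continue
        image, reasons = classify_stub(stub)
        if reasons:
            findings.append({"component": guid, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_active_setup(SAMPLE_REG_EXPORT):
        print(f["component"], f["image"], "; ".join(f["reasons"]))
```

  On a live host the input is the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and the WOW6432Node key on 64-bit systems); a stub that survives the checks here should still be verified by file hash and Authenticode signature, since a legitimate component can be replaced in place.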

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\{56811ACC-C5B7-4c69-BCDE-F0266485F4DB}.exe
      C:\Windows\{56811ACC-C5B7-4c69-BCDE-F0266485F4DB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\{BEF9C0AA-CC4F-4226-A20B-B311D86A5409}.exe
        C:\Windows\{BEF9C0AA-CC4F-4226-A20B-B311D86A5409}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Windows\{70BA1DD2-C0D8-443f-977A-6B223E578785}.exe
          C:\Windows\{70BA1DD2-C0D8-443f-977A-6B223E578785}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\{F3E56FD8-2709-49d5-854D-4B3C3A700A94}.exe
            C:\Windows\{F3E56FD8-2709-49d5-854D-4B3C3A700A94}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Windows\{81293FF5-E0D7-467b-835C-447C604A5141}.exe
              C:\Windows\{81293FF5-E0D7-467b-835C-447C604A5141}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3032
              • C:\Windows\{34F9F7A7-4AC9-4193-9820-65929D9D831F}.exe
                C:\Windows\{34F9F7A7-4AC9-4193-9820-65929D9D831F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:300
                • C:\Windows\{B74F4057-5651-43ab-9F6F-600522157C2B}.exe
                  C:\Windows\{B74F4057-5651-43ab-9F6F-600522157C2B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:756
                  • C:\Windows\{EFBD9981-A7A9-4079-BD05-DF364A7D46F4}.exe
                    C:\Windows\{EFBD9981-A7A9-4079-BD05-DF364A7D46F4}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1924
                    • C:\Windows\{FA630F41-DD46-4a28-A54B-D9E8EB3673AA}.exe
                      C:\Windows\{FA630F41-DD46-4a28-A54B-D9E8EB3673AA}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1072
                      • C:\Windows\{EF5A808B-1E1A-4b3f-9610-F4451E1FE54B}.exe
                        C:\Windows\{EF5A808B-1E1A-4b3f-9610-F4451E1FE54B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2192
                        • C:\Windows\{5E64E517-538B-4de3-B170-C6437A91197B}.exe
                          C:\Windows\{5E64E517-538B-4de3-B170-C6437A91197B}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1604
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EF5A8~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:536
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA630~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1940
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EFBD9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2184
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B74F4~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2720
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{34F9F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2452
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{81293~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1508
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F3E56~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2220
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{70BA1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3048
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BEF9C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2824
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56811~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2668
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2288
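
  The process tree shows two patterns a detection engineer would want to encode: each stage is a GUID-named executable dropped directly in C:\Windows that spawns the next GUID-named stage, and each stage is removed by a child `cmd.exe /c del <parent>~1.EXE > nul` that names the parent through its 8.3 short name. The detection below is an added example, not part of the sandbox report, written over constructed process-creation events: the PIDs, images and command lines of the first stages are copied from the tree above, while the explorer.exe parent (PID 1100) and the final cmd.exe control (PID 9001) are invented to show that a benign `del` is not flagged.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events: (pid, ppid, image, command line).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
STAGE1 = r"C:\Windows\{56811ACC-C5B7-4c69-BCDE-F0266485F4DB}.exe"
STAGE2 = r"C:\Windows\{BEF9C0AA-CC4F-4226-A20B-B311D86A5409}.exe"
STAGE3 = r"C:\Windows\{70BA1DD2-C0D8-443f-977A-6B223E578785}.exe"
EVENTS: List[Tuple[int, int, str, str]] = [
    (1100, 900, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),  # invented parent
    (2604, 1100, SAMPLE, f'"{SAMPLE}"'),
    (580, 2604, STAGE1, STAGE1),
    (2288, 2604, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"),
    (2932, 580, STAGE2, STAGE2),
    (2668, 580, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{56811~1.EXE > nul"),
    (2848, 2932, STAGE3, STAGE3),
    (2824, 2932, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{BEF9C~1.EXE > nul"),
    (3048, 2848, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{70BA1~1.EXE > nul"),
    (9001, 1100, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul"),  # invented control
]

GUID_EXE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r'\bcmd\.exe\s+/c\s+del\s+["]?(?P<target>[^\s">]+)', re.I)
# 8.3 short name: up to six kept characters, a ~N suffix and a three-character extension
SHORT_NAME = re.compile(r"^(?P<stem>[^~.]{1,6})~\d+\.(?P<ext>[^.]{1,3})$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def by_pid(events) -> Dict[int, Tuple[int, int, str, str]]:
    return {e[0]: e for e in events}


def is_guid_exe_in_windows_root(image: str) -> bool:
    """True for a GUID-named .exe sitting directly in C:\\Windows (not a subfolder)."""
    head, _, tail = image.rpartition("\\")
    return head.lower() == r"c:\windows" and bool(GUID_EXE.match(tail))


def relay_chain_findings(events) -> List[Tuple[int, int]]:
    """(pid, depth) for every GUID-named stage; depth counts the GUID-named
    ancestors above it plus itself, so a long chain stands out."""
    table = by_pid(events)
    findings = []
    for pid, ppid, image, _ in events:
        if not is_guid_exe_in_windows_root(image):
            continue
        depth, cur = 1, ppid
        while cur in table and is_guid_exe_in_windows_root(table[cur][2]):
            depth += 1
            cur = table[cur][1]
        findings.append((pid, depth))
    return findings


def self_delete_findings(events) -> List[Tuple[int, int, str]]:
    """(cmd pid, parent pid, parent image) when a cmd.exe child deletes its
    parent's own image, named in full or through its 8.3 short name."""
    table = by_pid(events)
    findings = []
    for pid, ppid, image, cmdline in events:
        m = DEL_CMD.search(cmdline)
        if basename(image).lower() != "cmd.exe" or not m or ppid not in table:
            continue
        parent_image = table[ppid][2]
        parent_name = basename(parent_image).lower()
        target = basename(m.group("target"))
        short = SHORT_NAME.match(target)
        if target.lower() == parent_name:
            findings.append((pid, ppid, parent_image))
        elif short and parent_name.startswith(short.group("stem").lower()) \
                and parent_name.endswith("." + short.group("ext").lower()):
            findings.append((pid, ppid, parent_image))
    return findings


if __name__ == "__main__":
    print("relay stages:", relay_chain_findings(EVENTS))
    for pid, ppid, parent in self_delete_findings(EVENTS):
        print(f"cmd.exe {pid} deleted image of parent {ppid}: {parent}")
```

  The same fields map directly onto Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) or Windows 4688 with command-line auditing enabled. Note that the image is C:\Windows\SysWOW64\cmd.exe while the command line says system32: the stages are 32-bit processes, so file-system redirection rewrote the path, and a rule that matches only on the literal system32 string would miss every one of these deletions.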

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{34F9F7A7-4AC9-4193-9820-65929D9D831F}.exe

    Filesize

    168KB

    MD5

    b2bbdf90d3499237dcad450dddaad7c1

    SHA1

    b088ca900ed9e029c4c23bc9a7b0a20951506c2e

    SHA256

    3d73081e72c165880c702fae9dc239b65b8dabed140663861f836e7d4101a6df

    SHA512

    be81e1a43464b9a1c3b2ac3092744849cc92076b068b1cca056ad4f604148e64f54681db9e1d40bc2d40df03b52d14f99f744c8dec8acf5bc965b09439fdc502

  • C:\Windows\{56811ACC-C5B7-4c69-BCDE-F0266485F4DB}.exe

    Filesize

    168KB

    MD5

    16ca9bd55c31d37320ac8c8fc26a72d1

    SHA1

    a64aa61a07fec6556adbfa0232e6a71a01d8cf8d

    SHA256

    de6cf921c90ca44cc3fb4bebc167d09b445b0402bfa8f4e26e3154787048131f

    SHA512

    a3f3a7e5c0d3a996b4468b50392b5edbe9e307341dab88502529b707440af1bc1ec66a447633fc1b5f4534c69fb5301c644c9e26cbc99c0bd0ee3e9f7f71d5ff

  • C:\Windows\{5E64E517-538B-4de3-B170-C6437A91197B}.exe

    Filesize

    168KB

    MD5

    d7861b03a55d2fce423e05ccba8d4fe4

    SHA1

    d1a4734befb9708363b95ef7aba3c4bac95321bc

    SHA256

    1f74559b830b75f0891c2345df6d5794122848210240f4d1d3016aa204a716b2

    SHA512

    4f2e4453f49a23ec2bc32d86f8326a88ad417638d12866d1e82a2e8b69ca9b659dda560fe01f1b71fdaf2252706bc85bba72aecf31e2389fe4d14977d9b9e8a5

  • C:\Windows\{70BA1DD2-C0D8-443f-977A-6B223E578785}.exe

    Filesize

    168KB

    MD5

    f183fc71f186c25d1b46a4bccc1f6bac

    SHA1

    559909b68c44ccba1775364c8fa48dea2297af9d

    SHA256

    e4561ef986351a605558f44f4566b5bfced2e4414cf24c05596247af2a04094f

    SHA512

    663fe295d5de3f3244319a92aeaf4e2f09d25f39951fce4c49d5f9343a6552c9fde1e9120746ae7b369ed3c841c2c62d4f6770698ef9fd514384843386d348ce

  • C:\Windows\{81293FF5-E0D7-467b-835C-447C604A5141}.exe

    Filesize

    168KB

    MD5

    8ea05ef0c9b20d42e8d37a549f1dbcd2

    SHA1

    2de96a56b3e4b5ef925c60fc3d9dd5854683ab0b

    SHA256

    e276fffd54bf3fc184eb6272516ee60b9587d87dd85cc1795c483b9674858232

    SHA512

    8c2c79ccde24bfb4e06448ea2771fa5c0913310f3e409a3203b62ab59e21aa144909b61ec4ff94c7dbcd52083e11594b8774a084e59d9b3371976cb622c3dff5

  • C:\Windows\{B74F4057-5651-43ab-9F6F-600522157C2B}.exe

    Filesize

    168KB

    MD5

    35cc614ce3ba2989a61cb97380242de3

    SHA1

    a32a708c217423b4f9cbe4dce95caccf9717fd7a

    SHA256

    f2d581771991c8c8d38070e70dace0836f4a44d7d69ec6d6673d889f715997ac

    SHA512

    45d3a25a140dde4f73e893aff64947ac19f989af9b1bc414e565b7bc47c24a6b07779de1b48da1e32e651951de765fac04d6ba40ad0ed26211ef8aad17d65240

  • C:\Windows\{BEF9C0AA-CC4F-4226-A20B-B311D86A5409}.exe

    Filesize

    168KB

    MD5

    f02e9ea18f81ac2b792c32580d70172c

    SHA1

    87ddd79b2b8e19239c9c8af6bf441d58321ebc90

    SHA256

    6f0d806c543008196deac980a140d542593f3158d3fa2603a74a2716ab5cc55b

    SHA512

    9fa01fd93626ded77ce7f1115c6d4f93a560ad84c2ba4a9496d2d16caf0a84c5149215d40f2ce7850805f0b908828c66bac48b861ecc592f442432e0c896c7f0

  • C:\Windows\{EF5A808B-1E1A-4b3f-9610-F4451E1FE54B}.exe

    Filesize

    168KB

    MD5

    5488337c848770bbfcf1e93725654312

    SHA1

    2fdfb7379f74cb4e179d9f196b607aabec29e5bb

    SHA256

    eb244616fb0396fc415705d9b29314389e86bc9a248436099f697683a8bb49e2

    SHA512

    34264204c0177a01c0e2931194a7ccc119b1988927193f65c248b369f9629719378326e51234979a5fb6abf262b49b85045e849aa95e919b7a483256d403eafe

  • C:\Windows\{EFBD9981-A7A9-4079-BD05-DF364A7D46F4}.exe

    Filesize

    168KB

    MD5

    12ecaf10cadc048ba969992003dd6eaf

    SHA1

    7be76f8622f23460220ece7321df2c3cfe9e7705

    SHA256

    a93b79baa1cf53a781bc761db7bb62faf22e368245f4d166418c306cffa73bec

    SHA512

    ca6b3292b9e1826418cad0ae47e67ad22f2f0ad051896d92fe242c12b7409644f4375af4e6831fb0783d040a86fa885aa2b4dbcf0093082b336dc31d86b568e3

  • C:\Windows\{F3E56FD8-2709-49d5-854D-4B3C3A700A94}.exe

    Filesize

    168KB

    MD5

    b98fc17f280bc3a4fb5c13ee1c68e5da

    SHA1

    8605e76390a4db3902dcbe5b6715cc483b76f631

    SHA256

    bed7dac7e761e48c71bce071e56d7f6ff8c9fc01c21fdfa5f13b01ed21885087

    SHA512

    3303afc56fc2d3f3424481317afd4960765e4cf9d301a8820bf3c86caf85a5ec3ec3cb0a79248477ab0840c05a372601a9ce65a716bddee348596cf2981349ec

  • C:\Windows\{FA630F41-DD46-4a28-A54B-D9E8EB3673AA}.exe

    Filesize

    168KB

    MD5

    80ae44131ed651816d6aa931250d7486

    SHA1

    3ad91232a8635fc7ecdc3142f1a3589a1a70f746

    SHA256

    e12fd224c196dd246d5f04ffe0b5bdc3f52d18ecea408cd3ebc4603e65468854

    SHA512

    68aac58ff786a278333831a128246227de8e1d57db881d2f9f26e5a3c86110288a07200ba6fc889eff96aecf2ca8772bdf19fe047e57b84fd7fae2ee24b1f03b