Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2024 10:02

General

  • Target

    2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe

  • Size

    372KB

  • MD5

    f2de1dcc1aa5d57624473e92a6bbcab7

  • SHA1

    05277f83e4f261c7df9e7860d873c4df64b18584

  • SHA256

    bc40de42f21116925de31b5be765772fd934bd7d23ff0079db5a5280bdf0afeb

  • SHA512

    cd02c43830105e68a6931ea094ee81774cd827eecd793f4c93fb9887e394ba5409cb5973a163b6134c1d371dcdd9cfe3e36e903877c327dda963ff24ec1e29e7

  • SSDEEP

    3072:CEGh0o/mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGMl/Oe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\{E1F9DC97-B964-47d8-88D9-E621790CA326}.exe
      C:\Windows\{E1F9DC97-B964-47d8-88D9-E621790CA326}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\{D83CEA4C-12A4-4e84-94B2-271051860FF9}.exe
        C:\Windows\{D83CEA4C-12A4-4e84-94B2-271051860FF9}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2320
        • C:\Windows\{71F32131-4CBC-4d65-B14E-8410EDAD423D}.exe
          C:\Windows\{71F32131-4CBC-4d65-B14E-8410EDAD423D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Windows\{060AE027-A6EF-41ac-88D6-24C1FB4F6FD1}.exe
            C:\Windows\{060AE027-A6EF-41ac-88D6-24C1FB4F6FD1}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Windows\{16EF236D-4767-4434-8BD8-A567F8AC1764}.exe
              C:\Windows\{16EF236D-4767-4434-8BD8-A567F8AC1764}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2692
              • C:\Windows\{BA0FDF86-18A0-4dce-9D85-49310289235E}.exe
                C:\Windows\{BA0FDF86-18A0-4dce-9D85-49310289235E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1232
                • C:\Windows\{5D058389-99B2-4a6c-B794-0A0CC65D58C5}.exe
                  C:\Windows\{5D058389-99B2-4a6c-B794-0A0CC65D58C5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2040
                  • C:\Windows\{E5881930-A9A3-4094-9187-A57F31242046}.exe
                    C:\Windows\{E5881930-A9A3-4094-9187-A57F31242046}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:376
                    • C:\Windows\{A6B2E94C-42E4-4284-A65B-30E44D0014F7}.exe
                      C:\Windows\{A6B2E94C-42E4-4284-A65B-30E44D0014F7}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2288
                      • C:\Windows\{829AB9BB-770A-42df-821F-90A60DDA72FC}.exe
                        C:\Windows\{829AB9BB-770A-42df-821F-90A60DDA72FC}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2376
                        • C:\Windows\{7DE9CD76-A686-40cf-B0E9-4A1B4EF441D1}.exe
                          C:\Windows\{7DE9CD76-A686-40cf-B0E9-4A1B4EF441D1}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1088
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{829AB~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1332
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6B2E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1084
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E5881~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2656
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D058~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2980
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{BA0FD~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1276
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{16EF2~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2812
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{060AE~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2312
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{71F32~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2784
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D83CE~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1F9D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{060AE027-A6EF-41ac-88D6-24C1FB4F6FD1}.exe

    Filesize

    372KB

    MD5

    2d596ab28ca1cfe8c6f00efb1f6ada3e

    SHA1

    d7022f788449280c077be4b2cd778984eb930d34

    SHA256

    0044abb3a4473f7a78f0749fd7f5d6006167b4f91527f6cd6be0c84bc9866e48

    SHA512

    a4388817ebe0a4bbdd2a305fcad6c5fc1ea959b6132fc5ea74fd0fa179005323d164963df64269eee03f9c715a38b9716cc18f9c91926be038a88afdd13b3065

  • C:\Windows\{16EF236D-4767-4434-8BD8-A567F8AC1764}.exe

    Filesize

    372KB

    MD5

    3b354f255648f86f2a7ae0b22bc0cd6c

    SHA1

    7947fad8887e03f91f027aab5cec82cdf7a2c272

    SHA256

    f45c4f4166e0ce7851ee92f172a84b77ef6763648b305d8e5ea2fee87c7067f7

    SHA512

    740b1f4157d88ad7355b40dd98e08442ac680152becb5f71e31e4844b4b39a917e4bdb7cd33beb5f427c95255f4b016bfc4ddbffa1c5d16842e0d04675462bd3

  • C:\Windows\{5D058389-99B2-4a6c-B794-0A0CC65D58C5}.exe

    Filesize

    372KB

    MD5

    7e0f9523eab4846d7e0278f59e0b9030

    SHA1

    5624bb3e7868362ef9922f8e37474c2583cfbf9e

    SHA256

    9f46483b16747a3c300d58f36d821901d68793be16071c30784b41e63f56b551

    SHA512

    490b181602678a6726b45345933429014d6d6ef8e9a4accee7a1c02063d8cbab89cae5355c0eddbe1dea7bffc25618da92903590bbb9ed0294768eb564ff0af5

  • C:\Windows\{71F32131-4CBC-4d65-B14E-8410EDAD423D}.exe

    Filesize

    372KB

    MD5

    fa4c4f971c13a4cdb70b1e27440e07b9

    SHA1

    35343720c27dc3e4653f07acc357a4c7d5f84e41

    SHA256

    b4b2544d8176f8688d677d48985d6fff8a299d8adb5edc5b14a3d47e3007cf49

    SHA512

    ed7ef2a44513961c17924a0555d63e1c58051b62df06f49027cc06a4b9d7a07b53a13c95e8bcc51337beaaaca3111ec5af28e44d8fdc546576d2c30aed5110c3

  • C:\Windows\{7DE9CD76-A686-40cf-B0E9-4A1B4EF441D1}.exe

    Filesize

    372KB

    MD5

    f1ebb44f8f810b30c8c53789003af2c5

    SHA1

    02257270a4020b3701935d76d6a85fed6b75c771

    SHA256

    08bc904c458a86b796c2d8c41f06bbfca2a87d64b2072836f7ff76b7493001b2

    SHA512

    69db2035af494e768c086801a0b3bd5a891853920415b31412912296eaabae455e31d54a215ff8c4085eb89c20bac7f4bc6cbf0af4172aaf95e003aedbeb16ed

  • C:\Windows\{829AB9BB-770A-42df-821F-90A60DDA72FC}.exe

    Filesize

    372KB

    MD5

    3239446949c43506fd846883b0e27275

    SHA1

    8a04c870912f9c8e453fba737bdc5c35a3522c08

    SHA256

    836af93e438fadb76da51e66bc996bda5d2309b3bf81d74459ae823a4388b916

    SHA512

    f04359b702d3ccced561d3cf3e422086b17f731da658b98fc5d782111f33a831c3346b33c1f91cb35fef9cdd5c46941e6eb0f12d461e27c236fe4726d11b6f51

  • C:\Windows\{A6B2E94C-42E4-4284-A65B-30E44D0014F7}.exe

    Filesize

    372KB

    MD5

    ab5697f0e8f7180848704e35f20086ad

    SHA1

    9ec03888b07742db112a7be313c7f6ddcd0a907e

    SHA256

    620a6e14c5a7efb5b1b56b3dbdde05c1f21454fe8799e44ed47ce454ff00677e

    SHA512

    97a047c278b1bad8182f399a9b9881dd4957ed4f96dca20eda115a2c84f695eaaeea1912bef5c87b04ba8355717e87fd9720476ff2fc776a4db86af99aeb89b0

  • C:\Windows\{BA0FDF86-18A0-4dce-9D85-49310289235E}.exe

    Filesize

    372KB

    MD5

    20b8acf6c3c928cc6f69791a928673dc

    SHA1

    e95c6cb2543e13fd5ca58e8fc2c9e4af08b50e8e

    SHA256

    5a67be58a48c2adca66f9ece20aff9fd6f45065724a160a0fbf3f9330a030378

    SHA512

    ad3973a0734df506ccd58d262dc7dfd6c94b800d8aad2dd0cb09f59848f25674df8ca42899380331f1032ff63c05157bcb1d5c1570df1b62c49173a47d984af5

  • C:\Windows\{D83CEA4C-12A4-4e84-94B2-271051860FF9}.exe

    Filesize

    372KB

    MD5

    5b57e8670ec1126481b61c82861c8a0e

    SHA1

    5a4fc454de5e07ac11222a367424d8c8e7a8851c

    SHA256

    a2694bd0e028c41bb1da6bbcc91b74e4e6aeaf7fdd50461a1eac069bc09a2010

    SHA512

    d1da317f74da9e47f2fbe806d670c1ffd99b70955b475c1398df754ecd9495a3da4327e985b07da543f17eaf891df246b52c44c245c62d12aa670af5aea19d03

  • C:\Windows\{E1F9DC97-B964-47d8-88D9-E621790CA326}.exe

    Filesize

    372KB

    MD5

    651deb222a99ae24ba15c865f2764946

    SHA1

    baaf81c47836a5322c96408baa816a582a4705ca

    SHA256

    ea4e72fcebbe59648a03a7cb7590697a049e93148215abb609db6017792cf6f2

    SHA512

    beb0161f1e5bcf8c65f00714c305e2a36e2d1f7f94ebd6f29176ea5b4651b090f475dc54a9e00a72c71be52d90593da42e2b31d4f95bec5417d5036b7be5912b

  • C:\Windows\{E5881930-A9A3-4094-9187-A57F31242046}.exe

    Filesize

    372KB

    MD5

    b367bf6f4b785559acc694f4ef691a5c

    SHA1

    87d34c320bdec116f366040241dcc3b73fb9fc21

    SHA256

    8c98e495c70d14ced5b282808985bd9a7817d598fab17fb4627ac3f57396aa53

    SHA512

    74f31ea3d01fce133b15df8e784e9bc9dd197c8ea258827953f80007033aa7ea085fdfd7bb2c02ad13697d662d81f079d46a4cdc84f697178c44945147d588f8