Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13-10-2024 01:05

General

  • Target

    2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe

  • Size

    372KB

  • MD5

    8b11e32b06c58c5023dc6d550d0b8036

  • SHA1

    53080cab6c65e90b28390e9a3ace8190ddebf347

  • SHA256

    12342783aea1d93b0427529d19f92b0b8fe854e326647a97dd93680aecb43df4

  • SHA512

    a6fe80a23d7a0be52dbb229b21f3e66131db33676617f2956e7de935e860a2f3a40ed716516415a4fd1ff15d719b55e0026b7bd4d7dadac70141315af6ff0a97

  • SSDEEP

    3072:CEGh0ozmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGwl/Oe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
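The Active Setup signature above only says that a key was added. On a suspect host the responder's check is to export HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (and the Wow6432Node view, since this sample runs as a 32-bit process and is subject to registry redirection) together with the user's HKCU copy, then look for StubPath values that point at GUID-named executables in C:\Windows and decide whether the stub is still pending, i.e. will run at the next interactive logon because the HKCU copy is absent or carries a lower Version. The script below is an added example, not part of the sandbox report and not code from the sample's author: it parses `reg query ... /s` output offline. The sample registry text is constructed; the entry for {8A19F290-...} reuses the first dropped file's name from the process tree, but its StubPath and Version data are assumed, as is the Windows Desktop Update entry used as the benign control.

```python
import re

# A `reg query <key> /s` dump: key lines carry the full path ending in the
# component GUID, value lines are indented "name  REG_TYPE  data".
KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\.*\\(\{[0-9A-Fa-f-]{36}\})\s*$")
VALUE_LINE = re.compile(r"^\s{2,}(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")
# GUID-named executable sitting directly in the Windows directory,
# the drop location seen throughout the process tree of this report.
GUID_EXE_IN_WINDIR = re.compile(
    r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.IGNORECASE)


def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {GUID: {value_name: data}}."""
    components, current = {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1).upper()
            components[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, _reg_type, data = m.groups()
            components[current][name] = data.strip()
    return components


def stub_executable(stub_path):
    """First token of a StubPath command line, honouring a quoted path."""
    stub_path = stub_path.strip()
    if stub_path.startswith('"'):
        return stub_path[1:].split('"', 1)[0]
    return stub_path.split(" ", 1)[0]


def version_tuple(v):
    """Active Setup versions are comma separated, e.g. 1,0,0,0."""
    try:
        return tuple(int(x) for x in v.split(","))
    except ValueError:
        return ()


def find_suspicious_components(hklm_text, hkcu_text=""):
    """Flag HKLM components whose StubPath is a GUID-named exe in C:\\Windows.
    pending_for_user is True when Active Setup would still run the stub at
    the next logon of the user whose HKCU hive was exported: no HKCU copy of
    the GUID, or an HKCU Version lower than the HKLM one."""
    hklm, hkcu = parse_reg_query(hklm_text), parse_reg_query(hkcu_text)
    findings = []
    for guid, values in hklm.items():
        stub = values.get("StubPath")
        if not stub or values.get("IsInstalled", "0x1") == "0x0":
            continue  # nothing runs at logon for this component
        exe = stub_executable(stub)
        if not GUID_EXE_IN_WINDIR.match(exe):
            continue
        user = hkcu.get(guid)
        pending = user is None or (version_tuple(user.get("Version", ""))
                                   < version_tuple(values.get("Version", "")))
        findings.append({"guid": guid, "stub_exe": exe, "pending_for_user": pending})
    return findings


# Constructed sample output (not real registry data from the analysed host):
# one ordinary Windows component plus one entry modelled on the first dropped
# file; its StubPath and Version values are assumed for illustration.
HKLM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
    (Default)    REG_SZ    Windows Desktop Update
    StubPath    REG_EXPAND_SZ    regsvr32.exe /s /n /i:U shell32.dll
    Version    REG_SZ    11,0,19041,1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A19F290-0A10-4829-B0AF-D95A42E32D8A}
    StubPath    REG_SZ    C:\Windows\{8A19F290-0A10-4829-B0AF-D95A42E32D8A}.exe
    Version    REG_SZ    1,0,0,0
"""

# The same user's HKCU hive: the Desktop Update stub has already run for this
# user, the dropped one has not (constructed as well).
HKCU_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
    Version    REG_SZ    11,0,19041,1
"""

if __name__ == "__main__":
    for finding in find_suspicious_components(HKLM_SAMPLE, HKCU_SAMPLE):
        print(finding)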
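```

On a live host feed the script the output of `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` and the matching HKCU query for each profile of interest; a pending finding means the dropped executable will be launched again at that user's next logon even after the running chain has been killed, so the registry key has to be removed along with the file.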

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\{8A19F290-0A10-4829-B0AF-D95A42E32D8A}.exe
      C:\Windows\{8A19F290-0A10-4829-B0AF-D95A42E32D8A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3316
      • C:\Windows\{32DD4380-A5CD-4cd9-BF9A-4F3867C66A76}.exe
        C:\Windows\{32DD4380-A5CD-4cd9-BF9A-4F3867C66A76}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\{19DA1C00-5928-4d7c-A77B-62D44FC9EB78}.exe
          C:\Windows\{19DA1C00-5928-4d7c-A77B-62D44FC9EB78}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3624
          • C:\Windows\{B221812D-A5EE-4d24-AF36-16DA2F57CDF5}.exe
            C:\Windows\{B221812D-A5EE-4d24-AF36-16DA2F57CDF5}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:768
            • C:\Windows\{F4523BEB-ABB6-4605-ADC8-4A0E8AFD15A8}.exe
              C:\Windows\{F4523BEB-ABB6-4605-ADC8-4A0E8AFD15A8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4024
              • C:\Windows\{140FC3CC-8D9B-4a4d-B690-359D65D4D96A}.exe
                C:\Windows\{140FC3CC-8D9B-4a4d-B690-359D65D4D96A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4836
                • C:\Windows\{7681B9EC-201D-45a7-8E3A-A0C7DC6A55DB}.exe
                  C:\Windows\{7681B9EC-201D-45a7-8E3A-A0C7DC6A55DB}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4360
                  • C:\Windows\{A23CF3DC-D257-4aac-80AE-50795201A3A9}.exe
                    C:\Windows\{A23CF3DC-D257-4aac-80AE-50795201A3A9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:704
                    • C:\Windows\{B7B6B101-0800-44e7-83EE-4E8C934291E8}.exe
                      C:\Windows\{B7B6B101-0800-44e7-83EE-4E8C934291E8}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1828
                      • C:\Windows\{277D873B-35B1-4d42-8A52-C9F8E7978348}.exe
                        C:\Windows\{277D873B-35B1-4d42-8A52-C9F8E7978348}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5016
                        • C:\Windows\{B14D94F5-5AD6-4ba5-B540-7672A158E480}.exe
                          C:\Windows\{B14D94F5-5AD6-4ba5-B540-7672A158E480}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1444
                          • C:\Windows\{D00A1302-98AE-48b8-905A-72DF337DD993}.exe
                            C:\Windows\{D00A1302-98AE-48b8-905A-72DF337DD993}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2532
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B14D9~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3900
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{277D8~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4252
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7B6B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1712
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A23CF~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:752
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{7681B~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3264
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{140FC~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4356
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F4523~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3708
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B2218~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1504
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{19DA1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3940
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{32DD4~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:224
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A19F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2008
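The tree above repeats one pattern at every level: each GUID-named executable dropped into C:\Windows launches the next one, then spawns `cmd.exe /c del <own image> > nul` and exits so that its file is removed, with the target written as an 8.3 short name (`{B14D9~1.EXE` for `{B14D94F5-...}.exe`). The script below is an added example, not part of the sandbox report and not code from the sample's author: given process-creation events with PID, parent PID, image and command line (the shape Sysmon event 1 or a sandbox export provides), it pairs every `cmd.exe /c del` with the parent whose image it deletes, and walks the chain of GUID-named drops from the root. The event list is constructed from the first three levels of the tree, with the PIDs and paths shown on this page; the root's parent PID of 1000 and the benign make.exe cleanup used as a control are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# GUID-named executable dropped directly into the Windows directory.
GUID_EXE_IN_WINDIR = re.compile(
    r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.IGNORECASE)
# `cmd.exe /c del <path> > nul`, the self-removal used at every level of the tree.
CMD_DEL = re.compile(r"/c\s+del\s+\"?([^\"\s]+)\"?\s*>\s*nul", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def short_name_prefix(long_name):
    """The six characters Windows keeps from a long file name when it builds
    an 8.3 alias such as {B14D9~1.EXE. Heuristic: the ~N suffix depends on
    what else is in the directory, so only the prefix is compared."""
    stem = long_name.rsplit(".", 1)[0] if "." in long_name else long_name
    stem = "".join(c for c in stem if c not in " .+,;=[]")
    return stem[:6].upper()


def deletes_parent_image(cmd, parent):
    """True when cmd's `del` target is the parent's own executable,
    matched by full name or by 8.3 short-name prefix in the same directory."""
    m = CMD_DEL.search(cmd.cmdline)
    if not m:
        return False
    target = m.group(1)
    if ntpath.dirname(target).casefold() != ntpath.dirname(parent.image).casefold():
        return False
    tbase, pbase = ntpath.basename(target), ntpath.basename(parent.image)
    if "~" in tbase:
        return tbase.split("~", 1)[0].upper() == short_name_prefix(pbase)
    return tbase.casefold() == pbase.casefold()


def find_self_deletes(events):
    """Map cmd.exe PID -> PID of the parent whose on-disk image it deletes."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent and ntpath.basename(e.image).casefold() == "cmd.exe"
                and deletes_parent_image(e, parent)):
            hits[e.pid] = parent.pid
    return hits


def guid_chain(events, root_pid):
    """Follow the chain of GUID-named executables in C:\\Windows launched
    from root_pid; returns their PIDs in launch order."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    chain, pid = [], root_pid
    while True:
        nxt = [e for e in by_parent.get(pid, []) if GUID_EXE_IN_WINDIR.match(e.image)]
        if not nxt:
            return chain
        chain.append(nxt[0].pid)
        pid = nxt[0].pid


# Constructed events: the first three levels of the tree on this page plus a
# benign control (make.exe cleaning a log) that must not be flagged.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-10-13_8b11e32b06c58c5023dc6d550d0b8036_goldeneye.exe"
D1 = r"C:\Windows\{8A19F290-0A10-4829-B0AF-D95A42E32D8A}.exe"
D2 = r"C:\Windows\{32DD4380-A5CD-4cd9-BF9A-4F3867C66A76}.exe"
D3 = r"C:\Windows\{19DA1C00-5928-4d7c-A77B-62D44FC9EB78}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    Proc(4044, 1000, ROOT, f'"{ROOT}"'),  # parent PID 1000 is assumed
    Proc(3316, 4044, D1, D1),
    Proc(2008, 4044, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"),
    Proc(2572, 3316, D2, D2),
    Proc(4724, 3316, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8A19F~1.EXE > nul"),
    Proc(3624, 2572, D3, D3),
    Proc(224, 2572, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{32DD4~1.EXE > nul"),
    Proc(6000, 1000, r"C:\Program Files\Git\usr\bin\make.exe", "make clean"),
    Proc(7000, 6000, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\proj\build.log > nul"),
]

if __name__ == "__main__":
    print("self-deletes (cmd pid -> parent pid):", find_self_deletes(EVENTS))
    print("drop chain from 4044:", guid_chain(EVENTS, 4044))
```

Two consequences for triage follow from the matches: the deleted images are gone from disk by the time the analyst looks, so the hashes in the Downloads section below, captured before deletion, are the only copies to preserve; and because each executable is deleted only after it has started its successor, the last binary in the chain ({D00A1302-...}.exe, which spawns no cmd.exe of its own) is the one most likely to still be on disk and to be referenced by the Active Setup key.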

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{140FC3CC-8D9B-4a4d-B690-359D65D4D96A}.exe

    Filesize

    372KB

    MD5

    b2ff4012995d6f2269db4a525c59d771

    SHA1

    b37da999022416d229e539e68f7a29d243ce7d72

    SHA256

    80bd925ce1bfb2a0502898e8b0e7843fc406c0ad35c30e51960685848a447f85

    SHA512

    1f14c7d3abd59b5e274a2a3c5a8098803b5e8340a910f37edd05ba2c5d9c30a1e12fc6ccf4fd965eee8b17fe4883339e270450dca6e5f3823c18d20d8de13e9c

  • C:\Windows\{19DA1C00-5928-4d7c-A77B-62D44FC9EB78}.exe

    Filesize

    372KB

    MD5

    8ea96ed790bd7b42f8877ee505526994

    SHA1

    7552135e9ad01d0f5dd0ca2ac4aeaaf9b25c8cd9

    SHA256

    e10be677f8239ce074d16e02737d55952017408a354dc77b99e54d7ea4157a0e

    SHA512

    59df43f47c663b4e286fa0c9873221eb608230eaaf8526431cff2009ea8854699e6fcec9d7825ad6d9c9ed7167916b77bf54a5750d02c612f3a1dce66f742c09

  • C:\Windows\{277D873B-35B1-4d42-8A52-C9F8E7978348}.exe

    Filesize

    372KB

    MD5

    d39a798e4a18e4df753608757d7d94c2

    SHA1

    648c26af3cd25e27115e80634a402f5a2b82770c

    SHA256

    9510aec78a2837dd64ea1b947fb36bbff106b29b1f8e5662952ae77ba262741e

    SHA512

    e4ad960a8c041416c792b895c29ccf35c5ce779b53ca8eb1e45f97fdfc294cce15fd8609d288ffc822d7f1d6f171f5e413a0a82200cc7b0194140130acc5c336

  • C:\Windows\{32DD4380-A5CD-4cd9-BF9A-4F3867C66A76}.exe

    Filesize

    372KB

    MD5

    6b466d0e71d288bc31e19aed9b717cf5

    SHA1

    553534c5798d11199ca0672f6e5e8ae06dcc4456

    SHA256

    b310f1e73dcf1b233e4f62e7a8d7af58219896682dd03ca0bae9deb9caa152f9

    SHA512

    dcb20152fac7cc53b9024a8cff9008cf029d8f62ac530e7490e3753726920e337a583ed7ed48ca03c9852de9d5e5df7164e7547e9167647b86f5bef6405e1b9d

  • C:\Windows\{7681B9EC-201D-45a7-8E3A-A0C7DC6A55DB}.exe

    Filesize

    372KB

    MD5

    a11bff070f68591d82350fb974a93301

    SHA1

    45d34e69cf03a50740b8ed6d3c3897c99afb548b

    SHA256

    ee1ceb992453aa6e87a0234f0ebdd9321fdb4a689c5059b32e9a379e1539b4d0

    SHA512

    9fe971ceaf1edcdd7d73bc6b9f6ba1b0f65376e718a03aff9e8a86287c20a591ad656ddff7f2ed5515aba583261f5a65974108985e76ecb5fe35385179022bb2

  • C:\Windows\{8A19F290-0A10-4829-B0AF-D95A42E32D8A}.exe

    Filesize

    372KB

    MD5

    18b67e6abdb04c3b71b3bf7518a8ec94

    SHA1

    c8344176effa8f489d8cef5092f043dd10be46c4

    SHA256

    fdd922ce3a7904ac89bc266ab0673d1c3daf06c100f4ed110dcd108749d4800c

    SHA512

    85bfdf833489a4ac518d08768745b77f4268940186f217ca0e9f058564b81c273b6fdd382bde5c39255d99ddfc0851435ab00e476127f3c027a897011645c2f0

  • C:\Windows\{A23CF3DC-D257-4aac-80AE-50795201A3A9}.exe

    Filesize

    372KB

    MD5

    1f755b7be822dd845116996e3251ce55

    SHA1

    40d14c227f55881fe2302e5c58e8557e2c608550

    SHA256

    3dce289dabb2de595cc8aed401f0768358457e0c25aed4f336533e54f032f3d7

    SHA512

    1ff8978c269c0738f66dfe34e3b38c053d6bc723340ece05c327cb5b7a5186f1f01a5f2b849801fc40330f794d92120dcfbb7577402c4f75b17afef405974315

  • C:\Windows\{B14D94F5-5AD6-4ba5-B540-7672A158E480}.exe

    Filesize

    372KB

    MD5

    c7f4c928be08576cd583dd4517c86c17

    SHA1

    5ef12025c721fc05c8e4a363702af35e9aa6df8e

    SHA256

    2a1e258e7a82e587e2b52f366f7abb70cc0a7e02f772a490abb2a194cdb3237d

    SHA512

    3286504e9a9800781b8756649215ab8eb147e2d443278d7bf93a5aefd9d2cdeeb49188c3d43ce10ebac3e92864170e42fac599c3029f080fda330c35f88ac7ce

  • C:\Windows\{B221812D-A5EE-4d24-AF36-16DA2F57CDF5}.exe

    Filesize

    372KB

    MD5

    0c9a48fe65500f5a59bbc8deb85d59b5

    SHA1

    eef7e7a0084417018a01f696be6b1babd614fbb7

    SHA256

    8bdaa1343ec8e102f6052c163669f61b0e6ac477ab70820608fdba27d8e19f42

    SHA512

    f4fc2380379d8785fb511301cc1d89cf0886cd60e7a3346d56f199c4910b4ff65bdc2bfc9c54dbf419ef2c1bcb03dee9a4149ded7fd4b22505c861e5ba2573c1

  • C:\Windows\{B7B6B101-0800-44e7-83EE-4E8C934291E8}.exe

    Filesize

    372KB

    MD5

    808f68733a2fc85992746ad2c19dfa36

    SHA1

    a340d9252a7ad57eab5699f8dcbe81753b61fbed

    SHA256

    44a88ff69b4e0ccbd28a79758ba85230c0e90369eb30888aaeea24a08b397b11

    SHA512

    19cccd9602049be2b1a15b7d1fee14aef16c1bd3354156d03853c42c8c3f6f61fa9412028f2f76e8d03e313313d8887d0ef01eb6ff341ea02d679d3ae3977369

  • C:\Windows\{D00A1302-98AE-48b8-905A-72DF337DD993}.exe

    Filesize

    372KB

    MD5

    561518ad83af4523f8e88d075751280d

    SHA1

    034e55576aebcac8ed6a1f5145821946302527e9

    SHA256

    7af3c696e0d06c3a13101eeec00649ea880356002594f0eb1ab6e4ed6baf4371

    SHA512

    d219c59b43016b553f4ab9aebdc0f1e15cfcb8de699c9dfa9bb2c6844d8bc83010c10df0dcf6e38316f5b4f39d4e8b3fb8b8f1e0fefbaf2fe99f4a2c4efccde0

  • C:\Windows\{F4523BEB-ABB6-4605-ADC8-4A0E8AFD15A8}.exe

    Filesize

    372KB

    MD5

    299d1780e5b2bc1945ebe6d61816efa6

    SHA1

    a0f86bf3a12c3b7468968cc01856d5e42f5cc8c4

    SHA256

    3ac64b351fc360e15ef2e7d84c37779ec31cffa3932b535ea799ee73bd0943a8

    SHA512

    ddaa8df20a8d77667623d36e63163e50f961ed9627a4ba011bdd661663c36064eb5095b7b8bfc5e02c866350ec7ef8ec919fddac3dd0245630cfcaa5ad07add4