Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    13/10/2024, 16:50

General

  • Target

    2024-10-13_ae5163ad9a84eafee65aa905d883f44e_goldeneye.exe

  • Size

    192KB

  • MD5

    ae5163ad9a84eafee65aa905d883f44e

  • SHA1

    8fa7897a052a645bfb20c8ea0f48df795cfd501a

  • SHA256

    1eac4df3033cab7a187874f484b2db86cfdbebb013065617171ecd1f54fdf4dd

  • SHA512

    8ed159bfa0c7eddc1bb6fcf5510e487c37f9f0bf5b990aaa25b440020600b5a5dea7e77f0c84dbb28d538d55c2157a1801690f7cecdf96c13b333a7d22794fbd

  • SSDEEP

    1536:1EGh0ovLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ojl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-13_ae5163ad9a84eafee65aa905d883f44e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ae5163ad9a84eafee65aa905d883f44e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\{422831DD-9CB5-4c62-BBA2-87F0198DD724}.exe
      C:\Windows\{422831DD-9CB5-4c62-BBA2-87F0198DD724}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\{CF7E8873-CDD9-40d6-9509-3E25A4AF5F66}.exe
        C:\Windows\{CF7E8873-CDD9-40d6-9509-3E25A4AF5F66}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Windows\{6D4221F7-B12A-450d-A1CD-E9A0055AF21B}.exe
          C:\Windows\{6D4221F7-B12A-450d-A1CD-E9A0055AF21B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\{A11FCE29-968B-4049-812E-D4059F25E093}.exe
            C:\Windows\{A11FCE29-968B-4049-812E-D4059F25E093}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2856
            • C:\Windows\{D07A2747-1A06-45f8-999C-3741DBD02649}.exe
              C:\Windows\{D07A2747-1A06-45f8-999C-3741DBD02649}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2528
              • C:\Windows\{77CD2201-2A7E-4c16-85BE-3FCC3239456A}.exe
                C:\Windows\{77CD2201-2A7E-4c16-85BE-3FCC3239456A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2532
                • C:\Windows\{16C70F08-F4FD-4f44-9069-A863AB3A11FD}.exe
                  C:\Windows\{16C70F08-F4FD-4f44-9069-A863AB3A11FD}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1412
                  • C:\Windows\{632F12B9-3509-48fc-A099-BC6CEF07E78F}.exe
                    C:\Windows\{632F12B9-3509-48fc-A099-BC6CEF07E78F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1772
                    • C:\Windows\{9BF6B57B-5698-4d0a-BCFA-95456DD75363}.exe
                      C:\Windows\{9BF6B57B-5698-4d0a-BCFA-95456DD75363}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2008
                      • C:\Windows\{78DABA27-7BE7-4a99-BDB6-6F4501452490}.exe
                        C:\Windows\{78DABA27-7BE7-4a99-BDB6-6F4501452490}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2788
                        • C:\Windows\{746E1F2C-9EA3-4247-9CAD-DC15E21662E5}.exe
                          C:\Windows\{746E1F2C-9EA3-4247-9CAD-DC15E21662E5}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2360
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{78DAB~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:552
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF6B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2708
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{632F1~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2424
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{16C70~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2284
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{77CD2~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1388
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D07A2~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2948
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A11FC~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2480
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6D422~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{CF7E8~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2760
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42283~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:268

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{16C70F08-F4FD-4f44-9069-A863AB3A11FD}.exe

    Filesize

    192KB

    MD5

    40b2c1b2ec5e0e383f062cca724614bb

    SHA1

    729cf31b95e12ed1cef1b07b6a3da20c49a3f8f5

    SHA256

    47616ab143e8c9807f598ebc4356f1f354d3fc3103e75548ae77f444706996bf

    SHA512

    697593481904371e98314b588166bab1b01d29092ad55c8641f18f3cd82aab6d820e705fb19bad75af9242032a6dd4b38cd4436d95127dc21c1291803c07846f

  • C:\Windows\{422831DD-9CB5-4c62-BBA2-87F0198DD724}.exe

    Filesize

    192KB

    MD5

    291c70676369ab1aa68621b74f115136

    SHA1

    6e53193171b36ab644c55ac73a6ba373f67f6768

    SHA256

    18cd6a6ee440bd526d664720a046f3bb2f34e3683b3314f22c566044755ea5af

    SHA512

    cadcfcd6c9e0110797fcdd3981923b7a9def34327ad7cd70d3c68facb384268bb244a566a1e6b781698fd28a38c144f0859859775a9a724098f80396225db419

  • C:\Windows\{632F12B9-3509-48fc-A099-BC6CEF07E78F}.exe

    Filesize

    192KB

    MD5

    fe213423a91e41873817af827c9b971a

    SHA1

    0029971635e09744299bc07186d745b0bc777a9d

    SHA256

    b4fa2107922cf8df6ae3709ec94cf81cf925253d48abf6bd3b151fb2e46e19d1

    SHA512

    c96c3bc5f2d67823ff7edef99b46e9cf301506395411120bf126b0bc3bed4c6e7cff1991d05dd21998160b7915d69c28ed64e004e6d96a89be236f621643247f

  • C:\Windows\{6D4221F7-B12A-450d-A1CD-E9A0055AF21B}.exe

    Filesize

    192KB

    MD5

    5258887205e317962327b8b9357ca9ab

    SHA1

    329a00c85cd7fa9e4a8a42f37cbd1763306c8147

    SHA256

    05465a06133378eb9849d8c71e50adce2adc54053d7a00c19b56837055796fbe

    SHA512

    6f2d410caf438929a3ad27cd60e11c5511dd49c5ed1da037e93a8b168399679df67d58be6df9f1d1512f6eb5eedc03c2046225bc200cb64c55a6831c472646ff

  • C:\Windows\{746E1F2C-9EA3-4247-9CAD-DC15E21662E5}.exe

    Filesize

    192KB

    MD5

    e6ed729b9765963fb6be119fc9390056

    SHA1

    27e13deba0ce58f54ba893de9ff07fd70f44098d

    SHA256

    ca091fd5f055c14ca62cbf114f8aefd0c943c25d5d6db4228e0d8368f7618824

    SHA512

    40b8d3d2506d2819872177c914b6f95dd700ede5258c4e9a0bf72061ab4f14b5350fa5e4d761d0b480d9d69d7dada50e86d16f4264d2ba98696652c60feeeaf3

  • C:\Windows\{77CD2201-2A7E-4c16-85BE-3FCC3239456A}.exe

    Filesize

    192KB

    MD5

    82a7d094b9627cbdf87888d248f909cd

    SHA1

    92097d16f906f2d9338e6447bb98f7c1fde830af

    SHA256

    a1934fd61a040b37db487b4344fa9d84a93cb6a115add0dd67702d7698e5d1c8

    SHA512

    70bed0ea30c4a8e126fbe99abc2c83bba7fb39d50500a95f7fd6433c12b1dde75993648d2d001a5f21f815541d77d2f27c509b72f6dd01aaf95012b2c4e8c3ed

  • C:\Windows\{78DABA27-7BE7-4a99-BDB6-6F4501452490}.exe

    Filesize

    192KB

    MD5

    d677c277f4f33f79a51b090d2676ddc3

    SHA1

    81629f57c8dc28e9fbf6cfb97ea156dd3c9d6218

    SHA256

    a6e2b6ba8bb809c018666a1d8d1a90a6759119f52c3b11377547cf24ea271c14

    SHA512

    94e15a0fabbb4014863a6d16748694833ad9818a422b166f3c7b2f73957ff52d7ccd14b4b4b246594dc15854db51d75d06db6b2b960b785e5dcfcbee11fe8e1d

  • C:\Windows\{9BF6B57B-5698-4d0a-BCFA-95456DD75363}.exe

    Filesize

    192KB

    MD5

    8211cc3a07eebb72235462ce9c84e56c

    SHA1

    28b00ef5df01ec84e3bb07d8740d6c8c30fe23ea

    SHA256

    0cb7652b5a7f91ae8c6c58838b4877c29b285dee6bc4a9e426fa4766dc74a3eb

    SHA512

    612231638e081a067ddcc5c33f8b725bc868616cc20a7f449469a2da7e761a32f12c683891e805f8217727622a2605da513f581a5c56163f69089a1ba98382ca

  • C:\Windows\{A11FCE29-968B-4049-812E-D4059F25E093}.exe

    Filesize

    192KB

    MD5

    82eb42530297f3a312401ce0b257fce2

    SHA1

    3308e56284a2a0e4d423c9b2714131e70ef0f9ac

    SHA256

    ec3ee61cdfc6719b672914e2987db2c5a1d921bfaaa5e69991d244064d309174

    SHA512

    87fe3fdf996caeb21aa330111a2b10d8b9dd62dd805513e0ce0c7baf389babe2e8d86b964246223ccae57d253b11a484fb0ee949ade8a7666b3be1839fe01ec0

  • C:\Windows\{CF7E8873-CDD9-40d6-9509-3E25A4AF5F66}.exe

    Filesize

    192KB

    MD5

    fa3f9b3ff34ded68d0e0cfc679ff358e

    SHA1

    7ea3afd312b758022db54547a629fa20d59768bb

    SHA256

    266246cc762eb405b390514a7028816bde78b2599ba1774849300610dceff106

    SHA512

    544babcf1513b80b14c48fc131247ea282e2930a2bae79535db1ecd67e40455cd4bcb01ed3144dfae29c4e52284d811d750201618cad0a95515c1910f6d8afcb

  • C:\Windows\{D07A2747-1A06-45f8-999C-3741DBD02649}.exe

    Filesize

    192KB

    MD5

    9de7a51a31983fc8dfe86be4381ff919

    SHA1

    4f4c55e746438b64fe98e2f0358d9e4520339440

    SHA256

    8171f5a8abebd555ee29244a262bb2a837b7bca58b8cd87131d5a6698a84455c

    SHA512

    f2a7c5f772f83e2ee753a2a90f1b5598e984af2c42f283bc41646fff783b8ed8b930812b0efa6bbe4f743fa43712b07781ac72bf223dc1671422a3e54882ea63