Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-10-2024 13:03

General

  • Target

    2024-10-14_bf07cf2a1768af0ea1152f6d8e260b6b_goldeneye.exe

  • Size

    180KB

  • MD5

    bf07cf2a1768af0ea1152f6d8e260b6b

  • SHA1

    3f50f17815b05a21ffa0099c80152cb37bee7565

  • SHA256

    f06872d98c4dfe708262a92a30c04aeea71f81abed05ae16a20514eba05ecfda

  • SHA512

    600a466f5167e1f2c002c3f9d53a27b88c3a2f047ed3bd8ea8fb7af45bb0e4ccf7434fbff744994070da87f1581eca8576a2928a9bacefdad08f45a29a721bed

  • SSDEEP

    3072:jEGh0oxlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGHl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
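The Active Setup signature above (ATT&CK T1547.014) means the sample wrote under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components; at each user's logon Explorer compares those component keys with the user's own copy and runs the StubPath of any it has not seen, which is what makes the dropped files persist. The report lists the signature and the dropped executables but not the keys themselves, so the script below is an added triage example, not code from the report or the sample: it parses a `reg export` of that hive location and flags StubPath entries that point at a {GUID}.exe directly in C:\Windows (the pattern of every dropped file here) or at an image outside the system directories. The registry text it runs on is constructed, and the StubPath shown for the first dropped file is an assumption about what the signature fired on.

```python
"""Triage Active Setup persistence from a `reg export` of
HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.

Added example, not code from the sandbox report or the sample. The registry
text below is constructed: the report records that the Active Setup signature
fired and which executables were dropped, not the keys themselves, so the
StubPath shown for the dropped file is an assumption about what was written.
"""
import re
from typing import Dict, List, Tuple

ACTIVE_SETUP_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
# A {GUID}.exe sitting directly in the Windows directory, as in the report's process tree.
GUID_EXE_RE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\.exe$", re.IGNORECASE
)
# Triage allowlist: StubPath images elsewhere are not necessarily bad, just worth a look.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # Undo .reg string escaping: a backslash escapes the next character.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map key path -> {value name: data}. Only REG_SZ ("...") data is kept;
    dword:/hex: values are ignored because triage only needs StubPath."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            data = val.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                name = "@" if val.group("name") is None else _unescape(val.group("name"))
                keys[current][name] = _unescape(data[1:-1])
    return keys


def _image_of(command: str) -> str:
    # First token of the StubPath command line, honouring a quoted path.
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def triage_active_setup(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (component key name, StubPath, reason) for entries worth a look."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(ACTIVE_SETUP_PREFIX.lower()):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue  # nothing is executed at logon without a StubPath
        image = _image_of(stub)
        folder = image.rpartition("\\")[0].lower()
        if GUID_EXE_RE.match(image):
            reason = "GUID-named executable directly in the Windows directory"
        elif folder not in SYSTEM_DIRS:
            reason = "StubPath image outside system32/SysWOW64"
        else:
            continue
        findings.append((key.rpartition("\\")[2], stub, reason))
    return findings


# Constructed export. Entry 1 uses the first dropped file from the report's process
# tree (the key/value itself is assumed); entries 2 and 3 are made-up stand-ins for a
# benign system component and a user-profile StubPath respectively.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C0FA3149-63D5-4acc-9CA3-497B3BD24B81}]
"StubPath"="C:\\Windows\\{C0FA3149-63D5-4acc-9CA3-497B3BD24B81}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
@="Constructed benign component"
"StubPath"="\"C:\\Windows\\system32\\regsvr32.exe\" /s /n /i:U shell32.dll"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22222222-3333-4444-5555-666666666666}]
"StubPath"="C:\\Users\\Admin\\AppData\\Roaming\\updater.exe /quiet"
"""

if __name__ == "__main__":
    for component, stub, reason in triage_active_setup(SAMPLE_REG):
        print(f"{component}: {stub}  [{reason}]")
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" as.reg /y` produces the input format; the component key, not only the dropped file, belongs in the cleanup list, since the file hashes in this report differ per stage while the persistence mechanism is the same.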

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-14_bf07cf2a1768af0ea1152f6d8e260b6b_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-14_bf07cf2a1768af0ea1152f6d8e260b6b_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\{C0FA3149-63D5-4acc-9CA3-497B3BD24B81}.exe
      C:\Windows\{C0FA3149-63D5-4acc-9CA3-497B3BD24B81}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\{928C5BE2-F70C-4d85-9CA3-4EE051664C08}.exe
        C:\Windows\{928C5BE2-F70C-4d85-9CA3-4EE051664C08}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\{B6176175-8868-4d5a-8D7A-CFACFD425358}.exe
          C:\Windows\{B6176175-8868-4d5a-8D7A-CFACFD425358}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Windows\{59B4851C-1E45-4e4e-B2A2-36D0EFF4BB66}.exe
            C:\Windows\{59B4851C-1E45-4e4e-B2A2-36D0EFF4BB66}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2812
            • C:\Windows\{7CEBD854-B7F4-4b9b-BFE0-B75DC9AC1305}.exe
              C:\Windows\{7CEBD854-B7F4-4b9b-BFE0-B75DC9AC1305}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2012
              • C:\Windows\{C2526628-BCEB-49ab-A4C4-DE7D9B2698CC}.exe
                C:\Windows\{C2526628-BCEB-49ab-A4C4-DE7D9B2698CC}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3032
                • C:\Windows\{EBA2B895-4D64-4c66-A878-298E00BD8D44}.exe
                  C:\Windows\{EBA2B895-4D64-4c66-A878-298E00BD8D44}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3056
                  • C:\Windows\{7E8A54E3-2F70-42f1-9DDA-7BB729450EC6}.exe
                    C:\Windows\{7E8A54E3-2F70-42f1-9DDA-7BB729450EC6}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2940
                    • C:\Windows\{6E49E744-B57B-4739-A065-2DC2D696E936}.exe
                      C:\Windows\{6E49E744-B57B-4739-A065-2DC2D696E936}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2248
                      • C:\Windows\{E46F1757-1290-465b-88AC-3364B248F4DF}.exe
                        C:\Windows\{E46F1757-1290-465b-88AC-3364B248F4DF}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1984
                        • C:\Windows\{E770883A-A7F4-4957-BD36-A603063CEA5F}.exe
                          C:\Windows\{E770883A-A7F4-4957-BD36-A603063CEA5F}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1132
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E46F1~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2228
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E49E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2060
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7E8A5~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2280
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EBA2B~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2476
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C2526~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2664
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7CEBD~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1652
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{59B48~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2296
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B6176~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{928C5~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0FA3~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2008
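The tree above is a fixed pattern repeated eleven times: each stage drops a 180KB {GUID}.exe directly into C:\Windows, runs it, and then spawns cmd.exe /c del on its own image using the 8.3 short name (for example {E46F1~1.EXE for {E46F1757-1290-465b-88AC-3364B248F4DF}.exe), which is the "Deletes itself" behaviour. The command line names C:\Windows\system32\cmd.exe but the recorded image is C:\Windows\SysWOW64\cmd.exe because the parent is 32-bit (arch:x86 in the resource tags) and WOW64 file-system redirection resolves system32 to SysWOW64 for it. Every dropped copy has the same size but a different hash (see Downloads), so the hashes from one run are weak indicators and the behaviour is the durable one. The Python below is an added detection example, not code from the report or the sample: it replays process-creation records constructed from the PIDs and paths of the first three stages in the tree (Sysmon Event ID 1 style fields, not exported sandbox telemetry; the root's parent PID is assumed) and flags the GUID-named executables, the self-deletion through cmd.exe, and the length of the drop chain.

```python
"""Flag the drop, run, self-delete chain from process-creation telemetry.

Added example, not code from the sandbox report or the sample. The records
below are constructed from the PIDs and paths in the report's process tree
(Sysmon Event ID 1 style fields); they are not exported sandbox telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A {GUID}.exe sitting directly in the Windows directory, as every stage in the tree.
GUID_EXE_RE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\.exe$", re.IGNORECASE
)
# cmd.exe /c del <target> > nul, the exact form every stage uses to remove a file.
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path as resolved by the OS (SysWOW64 for a 32-bit parent)
    cmdline: str  # command line as written by the parent


def short_name_refers_to(short_path: str, full_path: str) -> bool:
    """True when an 8.3 path such as C:\\Windows\\{E46F1~1.EXE names full_path.
    Heuristic: same folder, same extension, and the part before '~' is a prefix
    of the long name (8.3 generation also drops spaces and extra dots, which
    these names do not contain)."""
    s_dir, _, s_file = short_path.rpartition("\\")
    f_dir, _, f_file = full_path.rpartition("\\")
    if s_dir.lower() != f_dir.lower():
        return False
    s_stem, _, s_ext = s_file.rpartition(".")
    f_stem, _, f_ext = f_file.rpartition(".")
    if s_ext.lower() != f_ext.lower():
        return False
    prefix = s_stem.split("~", 1)[0]
    return bool(prefix) and f_stem.lower().startswith(prefix.lower())


def analyse(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int, str]] = []
    for e in events:
        if GUID_EXE_RE.match(e.image):
            findings.append(("guid_named_exe_in_windows_dir", e.pid, e.image))
        m = DEL_RE.search(e.cmdline)
        if m and e.image.lower().endswith("\\cmd.exe"):
            parent = by_pid.get(e.ppid)
            # "Deletes itself": the file being removed is the parent's own image.
            if parent is not None and short_name_refers_to(m.group("target"), parent.image):
                findings.append(("parent_self_delete_via_cmd", e.ppid, parent.image))
    return findings


def drop_chain_depth(events: List[ProcEvent], root_pid: int) -> int:
    """Longest run of GUID-named executables descending from root_pid (11 in the report)."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    def depth(pid: int) -> int:
        best = 0
        for child in children.get(pid, []):
            if GUID_EXE_RE.match(child.image):
                best = max(best, 1 + depth(child.pid))
        return best

    return depth(root_pid)


ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-10-14_bf07cf2a1768af0ea1152f6d8e260b6b_goldeneye.exe"
DROP1 = r"C:\Windows\{C0FA3149-63D5-4acc-9CA3-497B3BD24B81}.exe"
DROP2 = r"C:\Windows\{928C5BE2-F70C-4d85-9CA3-4EE051664C08}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"  # system32 in the command line, redirected by WOW64

# Constructed records: the first three stages of the report's tree and their deleters.
# PPID 1000 for the root is an assumption (the report does not show the launcher).
SAMPLE_EVENTS = [
    ProcEvent(2652, 1000, ROOT, f'"{ROOT}"'),
    ProcEvent(2612, 2652, DROP1, DROP1),
    ProcEvent(2008, 2652, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"),
    ProcEvent(2804, 2612, DROP2, DROP2),
    ProcEvent(2884, 2612, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C0FA3~1.EXE > nul"),
    ProcEvent(2792, 2804, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{928C5~1.EXE > nul"),
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
    print("drop chain depth:", drop_chain_depth(SAMPLE_EVENTS, 2652))
```

The self-delete rule keys on the parent relationship rather than on the file name, which is what makes it hold across runs where the GUIDs and hashes change; the 8.3 matching is needed because the deleter never sees the long name.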

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{59B4851C-1E45-4e4e-B2A2-36D0EFF4BB66}.exe

    Filesize

    180KB

    MD5

    e4283a89b8353a0b8ad1e1586df36209

    SHA1

    39ed9af0cd0af642071a8b23f3a7e93ef4d63395

    SHA256

    f94970724dac8ecb31df89e9bf528c9daded032ab458d17fe2f1cbd2a65d9bdc

    SHA512

    22bf91ea1ca25d934ca38a4049796cf82dc69744a30a2795e57cb95fa1d8ca73f4c182903fbda484804bf844e48a0ff4b78f80190760558410eb38ec339f9fe8

  • C:\Windows\{6E49E744-B57B-4739-A065-2DC2D696E936}.exe

    Filesize

    180KB

    MD5

    6b751d37654163e01ec8329eb8f72423

    SHA1

    b5d91c9520b2a84d46f990e115493b967fa157a3

    SHA256

    ed4c8a0498fc4e31795c98e378bbcdf6bd827dfe3e2013d53d56c11458b08e6d

    SHA512

    49d2de9fa8d3f983635b4a040a0b286bcedd527efda09abbbde306277bcb2837dec2c83d05949db1bccd830bf9c2ea425a1c2d5031b54a07a44acbfb19bbe8c9

  • C:\Windows\{7CEBD854-B7F4-4b9b-BFE0-B75DC9AC1305}.exe

    Filesize

    180KB

    MD5

    42f55b6fc40ed716e055bab4dec87519

    SHA1

    d2d39c5d00d495ea5b0eafd62a14a0766146a90c

    SHA256

    bca035134cbd4af88906015736d9647aad54fecfb8416f4c6424d8f3c5d7bd38

    SHA512

    9742a8668de718e7894ccad049ab8f79a334085a843614c44885c47e97843e9a1bba7a4059dc3a9c019eaa19216d45ab95173f31d82e09cb7fb253bd70039102

  • C:\Windows\{7E8A54E3-2F70-42f1-9DDA-7BB729450EC6}.exe

    Filesize

    180KB

    MD5

    6d3643a8a3efe50a68b11f4b544b7f89

    SHA1

    41207e8e365bbc3d2d58f34f4a8861e9a9446d69

    SHA256

    e1dd9e11ea21c7da314a0774966db72d013fca2d7e4721bde5a96c282c929223

    SHA512

    bb54c87fd37c5b99d1dbd4d85eb52cac7d0f3123d4524fb265d028927740248c539b41dd0bce9f2005f5cfcdb2483c06839539ad39236b269aab1b95810eefda

  • C:\Windows\{928C5BE2-F70C-4d85-9CA3-4EE051664C08}.exe

    Filesize

    180KB

    MD5

    f9de4a772350aa7e6d9a14d20a82827f

    SHA1

    9b4247f7db0dd830719c8bff1690e6bd3b7ad54c

    SHA256

    86753489129999fc394443d1d367df76982c2476003d9f959036570b201945e5

    SHA512

    2f913e46a7b03363e105efdbebf3a2b1598e202c1a636503ba6593bce66148cae4e8fcf6da61551bb21b690f9405695cdd9003ccaf8e78460be78b422af330f9

  • C:\Windows\{B6176175-8868-4d5a-8D7A-CFACFD425358}.exe

    Filesize

    180KB

    MD5

    c4d15d9edd853fd9e22ac70190ff26b8

    SHA1

    9659d74b314c00a58f8bf7d55da4f5aa81a5af92

    SHA256

    011f31ca6e32705f19f5a2e30797313674c5fa4de53d66d114f282faa81fbff6

    SHA512

    495129a72bc5895cd7fc3e337930cfc532d60a1196fdb09eec156e26d819939f23dc6522f00c3dd205d884264f3a2338c029280335cb9ec0d7db6a150fd2c633

  • C:\Windows\{C0FA3149-63D5-4acc-9CA3-497B3BD24B81}.exe

    Filesize

    180KB

    MD5

    916f92d043fa8f0747db330f15c60aad

    SHA1

    c28b0b646056ebac6e5fe452b581799f2d1b2ff1

    SHA256

    e06b2b0f9079593a7a42577f22c1ad3f905d00191766f3ffb6b0d01f6aefaa3b

    SHA512

    1fd11af477f933f2be065cd141d639a40a2a614c244846538caaf6edbd39e929f3c79ad3fa0af836666a82e082f7c86cd7e5c62c941bbb1e5b71651d791e9847

  • C:\Windows\{C2526628-BCEB-49ab-A4C4-DE7D9B2698CC}.exe

    Filesize

    180KB

    MD5

    6e938a048474fd660a1b9a9f88c0bb61

    SHA1

    b2b93324b507570bb465b903c3def7c1422478b7

    SHA256

    0ec1b0464dcae9b10e8473cc014086bbd4e6e2ea8ee812899610278ea63c2586

    SHA512

    90505367709b28f3868263e141528948082f23680dc56c6f73d90eb0803285f79dcb34b59337af6496715f9606a9746acbe6b9e141338a57179cc6611751695f

  • C:\Windows\{E46F1757-1290-465b-88AC-3364B248F4DF}.exe

    Filesize

    180KB

    MD5

    6f6d6bd103a12ba920af072eea2cf71e

    SHA1

    10d128d5ac76ba36ae1648264a9238b93dd83b40

    SHA256

    2d06d7f0ccb4252b37e686bf7ea0c625b951dcb0138b2e0581ce9571fd1db1a0

    SHA512

    8770a6958eb8b2ebee3ddcd87f4544940720346da317ea9180b4b856495ba8e553b05b12910c3a6d9fd936067febb9812290449d0fc0128a89133b18a83362f1

  • C:\Windows\{E770883A-A7F4-4957-BD36-A603063CEA5F}.exe

    Filesize

    180KB

    MD5

    d4a39035a189d5daf60e14e9430a1624

    SHA1

    388e17677a77044f781429c944a85b87758fe463

    SHA256

    b878e924fd1ce16ea2c3c4b1ca790528b339456167433739b3634ba2ffbc4fc0

    SHA512

    9ee957d943f42d2beff4f1a9f45a9defed30ebedf8a77fab86f0e861df2ceb31d89d1c315572eff2a86e9beae21ef6fb2156d1f4cc4735e7d0ba2eff124c905e

  • C:\Windows\{EBA2B895-4D64-4c66-A878-298E00BD8D44}.exe

    Filesize

    180KB

    MD5

    b9646f76c181723edd20d438248edbf1

    SHA1

    55eb20bfe0b5aff86dcb7f8a108e246ce62a86d9

    SHA256

    6988c8077f77e1329d479f8472c459d29f3e68367a9f8b25f756eab5bab81d81

    SHA512

    249b1ea612a017fdedbb02e2346e3f2c0f83459c8c9e2259c3e870225f72479c5d71069ca7e96e32b70aed2579aac6fd2b836a8fa7fbabb85ae656806a1ba603