Resubmissions

17-10-2024 23:31

241017-3h5elssfqg 8

31-05-2024 04:49

240531-ffsxgagf35 10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-10-2024 23:31

General

  • Target

    2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe

  • Size

    180KB

  • MD5

    325ad5cab02211ba043f6a1ec096bc26

  • SHA1

    50d54c83f2a838652bef7e12981a8576527d2113

  • SHA256

    c7f7a7ddc0c84f60366206b41c11ec34c73094fc8718a3c358dadec33ba5a837

  • SHA512

    e08b85acb7fcf1845d5b2194db1591c3ebf1c98fad8c174fa7e86807407a382dc8a876fe990eff7e35d762e6e69ab71d1c5604d0402934339a2678fddc816ab1

  • SSDEEP

    3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGVl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-31_325ad5cab02211ba043f6a1ec096bc26_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Windows\{850CD9A6-C276-4db7-84AF-57FE23CF4310}.exe
      C:\Windows\{850CD9A6-C276-4db7-84AF-57FE23CF4310}.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2376

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{850CD9A6-C276-4db7-84AF-57FE23CF4310}.exe

    Filesize

    180KB

    MD5

    abc8142b047e7af1f4b45fed17d97d97

    SHA1

    cabf91ea523234b7cb8d7852078e89a33b7f12c7

    SHA256

    ae8fe7f2b79a9016884ff1549d3587704e4fabf5915e50575e9f0d51e64d22fc

    SHA512

    8974c62d7c6777183a2a3563b4bafceb3447326f5c622acaba312ae1ea0be6f4190b34136f953f1a0d03151e9beaa76ec258db20777185938d8e1320abdb2f8f