Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/11/2024, 13:01

General

  • Target

    2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe

  • Size

    168KB

  • MD5

    2357c80a83a366fb3e62bb5cd949b267

  • SHA1

    41988247efd766dfeaac255622752ffed80e0d00

  • SHA256

    41c9cffa9b9e1ffa20eaebb2bc58ad4d42cb1da10c8867130d420b394cf10ecc

  • SHA512

    7094e5d60bc35df6663a3be2691674d0124059875e03f420a10c0b3e54838bad8d4d559ffffd79f89d490529f52f4ccf93fedad297d3a71a052b2b90951daa04

  • SSDEEP

    1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-19_2357c80a83a366fb3e62bb5cd949b267_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\{330AB851-986D-4766-B29F-983E02F2AE68}.exe
      C:\Windows\{330AB851-986D-4766-B29F-983E02F2AE68}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\{50875967-1606-42ca-BE89-1C71A3F414B5}.exe
        C:\Windows\{50875967-1606-42ca-BE89-1C71A3F414B5}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\{7A528031-94B8-4549-BC1B-7F0A4D3A300E}.exe
          C:\Windows\{7A528031-94B8-4549-BC1B-7F0A4D3A300E}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\{FE7E3219-BA5C-413e-A1C0-77C24FC68F4B}.exe
            C:\Windows\{FE7E3219-BA5C-413e-A1C0-77C24FC68F4B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2912
            • C:\Windows\{FBD2BE42-A36D-4ca4-97F2-7004F7FD5372}.exe
              C:\Windows\{FBD2BE42-A36D-4ca4-97F2-7004F7FD5372}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2624
              • C:\Windows\{C779EAFB-F319-40a9-A50C-E13549E6702E}.exe
                C:\Windows\{C779EAFB-F319-40a9-A50C-E13549E6702E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1552
                • C:\Windows\{875770F6-4C63-4c82-96E4-303777F45E60}.exe
                  C:\Windows\{875770F6-4C63-4c82-96E4-303777F45E60}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2092
                  • C:\Windows\{8FBCC4D3-9F69-40a2-B902-B0738FC6D58F}.exe
                    C:\Windows\{8FBCC4D3-9F69-40a2-B902-B0738FC6D58F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1724
                    • C:\Windows\{C32DC68B-5E22-4ba9-9B77-D3FA19AA3C71}.exe
                      C:\Windows\{C32DC68B-5E22-4ba9-9B77-D3FA19AA3C71}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:696
                      • C:\Windows\{5D3C27F6-358B-463e-BBB5-00E57EB253D0}.exe
                        C:\Windows\{5D3C27F6-358B-463e-BBB5-00E57EB253D0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2504
                        • C:\Windows\{AE60998F-8DEC-41b0-8497-43C158E678B3}.exe
                          C:\Windows\{AE60998F-8DEC-41b0-8497-43C158E678B3}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1240
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5D3C2~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1720
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{C32DC~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2456
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8FBCC~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2900
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{87577~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:628
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C779E~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1864
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{FBD2B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1184
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{FE7E3~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2680
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7A528~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2548
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{50875~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{330AB~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{330AB851-986D-4766-B29F-983E02F2AE68}.exe

    Filesize

    168KB

    MD5

    15ec5cf50422d42b9e725842ac00832b

    SHA1

    854c546dac3d0b9c56ca8353457e9c881b265ba6

    SHA256

    7d37597b14f5eae3509097e9e1d06d49ba10c86bce5d0f9eced9cca33678d499

    SHA512

    975304308c32246de702fd3076b9092ad893285e1e49bdabccbc214aa6c5ae5b73757ef1dce156b0ca9cb55464cf8aaaecb2cd9cf04cfd644e807b5f903b08ba

  • C:\Windows\{50875967-1606-42ca-BE89-1C71A3F414B5}.exe

    Filesize

    168KB

    MD5

    43312d7cbf5a28266a625f720484d5f9

    SHA1

    f33b997623caeed7d9e36ea84876683015c3d4f4

    SHA256

    a4231282f7d71ed65ede8fa43d04548b0607418061d360425f72cf620259340d

    SHA512

    d7269ee796c98dc49cc2f843da186898d255a871438398d6acd55400f37f313543cd7b69ccabd1d250f7c451b132e6ca0bf6d335b0a757533c7d108084e6a0e7

  • C:\Windows\{5D3C27F6-358B-463e-BBB5-00E57EB253D0}.exe

    Filesize

    168KB

    MD5

    dd285525914fbc1665dad5b12f65d919

    SHA1

    912315c8810244d4545abf3141a6d4d727286617

    SHA256

    2b21389d0cb880d7984b6125a67225e285296c69ed825ac7f87cbeb870836f61

    SHA512

    21b9b0c7852c06c0ace7790ce96d1bac920da76f9d9e5f48f24fea9984f149cccd1dcd38117c11a57821104f028bd06aa89caa4ac4f12a1b7babbb1fd033ebab

  • C:\Windows\{7A528031-94B8-4549-BC1B-7F0A4D3A300E}.exe

    Filesize

    168KB

    MD5

    13fcf0fdf037b63f2cff993f9ea5f1a1

    SHA1

    694d37c9fcec4832346a58cbbea58e94d46b3709

    SHA256

    8cc65eff5780210400f74628d9051e42057756264936f75a09f370210dcbc68e

    SHA512

    4f0e1f24f6302ade19abd3651b30a4aa8a199d2e120d0c4da6faaa42557720aaacf3aed4d756cb896afc0c71efbd103e9adc0e67a9f8c5d542c3c54375dc2b41

  • C:\Windows\{875770F6-4C63-4c82-96E4-303777F45E60}.exe

    Filesize

    168KB

    MD5

    7a1c895cef213e711ce1ed747c42e985

    SHA1

    3004cfc6305267cc9e9855b6e0843e1905001f48

    SHA256

    6a23d88cc283fe73d34470d612a367d3330fa637ced319d54a128b468efb1488

    SHA512

    319e56d9acd0c8c576adf1cd6b54d1c2576e97a44b24b247afef13247961ac6c66e51ec30261ab7e183c276959523ac16e19a1e40dfeb4b5712a254313b96f0a

  • C:\Windows\{8FBCC4D3-9F69-40a2-B902-B0738FC6D58F}.exe

    Filesize

    168KB

    MD5

    ad579c23b5b8395147452da23d5a086e

    SHA1

    c0c817dbf57c1e514b50b1642377129e0ca639e9

    SHA256

    c7510992df210ad5b17776cc111af97b6e52eea160792eab7792e3644322b209

    SHA512

    86b6e7ba1b71f26775b907684de22b072e8b5052e8c42dc0e8952d82c7ec5bdc16d6501cba0f8ac1e7973d41d09690d0198ac8a7718ecf6d29a5229dac9e2c37

  • C:\Windows\{AE60998F-8DEC-41b0-8497-43C158E678B3}.exe

    Filesize

    168KB

    MD5

    963f9a049018eecadcc740194f3fb5c6

    SHA1

    69bd4db3eacbe96282ce82421808e931c38092ff

    SHA256

    e90c8bfddf3c3aa7de7fec356a311cddf342e73db683bbdd34390a26347f1313

    SHA512

    b3e3b060f3444bce36a6c47dda6aad871922f5ada0a3ffce208f14ecc5314a7b4ad13a74308e6e565167a6bb378481ae57705c07e36dd95e2254b7bfa179cf31

  • C:\Windows\{C32DC68B-5E22-4ba9-9B77-D3FA19AA3C71}.exe

    Filesize

    168KB

    MD5

    3ea607dd83143686620ad8d6fabeabef

    SHA1

    6963fd268ab764cc3a4073c0c6f31a61357308df

    SHA256

    5f667fa1d1f67a76b5ee058ad885ae2e5ea30a84e3adc1f94d354e14f0a7d6c5

    SHA512

    37495de6be9e61a7ba52fcad3e50d5c2e755d23cb811dc0e8490e5fb03db9130ef5f22ef448133e92915e965327f67dd2807b82c71d9a2c1439a3577778a07bc

  • C:\Windows\{C779EAFB-F319-40a9-A50C-E13549E6702E}.exe

    Filesize

    168KB

    MD5

    fc7dcfc70f2a83c65bf08ca0b554593d

    SHA1

    3e09918cf268ebc429fc27c267e394dd7c3bb659

    SHA256

    97bbe95d96a429021bf7cd5ba782f4200d9651c4e1c698ad3eef622c24cb6d80

    SHA512

    1b5f5746fc72c1c182ec4548c353bb50e896e6c0af8c82b960b3852c78054a0d7ddca01d45a96dd88541c23fb68ce1dae7585ad2fd98ad770cdfcd48a2fe0cd9

  • C:\Windows\{FBD2BE42-A36D-4ca4-97F2-7004F7FD5372}.exe

    Filesize

    168KB

    MD5

    c57335335f6f795f7728bdfd2defce2a

    SHA1

    8ea0d37536cc3bcfa85b8c38983aef9397fa1f2a

    SHA256

    af4c28b4f11b6ec43b61a3cf848dea30f6fbff9df18d6ac5d28b961acc967607

    SHA512

    79edb2bbcdffa8614962558e633d16d8c99d1d456a411866ab01a035a867dcdead0e5e8a0502650aad9cd5d7b7a9ff73fcf8d328c7781cd7081abd431703890e

  • C:\Windows\{FE7E3219-BA5C-413e-A1C0-77C24FC68F4B}.exe

    Filesize

    168KB

    MD5

    71cd4c4ad49ec4848825a9407c6cda6f

    SHA1

    d9c7d45c5b95723e95dea68119329a4a47ff6278

    SHA256

    7a400928e8ee4b2e0f11ef4a13f427d4d0c445009272d42f63a160ab489408cf

    SHA512

    ed2bc4491874e529dd10a53a1e9fc51e65f164d22472eadafc9d6c1e8b0adbb9c8853e951c660a409206e2d6bcbdcbc9499c5a82e4116dbc706ab9ad2b42f432