Analysis

  • max time kernel
    144s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2024, 04:04

General

  • Target

    2024-11-21_5e596291b07564a1b6692381f7617358_goldeneye.exe

  • Size

    344KB

  • MD5

    5e596291b07564a1b6692381f7617358

  • SHA1

    cf7932c4226ad86be6f86ed213ce648ce0d89b8e

  • SHA256

    5b8e577d581738e25b896a1c7accf259794374aa84fbad520568dfd847e86d55

  • SHA512

    4aa56909f0f90f70bde8486130e114b6dd7eac0d2d85f3cb5526d186bf2d6515a8254b6acef032c67934f3087e638a4065c8605d8ce4f6d373f5650af930ed93

  • SSDEEP

    3072:mEGh0oQlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG2lqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-21_5e596291b07564a1b6692381f7617358_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5e596291b07564a1b6692381f7617358_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\{5381E9DB-AA37-4582-80AC-B249351103DE}.exe
      C:\Windows\{5381E9DB-AA37-4582-80AC-B249351103DE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\{AC2F1351-CA34-474c-91A8-CAA07B35DAD9}.exe
        C:\Windows\{AC2F1351-CA34-474c-91A8-CAA07B35DAD9}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\Windows\{FA3CCCA7-968A-4a78-A5EC-6348ED1F62FC}.exe
          C:\Windows\{FA3CCCA7-968A-4a78-A5EC-6348ED1F62FC}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Windows\{3919AC29-023C-44e9-919B-810D8A98A54A}.exe
            C:\Windows\{3919AC29-023C-44e9-919B-810D8A98A54A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2588
            • C:\Windows\{3B1A0685-B2D2-450c-8F2A-5FA1D7BFBC8C}.exe
              C:\Windows\{3B1A0685-B2D2-450c-8F2A-5FA1D7BFBC8C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2612
              • C:\Windows\{3C255276-77AE-4229-ACC4-7DA37E1C33BE}.exe
                C:\Windows\{3C255276-77AE-4229-ACC4-7DA37E1C33BE}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1688
                • C:\Windows\{E498D738-A681-46ec-8ED2-297EC95AF21E}.exe
                  C:\Windows\{E498D738-A681-46ec-8ED2-297EC95AF21E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3060
                  • C:\Windows\{12984FDE-8CE8-499d-8D95-273A70C3B964}.exe
                    C:\Windows\{12984FDE-8CE8-499d-8D95-273A70C3B964}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2036
                    • C:\Windows\{5D801FD4-C535-4bcd-8212-C027A24780E5}.exe
                      C:\Windows\{5D801FD4-C535-4bcd-8212-C027A24780E5}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1616
                      • C:\Windows\{56D78418-8029-43ce-9D0E-5547338F7EA8}.exe
                        C:\Windows\{56D78418-8029-43ce-9D0E-5547338F7EA8}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2908
                        • C:\Windows\{B5B87E5A-9801-4aa0-84C2-153362797533}.exe
                          C:\Windows\{B5B87E5A-9801-4aa0-84C2-153362797533}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:976
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{56D78~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2576
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D801~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1160
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{12984~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1108
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E498D~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:436
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3C255~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2064
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3B1A0~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2224
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{3919A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2808
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{FA3CC~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AC2F1~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5381E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3000
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{12984FDE-8CE8-499d-8D95-273A70C3B964}.exe

    Filesize

    344KB

    MD5

    7913bb58f9c45ea4fbf39d891c03f615

    SHA1

    2c6f4ccb4ecd7bab8dc03cd0ea15030e4495b5e1

    SHA256

    5e24a359d3c156575fa6a515d77ffaca921f249b32dff5cea08389a91396ce36

    SHA512

    a20f2db3afe7fcc89bf3898ed2b6f7157c546118c6ab60b8c91a90006a9ea2a8d96e2321d3a058e466c6ad104ec1e138f7c1b39e4d03c4c956542d81be7495fa

  • C:\Windows\{3919AC29-023C-44e9-919B-810D8A98A54A}.exe

    Filesize

    344KB

    MD5

    3f31246801439376cf0b9b73b0656b53

    SHA1

    ddf6344c156228473a33cfcd47fecaa0ff74214b

    SHA256

    533116aa5d9f457ee0d5582c81e4d50aabe01889345e2b87851a0e0d040feab5

    SHA512

    df43c433f4ef3b2da83e20add90d88b5e33400f42d71fe59d3148106e50dedc1893026dbdfc0edc4714d8456156d9311954c3ba63f4e772274cf7af4887c23fc

  • C:\Windows\{3B1A0685-B2D2-450c-8F2A-5FA1D7BFBC8C}.exe

    Filesize

    344KB

    MD5

    036b9f4a74a10e2200d9548d8e8a7d2c

    SHA1

    a4afb97fd4ea5b537181c3782760fc71869f0cae

    SHA256

    5aaf0b87aa1406eca040deb6e079b48aeb10289a8871f6ba449b9bbe0da75dbb

    SHA512

    1e41bcea245450e56a2fed7115ec34928192cba13c45dc75373e5618e79d5ea141ae055606ec9e40d24be270f16c9ac6fcfa3714f4a4b5067c844b31ca61274c

  • C:\Windows\{3C255276-77AE-4229-ACC4-7DA37E1C33BE}.exe

    Filesize

    344KB

    MD5

    da42d1344edaa98cc46ecf9266e0ba0b

    SHA1

    d1f1821e12c13e7cb7d1759eca838f0d70528ee2

    SHA256

    b859ef1670c391d7821a8a01da953eed113efc1225a3103193a91eb1d0cc6cc8

    SHA512

    96d01ba20272201019e03b3512570ebbcb6d3916372f1086435a321532c8f2fcdc55aff0eb47a7198e820c67a49db0e81550364b86ed7806d2e58e0783df712b

  • C:\Windows\{5381E9DB-AA37-4582-80AC-B249351103DE}.exe

    Filesize

    344KB

    MD5

    d6f14dcc61577fd66f3f31e2b0282c15

    SHA1

    0c8bb1d185384c964191c61a33fa4ffda2cb42a0

    SHA256

    cadc1eb8369b64218b7548a91267fda3b6891cdfe1d1a07a7a5b32614e6333fa

    SHA512

    2e5179a4d4b8a833d29a8067f2add42b192723718f07ce142eba1599150f30901de35205d3dc914327cce73b0a345f387db3b402825849fb2cd35d484ae9cc90

  • C:\Windows\{56D78418-8029-43ce-9D0E-5547338F7EA8}.exe

    Filesize

    344KB

    MD5

    443b1485d8fa129aea641b2c72ec3e1c

    SHA1

    9cfdeb6ffe551f5519a394b7a1fc117ea61168b8

    SHA256

    499d4aa44ac253daf855c96a38f914fa9648a648fe4f2b59d77bf60760e9e92f

    SHA512

    b38fc0f9c09218d14a23a929e2bd8fccb87e88d665572d2ac404988637fe24bbf267548d4f9c0632c508baae9ceea6adb9d791e784b82feffc388543c4761dfa

  • C:\Windows\{5D801FD4-C535-4bcd-8212-C027A24780E5}.exe

    Filesize

    344KB

    MD5

    fb2cb43223d3f83e267bdf03258eb22f

    SHA1

    aa222bd3420dd68832a92bb44d884a206336c9cc

    SHA256

    ee476647f4828148eacead2f38d5fc11ede57994478ce71cd576f45e34e528ad

    SHA512

    4b71703e148c13250947c98988436eac75dfd6e89e505b285af616ffebe21a5f38fe206c960d5c2d131371813372fd174510c3d1c24672cb778002d29f2e7455

  • C:\Windows\{AC2F1351-CA34-474c-91A8-CAA07B35DAD9}.exe

    Filesize

    344KB

    MD5

    21f0ee891faf03310d7140892033fcad

    SHA1

    528b2e21e136e8d5ba68bf0925fb6247a32d590c

    SHA256

    8a1f12522687f3b443ce425a4156ec626d5f6fd0b94559b0cc6cf50f98d6554d

    SHA512

    8254ca2a9937f969d4eecd0dbc614111f56451e2aa8b8c81a8c36745291d28bff289dab694ed0231571255289246a4a16a9c43caa6caf7c91bb441ce2f29b11b

  • C:\Windows\{B5B87E5A-9801-4aa0-84C2-153362797533}.exe

    Filesize

    344KB

    MD5

    d343cbc32d6f68973acd54f31ca91457

    SHA1

    9834cbe961a54656d93cc2de22ee398e398eef7c

    SHA256

    cd796e0e9a2945deb74c39c4fab772cd257c0cce26fb3949ad6ed3c43f3ecb6c

    SHA512

    815ec57c0198a6512ce52a955c720585d090c73abfafe5a3aabfb261e94f8923ddf1fdff946e70ab70e69e9a80e3fd4561af4bb7ff6f9b3f0895036be88e114a

  • C:\Windows\{E498D738-A681-46ec-8ED2-297EC95AF21E}.exe

    Filesize

    344KB

    MD5

    b52dd902b7b2622f5e447a4bfbc36dff

    SHA1

    8070d86e6d87776e1be7854981e143d018cebd70

    SHA256

    f70041f0caceff70c088398397a21b51c17682f833ceea60aa1cdd18c89e0ae9

    SHA512

    cf2a3923e7d7faacaf8357498c5145acdfe98db26338f4769697c4003aedba4f1ff91d8c3b147f8784fbcb79b97d1f8344fdea9a5b342373b0c97345ade54906

  • C:\Windows\{FA3CCCA7-968A-4a78-A5EC-6348ED1F62FC}.exe

    Filesize

    344KB

    MD5

    94bab64cc81e93142c68cdf65e9f4cac

    SHA1

    926541691c073ac28ad67b07c35f0dd2421b8680

    SHA256

    018c7b886e6ccb5c529cdf4db99eaf243fffc7486a630ab02f89f55431c27ba1

    SHA512

    a5c0789d690d4ddff0993e6e1f8b794229c72e7cd6a97c7171a06d6bc012c4fac71a0b5b1dbcffc32b16b814e55570fe90768601fb7997ef4134e4cbd82ddf3b