Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21/11/2024, 04:08

General

  • Target

    2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe

  • Size

    380KB

  • MD5

    6aecb1c2e3c36a3d08bd9361ff812b81

  • SHA1

    8f223813f6aca9593babe275709e32a108899ea3

  • SHA256

    1820784312f5be24091b3b7c5c554438b7516929d5f190a520b0b6ad97d50aa8

  • SHA512

    2de2b39f7f2f64d19770d342fba96210582bcc72c29df8ebf04ebfb3a1c38f672b9a6989279491ac82d09ad85a97683b8eef853db35008661121afc5d05364d0

  • SSDEEP

    3072:mEGh0oUlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGml7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
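The Active Setup signature above fires 22 times, but the report does not print the registry keys the sample wrote. Active Setup persistence lives under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} (plus the Wow6432Node view on x64): each component's StubPath is run once per user at logon if the matching key is absent from HKCU. The following Python script is an added triage example, not part of the sandbox report or its tooling. It parses a .reg export of that key (constructed here, shown decoded from the UTF-16 that `reg export` writes; the Windows Desktop Update entry is modelled on the stock one and the second key, {11111111-2222-3333-4444-555555555555}, is a hypothetical registration whose StubPath points at one of the executables this report shows dropped in C:\Windows) and flags StubPath commands that would run code from an unexpected location.

```python
import re

# Constructed .reg export of Installed Components (hypothetical data; the report
# does not list which keys this sample actually wrote).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Windows Desktop Update"
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"Version"="4,72,0,0"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\{CAB764FD-7F36-4903-A6CE-99AAB0361210}.exe"
"IsInstalled"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
GUID_EXE_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$', re.I)

# Directories a legitimate StubPath target is expected to live in (heuristic).
SAFE_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\',
             'c:\\program files\\', 'c:\\program files (x86)\\')


def unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: data}}. Handles REG_SZ
    ("...") and dword data, which is all Active Setup entries use."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = unescape(m.group(1)) if m.group(1) is not None else '@'
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            elif data.startswith('dword:'):
                data = int(data[6:], 16)
            current[name] = data
    return keys


def stub_executable(stub):
    """Executable launched by a StubPath command line (quoted or first token)."""
    stub = stub.strip()
    if stub.startswith('"'):
        return stub[1:stub.index('"', 1)]
    return stub.split()[0]


def assess_active_setup(keys):
    """Flag Installed Components entries whose StubPath runs code from an
    unexpected place. A bare file name (regsvr32.exe, rundll32.exe, ...) is
    normally resolved to the system directory and is treated as expected;
    note that CreateProcess's search order means a bare name can still be
    hijacked, so this is a triage heuristic, not proof of benignity."""
    findings = []
    for key, values in keys.items():
        if '\\active setup\\installed components\\' not in key.lower():
            continue
        stub = values.get('StubPath')
        if not stub:
            continue
        exe_l = stub_executable(stub).lower()
        reasons = []
        if '\\' in exe_l:
            if not exe_l.startswith(SAFE_DIRS):
                reasons.append('StubPath outside system/program directories')
            if GUID_EXE_RE.match(exe_l.rsplit('\\', 1)[1]):
                reasons.append('GUID-named executable')
            if exe_l.startswith('c:\\windows\\') and exe_l.count('\\') == 2:
                reasons.append('executable directly under C:\\Windows')
        findings.append({'key': key.rsplit('\\', 1)[1], 'stub': stub,
                         'reasons': reasons, 'suspicious': bool(reasons)})
    return findings


if __name__ == '__main__':
    for f in assess_active_setup(parse_reg(REG_EXPORT)):
        print(f)
```

On a live host the same logic applies to an export of the Wow6432Node view and to each user's HKCU\Software\Microsoft\Active Setup\Installed Components, where a StubPath present in HKLM but missing in HKCU means the command is still pending for that user's next logon.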

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\{CAB764FD-7F36-4903-A6CE-99AAB0361210}.exe
      C:\Windows\{CAB764FD-7F36-4903-A6CE-99AAB0361210}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\{9806F003-C82C-4088-B2D3-7DF3ED5AB850}.exe
        C:\Windows\{9806F003-C82C-4088-B2D3-7DF3ED5AB850}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\{3E722FBC-EABA-4020-B820-721AB1C93589}.exe
          C:\Windows\{3E722FBC-EABA-4020-B820-721AB1C93589}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\{43B00118-1400-4a93-9F94-4BDF094F917D}.exe
            C:\Windows\{43B00118-1400-4a93-9F94-4BDF094F917D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\{BA1A8614-C77F-4cae-930A-325D96EE0DFD}.exe
              C:\Windows\{BA1A8614-C77F-4cae-930A-325D96EE0DFD}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3064
              • C:\Windows\{7274C4F5-94CE-4df2-AA66-BC7EDB3CC7A5}.exe
                C:\Windows\{7274C4F5-94CE-4df2-AA66-BC7EDB3CC7A5}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2868
                • C:\Windows\{AB5A7F8A-11E6-4ea9-B62E-4FE5877FB91B}.exe
                  C:\Windows\{AB5A7F8A-11E6-4ea9-B62E-4FE5877FB91B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1056
                  • C:\Windows\{2D62577F-6D40-4ec8-BB7E-E4C6F4E9C399}.exe
                    C:\Windows\{2D62577F-6D40-4ec8-BB7E-E4C6F4E9C399}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1760
                    • C:\Windows\{9633FC1E-53D9-411f-916F-D2158AFBA481}.exe
                      C:\Windows\{9633FC1E-53D9-411f-916F-D2158AFBA481}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1804
                      • C:\Windows\{6947693E-4A03-4bd0-AF88-846CB2D8A438}.exe
                        C:\Windows\{6947693E-4A03-4bd0-AF88-846CB2D8A438}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:440
                        • C:\Windows\{ABA2647D-7BD7-4125-8BBD-3CC64F04D5A2}.exe
                          C:\Windows\{ABA2647D-7BD7-4125-8BBD-3CC64F04D5A2}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:564
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{69476~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1860
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9633F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:828
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2D625~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2268
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{AB5A7~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2436
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7274C~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:316
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{BA1A8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2912
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{43B00~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3056
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3E722~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2856
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9806F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAB76~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2056
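The tree above is a twelve-stage relay: each stage drops a GUID-named copy (all 380KB, different hashes) in C:\Windows, launches it, and then spawns cmd.exe to delete its own image. Two details are worth pulling out of the command lines. The `del` targets are 8.3 short names (`{69476~1.EXE` for `{6947693E-4A03-4bd0-AF88-846CB2D8A438}.exe`, `2024-1~1.EXE` for the original sample), which keeps the command line short and defeats naive path-equality matching between the deleted file and the parent image; and cmd.exe resolves to SysWOW64, so the whole chain is 32-bit on this x64 image. The Python script below is an added example, not part of the sandbox report, that reconstructs the self-deletion chain from lines in the report's own format: command lines are copied from the tree, parent PIDs are inferred from its nesting (the report prints only each process's own PID), and only a subset of stages is included to keep the sample short.

```python
import re
from typing import NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]
    cmdline: str


# Constructed from the process tree above (command lines verbatim, parent PIDs
# inferred from nesting). Deliberately a subset of the twelve stages.
PROCESSES = [
    Proc(1708, None, r'"C:\Users\Admin\AppData\Local\Temp\2024-11-21_6aecb1c2e3c36a3d08bd9361ff812b81_goldeneye.exe"'),
    Proc(2320, 1708, r'C:\Windows\{CAB764FD-7F36-4903-A6CE-99AAB0361210}.exe'),
    Proc(2056, 1708, r'C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul'),
    Proc(2120, 2320, r'C:\Windows\{9806F003-C82C-4088-B2D3-7DF3ED5AB850}.exe'),
    Proc(2852, 2320, r'C:\Windows\system32\cmd.exe /c del C:\Windows\{CAB76~1.EXE > nul'),
    Proc(440, 1804, r'C:\Windows\{6947693E-4A03-4bd0-AF88-846CB2D8A438}.exe'),
    Proc(564, 440, r'C:\Windows\{ABA2647D-7BD7-4125-8BBD-3CC64F04D5A2}.exe'),
    Proc(1860, 440, r'C:\Windows\system32\cmd.exe /c del C:\Windows\{69476~1.EXE > nul'),
]

DEL_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+("?)([^"\s>]+)\1', re.I)
SHORT_RE = re.compile(r'^([^~]{1,6})~\d+(?:\.([^.]{0,3}))?$')
GUID_EXE_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$', re.I)


def image_path(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0]


def split_path(path):
    """(lower-cased directory, file name) for a Windows path."""
    d, _, name = path.replace('/', '\\').rpartition('\\')
    return d.lower(), name


def short_name_candidate(name):
    """Approximate the 8.3 alias Windows generates for a long file name: the
    first six characters of the base name (spaces and extra dots dropped) and
    the first three of the extension, upper-cased. Real generation also
    substitutes a few illegal characters and switches to a hash-based form
    after several collisions, so treat this as a heuristic."""
    base, _, ext = name.rpartition('.')
    if not base:            # no extension at all
        base, ext = name, ''
    base = base.replace(' ', '').replace('.', '')
    return base[:6].upper(), ext[:3].upper()


def short_name_matches(long_path, short_path):
    """True when short_path could be the 8.3 alias of long_path (same
    directory, same six-character prefix, same extension)."""
    ldir, lname = split_path(long_path)
    sdir, sname = split_path(short_path)
    m = SHORT_RE.match(sname.upper())
    if not m or ldir != sdir:
        return False
    prefix, ext = short_name_candidate(lname)
    return m.group(1) == prefix and (m.group(2) or '') == ext


def find_self_deletions(procs):
    """Pair every 'cmd.exe /c del <path>' with a parent whose own image it
    deletes, resolving 8.3 short names. One record per match."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        m = DEL_RE.search(p.cmdline)
        if not m or p.ppid not in by_pid:
            continue
        target = m.group(2)
        parent_image = image_path(by_pid[p.ppid].cmdline)
        if short_name_matches(parent_image, target):
            hits.append({
                'cmd_pid': p.pid,
                'parent_pid': p.ppid,
                'parent_image': parent_image,
                'deleted_as': target,
                'guid_named_drop': bool(GUID_EXE_RE.match(split_path(parent_image)[1])),
            })
    return hits


if __name__ == '__main__':
    for h in find_self_deletions(PROCESSES):
        print(h)
```

The same pairing works over Sysmon Event ID 1 (ProcessCreate) records, which carry ParentProcessId and ParentImage directly; the short-name resolution is what makes the "parent image == deleted file" condition hold when the `del` argument is an 8.3 alias rather than the long path.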

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{2D62577F-6D40-4ec8-BB7E-E4C6F4E9C399}.exe

    Filesize

    380KB

    MD5

    3c6d30346a02693e6d413dec6be319d0

    SHA1

    596c575d1106a7bb0010b3cc57366c1a5d5d0509

    SHA256

    54e623f7f9c86f88686d7afa06be6eed0d4e143fa27a6b801bc3531e83b86250

    SHA512

    6e4c5a909bb4188f7bf07aaba1661944b55bab4bed83b6ff26a0facf33d6c16ecc25ea88c0bff8d83f391bfc0a70abaf1adcde0eaa2512b56624055c733bcb88

  • C:\Windows\{3E722FBC-EABA-4020-B820-721AB1C93589}.exe

    Filesize

    380KB

    MD5

    df0c177353b0af18abec31038802f32b

    SHA1

    fcdc5c8ee31f63e00f57c1d709853bc17111209c

    SHA256

    af790644407dab71dfb6cfa0cfbfce361566de33fc68b41062344c89d22c8bec

    SHA512

    0031b43caaf46950b006b98d7223022d62eae8f8c5503cb94853a3464b7336ae7403f9b41f6ceb17cf28c7dd7a46d298430dda873845dc04c1cb9e07317863dd

  • C:\Windows\{43B00118-1400-4a93-9F94-4BDF094F917D}.exe

    Filesize

    380KB

    MD5

    65ac2d8baaaf0361d3a035db48dbe316

    SHA1

    c5e0d7d7b7ff77dd99776e78fb4338949cd7f38a

    SHA256

    fba521b41bb64c183611aa05450fa54793318a89814ee1619343c4c99b03aff6

    SHA512

    a32517adbaac3f6086d003c60c893a0e0d5e44793212b8074922a47a694bcce8c132d3f18cefded17f9a84b8eb0c975459ffc53740aa947404defd6f4b43a9aa

  • C:\Windows\{6947693E-4A03-4bd0-AF88-846CB2D8A438}.exe

    Filesize

    380KB

    MD5

    9556085190983a77fa72198b2ec3145d

    SHA1

    bcbe4e16b17e3eddbf2b499e56a1a792f8c32468

    SHA256

    9a5c066c9286eb96f3ea214e7e6ace521a17d85ad6ac0ab8bec9592598f68e77

    SHA512

    5253b3f2226151df63a88f69ea2a53ed87ef0070f35c6c20d8e65aeae96cb069c2a706cb8b166e83175c35fc871f6aeee8a35e5a46b2e59f5287e0e0c2b98a9a

  • C:\Windows\{7274C4F5-94CE-4df2-AA66-BC7EDB3CC7A5}.exe

    Filesize

    380KB

    MD5

    db0d4fb750ff71f80ac1944db1e7b0ea

    SHA1

    a00c64cc733bc71584433da988892145d895c60b

    SHA256

    56f6b82556a871f272d24f8278922688af2776247d502f69a7e32bec98954b2c

    SHA512

    889a13f93d04d471f98ea972453ee1c8480680e2c7176e2b536816251dd1de3fb9a709ff54dd09d60deaf5ae4130b77ab84d2dedd7715261b9328e9695d966c5

  • C:\Windows\{9633FC1E-53D9-411f-916F-D2158AFBA481}.exe

    Filesize

    380KB

    MD5

    8a0c35edb0ba22b7e55c27337dee3f9f

    SHA1

    81476d6abd167960215aeee4abe714704cb6d43a

    SHA256

    93abf6b6bfd9c39e1c6151612a23c7f2ad56ee2e4ab9251c9106de6d7913da28

    SHA512

    898b1ab17087db8964a4b0a15f4ec405fa4dda964bcda278cbb9f2ae3e556476da20a47af4a522effdb94060a476cbb9036b6ed03a92bb5ef40f974aacb50172

  • C:\Windows\{9806F003-C82C-4088-B2D3-7DF3ED5AB850}.exe

    Filesize

    380KB

    MD5

    fd2b0559555ef170cd0112d57cf1782c

    SHA1

    2b97f8cc398ba9896f2236e77b51ac4c5a395193

    SHA256

    25f344410a24f67a5d875436fea6980ab29989cb92c61b5f6697f5d673758693

    SHA512

    6cfbb6bbd4cb47d090426ee11ece25d01ee61a2e318db7e0833f7d974f1dd79cd1a869dc2842ff1ca5ba19d7badeeeb45b4e9c4521bae4e36cda868dcb1631ed

  • C:\Windows\{AB5A7F8A-11E6-4ea9-B62E-4FE5877FB91B}.exe

    Filesize

    380KB

    MD5

    903b641fccd7c89f365c8ab377b36e41

    SHA1

    0610208354a4f420dc155e8b462ffe13a84d3b53

    SHA256

    33a195253c2c47f5d6fff747130544215566a86f66923cb207b379807ce90055

    SHA512

    36ee4cc8d4ffc60c26221752bd9e24615550dc8f7e4b19cbf5a7856fd95810a68d747c1e2283420c57447a93b631741b9af877f57afc4d48b1d1c2abed11e8b9

  • C:\Windows\{ABA2647D-7BD7-4125-8BBD-3CC64F04D5A2}.exe

    Filesize

    380KB

    MD5

    c8f09fe754eb76bbd13f3465238db219

    SHA1

    b097362291854202092f23d478a35b0cba2a47b1

    SHA256

    4ad1d5c2632c1625c5b716d6d391735590f4f2aec100eb3aa2fe7e8a42f6a9cd

    SHA512

    5e29eeae98ca3f476a4c939ff57237e6266ba45072c98759dd4531cbda9791170dd17dad808eb051dc0b6d0cb1a5366b26ae11749dcbbd96d5ab648c7d04a7fb

  • C:\Windows\{BA1A8614-C77F-4cae-930A-325D96EE0DFD}.exe

    Filesize

    380KB

    MD5

    69f1108a18282821ca861d1ef9e8016a

    SHA1

    9918218c1a6caef6fe8c58c65f09d52e11d3a1ba

    SHA256

    c193c7ae764bcdec6f52578819cc258a049fbe5ac86814b7503e3838cc91b334

    SHA512

    6c0790d21f5bb0a95cb11a4f6715d49500cc039084f5e18bef2315c73c600920357e00a7b10f2960b1386dcc877e137c72eb6e76012f89a70a1e419a75938d2a

  • C:\Windows\{CAB764FD-7F36-4903-A6CE-99AAB0361210}.exe

    Filesize

    380KB

    MD5

    7996e193b40d543144de197d93bfeec3

    SHA1

    820f1f1d5005b796c187124f50f96903407f428e

    SHA256

    18d4ad4ee1ed4f8852c017e8fa23ba4a881eabc72f0f3c4d389b10a62ef37493

    SHA512

    a230d1b718f33204005fd977b2d47059cadd0b1020d9db022c9066979edf7852610f7ec186f160b188a15c7cbee79944e215809efc4de5a3e6308c4a5a27ff0d