Analysis

  • max time kernel: 149s
  • max time network: 140s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21/11/2024, 04:09

General

  • Target: 2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe
  • Size: 408KB
  • MD5: 6f3518815a4556a1edb0c30430ed1a17
  • SHA1: d092b17682bbc9937060f3b6fc66cb821d1eb51e
  • SHA256: 39ebe26486ffc1198f4995d7060e77c0c13cc52a84a13002735decb2a6ae0e7e
  • SHA512: 8e2a112ee9534d7364e150934a1ed002074a1fdf1f23f67fa3d94ad42b2b616e3c79f617c44a7ab22cbf614b039d223a3a5b550edee95bfe91da536b409e3233
  • SSDEEP: 3072:CEGh0oBl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGnldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-21_6f3518815a4556a1edb0c30430ed1a17_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\{7BDFBF2D-C836-4fa2-9190-05D6D1285FEB}.exe
      C:\Windows\{7BDFBF2D-C836-4fa2-9190-05D6D1285FEB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\{FD6B37A0-BE24-4e74-A76D-7392A26B167A}.exe
        C:\Windows\{FD6B37A0-BE24-4e74-A76D-7392A26B167A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\{56B608B0-500E-4e22-B4BB-AEDF3DD3D714}.exe
          C:\Windows\{56B608B0-500E-4e22-B4BB-AEDF3DD3D714}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Windows\{775382BE-8AE3-4f47-974C-3987B316E6DA}.exe
            C:\Windows\{775382BE-8AE3-4f47-974C-3987B316E6DA}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1116
            • C:\Windows\{D2FCB41D-7C2B-4096-AB06-9A5F37C0793D}.exe
              C:\Windows\{D2FCB41D-7C2B-4096-AB06-9A5F37C0793D}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2028
              • C:\Windows\{FB06975C-513A-4c95-8068-11E3748F1CC8}.exe
                C:\Windows\{FB06975C-513A-4c95-8068-11E3748F1CC8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1396
                • C:\Windows\{4DCD59EF-1274-4896-B593-29470B6A6497}.exe
                  C:\Windows\{4DCD59EF-1274-4896-B593-29470B6A6497}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3472
                  • C:\Windows\{6F35B914-8825-48b2-B3E2-735623225919}.exe
                    C:\Windows\{6F35B914-8825-48b2-B3E2-735623225919}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3036
                    • C:\Windows\{9BA341C6-C3F1-43ac-993F-10C03C167A64}.exe
                      C:\Windows\{9BA341C6-C3F1-43ac-993F-10C03C167A64}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2204
                      • C:\Windows\{9C1179B7-1FAA-4e1c-8CA0-24E4AA71343E}.exe
                        C:\Windows\{9C1179B7-1FAA-4e1c-8CA0-24E4AA71343E}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1248
                        • C:\Windows\{8882D74A-C7F4-43d9-86CD-C259BD284C0D}.exe
                          C:\Windows\{8882D74A-C7F4-43d9-86CD-C259BD284C0D}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4444
                          • C:\Windows\{75DB7F4D-D2C7-48a0-AC96-4DFB068C8FB2}.exe
                            C:\Windows\{75DB7F4D-D2C7-48a0-AC96-4DFB068C8FB2}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4744
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8882D~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1628
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9C117~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1796
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BA34~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4060
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6F35B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:788
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4DCD5~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:680
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{FB069~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2680
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D2FCB~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4980
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{77538~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5052
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{56B60~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:448
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{FD6B3~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3452
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BDFB~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3468

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{4DCD59EF-1274-4896-B593-29470B6A6497}.exe
    Filesize: 408KB
    MD5: d633bea34aa9edbc8db55e7649bc3cbd
    SHA1: ebede2e10e4a3c816553b79a00024a987b74700d
    SHA256: 640c1e9c1b8da7efe34b0d4f38c5d201463429237eb8ce07bd331958231f03dc
    SHA512: 2e13f6789426672b7bda04652fce8d2dde0ddaf30564c13ac4e06afcfb810c97f86c2f122f778af0428aa7fb9d52f5edf747fa697f9aad9fd21bcb9b1f7cbb12

  • C:\Windows\{56B608B0-500E-4e22-B4BB-AEDF3DD3D714}.exe
    Filesize: 408KB
    MD5: c72b9467a5f64aa365f854f9dde94e20
    SHA1: ca6982f60fade3ebec66c80422faa2827c7fce97
    SHA256: 00009102965e44119dfd0dba2d26f3fc89c8edb7c2afc79d75a190707c857e76
    SHA512: a425c274a0d7c0fb64aa0ff31384d8c90fe9c2d60ea4c0144d759c938ff6aef1f8ac54eea7290bce5a8c73659b200e9ba66a405cb4edd035d9c7ed9e5500c680

  • C:\Windows\{6F35B914-8825-48b2-B3E2-735623225919}.exe
    Filesize: 408KB
    MD5: cacb8224926db235e93ede2a26073a32
    SHA1: 7cbfb35f35b5fcdc61d6b8cea7fb6b902f81c8d4
    SHA256: c077e9530db6d79de9b0c50ffb307ad208132d581e5db1851d765c77f7aa3897
    SHA512: 7d13a353edd668dfae3c4e44d6103fe41617eaaab714b0a30aff78cfede21dcec502387f8a33ebd685e141033f1b8fd878ea06572a938a23329d22e6d70c0f60

  • C:\Windows\{75DB7F4D-D2C7-48a0-AC96-4DFB068C8FB2}.exe
    Filesize: 408KB
    MD5: 5791423c0133e4d6616a0d182b4055db
    SHA1: b505602b22e662d8ea08cc092da33d63feebeb9f
    SHA256: 5ee5c1844dced6350106f183e4e275d61027eac3bcd174be2018346854c26354
    SHA512: 16bab59e808f67d49a5d34846a1c51b458dba3d3e88afd662c1d69613fb6e05d5dd5855a9488d32efb8f2513a3fe64bcb32e9e280a9ecb25b9d46800fa9c60e1

  • C:\Windows\{775382BE-8AE3-4f47-974C-3987B316E6DA}.exe
    Filesize: 408KB
    MD5: 07292d7bc8023472114a7abe0078ecc2
    SHA1: f0a612c2840108497d863ad5d6ab65fdf3e9a9fb
    SHA256: 171c12843e767371442f680e2fdb4e088449eea35da6d979354610cbae7a1c7d
    SHA512: b22d75a79c4d03f72dd316e491bb025e51df3886f5aa8c3e08eecb2ccc6cb6233ecae9876eff971f606a44d89d0a70911ea1d5b64d8f9937fa23d4fd99b81051

  • C:\Windows\{7BDFBF2D-C836-4fa2-9190-05D6D1285FEB}.exe
    Filesize: 408KB
    MD5: 9184f1b52c25532c8c4914fc3c8ab997
    SHA1: 89fda6b4e87df207d693b272a860028ae8cdae3d
    SHA256: 0216c7c184f69d903b236e6c36bc13579a015a9b77b943040d4601363003523b
    SHA512: 168c1f6992f18cf43e576a52da2b24917b8d69cbb31c10413700926a0cd0fdd8b03e2b842473e6293b5c774b62b8bfe5be1e0be41a82f76f4ddaf003a87eb85d

  • C:\Windows\{8882D74A-C7F4-43d9-86CD-C259BD284C0D}.exe
    Filesize: 408KB
    MD5: 93379ca04e071a549bd85f1be9d51e46
    SHA1: bc8459cf8adf126127dd27068de6bd203603171b
    SHA256: f56028a1dd1507b15c87ff9065d8fd8b20838e0f963c9f086d6cf8ffcfb8e6bc
    SHA512: 3d78922f3937ee6518e1310e36e471dc11062725c948a37d2e9e26299502bd29f64c700d43f56ab3adaad5639a7b98a7a04c67b1b38ba722dfd7b6ae9b2a9aef

  • C:\Windows\{9BA341C6-C3F1-43ac-993F-10C03C167A64}.exe
    Filesize: 408KB
    MD5: 1a2cefa97e3a2b9ca1d55079a3050d44
    SHA1: 1e2fec9d08942c2e0cc217bb10f8acfc649c8976
    SHA256: 721c8008c0324b18888c8c97564692d4318155c499eb0d4b6246a59c1eca112d
    SHA512: 488ed079ae93a02f3679b4b018bbb0d017320c5cbc3931bd3d8d4757db0a912d53a632c0d6d8e52d22f6a7337f65a551e196567b1cd2d086c1818a0d697eff30

  • C:\Windows\{9C1179B7-1FAA-4e1c-8CA0-24E4AA71343E}.exe
    Filesize: 408KB
    MD5: d1b7e7ae8c30b211c82a66cd162e1f76
    SHA1: 346a07b0090c5a4b35ff07e37b714908b784a0ff
    SHA256: 9b2573e13a6f96074961f8d57b2ec438234e37dff5157d6a879c6499a0e75c79
    SHA512: ef526f18f8e2caa950ade62cf2e96d2eb928d5d5d019aacabbf35bba328eda1bff2994ee271f7690fdf4e55beaf4237c7be6c217b5195de90fcbc851868f784c

  • C:\Windows\{D2FCB41D-7C2B-4096-AB06-9A5F37C0793D}.exe
    Filesize: 408KB
    MD5: 1d0bc16302ff279febd55b95f3715b8d
    SHA1: a433354978fece0db0827b547381e626782c6766
    SHA256: aeb26d7ccf4e9bf654d4beada9bc9ad7846c98964a8afbc9e9ea3a6dab4a8ca3
    SHA512: 7f297e89e809c22b4797565bb5b379363d8baab5223a2784b3ec287380378cf35fffbec86a1c88af37de8e8030098723a9e4ab9fd65a87c6a3d44c0c1414fcdf

  • C:\Windows\{FB06975C-513A-4c95-8068-11E3748F1CC8}.exe
    Filesize: 408KB
    MD5: 9ebf426392e234e0684c31ac6b44fe0b
    SHA1: 57392244d287288de1ba103334c4c242a3f052ce
    SHA256: 154876d703df12f87407e60c0265c6e22aadfa7b54a05e9dbe4e91d3a1d4d250
    SHA512: 22a7236dc6b6df980a5364d26803c8f7a6e8afca945909742f539ac9041ae3e5f9fa04889edc1c8723bd15c91ef46c68fa6b87a96bab805635fdbcc0c15193d3

  • C:\Windows\{FD6B37A0-BE24-4e74-A76D-7392A26B167A}.exe
    Filesize: 408KB
    MD5: 45a7344789707856115d98dd9ea3d52e
    SHA1: b41324b6692bd947ae3f21f6970e37b688a0c8ce
    SHA256: 6b12b685d03905dff2dcf0564323e3884940fb45e494d80cada83ae93b610c19
    SHA512: fb399cb8c290817cffd2bec499750707bf47bdeeabb1cd422c8bab5a3280c9168ff83758253e6be11b34740231473c95bc657536c54d05bf40d26c5bc838fc69