Overview

overview

8

Static

static

3

2024-07-05...ye.exe

windows7-x64

8

2024-07-05...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-07-2024 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-05_7c81ef9b1129e9b8f40aad7923d69bcf_goldeneye.exe

  • Size

    216KB

  • MD5

    7c81ef9b1129e9b8f40aad7923d69bcf

  • SHA1

    f6c7cb23f5df344b9aa48ef9f776aad8be6332ce

  • SHA256

    c2ca0cceca01f41b5e4df1fac14f86af5f1b5e65e23e2df9833c139d8084c146

  • SHA512

    3e163e7fbce84beee03988f284017675e1ab9d72e75d040f1db91e17e46d57728b681c250698a2fe34d627c9338586553b3a8f0a5913e9e8b7c18b4d9d23a119

  • SSDEEP

    3072:jEGh0odl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGLlEeKcAEcGy

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-05_7c81ef9b1129e9b8f40aad7923d69bcf_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-05_7c81ef9b1129e9b8f40aad7923d69bcf_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\{FE412DB9-C95A-41ba-8C9F-1E1A71F2929E}.exe
      C:\Windows\{FE412DB9-C95A-41ba-8C9F-1E1A71F2929E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:720
      • C:\Windows\{4BBC8706-6798-4900-BD38-5718E22A4E54}.exe
        C:\Windows\{4BBC8706-6798-4900-BD38-5718E22A4E54}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3852
        • C:\Windows\{A42E299B-CE1D-468c-B88C-32EDC230343C}.exe
          C:\Windows\{A42E299B-CE1D-468c-B88C-32EDC230343C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3952
          • C:\Windows\{F4C4BB7D-C131-4618-963E-B305AF154B1D}.exe
            C:\Windows\{F4C4BB7D-C131-4618-963E-B305AF154B1D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:416
            • C:\Windows\{C84FD8AD-068A-44ca-80D5-2EF7DC135A41}.exe
              C:\Windows\{C84FD8AD-068A-44ca-80D5-2EF7DC135A41}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3356
              • C:\Windows\{55DB77F5-5C20-4ea4-9FC4-B93154C2223F}.exe
                C:\Windows\{55DB77F5-5C20-4ea4-9FC4-B93154C2223F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2460
                • C:\Windows\{34AF2BEA-F2FB-4f97-9DF7-2798AFF0CA1F}.exe
                  C:\Windows\{34AF2BEA-F2FB-4f97-9DF7-2798AFF0CA1F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:368
                  • C:\Windows\{0D5F9D59-9B1C-4209-A60F-CB0A70D4199B}.exe
                    C:\Windows\{0D5F9D59-9B1C-4209-A60F-CB0A70D4199B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2804
                    • C:\Windows\{0B0D7E4F-3C43-410a-8B35-AB8D0F941233}.exe
                      C:\Windows\{0B0D7E4F-3C43-410a-8B35-AB8D0F941233}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3236
                      • C:\Windows\{24925A42-5AFE-49c8-98AB-6602984533DA}.exe
                        C:\Windows\{24925A42-5AFE-49c8-98AB-6602984533DA}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3060
                        • C:\Windows\{B53C9D5B-CCB7-4600-A32B-9D073DA92499}.exe
                          C:\Windows\{B53C9D5B-CCB7-4600-A32B-9D073DA92499}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5064
                          • C:\Windows\{27DE2445-F6AB-4370-8F92-04F7A811D6AB}.exe
                            C:\Windows\{27DE2445-F6AB-4370-8F92-04F7A811D6AB}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3580
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B53C9~1.EXE > nul
                            13⤵
                              PID:3276
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{24925~1.EXE > nul
                            12⤵
                              PID:4700
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0B0D7~1.EXE > nul
                            11⤵
                              PID:2612
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0D5F9~1.EXE > nul
                            10⤵
                              PID:60
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{34AF2~1.EXE > nul
                            9⤵
                              PID:2268
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{55DB7~1.EXE > nul
                            8⤵
                              PID:1496
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C84FD~1.EXE > nul
                            7⤵
                              PID:1644
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F4C4B~1.EXE > nul
                            6⤵
                              PID:4828
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A42E2~1.EXE > nul
                            5⤵
                              PID:2884
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4BBC8~1.EXE > nul
                            4⤵
                              PID:544
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{FE412~1.EXE > nul
                            3⤵
                              PID:1872
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:4388

                          Network

                          MITRE ATT&CK Matrix ATT&CK v13

                          Initial Access

                          Execution

                          Persistence

                          Boot or Logon Autostart Execution

                          1
                          T1547

                          Active Setup

                          1
                          T1547.014

                          Privilege Escalation

                          Boot or Logon Autostart Execution

                          1
                          T1547

                          Active Setup

                          1
                          T1547.014

                          Defense Evasion

                          Modify Registry

                          1
                          T1112

                          Credential Access

                          Discovery

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Resource Development

                          Reconnaissance

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{0B0D7E4F-3C43-410a-8B35-AB8D0F941233}.exe
                            Filesize

                            216KB

                            MD5

                            e510915eddc052ebe45a28487a8e8577

                            SHA1

                            a7b2b9cd46b8bf701297b43723603253129c2077

                            SHA256

                            810a779c8e52f5c77c8047fe3b4f62b94972ebc75992526dfbf0984cd90c2dc5

                            SHA512

                            2e1d606ba42925ac7d146fb7f613b893da0fa6f03ed721b23bfc3310250f128cf6a5664224fe6c4c34bd3df447a47b4b2a73f73e77bbe60722c4a9f8109f33ce

                            Download Submit
                          • C:\Windows\{0D5F9D59-9B1C-4209-A60F-CB0A70D4199B}.exe
                            Filesize

                            216KB

                            MD5

                            4d74d010b7cfd5446e245b75d95f8748

                            SHA1

                            160fec4405191ee3db0ab9d22c14cc53c2e74b55

                            SHA256

                            f84f12cff3bcf4f79e478b96ae73530e5e90f64f38fc7eec29db489c277af375

                            SHA512

                            2a8e8cc4fdc549b9e24145e9dfcb29c9f23dc9a0755d086fb9f06c0e4bb703044827f791886081cdcf75b8a6f4919a9cb13ffc50621dde29fe59d1f72ce208ea

                            Download Submit
                          • C:\Windows\{24925A42-5AFE-49c8-98AB-6602984533DA}.exe
                            Filesize

                            216KB

                            MD5

                            38aba599ef008769a213c5c484bd92c9

                            SHA1

                            af5b0b377cb2abfa8b303782e2efd1ffd3fb7d4c

                            SHA256

                            785718c229e971e9d3dde194492f07453468f3c9cad09dcb1d53f0228695311c

                            SHA512

                            4a5ae3a03aa4efb364ea61e7941d7d2060458bc78214e917f7edf7b3766e7595f30037ec392b05ee4308f87e8c2dd95046d35c3e3658f6265271f8cb33159093

                            Download Submit
                          • C:\Windows\{27DE2445-F6AB-4370-8F92-04F7A811D6AB}.exe
                            Filesize

                            216KB

                            MD5

                            fbda4f8418b48e4158789642a77d65b9

                            SHA1

                            91d82fcb4c8aa9330e76b6ee8efc45e54f03c1bb

                            SHA256

                            c127c51e075c5c431ab4e5755549606f4445630015daa9abcbb2a285fbbf2706

                            SHA512

                            4ba94f451140c5bac99be2f3748d45007a6477cafd00b84c7919eacf9f434d8994b4f6a5e369e026f9c54e73c5677dc804ad45831ce9a19edfa5a138f1769149

                            Download Submit
                          • C:\Windows\{34AF2BEA-F2FB-4f97-9DF7-2798AFF0CA1F}.exe
                            Filesize

                            216KB

                            MD5

                            096282806e9a6a2d8ba4ab7e81c8629f

                            SHA1

                            b6bf456fafc786ed28d1bcb87735a619c340ad8d

                            SHA256

                            f294e498bfd7e11398c433aa11a710d855f4efd92bf97101c88c340dc0e1d324

                            SHA512

                            790e5ad0a1ad9b0dad1d6e1abfb321445b38ce9a97ba78d71c8a53a844476e9dcc3e1db1c9e8a0593e1adb820d9791e946a7daae6356c84cc5358a4e2c6e07c5

                            Download Submit
                          • C:\Windows\{4BBC8706-6798-4900-BD38-5718E22A4E54}.exe
                            Filesize

                            216KB

                            MD5

                            c42aa8c7bd717b1c85df6195ed948405

                            SHA1

                            c3e171bd814cd440f264121cc5187f451cac224f

                            SHA256

                            ac1680acb1d94dea2fed6c58f42e5db3b917d2f8e1a149cb62f5a319d0d8b5da

                            SHA512

                            4f541ef6e547a69fbbe6888f2aeb7328b892e8eb1007511d2d860104b44468e5d531a473c761732dcbd3692bb4611c029d072b5c1e3a5db9686f85b9078593a0

                            Download Submit
                          • C:\Windows\{55DB77F5-5C20-4ea4-9FC4-B93154C2223F}.exe
                            Filesize

                            216KB

                            MD5

                            70e52d1378278948ea931f7dc5e003b4

                            SHA1

                            febca67778ee876cfc95faf29ecfd33e2d421319

                            SHA256

                            17c30046d3c5c189d5b069eb353568c1238415b3bff634e23e77e07bf04ba53d

                            SHA512

                            55455349a8dc1d83294381362ec36bd3429790d516d28a0d2b68626515987348701e1dfa4e186f7ff85c2a90b941f30038e3fd1c3c1dff001f5fcac92cfd0182

                            Download Submit
                          • C:\Windows\{A42E299B-CE1D-468c-B88C-32EDC230343C}.exe
                            Filesize

                            216KB

                            MD5

                            af2d0c3c3711f3a0284518430334a771

                            SHA1

                            5049232dd099c7b23c901ef9e07292163ed292ca

                            SHA256

                            b3c0f0ece7e01398fd29acf5396b336750c62bbaa85de0f8e2ee8f76dc9e8ab7

                            SHA512

                            43548250c820816d45c61dee6730048ea8d63abe5041b7f3ab4d4ccbb1bf717ecf99d80440c071bea0b8035bfc8f5cbc3fd4f6322c4d8d06ce3a1d322c6a6af6

                            Download Submit
                          • C:\Windows\{B53C9D5B-CCB7-4600-A32B-9D073DA92499}.exe
                            Filesize

                            216KB

                            MD5

                            d41af04aeec9165d8cad66ff535821a0

                            SHA1

                            95a46825dc95e1cbd1620929daa468a9255efaa3

                            SHA256

                            91a5430e7006fbc11344456d3d6b486ed4709c53ee6124897386f06baa893fc3

                            SHA512

                            e876401f7e3c8bd772069ef3b877bf7f65108d182aae31b4cc37ccf410dea4b20c0d3974028869ef642adb7054a108377f8969d80341081e1ff233c5c1fce9dd

                            Download Submit
                          • C:\Windows\{C84FD8AD-068A-44ca-80D5-2EF7DC135A41}.exe
                            Filesize

                            216KB

                            MD5

                            f28c9c4bd98a86f02482ec2a902cb23e

                            SHA1

                            f5952e0b956d9641f324c47889acebbc278c5e4c

                            SHA256

                            d927637e34e6ffb8d8177f9316370ef432a0cd016a179664c042f749ef5450d5

                            SHA512

                            55f9818f11a5374c65d865a67b9ea9b297cb16b7f0738b07f06bb776905351597f29cd824acd25db1612b831a4238706253348cc6074c7ce103f6d598b0958bb

                            Download Submit
                          • C:\Windows\{F4C4BB7D-C131-4618-963E-B305AF154B1D}.exe
                            Filesize

                            216KB

                            MD5

                            8970aba6b74918016c8da7d2768d1d57

                            SHA1

                            f0b532ebb07b7364ebaa9d6e5934bfd76c6d8f17

                            SHA256

                            aad71107b6d5c019e2c8bf3ec0fef2f6d7ec14f1a0e2ac0724c7951c341a4a82

                            SHA512

                            7bd0c6519ea05536a5633e3a0a2648610ea7a69f856cd7d8bfd8b527d82cc39c2a6130d1f6ea3d1bab601cc98fdcd1b63a6ce4c8b753cd5410a8eccbe4c90623

                            Download Submit
                          • C:\Windows\{FE412DB9-C95A-41ba-8C9F-1E1A71F2929E}.exe
                            Filesize

                            216KB

                            MD5

                            2e85b75cc92689f1b87e3803fbb36efa

                            SHA1

                            e828c2ccfa1aa2ab615282d50f10c5ffb9da06a0

                            SHA256

                            e480a9ca0277f5e097299f85cf7ad56bcc62d3723a1e7aafe3f0a5d976e41570

                            SHA512

                            dad937f044e3bdde3009476021a64cf957ac680f76988a7b7b6adca12cd7a9519cb141b351433b837ffba802bc3a05b1296a9583c77095ab32c8d2356e089154

                            Download Submit