Analysis
-
max time kernel
144s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
20-06-2024 12:56
General
-
Target
2024-06-20_4cccfcc2436536d5b1657f236c28717e_goldeneye.exe
-
Size
180KB
-
MD5
4cccfcc2436536d5b1657f236c28717e
-
SHA1
e474c8daeed4d8eef294452799cc034fd5205d4a
-
SHA256
0ca88cfbbb4737ec2c855a1a9f95e0990c6c90aacc1c21406fe4cb92921a046c
-
SHA512
d0353de010b91e14fe354a02111181a4d1f27091ef429c0620434d4313bd83ca31fa26301cefdd265721d031771c17fc71bc89d40e855ccf1ffb972d4c01d182
-
SSDEEP
3072:jEGh0oglfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGKl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-20_4cccfcc2436536d5b1657f236c28717e_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-20_4cccfcc2436536d5b1657f236c28717e_goldeneye.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B2950881-8076-4e51-ABC0-B6A03E48A4FF}.exeC:\Windows\{B2950881-8076-4e51-ABC0-B6A03E48A4FF}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0590A496-FA70-4879-A921-4A6E8A080BF3}.exeC:\Windows\{0590A496-FA70-4879-A921-4A6E8A080BF3}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7707E19E-D3CE-42bd-B599-32EC94829E4D}.exeC:\Windows\{7707E19E-D3CE-42bd-B599-32EC94829E4D}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4D87D16F-BC0E-4b8b-9977-9FD0A9145B13}.exeC:\Windows\{4D87D16F-BC0E-4b8b-9977-9FD0A9145B13}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{03F26ECE-64BD-40ae-B738-80AB685ED25F}.exeC:\Windows\{03F26ECE-64BD-40ae-B738-80AB685ED25F}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4788CA2D-0E5F-4fb3-A8C5-15A2B272C250}.exeC:\Windows\{4788CA2D-0E5F-4fb3-A8C5-15A2B272C250}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B227CAA5-A5D5-4256-9CA5-38F35FA8DA02}.exeC:\Windows\{B227CAA5-A5D5-4256-9CA5-38F35FA8DA02}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6E320EBF-DB24-49ef-A1CF-319ABB05EA5E}.exeC:\Windows\{6E320EBF-DB24-49ef-A1CF-319ABB05EA5E}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{6B0821FD-B8A0-41ac-8127-96F0D7CC59C8}.exeC:\Windows\{6B0821FD-B8A0-41ac-8127-96F0D7CC59C8}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{205A7B97-52B9-46c7-B65D-E5582EC731FF}.exeC:\Windows\{205A7B97-52B9-46c7-B65D-E5582EC731FF}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{01313F0D-AF70-4da2-B934-1062B075DD61}.exeC:\Windows\{01313F0D-AF70-4da2-B934-1062B075DD61}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{205A7~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6B082~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6E320~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B227C~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4788C~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{03F26~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4D87D~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7707E~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0590A~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B2950~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD5ef7e8dc27340709dfd6f6501de2fda20
SHA161f9b048c9f7952687554ad8d5eb33a8c9f3df19
SHA256370fe6114b017ad1fde4e8637fc0240ce5a0bb5ca7fb21764a1098672a84875b
SHA5129a77ce87962647848d4f96884ec2e022405f4880b7894fab64f9c232b94fbe356fa6b616ce61306780fad86a60e080206a8703b7c66489402ca3ed21cb386dab
-
Filesize
180KB
MD540260b5785b81d15655e2b62020b05a9
SHA1dc16e1482ed8963ef768ff94e2a4119b41fb8ef8
SHA25661e16e3e28b608b7eb7dc1ecdfa01393e677df74770410a47dd79d16b885b0a2
SHA512342000721b873da01685ea16589e73dc7da9ceb72bf90070d1bc048e343d38b7675eef22e7fcdf32143bc87fcb3cfa0e44092d42b3d78a730f42ded08d8d228e
-
Filesize
180KB
MD5faf3ca900e7ba1291a427312dfe4e504
SHA13ebd5c1410c487a3ec28900bdf193178790c37e2
SHA256680c8a268543c62726167a7c8a75f30f24c57fe67ec0d491e1040d80fab44fa0
SHA512dec33708069a30409b117ca72489162873a246fcf67f9c8b88c129fddc2bd13d73c8c74f0b3e75b6dc4df931210ad2f06514cf3d2fbfb4a769500e4ac73cb663
-
Filesize
180KB
MD5ea3c0a98a9794e2ac8a26ebab8c168a4
SHA1e947f349e845fecb0ca28cfa2e4553a98628bb27
SHA25636d8f782c96e42beea1be02c700e842ec815e2f3433a65666255554febccd5c8
SHA51230b68387290015f6438a100a9a9354f50ecc716b25622fea1a162f42d1dc00d266e9b92cf18423f4e70a445b5b4e7c4305a573fe484537c1524ae718924f7a3c
-
Filesize
180KB
MD56e2ad24f06a26e0d036356c534c86742
SHA1376734510e9301431c42ce621ec6b0e7f3b7a80f
SHA25675c51a5a386db095e647b4b49f2199c8f8dd3ab4dd669a1d454ba6ba740338e1
SHA512c97d31fb185fbce390e9ee0b3f98498132e8e721cccf4e6ce22633d3f4ec74d160033deab8d9bc8e7f4e851ee3bb167fae6507daeae95744581043d37206fdfa
-
Filesize
180KB
MD5969c75f611f1641d85ee2bd1f69b5e68
SHA1136c7eae4a37751eab3a77e7cf29e2a95b48f972
SHA25689cea5fd08f4482428ec6ad3b1f33c68aa27570aec6e0ec80c037fd0e4a5289f
SHA512c4097f7d53a4e9bc655fcce2dffb4bdf753507e9afe23b0d11be68e76997cd11376662e351f0b4b3c10f8ff96f5ed6973e7a7d50c27f9076a71d2b9809ae9ce6
-
Filesize
180KB
MD517558ee584d6947a61e6031b9886b53c
SHA1de6460eea54b03de1fad41f53ae66f6b3014653c
SHA256465800044f7eb64cd02eb1d6df23a185086068d94c9e61d3086def1dc732e4c7
SHA51262a8cee4b135deb375cc60ce7f08116f3eb9699d719a13bf2d523dd0eed3c23c8e954c1025e0ff2c8ce6a04032f93e1cb621a283fb659c1035606e5f5b34b9dc
-
Filesize
180KB
MD50a88a8cd78103949bc29530c84b91312
SHA1474f123bb275753fee7587c265fda2c9b9276b55
SHA2563774f4a6478ec4b4d66825a12f2f6105af2e5bcec8fbdb9ff08bce6bf4f041bd
SHA512e3de7d84f1ea4eb9131c9646291ec58cac4ef8c2ac84fabf9b2f941551c8b3a77b474e53dde7bdb44a6327c4a88cfa160041ce8d4b3ae5da401a0ab0768153b7
-
Filesize
180KB
MD5b3057dd328226ddff1a99424312b6e61
SHA133475b0c8a278c1edf5bf62a85dc6860d7eceb79
SHA2565e0ec4d91717930603cb6ba9d55e209480d52cb883704e77952b603597dafdb9
SHA5122c562f66e751749b8c1ea3216e828741461985d74bc1dd90021db657eec71c68392bbf54f9c5aed0da7b1e2bd980d34920a1714a282405c7129da3a51eca13cf
-
Filesize
180KB
MD5cfed475925d8a36dcad533fe05f4a15f
SHA145401ef663f7e07145cddd6cd303d1b84b920878
SHA256bf50d3711c9afcc08b20213c6b41b150e04c1d1ffbb58cc8be0f67c3e21d0ce5
SHA512b824ff7635e980411b37dd12de5674ddfd8033a06918c811f2efd915f21fbe0ddc8752ccba5f7162f2e6358f3e84273935a1127d11b5de8a4c3bf9f1d01cc4f7
-
Filesize
180KB
MD56d69a079b0587e03bf7baad282e2ba8e
SHA19bb48eb3d6ad3aca966d6cb38cedb23fb79d544b
SHA256db3c2c500ca11266684583f5b1faad698ba8f83f15b083638a6609af851906a7
SHA51263806253eea8ea48864017f6192bd0c8f3eee646f64c8880a045fd50ddf2cb3c41af33ba57f83f9a6b9474026fb111be9a38a6fa60a599548b78e33d258cdb70