Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30/06/2024, 08:47
General
-
Target
2024-06-30_8687a63e908a18329e91e1c8d97d1ad3_goldeneye.exe
-
Size
180KB
-
MD5
8687a63e908a18329e91e1c8d97d1ad3
-
SHA1
b260620c0e76bab3c8aa4d60969be62c3598eec8
-
SHA256
94d177e72abe42fd7686589933e05381f5530989e9d026d2639bad8c2bed24ee
-
SHA512
7ff84d9923b26e9cf73d3f972ed96f6972e2559b4e70bd4a605374a96572fa5e71e4d138e975464a34e5a47fa1db77534a4f9e914dc4b63d6276ed15f1f0635b
-
SSDEEP
3072:jEGh0o/lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-30_8687a63e908a18329e91e1c8d97d1ad3_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-30_8687a63e908a18329e91e1c8d97d1ad3_goldeneye.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E590C6FE-71A9-4273-A7D7-738D5701FCE6}.exeC:\Windows\{E590C6FE-71A9-4273-A7D7-738D5701FCE6}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E201BBA4-9DBB-49c3-8369-FA86D8A9E930}.exeC:\Windows\{E201BBA4-9DBB-49c3-8369-FA86D8A9E930}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A18CFE6B-B6A4-41ef-8E1B-32C7E7A8E631}.exeC:\Windows\{A18CFE6B-B6A4-41ef-8E1B-32C7E7A8E631}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{014EE359-D9D6-40bd-9929-69EDB086E0DD}.exeC:\Windows\{014EE359-D9D6-40bd-9929-69EDB086E0DD}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A0A807FE-C3D7-4bbf-8453-C4DB7F7582CB}.exeC:\Windows\{A0A807FE-C3D7-4bbf-8453-C4DB7F7582CB}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EFD75979-0E05-4093-87D1-CB7FE7AC0283}.exeC:\Windows\{EFD75979-0E05-4093-87D1-CB7FE7AC0283}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1DBD881C-A82D-480a-AC14-8DD3AFD2E16A}.exeC:\Windows\{1DBD881C-A82D-480a-AC14-8DD3AFD2E16A}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{573E06AD-4781-40b9-B83C-FB7A820A8BA1}.exeC:\Windows\{573E06AD-4781-40b9-B83C-FB7A820A8BA1}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CCA37629-895D-4fb9-B8D4-DC03AEE0A3DE}.exeC:\Windows\{CCA37629-895D-4fb9-B8D4-DC03AEE0A3DE}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2AC65701-EA26-481c-BB81-93C959D4ABFB}.exeC:\Windows\{2AC65701-EA26-481c-BB81-93C959D4ABFB}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5DA4EC98-17C3-48c3-8F7E-50F5A30CEAF3}.exeC:\Windows\{5DA4EC98-17C3-48c3-8F7E-50F5A30CEAF3}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{F99D5519-0246-404c-A5CD-62EBE636432F}.exeC:\Windows\{F99D5519-0246-404c-A5CD-62EBE636432F}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5DA4E~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2AC65~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CCA37~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{573E0~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1DBD8~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EFD75~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A0A80~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{014EE~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A18CF~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E201B~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E590C~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD546b9879a988ff13471266c34a3c15152
SHA182e82a4645f1c65ccb42dc40bfe5c2befdd38373
SHA2569e609f52bb73d8a47ffb3af2740550fdc018040b218099dc6e8925f4400303a4
SHA512bd610776a7ec791c93682af97f6db57ec4e3bb45b4bef84686845b421ec81ec335a7676b6d9f03df1ea90c2347ab208d392844a4cdfbc5fbe6153f0f2911ee5b
-
Filesize
180KB
MD58c0442cda3e95af1e64ddae61d24c8e2
SHA11dc5ba4e4323b5b0e5f65ead841ada427910bdb8
SHA256e01f316c59d470128d84c61aafb21e9b9ba2b840c9af655bcf1eb34ab19c6e9c
SHA51270ace7d7c7c5e7a153d04bb9e8e329f2f5c17f9803b8b117c45776de821e0523d13f2390ff9fd7acc12cdcd3f729ed3046ac76b5179cea06864c012405d27bc5
-
Filesize
180KB
MD55d65f73c840ce41cfde5a992871c6b68
SHA1c0047613f2ddba25d8a869282e97c4151f2942ed
SHA25647bbfca540b8157c112e4c79dc2e0938e93756a534d4f0cbd88afe31811265c2
SHA5126e211243ac7a9cb786b7c3a228cc1582e53b81b80e51b5ce27867b0869dea81857f88e37286c306380cb6dfd63e5108615f4aa2d0e7bb49c7072d281ae9b2f26
-
Filesize
180KB
MD59f1d91632462109663e5e5d7d3784b10
SHA14b5cbd49eead11b2c76848057d60a4bf12c6a081
SHA256760e2421d20950eab4fe151ba6713df0ff260c611827f09a4402bcf67fafdb94
SHA512b9b6717d59d50f7fe07933149e0604901cd639bd8f44adeb5b54d134f8f3782d8229b97f330c1589bfce1b0ddd9c4133290e5765ff8ae3251f13dbec2505b957
-
Filesize
180KB
MD59b46f916018c649b8a87de650a3a249d
SHA1ff24faf77f8b741759815f0ec5099245fd385f79
SHA256a2e5edf2eff0d77f1f633148590c810e013b4dd762ca119d0c40c9272c4559e8
SHA5122eebc741ae57f45842760452ea3c5633d2a7342bcd42b46be077683034560a7e92b30eca86628560ec594eff9860436ba2856516b2c1cf8014149524a757b3d7
-
Filesize
180KB
MD54a1d17856d15ccea53d2c5cd42949842
SHA1fc47d1f197956eab7910284f72eeff51c790a639
SHA25696bd0cbfd62a9763839ba906af9acce688e5ebc25b9f5425fe01c24cc2e1d14d
SHA512476e3e24e98a785418ba3a8d753704d30ab37023201a2894c79be5164bc9b3e0a855ce32bd938748989f0fd7da44c4a6128af53bd84274070725009f27bf5647
-
Filesize
180KB
MD59564091e07d5d140edd52236da59b587
SHA130e33efb189b3ccb6bc669dbd742138456fc65ad
SHA25637f1e874e75695a55d1d2cca886fea41992ed2eff3662e933bb0f22838928f52
SHA512842111bf3c708d61e4ac262de0af24d1e4569f7596ad54ae8e6e5009d24784704a02ef5b944a16c5c07623d3e79bb24761ed760d35491f1836adf363ccfe223f
-
Filesize
180KB
MD54cf5205db1d7e85c784ec82df09cbf87
SHA1f6f22b99924a8edc8a8cefd4cbdf1171b142daeb
SHA2566a07ed4859995d87735945bfa5865ffd1079f66eb6ee0d311d0b01839649b8cf
SHA512730ddde0a536c89c938a019eed92f6898d489fb9a7aae22f29bf5f4787c3fe27caea246aa0cebd1aca5df7276a824d3f4e1b8bf2fe795e3849faec29e96158ac
-
Filesize
180KB
MD5b35f73be5fc7f835eaa5eba32ca99917
SHA129a5370a026d3dd9f5f4b72cc8cb33b81ebbc587
SHA256549cbb58cf1f8bf88b980ee851d2921428665c0ed088f6c17a8c4d5e8fa5d851
SHA51209d76d2b5de1fa006d4b7fbfc5bb453d73c2e3922d643eb16151c2eb3a532be0fee71876fc59f9b289e04d376b12505da292db709133c5eb0759d076bf89a35a
-
Filesize
180KB
MD577619273f4c539816007b4027924ca2c
SHA1a3e398beac9026612730be3c1e579711220c058a
SHA25624f7606b182f5bf3b7f5376bd7bcf45f14e5f03e73181aaf06ff7acd024703f6
SHA512821bbc31b24069b8dcdeb44927ebe93928390620f5ddb8b0e2dca68402e2fd6b1b139600c55b5f2a6ece819a80264280a1f0529275ed3f16925856c240d61d7a
-
Filesize
180KB
MD5a8bb1b16d12f1c3f052f68f1234833cf
SHA1d9d322cfb8de14b9e721d4a62a5eeb592a1a1559
SHA256732828fef5fb0a17baf7a88a3974c09ec33a12967a9557f1783204d5c9da297c
SHA5129056b1a3020ea2e06ce32804c46b2caf04fd504958418700bac4e39b9bdcbe7716ea15ceb99de98214e123d48669455e64b4b9f17402fc046d9a0b6465d05f03
-
Filesize
180KB
MD5fb00cc016a9b555eeb5329ed4861f85f
SHA1db572be82b73e3b51c818d95131768002718d42b
SHA256b8820a9460c0978146a5656e5a5cea0c97d81caa199e6441f9122b9fa424c305
SHA512b10033451bd30d3cc0e85a75992ca73091c8d58b41f2b43d973820233c1bdbbf7543c44effd1b36f7ffae6cf425620fc968eb2654f2f8b620febe412a00577af