Analysis
-
max time kernel
149s -
max time network
55s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
03/07/2024, 10:45
General
-
Target
2024-07-03_8188aa665ea39fe0a9b2270712827b19_goldeneye.exe
-
Size
180KB
-
MD5
8188aa665ea39fe0a9b2270712827b19
-
SHA1
0e0d4c9a2875bd72dd6b13d2b1a7f7a7be5eae97
-
SHA256
51878eda2c3b9a2d74625681f506a075e043b9feb85f51411ce3015c4c7f1d87
-
SHA512
038f64f4342ed009dc0502dac08d9b28d4257dac77a4d2b4bc982e1365ccfac382ad97d077a5c45ab11bf365d8f25edca85689c86f285435bc73b739fb6013c5
-
SSDEEP
3072:jEGh0oulfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGEl5eKcAEc
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-03_8188aa665ea39fe0a9b2270712827b19_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-03_8188aa665ea39fe0a9b2270712827b19_goldeneye.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0537352C-953F-4eb0-8E1A-CF7457B23A8F}.exeC:\Windows\{0537352C-953F-4eb0-8E1A-CF7457B23A8F}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0EAA62F2-FE07-4fd3-B9B5-E3A753F5912D}.exeC:\Windows\{0EAA62F2-FE07-4fd3-B9B5-E3A753F5912D}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FFF29EFD-7ED3-4c86-9C8F-DFB3452AEBCD}.exeC:\Windows\{FFF29EFD-7ED3-4c86-9C8F-DFB3452AEBCD}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A7152CB5-155C-44e9-9392-C9EA50766F53}.exeC:\Windows\{A7152CB5-155C-44e9-9392-C9EA50766F53}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DF9347FC-31D9-4e12-886F-0EEF5E461ADF}.exeC:\Windows\{DF9347FC-31D9-4e12-886F-0EEF5E461ADF}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D2EA3AF4-FF60-4454-86D0-ABB8330B5CD8}.exeC:\Windows\{D2EA3AF4-FF60-4454-86D0-ABB8330B5CD8}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BA739872-35B9-420b-BBFA-8A967E8B12B9}.exeC:\Windows\{BA739872-35B9-420b-BBFA-8A967E8B12B9}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3563C567-618B-4990-B22A-B03400385301}.exeC:\Windows\{3563C567-618B-4990-B22A-B03400385301}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B25CD904-4C58-46ad-B281-FB29B4F0123C}.exeC:\Windows\{B25CD904-4C58-46ad-B281-FB29B4F0123C}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1E659C6C-6D00-4b3d-BDD1-9D08FF3975A6}.exeC:\Windows\{1E659C6C-6D00-4b3d-BDD1-9D08FF3975A6}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D1456052-9615-46d7-8D5A-42B8E9B4B542}.exeC:\Windows\{D1456052-9615-46d7-8D5A-42B8E9B4B542}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{9232C3DA-8F64-497d-90B2-3C4FD8541D94}.exeC:\Windows\{9232C3DA-8F64-497d-90B2-3C4FD8541D94}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D1456~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1E659~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B25CD~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3563C~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BA739~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D2EA3~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DF934~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A7152~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FFF29~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0EAA6~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{05373~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD584b7d4e27c4a241f237bf0db76e5ef23
SHA17e0b7456add762f559b8cab677a27f4a817c1c12
SHA256fc4f481f554709235ddc3bfffb8136f11a0717acb7a2fdabc3c16e1cc170aecc
SHA51245c76501598cd81f0c8e1287251d1a85ce2b9d9183fbd1cf1b04ff69a970ae49d72b58693a8f9e593462e80483b7a27e1f4749b855d555814978ca569c51c45a
-
Filesize
180KB
MD5b347e0dc235f9c4d7d861e2e47f0fd07
SHA18000c8f4f39bba33650af886b88aba9b6c8fb72b
SHA256360bcb727c90c82ed7c33cdf17b20ee06844df6cbe952e5958e916c8c9ce423e
SHA512b8084a61a8ee443502e62e2f2ddd2471bddf91db26eda10775ae56bf056811eba808455afda6f82ee07ed9ce7c2ce66c60f69db55778c97c9635fdef22f9cf8c
-
Filesize
180KB
MD5a898e716a70549ab37fec3705d85ead0
SHA174d3719b92d0c1e69265057ec605776a2b95c989
SHA2564a0f9acad02e3de29684202b58a79cd4776503771666e7c1e818c7a28742dae3
SHA5123c1c6cdcbc855b8174878d16d72a5dfc863ef48dd42620d230089ddcd9111e204cea2a69c4fe58105cc7d216928fbfc71da002d66eb5ffd844735d1dcdbb53a0
-
Filesize
180KB
MD5b4cdbd798f796e099f7e52d3d12896f3
SHA128482f882f040fe25313480890ce19774ca21e64
SHA256b130d5dba0910aaca6bf32d64bba820a3cabe77cad2f42d44a75293a7811197c
SHA51218d772b4e3aca8f1eb6b04e9d259725778674f831fbe077dcafc5d66b6f6ca7513d186b0105dec0bd7faf50a07062baa55b56b7ace09801ad3531b8cafedc87e
-
Filesize
180KB
MD5f30103b9758346bdb076906686994521
SHA1df2c802e160223c13b1a9ebe25e8d705289fa848
SHA256693e5709ae23294afad967e558c5b13582745e8639d2fc4d5626f687b3348ef5
SHA512ab065acfbb0321d6e037e7b92e4791effe70168fe65524c828677569855ca0442a39535e0a1ce2d9fe8bc27f8d300b1922b7bbd75998631859806c58b96f4f2a
-
Filesize
180KB
MD5573cab690af07e7ac192798b6f8ba78b
SHA1882913b627080b981170e4496805a10c1ebaf5b6
SHA256823ed3281a3d171a12843b2df4ec7f867386e03ab6aa19fa6450c79f224ab01c
SHA5124e274a5e1a44bd15d574ab57bfc0ed07319835043c700dc362f18e2f4bdc729ef9970365c8db29132b7a7fca5e4d388a0c6a3012b64f5abc904f1bdab564b124
-
Filesize
180KB
MD5c9d7f787d3fd38d39b304743d0a47c55
SHA15f4beca2abaa675a4e35725ea556416e0f3d81f7
SHA256c8b6cf5b7b7ed7ed93668a0f3eeffc4072f450607dc9fca78c6c360bc9c854d3
SHA512333d0c4438e1423122c9b766379c1d87e75f8a768a6b73d95bed15d98c3e76874edff255b9f1657fbb59de7973daeadf7fd930009ef61b06e4c6577e38e8b2c0
-
Filesize
180KB
MD5a4553fcf790d7c1c96605024acb55580
SHA1999693dbb0e90e3cc88c175780eea679a86c567b
SHA2561ec41eeee7f0ae967d65f992d3207278a89c722f5443779aa9862d9ac14dcdd1
SHA512f45a7b11f4ec48151a914f5cb023d582d124bfc363cd5baba9eec2346d0bd83611abee01df3803db72d8c44f0922a3160e58768bafa6944fb51aa1baf943085f
-
Filesize
180KB
MD50b3ead912819fe09870416f98b5ac984
SHA118d3cfa579d4ab642a815af5f57371e4a835b70a
SHA256e09f80635712c0bfb5a1c99d455e0ce861cbf55597aed1adc013c963fe548ef8
SHA512d708b4122e9bdf10b0250ff7ca771a32680f08b2dc79241b2d568eac50843d8ad8cc5463a0e21e3a77b8f69c89f4eb2688b117dcfb7170778481bb9df0d88ad1
-
Filesize
180KB
MD56d243293bfe4360843b850f81d95eb3d
SHA10d7fa8098a23d454ccc234fc09de58d8b0efef41
SHA2562254721577310e045b0bd8aa4d05d4696569720dc9ba53edbe12cb78ed5db43b
SHA51232a8a48ff734c699af593f2d23d5a5e7abbb183aa86684da3d753294d1d4803b837b190bdc8598bae7041b65e828b4d8bd162a2444307648aa3e58ff5e8c7080
-
Filesize
180KB
MD5cc4935c2dd3102244e792799f27d4c50
SHA1cf401a7bbc92ba7f292e6e8501efbc91a0250e8e
SHA2566f178ffb62ef20edc0be7089d9a9be9e20fe2cd87fca1190c9db6a9f0bf3b576
SHA512aa622ee9094deb04762a9f8f82f4a2d0d6da1cd05c1965f05a2432c4a10661c9cdf6cc4bdbb311cb19c82a61992ccf76d08df78b0a771a87cabc0a315924feb4
-
Filesize
180KB
MD5a02503b8aa6f26e4f4bb3042de21775d
SHA1dbeef48686929bf8e06c996741a8430fcfe79ba6
SHA256dec3a417af116c5272a6c203afdc9c3c264c56855fa6efefe8e36f8f629dde7c
SHA5122e44fb32d0f911d856dc879b0b32cbe11e107b15027694722947b10f336323f65da33322523af171eb222f7517f53fcf4372ea834b4f75c4452b03e1eb2d3087