Analysis
-
max time kernel
149s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
03-07-2024 12:21
General
-
Target
2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe
-
Size
216KB
-
MD5
f95ddd59a0b0fe59620cb8e78ee19334
-
SHA1
a13db8b2d3805e305d4220016cad66b02d0e8dfc
-
SHA256
22018eda162b32d9e94864666abdc83260dca552c7aee29c1a45301228527cc0
-
SHA512
64b818b93bcdc7e020bd069f7e56a230e6e10c267e4d1ccb9b1dc9347f204fb820b561206b09737d12adc7271aecbdf3785357d9dc6cf082a96650688fba4109
-
SSDEEP
3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGLlEeKcAEcGy
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-03_f95ddd59a0b0fe59620cb8e78ee19334_goldeneye.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2CFF5BEA-3D0D-4788-A50F-6E398B853955}.exeC:\Windows\{2CFF5BEA-3D0D-4788-A50F-6E398B853955}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0051BB36-0B20-42f7-B1B1-9B913AE22D09}.exeC:\Windows\{0051BB36-0B20-42f7-B1B1-9B913AE22D09}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AF90747C-CA27-4ec8-8D58-FD441E937BB1}.exeC:\Windows\{AF90747C-CA27-4ec8-8D58-FD441E937BB1}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FF016959-D04B-4e24-8E20-013F309D58F3}.exeC:\Windows\{FF016959-D04B-4e24-8E20-013F309D58F3}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C079203D-9D6C-4acb-B194-B893E2E93022}.exeC:\Windows\{C079203D-9D6C-4acb-B194-B893E2E93022}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9FCAE7A5-2D8C-4ac7-BEAD-1DA677A2B985}.exeC:\Windows\{9FCAE7A5-2D8C-4ac7-BEAD-1DA677A2B985}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CCA86EA4-1B64-4948-81B7-176E5F6C922E}.exeC:\Windows\{CCA86EA4-1B64-4948-81B7-176E5F6C922E}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7C6EBB7C-3A62-4942-8A3F-243463A6B111}.exeC:\Windows\{7C6EBB7C-3A62-4942-8A3F-243463A6B111}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EAE367CC-C3EA-43c8-BB52-6EC954490715}.exeC:\Windows\{EAE367CC-C3EA-43c8-BB52-6EC954490715}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{223F0ED6-11F7-4a35-96F3-A897498D3532}.exeC:\Windows\{223F0ED6-11F7-4a35-96F3-A897498D3532}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C34ADAC8-DEEA-47bf-B2DB-DD2377EB8BB9}.exeC:\Windows\{C34ADAC8-DEEA-47bf-B2DB-DD2377EB8BB9}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{802B8939-3391-404c-A9A4-D4899A149B96}.exeC:\Windows\{802B8939-3391-404c-A9A4-D4899A149B96}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C34AD~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{223F0~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EAE36~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7C6EB~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CCA86~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9FCAE~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C0792~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FF016~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AF907~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0051B~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2CFF5~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216KB
MD53982579f2d6266cabb8f7b0f8f85f660
SHA16744572932d99ebbdb50382e2c714cfc3c114238
SHA2564321f66458349065dbe395e7e08bdbd0fbaf158b4b8e127602e28fbfa76b668a
SHA5122a906897e37973167da2c8ea5e8584fca2c86395a4d6b4241289daf1f294fae999dfbc3733609bd4b337569f2a87ac000531370a23c541cfdf2f9927895510d9
-
Filesize
216KB
MD571af35c669b336caaee8cd9739def290
SHA16e341f21bcb2439c3fd0f3026289b13e55f88f75
SHA2568560724c1458211efd299bdad5433a186f9b940eb490e5f8a41be14fd595466b
SHA51203b933ea33ae4b066999e28fdbcc9891e3ee772145c616708ea4bd8e246c96b5c69c97e3a84b6e113954a6d4fc28da069bc9387182bae2b6e4121b62bb427240
-
Filesize
216KB
MD555069c1bf7f6b45d126e67d10218c74b
SHA11e8eb73e0705a98e29e4280c6c36e65b3f726e81
SHA25627091d8e6d3a359fe625c24e9c31d7bb5370260621efffb737d8b8367693c9c9
SHA512be9ec64a9f00517b9b1d5e31c565300e93bdee56c58818b9a6dd3595c45606da9ca11d9fadfb2cbdc4d4d1167de1859195234440214d553514b2d2d63316e8c3
-
Filesize
216KB
MD575e3cc43df047ffc203339a93c241c98
SHA11ab1f1f2ef536890bbc9dd691a8a2b8813617bf7
SHA2560a33fb48069d0732b25a4d63cb4ef6c8c21a67ae039d3572f48fd1f7d6cf8dc8
SHA512d609ca0d8279fa686d14abacccee8fc1843d03c467ce635dfc0d0e2be18b7a10f53661df7b69ad24d3a0c8f16b3a216698eec9b70535cc83a464873d8f527146
-
Filesize
216KB
MD574eebaea4386404cc6091ff136ec061d
SHA1940dcf479c84dbaf19278b693aa4c37f1e220e48
SHA2567a34d79defcea980bc587be20296e990998f8de693f22877ca498046e1ea5e96
SHA512a93478947e1179724706074b308e76dd6c5e6ead0e58c3052766d7d56ad50ce7e6ac7e5fb779b865d9bc67fcb2dc2ac76c52abb7f54909a34d3d15ff24a48da0
-
Filesize
216KB
MD5b95b9347c56ae9f5b6bbe01f453a0c47
SHA1b7b098785be4c86ee4cdc4b4934500ce3cd97c91
SHA2561875cf46d2d49edc064cb82ed0d31a771b80242be94aa38d8dddb233781c6164
SHA512bda610e070c1290ec42c6c34e16317ce2790206f0f47f6f52d2109ba9b8626acf074130c405584b677359b577102368ef46f5309e4200fc76be87b4bfb72ea4e
-
Filesize
216KB
MD5e6009651a2c723f6872f207a98cb959c
SHA19020b504c1adedc06720c70d84b274c89fb59272
SHA256122b563e74dd13971580b5537f59bd2a5cb7203fb2145684d501d22c6b5761de
SHA5128a76aab098d8250ac91f0d0823e86e3d8cc5bb07dc3c381cc67703d9733699edd945ad40f4d55634f8dadc3a0e485d1bc16b45d0e14a889973c1c3472caaf86e
-
Filesize
216KB
MD5d8c3c0cb9904000f6cd15ca30fa6ebe8
SHA15686000f7529bf3d41b8cbcd41c3273f48dcebbb
SHA2562c9a18084a20871e6d0280e856e8f39753560785f715bce677184cfaa9166c9c
SHA5129086adec11afce35f00942f41a9ca1af12048e968229a161c7b093b19faeed9cf33e23613552813a4d9e92e11a576b7a25b81756d8a2b324401d6b981a8710c3
-
Filesize
216KB
MD5ba1e3809368905755f1a9d045c6fb6b3
SHA1ec976a8da9cdb3afe1e8200fa20dc6248e2399f6
SHA2568693f1c4d4d943539277dee8de1a8b3bfd15b617ce1dc058554441169a38e83b
SHA512b62c73f9633ca7468c91afe9807b36189467fdfbdd6b370bdfe2a55f33f3005e491068b476d7677635c4ad0329d82e358bb7c95ea0f8547496f4ed13ad9a9f1e
-
Filesize
216KB
MD5d96a2825eff82bd4b41b694cd57f0700
SHA1410930d30316244e06f8b00b81764b5173075a8f
SHA2569ca9bdf75afa8ed84eef729972fd5dbe3230087e82513c5c5d469b3621de3e16
SHA512124f4ffb5c6289808e1b0517ceec3b112baa5b0a6afd306a00201d95a568512d91b80deb63b16addce4ce095c8727592e8810fe86afaf86af880437e3de72f36
-
Filesize
216KB
MD556b118b6300b2807b08ff62623f3a233
SHA1275ecdacb037c8ab77d80550ce7a25c954ecb528
SHA2569cb1f253551aa8a3d944968bf4bf30d92d93be7fe58b6001232ce3c58bbdf88b
SHA512385b0559561c7a4c925b01e3885ee3bfc6d9c55f0be6f304a17735517fdd18d75885062b0ffa20f21238861a217c6ff2e2bb58adfea64bbf716a66506624b5be
-
Filesize
216KB
MD5f9ec2073fab879f2d5fceb58190c45a7
SHA1ac3c70f3350816890e93c70d7b122678b93d4150
SHA2561ab0ba65984363d3b9e6762d7289498df460e0d0316588ddf08658c43d6e96fa
SHA512ee417b172f274efb2e4be27fb38005448dd1b83786a43ba663a37d481567068a761275d866fdb597c700915c4e74e554ddd5812921311858168e9238b72a832b