Analysis
-
max time kernel
149s -
max time network
49s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
03-07-2024 18:02
General
-
Target
2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe
-
Size
372KB
-
MD5
5b68e69d2395b63e55dcd6f11b614f8f
-
SHA1
2fbec41a6916acb6206ac8b47720fdd48fc5684f
-
SHA256
e479e77b1ee73e2905b4a96ddd4e40720674c5e5ed6b28ce63fa2b8b911dcb49
-
SHA512
739a0a9a9f928a6d3c497a94d05438512b25af7e4f228570590ee30484a67f2c8a30ee31bf4637ed555e28430890b31ad74792e323082905781c8c140fe8a176
-
SSDEEP
3072:CEGh0orlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGhlkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{939F9D33-406A-4f7d-B9D5-327C0EE6480E}.exeC:\Windows\{939F9D33-406A-4f7d-B9D5-327C0EE6480E}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{36656A40-9A44-4adf-9126-17509E190D38}.exeC:\Windows\{36656A40-9A44-4adf-9126-17509E190D38}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1F0E3A88-793E-4a91-ADA9-F5BBAEA16FBB}.exeC:\Windows\{1F0E3A88-793E-4a91-ADA9-F5BBAEA16FBB}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9478FEDB-6CBA-41dd-8AC7-7EC56D33725C}.exeC:\Windows\{9478FEDB-6CBA-41dd-8AC7-7EC56D33725C}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8F78FD16-623E-4996-B36F-760F0CBF4BDB}.exeC:\Windows\{8F78FD16-623E-4996-B36F-760F0CBF4BDB}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1441F127-97F8-40de-BD55-BC26B06A792F}.exeC:\Windows\{1441F127-97F8-40de-BD55-BC26B06A792F}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{07D78DAB-3D9C-4717-9A85-6EDC8DFCC0F6}.exeC:\Windows\{07D78DAB-3D9C-4717-9A85-6EDC8DFCC0F6}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8E5AC04D-BB31-4b11-8976-DC6CD5A16EC4}.exeC:\Windows\{8E5AC04D-BB31-4b11-8976-DC6CD5A16EC4}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9952D2D7-5D1E-41e6-A080-2A941AD9003A}.exeC:\Windows\{9952D2D7-5D1E-41e6-A080-2A941AD9003A}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8FE20735-1031-4080-8F34-5DBCCC1D7C05}.exeC:\Windows\{8FE20735-1031-4080-8F34-5DBCCC1D7C05}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D6D015E1-B183-42fb-AD35-D1E9953F9514}.exeC:\Windows\{D6D015E1-B183-42fb-AD35-D1E9953F9514}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{59056C8E-6B62-44ff-A800-3E3C8B7404E5}.exeC:\Windows\{59056C8E-6B62-44ff-A800-3E3C8B7404E5}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D6D01~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8FE20~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9952D~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8E5AC~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{07D78~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1441F~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8F78F~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9478F~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1F0E3~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{36656~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{939F9~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD5254ae2915b52a171febd9265ac684a21
SHA1d33b622ecaf7c3a170e11368720e358cde5769df
SHA256af980c235642735b81e6065927829e9f3a778c483a1270bc0a1a8218113e69d8
SHA5121ff16446bea38770c8fbf8f27a41d46375373fbf8cc0cbcded20e81f0f91c5a84a1185a7eb804aaef76fa3ca37231f9cae194ee6c1c54055ad8286953411c3ab
-
Filesize
372KB
MD5ed160e3601bc6abdef9a3ee4f7ca631f
SHA12a5166406ca31a32653cf7aa10d370b28fca4151
SHA2564e19d7eb9b31f19dfbf07008c59726489fa52d386e4f81e3c15428cb4c11483e
SHA512a52566106df9c3e860a4f4dcf55b7e15c877cde426d4b0bcace826e9a74e62c9b1f74fdb81e17c5b9bbdd09bf890f70291d35c37d709ddb8101ef7d8d9f0f245
-
Filesize
372KB
MD59931001005baeb32366e40a90987c4b0
SHA1c00d00389907f24795a584e051763c5e90b2d421
SHA256896a7514583fe1ab793d5ac3bb42d997348516a7e2a052648a97343a6a6e1a1b
SHA51209752db2136b611c6f351aae5ac69ebe692dc0a091b52da77bac663c600371c434369343f9dce8ee9ae977e7d84336714753924a7dd11a87284e67319e8b2cf9
-
Filesize
372KB
MD59ba73f788c7823324cd94894ad5f9707
SHA1b03a981029d1c3300dd33d2f437a324117465c9b
SHA256292b4e9acb0f3cbcab62e38a635b330b2fc3563603e4e51a9e8600cd02cb6894
SHA512cfd068cd77d667c712c2c2389b7ae2dfd0e0f5e90b66ea3879dfc7c7083424a6ac2bba8fd0979245513394527c20ab3237dd4c5dc9295f0dde7442926ce450db
-
Filesize
372KB
MD56424e103a5e43d37a00e1965611f0e44
SHA1b525614abe0e95c647a8f9992276b267639239f5
SHA2569314ea8db332de16302e626c1a555b8c9287c01eaa39a04b5e18000a9c3bde54
SHA5124eb9f3a035f9e08cbcfd7ad83ee3c8bf619d394a52a90a317979b5d3277046fc4c4c1047bf8d503de02c955dbccf8978510256d290b55bef186d3361b579de88
-
Filesize
372KB
MD58c28d7fd7552f1b8dcf95edda071b7d5
SHA134dd229d16ca8b825e5112d88fbd00f67e6bea69
SHA256f8bfd3fb4a8eea1b8d701e2b5eed45ca533583238d67600edd9c7c5cdec2bbbe
SHA51271ea3b7208fdc4e12d0834028504732940a737c69d0dcedda8341e49970217152d9189a80e56aff370fa00e4196462b3b0b5ba34bdf13f6a2f1e76c81530841d
-
Filesize
372KB
MD54bdb782eeeb711614938abb8c4fc255e
SHA157154c099b28a8f7df63d9cff4bcffd621d9a51a
SHA25606239cfea5d66bf9517369a40d7fc4a9f0e21a631ed37f60ae4b78d3bc2b0bc2
SHA512a8dbc64dcd686502042f3950caf810ae759c1ce04dbbecf128205ba2d0222215066cde67b652fdbad3393415414b048df0068a9cba38ed3ca35c6cd17feccf36
-
Filesize
372KB
MD55ab22188890dd956db756957b160d622
SHA1f858ade68f7061c69c5e8927f36e36a623112d58
SHA256c91a22b49eeb63e702623c004d1ed85de9bdbb1e031071ceecb77d1772f8a3b1
SHA512e9f338614b03750571e22ee39bd4f77f750e75a3dc4a11e85510e9e90bc9be7286713ee4840ccb1afdc05fe676b26a61251c28e8e2ef27498fe2846b9325868b
-
Filesize
372KB
MD5e11a1db7cccb8b7bc8c03f6783730b9f
SHA10ec63cb5d1f78426fc3e73dcc8a6c34e44f759ef
SHA25644118bd027c89593eaee40051e30a78d16b38985c0c7fcaa84274ee550baf18c
SHA512821f84078c023cddce5d9955fadf7fdf25172e9c54e5e9f8e68f346a88c3341f202dbd28e70df16c58c5c9c4a11a91befbd7dd77077d2013adac3218401d2ca4
-
Filesize
372KB
MD57b795943d786ed87df4ba19a26cb2bdd
SHA10f6aeda2a8eb4c17ed0a3896fba58d46cca6faa4
SHA2560430e4f1a115e346c07cbef2e6800555bcf486d65c60f3d3317ffbcaa89fa2cf
SHA51222671e978bd4a7777c64ebf4624bb1edeab6ef2d05baf593193b43b4b78890490891657648b6f6c6db472a0af1ac2b9e23f7dc9200f9cbece4727ce78f2a7a8d
-
Filesize
372KB
MD52fd1133c8136f354f010de64ad957d3a
SHA1fc8d51b31dc6d72b92dcd2b8950496563d9e1bd3
SHA256d2c0aa7598e44c71fc4b4693b9b9cd1b431db79cc96ee9d3aa73e597810a6bf6
SHA5124bf82ba428aae553b5967d3bbba2c50f310c7d052b2307afb0beede2b70b7b9cf43fa5a644846a0406315a703d80c1f8a27efe0f780e811cc3fc7c0e01ba1510
-
Filesize
372KB
MD56e8652f3aa422780efef812c19b85995
SHA1e07a311cb6d54aef7ed2f601634bd2d67135e41a
SHA256ceeda3f162ca11e59fc233e8642b4a2172c8084d28378c56063058803e5c5a10
SHA5124e921e8a169d857f2f5f510ba66dd93ebeb23981d6742e784696106b1477eb1938fcbca54970e4f3647a82a00ce45ff20084c19199d66bbdac34a8529cf6db4c