Analysis
-
max time kernel
151s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
03/07/2024, 20:45
General
-
Target
2024-07-03_2d15369c210273b502ba622410611ca0_goldeneye.exe
-
Size
192KB
-
MD5
2d15369c210273b502ba622410611ca0
-
SHA1
aefd8b0d2594dcd33b0cbcf8710ad89870722dd8
-
SHA256
e59685ec4d071897532b431051e0e18189d231ddfc741e9f4ab1f79f36eb5dfd
-
SHA512
91fca7c1447fed191fa3a83421943f752ae13a2d88aaea98677c06e5310410d08dc0147a618a9a7e4af8061cfaf448e2ab616ade95d1899e89799baab4e7bc02
-
SSDEEP
1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oBl1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-03_2d15369c210273b502ba622410611ca0_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-03_2d15369c210273b502ba622410611ca0_goldeneye.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{01143F94-CBE8-49ac-9A8E-BA8217CFA87C}.exeC:\Windows\{01143F94-CBE8-49ac-9A8E-BA8217CFA87C}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F049E95C-EAC8-41d3-B361-D27CE3C2B156}.exeC:\Windows\{F049E95C-EAC8-41d3-B361-D27CE3C2B156}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5423B7E0-A28D-440b-A43F-B3A24A725CAB}.exeC:\Windows\{5423B7E0-A28D-440b-A43F-B3A24A725CAB}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8A849B32-C80C-4cb1-A64F-816ECB0730FC}.exeC:\Windows\{8A849B32-C80C-4cb1-A64F-816ECB0730FC}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3C099457-CCDD-4f1b-A363-E46D9231298A}.exeC:\Windows\{3C099457-CCDD-4f1b-A363-E46D9231298A}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{79DB9580-026E-49bf-AFC4-CE8833A0119C}.exeC:\Windows\{79DB9580-026E-49bf-AFC4-CE8833A0119C}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{353DB0A2-5EED-449e-BA0D-F1F2FDE0BABC}.exeC:\Windows\{353DB0A2-5EED-449e-BA0D-F1F2FDE0BABC}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{31570038-F204-435b-B28B-C346579FC6AC}.exeC:\Windows\{31570038-F204-435b-B28B-C346579FC6AC}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{B656F093-B9C8-4ab7-BE9A-902680B4B8D7}.exeC:\Windows\{B656F093-B9C8-4ab7-BE9A-902680B4B8D7}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{139F318C-917D-40fd-9225-17DB5F8B043B}.exeC:\Windows\{139F318C-917D-40fd-9225-17DB5F8B043B}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{AFE30E1A-0CA8-4ed8-AF93-2CD4C2970445}.exeC:\Windows\{AFE30E1A-0CA8-4ed8-AF93-2CD4C2970445}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{21804158-85DF-45c2-AAE2-B75D9EE64CC6}.exeC:\Windows\{21804158-85DF-45c2-AAE2-B75D9EE64CC6}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AFE30~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{139F3~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B656F~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{31570~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{353DB~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{79DB9~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3C099~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8A849~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5423B~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F049E~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{01143~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
MD52157a080393e3d61ea1f8b2ed066635c
SHA10c84d20c790c1cd1430f931c83b908d49eecda5a
SHA2568618573c651c38e4fe7af75b06109a87e0a9d4671401681e29cf24d499d62bb9
SHA512ccfb7e63bb8d55a8aa0a1e9eb97956e62d5b6b817f50f5c6fb766e546b15f071d08177fcdb31bdb43af8e25dadeb4f1572b4a7825c41190be466b4655a1004c9
-
Filesize
192KB
MD5785178eef000dcc23f38c46c9a1b7e0f
SHA1b94ee6f4e6976c645958962e0afd08f9b5090c7b
SHA256b5e71971fe2183ecaa19f92c77240f7f18e9a70df1cddf10f5573551b594b5a7
SHA51233de5a401546834d5173512229e3689a79e81c642a729ce285ac85d8d72fe7bc837668a6ca9967dce9a73ddace8a184d8e8c7813196d4dd43fbbc6e6a518bfa4
-
Filesize
192KB
MD52fd0aa1a89bd585a4a59a5fcfd8e5fff
SHA10479ce33ef3a85db27e136b5fc99aef57086dd2c
SHA2560654585dfb67e20e8a95d87bca63a24a90a689c18462f737a646fb2baf4ecf29
SHA512ae4196c9968dfdefd45f6ef8fe00442574eeeb67245cae14d9c1117a35372451b354da9f68f5ce26183b0c614c20a5a5ad1725bb2337ee81178448b7decbbd1b
-
Filesize
192KB
MD556c340f82f0926225bbd7061164f5c7b
SHA165c8f235e79ef20d0483d2432268efcf57e60677
SHA25642008871359c08d6a5a351661b942feb64b1456d594b6c59dc2deb5e4481984a
SHA512c6b3d2d1114591619ea0cc9f164efa46dac90a5a56772c01d01d182bf0df53be734b1df7f6c23a68b9bb3de842d9e37af285207b1abd24ebebbe9b28277769d5
-
Filesize
192KB
MD5c43e4738972056303f29b2d6c632f043
SHA184e7eae8b6af816342a3a47a106b22a06fdc5e37
SHA256bd4f1680d141f1aada468d95ad204b2465225bb4154de4863905b9c730cb5d08
SHA5126142428bc024fb7bee87d3ed62f55a562afb34a68b8085395b4c59f4f5097ea922d618207c7d8e04c62ed8bb1ff9031334ee557bf58c417656d9ecb8a9c348bb
-
Filesize
192KB
MD575d35318c20b343eebac6d93c9c0ccd3
SHA1ebce4e8c5ae9bf351b5ae4bcd58db8bbc0998979
SHA25629faaf131141ed225074d30f36e818d3ac2786e0adb8bfcfe5ab171dc5cea3cd
SHA51206053d31a21ba0a8b8b2746e376d2d9848ef57fdd4831da808ec77fe810635ef32617082aab57936fe36020415a535c030884644175190d3fb399aea13dff3b1
-
Filesize
192KB
MD5c2612648c77f5b96701f57edc59fd515
SHA1d69064797004a94a7ef8cab02459d50933e1b03e
SHA25677ec4e2bc49a0180b45e700654188d6923e024ab197a7f5849f67c95f4e8d84d
SHA512fe9413221b1e0aa9de26f6ddb12f888148655fac014f3905a2f7c2d250758a95afd0f93413c282afc40562fa35a30cdc3a4b3b326c5918ca3133c181e99c66db
-
Filesize
192KB
MD584ed2f7692c2eba99b81842dc3a0c74b
SHA1459e0260cde71199625f8a027af04ba3f058871a
SHA256c840767404a3c9b49b93305c11097f7bdda75c25ff46088c11f758bafe348dbe
SHA51258b42a7348bc6cf77a4a8f70cc9d5a970530a9b21d2ba972c2394cfc39addc616621d57a8b1df40950023cb93f1b8ef55425ec158fbf8024d6d08df9debbdb34
-
Filesize
192KB
MD51463584bcea0ed3f8e38427236295e02
SHA145c01a2e685b0a5e7aef5ae68261ad3bd17cba1c
SHA256d70d18989056e712694487c76658eaae70a422b21b5d597a65bb6be3c359ff36
SHA512372866d50fc0c915ff5162e0f31c745f267d5e8aba0ff119b9fbdab893e9aa7a08ab813a738ef64473234b09e8725f39cd153e4de21160b203886bf425d18dd7
-
Filesize
192KB
MD590fc620d432e1dffcefb64588fc5be0d
SHA124806fd841d8a290a74794f6c62c2165a02e3129
SHA2562bf942bd9176276727f18c62da3072da4fb20d271f6b3980b21eefd9a69da0f4
SHA51285eaa8dfc83ac5c0ad4d7dde6c4eaaa7b4ef6f2c32105bbbe8b8d0f4219ef78608375efa2508f1f61088ea64a833089d3d256e6ece1fcd6df6ba5f8b2a2878cf
-
Filesize
192KB
MD5c96f772959d8ed98c49fc6bceb4930bc
SHA12473b6917d05319076dec804dc941b1a33d3097b
SHA256518ec9d15d8d61f16d7af177dd65eaf28ff131c1c04f2910ee0817873a71dd41
SHA51266355fd491580c0a1c450b9dce4fd6d42915265cffa0ac6e83762eee7e0b50bcce9890400119755698ba488b07ab9a6452cc9c251a4ff424665a72d087c81d07
-
Filesize
192KB
MD54b4480bb7784ad6b26dc2d44cf4984e4
SHA112220bbf90962a011e6c8dde1bc614793986f254
SHA256b1ef2ecb684318f3acc09e08453481fa144c7805465870c703ffd1c8a96c2be4
SHA512529a7709e3604fd4e706366991b2b08dd84ce56dfb955307e2ebb131bbc71e1ac8f5374bb8796eace9fb1da05820ed757d58358516a2dd09573699ca298f2621