Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
05/07/2024, 19:24
General
-
Target
2024-07-05_ec84a992592d437b486e4256a900df0f_goldeneye.exe
-
Size
197KB
-
MD5
ec84a992592d437b486e4256a900df0f
-
SHA1
81b116b3f10585b221f8be8e821f59c197c0f4d7
-
SHA256
76a836c7692328c1a5346cc053cc771e441a781f30b2ff1532afee6a139144ed
-
SHA512
fe3e34fda3bb2b247c09f5e589f17cafee3340cc4afa51696f995ae82b18394f1bcad2eccedf9a53c5a00d2c1b96814d82839e1d67f1b4bcb7edc03ee3f63d06
-
SSDEEP
3072:jEGh0ozl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG9lEeKcAEca
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-05_ec84a992592d437b486e4256a900df0f_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-05_ec84a992592d437b486e4256a900df0f_goldeneye.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FFE93460-0ADA-4ef9-B1A7-AB400EE9B333}.exeC:\Windows\{FFE93460-0ADA-4ef9-B1A7-AB400EE9B333}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{52EDAE6A-1428-43eb-BA5D-F7994D74E11E}.exeC:\Windows\{52EDAE6A-1428-43eb-BA5D-F7994D74E11E}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1FA9F0EB-F18C-4313-AAFE-6D063C8BB200}.exeC:\Windows\{1FA9F0EB-F18C-4313-AAFE-6D063C8BB200}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9B96DBCF-508F-4494-A3BC-ADC765A8350F}.exeC:\Windows\{9B96DBCF-508F-4494-A3BC-ADC765A8350F}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7F6073E9-FF4C-4930-9461-5257AC6318D0}.exeC:\Windows\{7F6073E9-FF4C-4930-9461-5257AC6318D0}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4343A9B9-88CA-4327-9E49-F82CE0D04FE5}.exeC:\Windows\{4343A9B9-88CA-4327-9E49-F82CE0D04FE5}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A15A4D0D-CE0A-49d2-9940-97E23DF218E7}.exeC:\Windows\{A15A4D0D-CE0A-49d2-9940-97E23DF218E7}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C789EB53-7A2B-410c-A0E3-35FD3F25263D}.exeC:\Windows\{C789EB53-7A2B-410c-A0E3-35FD3F25263D}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{018DD62A-50F4-4a2a-98F0-C39F08F62B99}.exeC:\Windows\{018DD62A-50F4-4a2a-98F0-C39F08F62B99}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CAC52617-FE1F-4942-A61B-D81692F16016}.exeC:\Windows\{CAC52617-FE1F-4942-A61B-D81692F16016}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{707C4E81-F9BF-4a66-BFD8-F22E8DE8D1EC}.exeC:\Windows\{707C4E81-F9BF-4a66-BFD8-F22E8DE8D1EC}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{73FC8F68-885C-409a-B33D-1D2C71F4FA22}.exeC:\Windows\{73FC8F68-885C-409a-B33D-1D2C71F4FA22}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{707C4~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CAC52~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{018DD~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C789E~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A15A4~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4343A~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7F607~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9B96D~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1FA9F~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{52EDA~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FFE93~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
197KB
MD51aa2a75fc5e6f2244c588369e501d170
SHA13ef33a389ceae1c74c231eb1a88b4c008f258516
SHA256d8b2e5ecd830cb66e2092352e8721582cf201b675663b91b5980602fbea74e54
SHA512bfc27db3085f0ab4c763e87c6aa64b3c99645f88e55aacffebff071e80c2db1457d717a7f12bf0409d8f40ff76f0760ba061903839e3f0981222888922b281db
-
Filesize
197KB
MD509c4057693cbfef6c27a1c1fc1940d77
SHA13ecd5268090d9e63aa7b0e43ace9bd18422fa435
SHA256371ec7ba890720e8f8ad3385ab582df97835e173b1f42d899f949a3a1253312c
SHA5121f3b81a045ca4076b8ed6cba64dfb8b08c235ec60bcad291efb5ee1eb141141a09e1158aac26e2eecc9b55337fb2e01f0b3b0fead1ad0f85489b268a4afc4beb
-
Filesize
197KB
MD5c7fcce50cafea9689ee385893669089c
SHA19a6037e16e9e73e576da2df61548ab05d4a8daf9
SHA256bf273c56033cdfe5f5035b69f230a4cbe6b1df60bdb108fe5b22b18202640002
SHA51268c89090c6f076bcea92c843b7a4a8ebc898a26d334190b67e4013f73460a3e704a0a53cdff8a76912c66b94830adbffce8903895ce97887470ab0600d5f79c1
-
Filesize
197KB
MD543979926e532a60798cf505ebdcbcfd9
SHA11ece724a4d038cbbf73a843a42b26aa362032549
SHA256256e45420b3c344ac3b68e848e0f10e3e06b9701e633be8145cbe8c90e31cc90
SHA5125c63fab6339c1aa3b06f48ab2275559c7d8362f0c6c7f99fabcf2101479a1d91f51e42ff58d778eb5be38d2d162deeb3c2369218319c15c920910d4f922c679b
-
Filesize
197KB
MD5dce69274869cb24ab1cd93c3cff2474d
SHA1129f3bec849c909d8c6bf70f128f0c2eaf677530
SHA256e868b92df08181be3a5b06e05683f5210292f48b4e2207db103fca88b38f39b7
SHA512aacf603d137b34730c565ef4ab9e1529c19f9d6bf417866b8dfb1ec82ff21b3743fefcf7e6ca449776345652126250a6eea7531dc80bf2f71a5cf0a0c011b505
-
Filesize
197KB
MD540c6f949f65c52a062756e231c3cf993
SHA1b6e6d46b3141fd13c58c80180eb8a04b8987ddd9
SHA2562737dce406c9f20f88f4e4c3e2c43d7c69e357a3ad99a2e37a6fe609da3e6d48
SHA512cf2be586594094892cdf328b1b657edcfa715326047c0f4a5619e7c53f39586803357fb9b3d57b5fb94bb5768ef8364199d4fb750b6eba39d89d2edc4e609877
-
Filesize
197KB
MD5b4d7c4d9754f58ee2a27e52098dac11b
SHA15323f59292bf0902e053dbae91d01706abe4921b
SHA256f9460b233656dc88029ff5323ae83df70a4264482166cf32ae326049806745e1
SHA512d11ce14b6e0aadbf856e21d74ccbe0ee1e15b0e3f60efb4b56e2d73a7f30e869f24ab108e332343c94f44921e7a8292ffc66555b79dd0cb0fbb73d853d7d0b67
-
Filesize
197KB
MD528f936723075eb39158d3b9ac51ca525
SHA18dffd461c130ab11818583448207d5d6b937df64
SHA25671603db624d0977b2d41beea3d29f82d3cf62a21d9f770c78e78c00e90fb1f19
SHA5121182a37952d1bf9c4281a65eded36ccc6f7268f03925377ee214d069893834ec59cbf232a4e698e3f465fb5bca272b53ebacc3fb167b2b88a3e128796fa5530e
-
Filesize
197KB
MD509b04611a168211e2c0242f76d934666
SHA13f970b38c47e2afe8fc286ee3d68eddabe452bb0
SHA256551829277c290705e1d433c54233122fe96899c38cdfe543628c57702378f6d8
SHA512a8566e2f4e4ffb381bca7f1a541126abaf70bfcc262fa91568e2cabcd8e81d26de58220cd02028ff8a9b3748b634b72096abbea452403871a758b2b7cd563414
-
Filesize
197KB
MD595a5a082155bfd62997d6d1909f728cd
SHA160299c56983c77ecce7e694de8ccfa4d28971a53
SHA256fd898af0055d0922a3ac2e0510894d9762791c1b626544c19eb6418f6b7af61d
SHA512ff1f6332cdd38368d8b1812c4d630e505ab5a316b9dd3dbf33e42f3020614ec2bfd7d05dd6d982b27e5afce8e740fc27d8623b53e0e447ce99d6b0e302b28657
-
Filesize
197KB
MD53271432613cbd5ea7914afababc62c7e
SHA1a6fb27351759a2fda0e00543360286c3a63ce62f
SHA256630113deb097f80ed5980261a89898421376913483c6d89b0749fb60ad6475b0
SHA51248816cf73261d7bcb8c90370efba9aa3b54b0fadd5583be4822089757145583fa92915370b923880c0644293c3831dcfc25d48efa02d9ff7c62470a4cf52f970
-
Filesize
197KB
MD5ad6c46899a278e5ff970bbd072898c82
SHA15473bf8b501e0fc7b6356cfcb78d34d9216ff52f
SHA25654da49def62f968897633c8975017c1962d542e8519a27d8e7a9f25895af3a35
SHA5122e607dc9317fcca13e840d6222169d5b6983c8909eb9cce034527a5f941e2bb3e2ee42f57fccb2908ceb155bf34b4241bd4c9df170b2bd0e1c3760c975334e53