Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
10/07/2024, 07:26
General
-
Target
2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe
-
Size
168KB
-
MD5
7eb1eb56769e01d76f17bdb09fb003a3
-
SHA1
cd2733d3f637ffe1f757474069a41f70aea1aad7
-
SHA256
b10af3e4e8baa4781f123559040ffe8974694e0fb64187287d47e1ebf15d36a3
-
SHA512
087bf93aab5052f0d81156e90282710f9535495f965af412a93763d243904ced9a1fc4e327d5f89e4fa029ce47843b608938665f82ef046954c91210da598fc2
-
SSDEEP
1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D6AAD0C8-34FC-4b58-8B25-05504F3BB576}.exeC:\Windows\{D6AAD0C8-34FC-4b58-8B25-05504F3BB576}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E6617D9A-E2B6-42c4-B92B-0F8FAE0927FB}.exeC:\Windows\{E6617D9A-E2B6-42c4-B92B-0F8FAE0927FB}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{259394FF-4005-4f47-9354-48CB828615A6}.exeC:\Windows\{259394FF-4005-4f47-9354-48CB828615A6}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{94A4C883-F0FA-4bd9-8ED1-80A4856C27B5}.exeC:\Windows\{94A4C883-F0FA-4bd9-8ED1-80A4856C27B5}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{81BA5C2A-99B9-4c0c-83BB-2735B8CE9A34}.exeC:\Windows\{81BA5C2A-99B9-4c0c-83BB-2735B8CE9A34}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2D284133-5187-4d82-8BF5-5F176ABC4D6E}.exeC:\Windows\{2D284133-5187-4d82-8BF5-5F176ABC4D6E}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2638FC3D-34EE-4512-8FC3-DB65B927C11C}.exeC:\Windows\{2638FC3D-34EE-4512-8FC3-DB65B927C11C}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{65600069-E7B9-4c0d-9274-2E76221BF7C7}.exeC:\Windows\{65600069-E7B9-4c0d-9274-2E76221BF7C7}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B4FEDAE6-7C30-4300-9EEB-D9ADE6242959}.exeC:\Windows\{B4FEDAE6-7C30-4300-9EEB-D9ADE6242959}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D254DE0E-B44C-4e34-A4BB-3F088EEBE3AA}.exeC:\Windows\{D254DE0E-B44C-4e34-A4BB-3F088EEBE3AA}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CD523795-5E4A-40a3-A4E9-61F53BE7ACB0}.exeC:\Windows\{CD523795-5E4A-40a3-A4E9-61F53BE7ACB0}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{F9A9F478-1E07-497e-911B-7E93A9723300}.exeC:\Windows\{F9A9F478-1E07-497e-911B-7E93A9723300}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CD523~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D254D~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B4FED~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{65600~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2638F~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2D284~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{81BA5~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{94A4C~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{25939~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E6617~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D6AAD~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD51084833330e302f36bbcf67c2d327d69
SHA123f42651a4f19ad477917e326ed7d3da68391cbc
SHA256f055fc5ab8de848c9e72b1ff441ede78ccb08f0b3c7e9cbddd7d8cbfccd7eda6
SHA51215d653e17c6fc16e87b63944cea0a1c2d8e6007cad6ab96dfdfa203ce638578b54b0572050ceb698a41e7346bc1d2c17249bcfde61891770d9fc1ab0f40733c0
-
Filesize
168KB
MD5190cc1a48cff48e3dbd524e274ffd113
SHA12ad350c2195e06db8618a4206d77b610005c0dd1
SHA256599a0e72ef3058d7f8a416cde90e8031cc52926a47af5dbd8c898534fc316782
SHA51261346573afe0057fb047ec1202e624203043687d336107836443b48b40a125ab0a62c4347e1b555eafcebe4aedc56b596581694c8df835cd713ea24f3f5162a7
-
Filesize
168KB
MD5db8cbced03b5ff5260dc611ce5a2fcb3
SHA1de1b7812a81825dfaed0c202ebbe36412cdefc48
SHA2564fb0ed0c42cc679e4fc308f315279c32a82641961ca84c040a7ba6f5b28d2565
SHA5120bf976a07c56d93f8b9b4410e452ca2f0351edcf9c7ca45fc06a140fb1a1e91c90615e38fadcbf3d55abc7e2b63d54ae1aaee789a0a1c0a44cd36f794b02b6f0
-
Filesize
168KB
MD53319d2351ae969ea4c074469244b90b9
SHA1ed32307f693f3c05cf2ac939cad8f80351a5dbbb
SHA2567d1652e66c15279fa0bd56d868b257fb87887e8d56039b3820c2bceb3d561e5b
SHA512725740d73a6a048a72460110f7efd5c9b724597e93cd496b3ddd1947a15d8033bee534bfcd297423314b8084cbf9819f8ff04b68c47fe0dafeacb6ace318b0e4
-
Filesize
168KB
MD5474421e8a2dd1f54fc5b98a262d78333
SHA14ebcfe8f01b0032f72178b57e70e0df14ba7e150
SHA2566f3775a1d56b7cee5e3b4e1d0325f642991d781606875bf04a5290e4e97b3121
SHA51275cbed577c0c581683ec81c5f514b453429b4edaf356799c137c73abbd7b0a36e5fa30fa4f81039fbd91960311a6c6ab1a792090713878bc1950c8f0ead8d60e
-
Filesize
168KB
MD5209a2a4c4b0e7d92ec24f52ed03416d9
SHA1b17c3318808b2fca21d6bd469e6cb5ffce8a9b3c
SHA256057b6ceab997bc9df54731e7a7fb1d7c64a696f3d2f8524ff00d4e6e0a2fa502
SHA512771f0d117e0faefec65fe4fa7a33e33b85b1752dd2b240dfdc11a74c52b117da47af76cd0ac8a9e39140afbb0d74110695fd53de0a1c0dc535d56d14dfe2a5dd
-
Filesize
168KB
MD5ddc6ff13c17c3e9625d733b266e71ae2
SHA1013919bc1b2605a41ea914415f72c1373bb16c7a
SHA256b60bd0dca0f37abcd1ab4330187bbe95a70bffc5c517306ba49ea18096bc468c
SHA512dfb843dd2de796e2bef1831ad6d919839e5528ec71bdd3b64e8ccde7becf9eef35ead46708d80165b298c8a49c309b7960f7cd6083ade481def4e16bb1e67363
-
Filesize
168KB
MD5a30cf615f5340bd4c9608dcabda308dc
SHA14287c30bfb712f129ab27700e759570e987f94d5
SHA256ff777de4aa9606775d0c2a5190523465b923c8bde773ce5a24d3e3c457e7e60a
SHA512d8bee36517d499ce9b8d543c1b61c7b52966e5fe9f3d664318a7460252cbc5bf6698386e4245ab2945b7854ef41570e96544cf62b8447199f44f08441a6ccf8d
-
Filesize
168KB
MD58eb37123bc3277b818c0e8b06dceba9e
SHA1fb2cea3a4d905c8cd883c1017c9fc555e7ba2422
SHA256269a25b0e7b956cf177b9ab80531321196c74b5ad86480adb40b547d48b64327
SHA512e9d23f3339e9bb8fbde741cc82fa2df35bd1a0969a303f3b134e5d01d959ecefc75f6a6d08c745069a8606bffb93bdaa097eccff13eee0ae2bf00063d97baf31
-
Filesize
168KB
MD56e4c28775637809b24b70521eda29dcd
SHA1a020da777fea86ccf0e6607cb35006dab81a3f57
SHA256877f414842122eed8236bc7ac39fbfa044339a852ed33a790cb20fff1dc526c6
SHA512c1daf3aac173028dccc500e4ab59f0f35563ad3dbdde10235184a6debeb036f7b187d97ad1b34bf943724ef0cc330d9391db1e0460ebe2348bcd370ac3829a3d
-
Filesize
168KB
MD5b004efd3ec52ac48859c0d4e5d352bef
SHA164ee945f36206788395888694d9001210d76b02f
SHA2568b7a3036b23dd814cf38362b93bb765491fa2b4b09b373e5eb5090664b4b2f16
SHA512f77b4bbdf681ad83cf2e5927071361b5cbff997b9b8dc947153a32917a2d3ad2fa0f2719c0836c2e4e535c4a5b3ebacb5a375c5f47777814b38dfe657a0f60cd
-
Filesize
168KB
MD5faa489d3dc8562f2639d71d48882e6e6
SHA17430cfaa791b62fe25f40ad3222a40fa7a451855
SHA256eba6bf7d5b09dbfcbf9a59c4fcbed90d487d622b4c8294decedf460d9c823158
SHA512cfd5d88926da72f6f34898b777ef460ca0bfebff2fcf39f186671234ffec4250eb6ed811ed3431171648c8ac26500923ce2bdaa27096fc18aa5aaef92b473f7d