Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
22/07/2024, 10:49
General
-
Target
2024-07-22_c13919e5d273245b567763c2b456a091_goldeneye.exe
-
Size
408KB
-
MD5
c13919e5d273245b567763c2b456a091
-
SHA1
fe956bc2c82199d5163fb2ecb3352efeec827f41
-
SHA256
fd2971c2dcd1c5999150f3eb288aa9f3386c48e1abe6c07a23be6f1317dea5f8
-
SHA512
cffad9f174a7585c81618b3e72d62aee8d8940b0aa55333f39baa6ce60e3242422ed9222dd67b04828f710df38c6cd793e65edc882ff1a8a955a843049c44003
-
SSDEEP
3072:CEGh0oEl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGildOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-07-22_c13919e5d273245b567763c2b456a091_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-07-22_c13919e5d273245b567763c2b456a091_goldeneye.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{64340181-9A9E-42a2-A7AF-E4C7D4E8B773}.exeC:\Windows\{64340181-9A9E-42a2-A7AF-E4C7D4E8B773}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{459A7F4A-A6E9-4062-AAF2-031FE54E3C43}.exeC:\Windows\{459A7F4A-A6E9-4062-AAF2-031FE54E3C43}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0A6C6515-EEAD-4ce1-86BE-05E48A81633F}.exeC:\Windows\{0A6C6515-EEAD-4ce1-86BE-05E48A81633F}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4769925F-C77B-457f-896F-282E30AF0633}.exeC:\Windows\{4769925F-C77B-457f-896F-282E30AF0633}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{37699CCF-AE44-4f03-B758-2CB89727DBA4}.exeC:\Windows\{37699CCF-AE44-4f03-B758-2CB89727DBA4}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1ACB330B-E1AF-4566-B68C-F0CD5E73338E}.exeC:\Windows\{1ACB330B-E1AF-4566-B68C-F0CD5E73338E}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7300BB2C-8B1F-4cab-B0F8-938CD96EF72F}.exeC:\Windows\{7300BB2C-8B1F-4cab-B0F8-938CD96EF72F}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{003CCA33-83F9-4468-9D73-348DD4C65F6F}.exeC:\Windows\{003CCA33-83F9-4468-9D73-348DD4C65F6F}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6278DCB4-CA70-4779-B0AF-5600BAB54B53}.exeC:\Windows\{6278DCB4-CA70-4779-B0AF-5600BAB54B53}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4F5D2F7D-DDDC-4172-B4DA-7E39BAF505D5}.exeC:\Windows\{4F5D2F7D-DDDC-4172-B4DA-7E39BAF505D5}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{421EFD46-06D8-41fc-9F59-91FC337BBB73}.exeC:\Windows\{421EFD46-06D8-41fc-9F59-91FC337BBB73}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{6BF51A4F-050D-43c2-B399-1228F1C11DE3}.exeC:\Windows\{6BF51A4F-050D-43c2-B399-1228F1C11DE3}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{421EF~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4F5D2~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6278D~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{003CC~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7300B~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1ACB3~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{37699~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{47699~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0A6C6~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{459A7~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{64340~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD57cd6ad2ef969ffcdc7f7e52030616bd6
SHA19d18382a2c7068618876e4bb91ab2117ff393292
SHA2568c59bdc23448391baa655d65632ed1a316f2baac62ffb2466fda17435e2c0b29
SHA512caf96e2abf4023420a7b0176b914901b54ace45087f59b7999a5acf6602572a2f04617c5465c2619d06b6eeb95256d9f4fdb89970c1dfce77a0fa817fb1be9bd
-
Filesize
408KB
MD5a8564bea34340a710acf168ccde31485
SHA1e3fcd05057ac562749ca46864274313c1c4757e8
SHA256a8c86648d1f5514f2ee5c0a18ce37ce2fe7e21ebffb5c80c32639630a7a1e50c
SHA51253d5fff0510ffa8c231d728140852e297bf7ece4d6eec7338f245186f26da34f20c8c296259d4edf9d9d7f6507c78a89b8503338a446d3ba7268a215fc246eed
-
Filesize
408KB
MD503e85696eba7ae7b39c3a79f9c9e39f3
SHA1ec0084b744fd138b9706f1b45b315e236b6d3220
SHA256266f96e888b9b6a305cc26ac4ffa7e8090823480f7508ff0af8801be5ad49ec0
SHA512f8a91926693dd51f109c2f28196354386b5507a88c47ca9216a18cf61112f2d321da70216c376f46609cf94b77b683a202787d465cd8a0bee1330e4b12a6b8d4
-
Filesize
408KB
MD5184caf7e3a4371622fbb7963d491dc2e
SHA102bfee8731989107090d1d00244d82cfcd30e9cf
SHA25678c0d2c5c39545fda6cd4ea71deb5030ff269eaabf701e8d4de20949cc779cca
SHA512257105843e64145a621b224552ef1a5e3fd1518b437eee1ab43f9156c17aea4cfb7d0246324d131af51e8b4859760279459bc5b9c82824bd03f3a9faaf6f23b5
-
Filesize
408KB
MD5c9d49c84f083576a2a357047f25d8ffb
SHA12d39c0811d94361894d56c566dde39300425ebe7
SHA256d04581aca3a30af736c13a3ba440f47719b7a5a11478fc536a9f4b4d54dad6b1
SHA51252b89f49c65f434a8483ef78da0376b4f6b98a197d8d51536773797f568c964773a6b68993a3f6d716589ec787f8bec8178b7b5922e35dde89128ef0e3cb92cd
-
Filesize
408KB
MD5d0e4e19c9c6594ba9f25a57e13c8ec1e
SHA1dd37afd839303e247c20d00da251632a67608c76
SHA25627933648507af756c14b9e9b3782905b6a7c1cb7289c7d0bdd11b46c294d8304
SHA512490c1b7dc76a1383440c08b1fddc6fc987a14f02317b53fa80b89e54bc530c65bcf5645657610b6fc057dffe6d014cacfdc2872572d04b41425330797ff75335
-
Filesize
408KB
MD51434dfc752bee7a890524a555899262a
SHA13301a6ca419ebf14036d4ecc58efd4dcd3b01b33
SHA25694685a5bfdd6b534609d25749c5bf645d0cb04cc8981a0a43e8c25c9d5e45ab1
SHA5124ccb71a75123159be6392ac68ae58e6b1d8bdc32005f1552d501985dda9c4dfbe4b212954e9b527488af1e97fd922b0a7a83a99be43370e13e644596cccb162e
-
Filesize
408KB
MD5ed3edb03b1125f70711197b982fe8531
SHA14ff95e9f274d09f42bd8ef19ef4aa52767d5cfbf
SHA256bd59a51dcad06fa6bcb98f2ab7af18c5550014e13a9f852b328267f6275f4ffc
SHA512fa31ba1101ba908e8c4e9b23dae0f82092cb7dddc3b37dd24e25a5b0ad9a9bdca31dfc1ffff74acba7605289a81bace7ea17ed078045377a74289c3154900c07
-
Filesize
408KB
MD592ae5e3d1d2f6c194c8db8f7614e67f1
SHA13aaae97181a3b9ce0a7d0a7676c9132a32075e48
SHA256cf95ea1b4133a68256dc98008ad295ea0f15484d0923820c54db26d8c5ad38d2
SHA512c620cada370aa3069b0f63ef6bafc6cb593451ae149cb1ba7aeb6d1439fd33abe35adcdcbe0fe03b485f13b37a7d036db4ba4b0003c76677f58042c6a7e6dc1d
-
Filesize
408KB
MD577fe662e5067cc3509cc2fa5ea27633e
SHA1a267c3420c4bfc01199dbdb4bae45b8081317240
SHA256debe218084c788dde42493b32518825cb790c01facb30f334e053e4b7afbee26
SHA5125b2d96253b9d0a7dd7274c9036ecf21cc3c1be61ad62b1dee8c05cc406b8e6c7fb4505981752eb1b642713d7c0c754231ad46500814b35777212c4843792e768
-
Filesize
408KB
MD5a499177579a5d67122562dee5938f694
SHA1b0b82e22de1f33ae0d2b0303a34e84df854ae5c5
SHA25622ff3c4141dc7b6cf59e6cc163d72c8e7df773fe5069f1fb78ab2d727f52f83b
SHA512559ca02e3f7e842c4a1c94f51fb5f6680e823e1dfd4520e0436445ae67214c05696eb921efd74b0e983db68fce4e0318774d40088c4b0bf07dad06169009b8b5
-
Filesize
408KB
MD57e0654cec764c5ac3bf1f6ec65253bd5
SHA14ecc0e2a4cd9343626d723f8d61af999e082a53c
SHA256c1d7f969d55bf5481aa6a0bdbcdbbf4bdb61c1491489f94ad93f60cdba61af02
SHA5124da9ab601c82bb433fe32857711704cc7cd1fdb2c540a5c3c140f22c63885b495ce3557bc803cdfefc4b52438a9d1ba5def68e96ebf14ce46ceddbf12334051c