Analysis
-
max time kernel
168s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
05/01/2024, 05:41
General
-
Target
2024-01-01_3f536e06b9fcab649debde9835e259b5_goldeneye.exe
-
Size
168KB
-
MD5
3f536e06b9fcab649debde9835e259b5
-
SHA1
df768349bf602d5727ba029d92395b75e646cd6a
-
SHA256
491358089b38175d7ad09cdb120f04e5598bc3fbd5d7836e8735cf8aee002b17
-
SHA512
52decdd5f76b6a646a206c3a0d6a264c6084b2646f8da92c0fb0a091c15b4af6be2f4771479eec90e52b5a595b7b70a2db22ace836293749b7045aac9c96c78e
-
SSDEEP
1536:1EGh0oElq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oElqOPOe2MUVg3Ve+rX
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-01_3f536e06b9fcab649debde9835e259b5_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-01_3f536e06b9fcab649debde9835e259b5_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{ED63307F-4798-465f-BDC3-54940B3DDB09}.exeC:\Windows\{ED63307F-4798-465f-BDC3-54940B3DDB09}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AB12E5DA-5A9A-4b9a-A9A9-F277233E23FF}.exeC:\Windows\{AB12E5DA-5A9A-4b9a-A9A9-F277233E23FF}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BC89B76B-E5F5-4e23-9110-38AA217D3AD8}.exeC:\Windows\{BC89B76B-E5F5-4e23-9110-38AA217D3AD8}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D4218758-FA0E-46bb-A6F1-FC2DF20C4AFF}.exeC:\Windows\{D4218758-FA0E-46bb-A6F1-FC2DF20C4AFF}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{80143B47-E7AD-48ec-BA8C-0B1AA3F3FAB9}.exeC:\Windows\{80143B47-E7AD-48ec-BA8C-0B1AA3F3FAB9}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F24CCCCA-2A33-4c7c-9C00-E123F69E9968}.exeC:\Windows\{F24CCCCA-2A33-4c7c-9C00-E123F69E9968}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{30379C3B-87EE-4370-874C-4F65C5EF6B59}.exeC:\Windows\{30379C3B-87EE-4370-874C-4F65C5EF6B59}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{30379~1.EXE > nul9⤵
-
-
C:\Windows\{00F1D838-9A17-425f-AF5A-5F7A91FAA340}.exeC:\Windows\{00F1D838-9A17-425f-AF5A-5F7A91FAA340}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{00F1D~1.EXE > nul10⤵
-
-
C:\Windows\{36F2B4BE-C0E1-4419-BE5B-C6C960DF3D37}.exeC:\Windows\{36F2B4BE-C0E1-4419-BE5B-C6C960DF3D37}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{49A399EF-B2AB-40b0-9707-524AF83828A6}.exeC:\Windows\{49A399EF-B2AB-40b0-9707-524AF83828A6}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{016BD9E4-712A-4f14-B236-58AC47803A87}.exeC:\Windows\{016BD9E4-712A-4f14-B236-58AC47803A87}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{83EBC779-AB21-4db9-BB0B-0B816D5B4990}.exeC:\Windows\{83EBC779-AB21-4db9-BB0B-0B816D5B4990}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{016BD~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{49A39~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{36F2B~1.EXE > nul11⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F24CC~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{80143~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D4218~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BC89B~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AB12E~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{ED633~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
104KB
MD5e1b6d2fdf5ce436b644a19d3e595404c
SHA1661935677f52a5e379cf944528d9134776ada332
SHA25607116acde378e5c5a5fd84dea3dbf52c2c2ddfbba5d788bb560e6fefa1912e66
SHA512c0cf8d12ba1674b909c29ca8b4eb8c5716652cddb3b5316213af1160d1b33331dc8bc3201f6f8bdd989df3d602876c572a3e005ba84f827bba900f5ce6e6723d
-
Filesize
43KB
MD5e36e0c83e6a885271ab3ae3d19761768
SHA19faf76256a531659b0d76e52be0e535adf4296be
SHA2561de39e470874cf087a6a1648a3adc88f9d1b1947106a8dc1454e407dcc5b89cf
SHA5121776027b10e693b5a886fc65179d4c97443d50e5a470bb74ad288454f0798596663b57c0493369e060483fe0fae7e17ecd1c1d3761f6985180e489f7bd35b771
-
Filesize
168KB
MD5b7be3bc92b592cdb8be38038146638d4
SHA1fd5c8313eeb31abcfd0fa3e3c578cd4218cd95ac
SHA25632dac714e8844b59de498e333ebc548d2558f5843a3df27e3b319944fa919110
SHA51269274eb2895a926ec8ed880dbcfa4a92e86ef8dbe7a8223918998e105cb39bb4217c5e880696422bae23996769aba1c67e743f1eebcfabe9ffbed6db478b5177
-
Filesize
111KB
MD5bf906e976c887ba2717fe9d97f4a6ca0
SHA115bbe0523211fb68fe18c69cdab33af4b172a0f9
SHA256cf32207c71b2bbe009a65dc3f717098ed5272b77451fbf427f56ba739f0baa59
SHA5122f39457de2b720de28b6911f3c10c0bad7c696bfb4d3f35127c777240d28e74c00354beac2298d1acd4e712c5fbed426bd48cccaadb28d89490bf78c99707fa7
-
Filesize
16KB
MD50e92225d503e0168ab2f646e6d84a1d0
SHA1594138c6718058b284e589ee7b8f87cd3a6b3b40
SHA2564e88e8dea9983452ac1b42cee0bd2d48661581e4f671cc106421afdd7ba2b9b6
SHA51262dea4e4c7d3d137c08c7c3143fa8e869969501293092375ec947d034a1387a92c5473ffe40a3c7fe0990a5815040896fc52c655d351da538573a9fcbd19df41
-
Filesize
168KB
MD5eab41e3f42f7af89a6e2c6609801fe77
SHA1e46a04e8534dc98c0bb233907a66107607701742
SHA256e4b47ce1d36d4e554b7dbf98a1145d43f8aa33c327a0fc6c9e273c790ea96bea
SHA512f518d6e269520518999db3e4368a7db8d723755ac774071748c112160e3791003cd0f287455fec7fb475436eee4ee38330ffabc710e775abc01cadf1db632ca2
-
Filesize
168KB
MD5a42b639e6f30d1a8d2e2bb7a37720cb6
SHA1ec3b727cc0b55448bf2f246d01d1c2684cd1de3f
SHA256fa6859300908e7eea995f70e10ccfae6448a1ca3b598c2b552edffd535c08c57
SHA512480674c2688ea395b2e43ed8c7e0e6418d4af92a19477abe1ff107fd51981fe4045056997e22bd577fe6585ba109e255195d866b2fdef5e0412cdc955e7cae72
-
Filesize
168KB
MD5d7f299345258e35beecfd9d9f1f04abb
SHA149f6689e5cc8d91f4575d8d25165cf5c769ddae1
SHA2568d5708969e88ba008e8400e23e5024c34fbd8835a1bcdbfb3f06887c38cdea6d
SHA5120872d48c7e0b5868176a161945a44a333ac84a270595c8200d8d014330dfda3287a92a9f1d3b2604625e42bcd697cb338df78684f7fef85d193ce5c1664efb82
-
Filesize
168KB
MD595c26a584d3d849ce1f6b8835f56f34b
SHA1910a3338c2616ab5514b0f77b8a09eece8c96812
SHA256278f9611debe10c5865a6d7ec59870d23b398dbc5acfaa5843a3148e68b4f668
SHA5126d5eb88bc52f25d3f02a05126c54e055c66f60862eb2054a4dc59d36a1a7dec972b0ff3c32096a9cd29fe2b78910713e7b35833807e7fc31ebc6ffbf75725651
-
Filesize
168KB
MD54b31aed4a136ec8830cf4ed5d1bbf679
SHA15f687895276fc8344b6cfdeba118da76ba372b7c
SHA256652368ad22552ab8146feb26fe703af62a2a27da996217e8e09736f3cf824d33
SHA512f8b4b7377ac7eb2ead6c5f86539092b59930facf2a7e29f2f52e59602bbcfe931f938089ccbbc76265d89c354904f272ce8609fc14a715088f09ed911327b033
-
Filesize
168KB
MD55ad1846e7cc415ef65d257f44cb7ba61
SHA154105e93db61d12cec83c6be2ec17ff5ef8a8ad1
SHA256dda8c98baf9cfda0564e599adcfd8d9beff7af4f1cf286b1ce2fc88c196c76dc
SHA512f59f2c4445b51c974abe9a3621a090787d4cabdd14c4c6a3acfe6ead50e4a1c8d665dae6a1d564b3ba60eafd1c934aebbb9d0a1ef939af1c44962143ed0d6a9d
-
Filesize
168KB
MD5db72aab1a78b96308d8aee2b04d3a33e
SHA1f30f572deceec50f69f16eddea25d9a6a210251e
SHA256a5df3579b35862dd6bf932f654e0f9e6b7e4f4c35c92d240291c58c06657b132
SHA5129d4ae26cda18b421a317f08a24595593fb3ebc347ac0ed4e2ba0d1d83879ed62add566e1cb0efaa0cbb97c09babb80f7216fb02a4a1975e4e374110e408c8975
-
Filesize
168KB
MD52f9804b7c392de5c0fc7e3ad65bdc222
SHA191d3692f8ad254bed3d1f6163184e28affc54142
SHA256b631b66bf202a62bbd7683f89daed2824bd56f61e48fa1962918cfb68b9fee25
SHA5126da7847696cc9aa64511e93384ce7e3e2a7338a43071cc76d5b8eadd741f24c5b3f8c33656a66e5341ab374f2c8c3324c54b88d2a6a39e9c67050221b6fd61fb
-
Filesize
168KB
MD510f7042597505c82321125eee1ec943b
SHA1ba0107a73b5686272ebc917dbd1d6c98ab48d6fb
SHA25637a1f25f939e0df421dc150990970199d76acbdb369f50cddf2b4bb09db1fe25
SHA512f08ea0ca7dee004f33df5c294084d779774703ca662bbdc4911e65cae3c9ce951abb2a896115c70cd5746e7f1f99af0eca40c884bc7253a3a1f4fa83e0ba1c52