Analysis
-
max time kernel
112s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
07/01/2024, 12:06
General
-
Target
2024-01-06_1f3e224395c2e3e5894781513d05b648_goldeneye.exe
-
Size
192KB
-
MD5
1f3e224395c2e3e5894781513d05b648
-
SHA1
3de5cd65f014e8eafa4dddefd71acfea077cb133
-
SHA256
78253dfea1888d645790b81c1252d290492addfeb508fa31ed0b9fe5bed1ba46
-
SHA512
e206afc3c9758837531e0a91a514425ef0f953c8e1cc0a854ffa581b8ffc5e1877a62f2de30726c79719444730a04e9ab606cbaa8d9d2e31affa8fdb94fe6a9f
-
SSDEEP
1536:1EGh0oQl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oQl1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 18 IoCs
-
Executes dropped EXE 9 IoCs
-
Drops file in Windows directory 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-06_1f3e224395c2e3e5894781513d05b648_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-06_1f3e224395c2e3e5894781513d05b648_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
-
C:\Windows\{0F3E988F-BCBF-4a72-8645-6DA73B1C2CFE}.exeC:\Windows\{0F3E988F-BCBF-4a72-8645-6DA73B1C2CFE}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0F3E9~1.EXE > nul3⤵
-
-
C:\Windows\{B8F7ED4F-E9C4-4a73-B142-CB3E3EB107B2}.exeC:\Windows\{B8F7ED4F-E9C4-4a73-B142-CB3E3EB107B2}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B8F7E~1.EXE > nul4⤵
-
-
C:\Windows\{C2296308-19C9-493f-BCE1-2E8F4C743D59}.exeC:\Windows\{C2296308-19C9-493f-BCE1-2E8F4C743D59}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D10FD76C-6B7F-45b8-9915-A59B1FB35C06}.exeC:\Windows\{D10FD76C-6B7F-45b8-9915-A59B1FB35C06}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D10FD~1.EXE > nul6⤵
-
-
C:\Windows\{F20F63C6-EAF3-4af5-9EF3-28C4BC7989F3}.exeC:\Windows\{F20F63C6-EAF3-4af5-9EF3-28C4BC7989F3}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F20F6~1.EXE > nul7⤵
-
-
C:\Windows\{3F1AF019-0EF1-4de0-B30B-D293C81DC69E}.exeC:\Windows\{3F1AF019-0EF1-4de0-B30B-D293C81DC69E}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3F1AF~1.EXE > nul8⤵
-
-
C:\Windows\{7A88C7D5-8BB4-49fc-B241-F289B739A7F7}.exeC:\Windows\{7A88C7D5-8BB4-49fc-B241-F289B739A7F7}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7A88C~1.EXE > nul9⤵
-
-
C:\Windows\{DF7DEC44-B3E9-440c-985C-7FF47FFEC269}.exeC:\Windows\{DF7DEC44-B3E9-440c-985C-7FF47FFEC269}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DF7DE~1.EXE > nul10⤵
-
-
C:\Windows\{ADA4CF04-7C25-4c9f-9832-FFFD631EAB7B}.exeC:\Windows\{ADA4CF04-7C25-4c9f-9832-FFFD631EAB7B}.exe10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{ADA4C~1.EXE > nul11⤵
-
-
C:\Windows\{AFACED03-622D-4c9a-991E-457EC0C0D382}.exeC:\Windows\{AFACED03-622D-4c9a-991E-457EC0C0D382}.exe11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AFACE~1.EXE > nul12⤵
-
-
C:\Windows\{494C2004-A41F-4573-8246-A050A04AA2BF}.exeC:\Windows\{494C2004-A41F-4573-8246-A050A04AA2BF}.exe12⤵
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C2296~1.EXE > nul5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149KB
MD54fab151698780bd83c72c1b117a61636
SHA1878517a278248540e018a14864b4f2e71a33dc80
SHA2560ac4f372715ebd510395b9a4731011f77e4ff68e466b5dd688a92886f5eed3b8
SHA512ef0cb026a4505be535b4b9a8e95003bdcf14b5b3b35bc450b7ce6ecf1097066ebb9de982afee39ccc2b4270bc8890004fa37c5416d59cd7a7124e6e1577320b9
-
Filesize
155KB
MD57d03b6cbdbabefdd1d86ea1c6c2fe720
SHA12f2a1cba55cb94748702b6d88910629523afba91
SHA2562b8222f4e9cc9bd2b3b3e0ba4e8ebdb3d570eff988f31024d41b485ee1337fef
SHA5121d7cebd8da169ba228dc972192a83a330865e735665a68e5a78fea9b2be1be9f006518e2720835ba4a9d02174c2d286bef0a68a380d2d857bae6c807dbdb1054
-
Filesize
192KB
MD5bb6312e94a6d0e8ba233c412bd920a68
SHA1ec9682251dbc6808cff3feb60b13ddd0b8fc6b41
SHA256e3882b0520de31be59ef3818ee21e69b09371d46a915d4b74fcbafb178ad1210
SHA512fd5dc212dcad7888d5cc695f92aa91e7d657d07fafbf330c2f88a54bc43db0fd7387cf955491650173f9a60ced101429db18c61dcabeee95e610540b9b257174
-
Filesize
192KB
MD5d8ad2e018ea5a51981c893f7c48f0483
SHA10de8ec2743de77011b6cee8dd45cc97bd50a9199
SHA2560777b54c26ecd6f2959fe3dba7320b06ef80b983d9793aca4d08c16df42c022d
SHA512b485c0cc143c31d4b27f227079ec843569149b3366d7282ed17b1b82020e43447b4bd6e4e312ea8d00797fda55632979414c926c4acabcbe2168c099dffb9404
-
Filesize
192KB
MD5e10b7b7356aa0c1b72da46e51bbb82f4
SHA1654b030ca4b28c33f669df5f311bba0d96ee89e7
SHA2569f53611555d168f1dd293c18572631f9634d52eaf7c0fecec9340ed6ddf2ce37
SHA512d5fab68ed3fe94bab4b4ac35e8d67404887249623ebd79e815e7e083b5da8737a0a8839eb5c4bd30a3b693ad4edd66e702a1ae24bcb29f20f7cd0282f228c0d8
-
Filesize
92KB
MD5c05abeda0b4265eadd540d48688cc681
SHA187a09f0bf5b90bbb0eea37eafbbe51b08bdb75dd
SHA2567f003eab52644559250872a875d8d3109d81a60b63aa82c469b34fce0f43015e
SHA5123fad5c5baf6a10a3fe267d0a39c4fe943edc88ae3db679841de1d8f1d18ae72c1c317d5f51054006d86b73f2b4d739df26d71cf81b0dbdd3c7e0fd01ceccf77a
-
Filesize
192KB
MD56adfd9c4198ccaa57c0c996c84d5d64e
SHA1e970f3eabb7f80aaa472db7d5d87bcf62249d25c
SHA256c3526af325a05f44fa55a722c7bee2d08400eb95b05c6efe04857d668e882daa
SHA5123014daf2c8675dd974c3e6b0430b466c01f79181026e82c07ae49c4329f406887c0525f0d6254c6ac707986e4dff209920efb836958c014270fd053766d7dcef
-
Filesize
192KB
MD5fca2074afe0b4a5d0c1fffb88fee247c
SHA1e50af9a4549685c197809c9b85c3a988fbd51bb1
SHA25649a192ab9678b1b516408e2c10496e20d45fcef8ba867e63490141f4812f4ecb
SHA5124fa506d5d780e2ff82c840598f9d43ea662ffce0df3ea94e4368046d9223319f8f72da24e00cca925e29cd6d2065dfeefd8dabdbe12bb41a633af82e8ca2c8c9