Analysis
-
max time kernel
144s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
11/01/2024, 05:48
General
-
Target
2024-01-10_3904595aa14ef97bb54c309035c10b05_goldeneye.exe
-
Size
216KB
-
MD5
3904595aa14ef97bb54c309035c10b05
-
SHA1
67983f5a56f98c96171a2f91fdacc83d5fabead5
-
SHA256
8cc7568113dec300f52805873c4568f76168d6682cf3603fcc18badb6b1061e1
-
SHA512
4a37df4fd8bea7866e06718f6bfb190206288fdd446b785c1a4b216a3810bab915de0996100f50485707850703cb96e914e44e8411a9b317e3ebea63e62665d5
-
SSDEEP
3072:jEGh0oel+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGMlEeKcAEcGy
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-10_3904595aa14ef97bb54c309035c10b05_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-10_3904595aa14ef97bb54c309035c10b05_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
-
C:\Windows\{B4F09EB6-0F53-44c5-81BE-9FAAE4BDE719}.exeC:\Windows\{B4F09EB6-0F53-44c5-81BE-9FAAE4BDE719}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B4F09~1.EXE > nul3⤵
-
-
C:\Windows\{7368BF2B-89CD-4e1b-8620-5FC8987BC788}.exeC:\Windows\{7368BF2B-89CD-4e1b-8620-5FC8987BC788}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7368B~1.EXE > nul4⤵
-
-
C:\Windows\{F2185D30-8390-45f2-8ADE-A34C1D2D6246}.exeC:\Windows\{F2185D30-8390-45f2-8ADE-A34C1D2D6246}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{24962E62-0B1E-43b0-8780-CE95BFDC1A88}.exeC:\Windows\{24962E62-0B1E-43b0-8780-CE95BFDC1A88}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B4BDE19C-8D08-46ef-9C1F-3990169F0433}.exeC:\Windows\{B4BDE19C-8D08-46ef-9C1F-3990169F0433}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3AAE55A2-0FBF-4fa2-88DF-470A4867BB23}.exeC:\Windows\{3AAE55A2-0FBF-4fa2-88DF-470A4867BB23}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3AAE5~1.EXE > nul8⤵
-
-
C:\Windows\{7A5C2519-EDA7-4e1a-A3B8-FF16A6365608}.exeC:\Windows\{7A5C2519-EDA7-4e1a-A3B8-FF16A6365608}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7A5C2~1.EXE > nul9⤵
-
-
C:\Windows\{823637F8-2ED1-4460-9AF7-E72C0DF7A667}.exeC:\Windows\{823637F8-2ED1-4460-9AF7-E72C0DF7A667}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{1055588D-1445-4ac8-8790-A3B5F4E4491C}.exeC:\Windows\{1055588D-1445-4ac8-8790-A3B5F4E4491C}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{3A7CEA3B-21FB-452d-9A54-9D00647FB2BE}.exeC:\Windows\{3A7CEA3B-21FB-452d-9A54-9D00647FB2BE}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{4848A993-9229-432e-804A-BD0C8E939F32}.exeC:\Windows\{4848A993-9229-432e-804A-BD0C8E939F32}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3A7CE~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{10555~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{82363~1.EXE > nul10⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B4BDE~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{24962~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F2185~1.EXE > nul5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216KB
MD5ccb4e8ffe0e51e6aa34711f6143d3382
SHA17cdad2a1e18191fab5e14f3e065c7d4e10ee0cea
SHA2567a6996ac8ba73efa7c92ff8c2bf3bec884c0491650c4a1ee58a818a6a72ea43f
SHA51284adcdd3ec57fbe6f96baebc34576b436ee82bff4a1e8dcfd15cf24a35ff4ef56ad095e1e87ec0ad5b6b261359dbe3f68022bd6185b8837a938edb9b9034b303
-
Filesize
216KB
MD51d5e95fe28eae4b8585bd866504f2c66
SHA135563cfb598ef1df69a451807ad34ddcfd4e706e
SHA256387ac4e4226f2a2188383ac810886c73a8a6df2caeed68f7aae865205733a0ed
SHA512a7f1dd901f70fb5ff1f583ff79f54c137974df6c6903b0325b0bc754b902b162f850038d634705785081b12874b6b3e20c017059a1aacdd7d57dcc9e08943ac0
-
Filesize
85KB
MD5e8cbb9abe52996374d4e752952f61a5b
SHA1a81e60e14b06404449e4ea04e60383005538dca7
SHA256798d657b5b153d55c544b43ca2f1053394bf2734252a5fd9a7ae92c61be10527
SHA51269943fbef11353cf6792bf12b42b1ce96025011bde49e6762ca3698850f8b607ecfc9bca58c06afc6812a459da07ccd8a1eddabadfa7daf3d5d65ba6eb9c3bf6
-
Filesize
216KB
MD51d8e3fcda0dba49fb8a458f9060d6d95
SHA1fa025fbce2148952324addc75b423da489dedb1d
SHA256004f5c77972c01fac9257becedb4f9d882da15fc5e1b1f42ae36b751a153558d
SHA512e978fc5dbd40257a1971052e532f48edb56ab50e5a16258fa24b612a2749710d742867ff84635a4989eed6af4698e5975931f887ee40cde7404482e141660121
-
Filesize
216KB
MD52b3da65e9cdae6813685e3379e3cddf1
SHA1a062a347cfd892e2f12efea23ae7a845b6293d01
SHA256e4a087b78c10cdbfb4844a9cef9013b72e1e3a91cd601f020732f6c948bd4b38
SHA51231398b546a6a14dafc77c9c905943ec34f1ed408cb93d05f9a1782f4ec339777d5732b58a2f0c04e79bd02911e511e8f34f9ca519b9ed977197cc62518f987bf
-
Filesize
93KB
MD52c85295d39c92c336d5820d35863d60c
SHA11cfdfe50227a43145ab74a32eba63212efeb0979
SHA2560365c8059864bff9dfd8617aabcf784480d0ed765c849d00627823620eb76a61
SHA51218c0db85a87eedcb03ec5382e1cbe0e5ea11ecf0557d4f6ed1fd5837115a5785c7b57ab87056bde9be0ca637f0e5735a4e409b2f024b0b4276606ca8af1b0107
-
Filesize
216KB
MD55b6a3de8467fcd8c00396fe604094e87
SHA1a13869076c36ae8906ca896b203c12b996065566
SHA256a79ebbc95d8f446201a014c581c2ea66ead35b89ccf77a245878d5d5a7d886c3
SHA51245d007952c7d97c761fb350d890f1145793d8458c42ba588ac9cf2e51c12f46d088f96e8c65c99ee879ab4421385e209d84533ea760d3519c6d5cc6e4f90104d
-
Filesize
216KB
MD58c177be36ee123441211eb96df5f17c9
SHA1ca0248e7dff3dd6a9cd7e72d62a68142d029a873
SHA2562fee08b1840117516c2fbd1cf266b21f53f3ca0e24ed933bf90c660dfadd613e
SHA5123397a10bc1f56a57bcea34cd5231cf2df2d983cf4b832be771b7d2d320776a26fe5814feccca046d720b1da42efaf96d7ca035c5fd721794487a4d69060e8424
-
Filesize
216KB
MD588f4ff8b960230507d5ecbed13120dcc
SHA12d65bfe1a822da244452efd6b51930d62e3bf571
SHA2566562ed5e738a70ce07c516c7351dfee141d699f46f2952d9d3e333abecee76f5
SHA512b9dfe18f6f44142ebf6d342a327d732da06bfeea4e561650beeb06c7dcb300937813865e458aa3505f461b32c721bf419233bdb6e764184d382e4a474caeffc8
-
Filesize
216KB
MD5214b48647b7d0a350f7f6312fb6d7edc
SHA1dfe025d46b572721b5ac6c5cbd70bb4da74c67f2
SHA256bca8bfcd32393dd8802ec5e7d2cce077fe6eb4587c4e474fc807a6371e3f652b
SHA51245f4a56038c768dda8c188e58a3751dac1c3811423ef28165f89f2fc48056511465689eb17a6413130aee300b0cace2bca68c4f581ac0da187d5d5256c73a48d
-
Filesize
82KB
MD54720acfb920753f32550612f2c903cc6
SHA1b1c7c3bb386bffc7b0e10437307771359b8b20f7
SHA256af07ae3cee5d4c4c50f22d14e4a1438dbef8312b2939afef780b37f7cb30f570
SHA512f6a0b0a9ed2069fdb7ae57b05ee80c361d13674ab7354fc1a5656140f4b5d48336b9b1196105b5add077bce2e83ef6e7e19a7f2a6ec1a1de111490b76374a847
-
Filesize
92KB
MD5dec731f28bb320dc399376ab6720bd73
SHA1aae6546e475e36a057db3c965b60017adc91ae78
SHA25649f6994bc413bd4bd54e9c53bc951afa3cc80e2088bc82225e7d484f0a77374c
SHA51213ef5d7712855f57bbe62b97b5498079bd14b6255d4ca2bddecaa07e05aa35691cd4f55eb7e1363e2b66d942b18812dd15041ca894715f4d550ceb89d703f995
-
Filesize
41KB
MD549709a2ff5d81ac1b210b4afd76d0473
SHA1cdc7d4dc370f5bfc4fbd96c42e51467f9e5d2d24
SHA256f8b61746fd7bd89060bad456d51b0fc92f4497d698e75dc6258e8d9db70eabc4
SHA512514540b8da9eeb27ca270edc152dd8714f44ada4a028105268223d7d84e4954baea912ad7ad217d09fc9dce07a8198a9a60c2d3ef9c1a7268b1a82c08607d27e
-
Filesize
216KB
MD54710ac4e9397b5ff3a571adf690b4656
SHA104f161df2f485e4ca42d371316fadf896b3633ea
SHA2563447c5dfaba009475cafef87c7feb049088647ec5e6253430e858f6bd200fa91
SHA51298f24aa48c0e01af7f515a3a6caca7d09362a21c54ce9c3207859fcbf743a501a06fe825376b68d5fce8c20c06f44268c614be7ba9c173a518728c180cb8fafd