Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
18/01/2024, 22:25
General
-
Target
2024-01-18_0da3d763a7d434a71aef11d949301a2e_goldeneye.exe
-
Size
168KB
-
MD5
0da3d763a7d434a71aef11d949301a2e
-
SHA1
489b2a114b56cb6b286d8ebe13c642b76f95f2a5
-
SHA256
367d8feabc74e951e518930a00f928bf8b9d1ea4f636dcb9d261bd71ffc4c3ff
-
SHA512
f37f618604bfc4e4bde287601b11c9db3d75b65bbb1a1d13c86c98b8d4cf7b5f8e4787347122a1a0b45e4f9fc9bf3d9fdb0326e9d395a95367844158e678aafd
-
SSDEEP
1536:1EGh0oqlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oqlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
-
Auto-generated rule 14 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-18_0da3d763a7d434a71aef11d949301a2e_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-18_0da3d763a7d434a71aef11d949301a2e_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
-
C:\Windows\{CA29F0FC-1F89-4418-AA2B-ADFB8F2C5110}.exeC:\Windows\{CA29F0FC-1F89-4418-AA2B-ADFB8F2C5110}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CA29F~1.EXE > nul3⤵
-
-
C:\Windows\{F1DE0405-AEFD-465f-94C3-D5E30888A343}.exeC:\Windows\{F1DE0405-AEFD-465f-94C3-D5E30888A343}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F1DE0~1.EXE > nul4⤵
-
-
C:\Windows\{94285119-4970-4ff9-AFB5-171E14EAF55B}.exeC:\Windows\{94285119-4970-4ff9-AFB5-171E14EAF55B}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{783DB2AB-A2C7-42a3-8E8D-B55054465EAB}.exeC:\Windows\{783DB2AB-A2C7-42a3-8E8D-B55054465EAB}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{783DB~1.EXE > nul6⤵
-
-
C:\Windows\{857ECC63-9625-469d-9392-52234955644E}.exeC:\Windows\{857ECC63-9625-469d-9392-52234955644E}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{956B0C54-CA06-4b4f-8DEF-BFEC0DFC3A50}.exeC:\Windows\{956B0C54-CA06-4b4f-8DEF-BFEC0DFC3A50}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{71CE7CE1-985E-4a3f-A7A2-95077972425F}.exeC:\Windows\{71CE7CE1-985E-4a3f-A7A2-95077972425F}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{71CE7~1.EXE > nul9⤵
-
-
C:\Windows\{66466EA2-87A9-430e-924E-1007AE9FC744}.exeC:\Windows\{66466EA2-87A9-430e-924E-1007AE9FC744}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{66466~1.EXE > nul10⤵
-
-
C:\Windows\{05BD9A60-83E8-45a6-8280-A64825F08910}.exeC:\Windows\{05BD9A60-83E8-45a6-8280-A64825F08910}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{57A20AAD-98CD-4b33-B681-FBB03D7E6A38}.exeC:\Windows\{57A20AAD-98CD-4b33-B681-FBB03D7E6A38}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{31C00A14-6F2B-4b70-9D47-6D1657F8EAE5}.exeC:\Windows\{31C00A14-6F2B-4b70-9D47-6D1657F8EAE5}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{F13DF09F-47E1-4698-B229-C10195EE63AD}.exeC:\Windows\{F13DF09F-47E1-4698-B229-C10195EE63AD}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{31C00~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{57A20~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{05BD9~1.EXE > nul11⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{956B0~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{857EC~1.EXE > nul7⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{94285~1.EXE > nul5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD547fa573657218da755aa8e71f5bec033
SHA1b5a12fdd1022ddd8c0b5babd98235c73366cf8d5
SHA2568b19a57aa6daa9ce9cd83a57385b41fd1ecdb90d59272d079f1c91f163751204
SHA5128b845557d8fa09bd68fb5e2f23b87ad151d80fa4996e89daa96a48f126e9aeb9a647a572d5825535c2fda9210eaad9144060a9b99d29b0e61dc9a7421cb54ed2
-
Filesize
7KB
MD51854fd76e98c7d47509ab2c5e3763d72
SHA16af4ff4407421b388dd8f942baccefcf3919d496
SHA256fadc9dedaf8a185fd674b659b6d2e9149d1c36d54673b19944242766e86962a4
SHA512c7c027728f4d1e1cb54ea39db975d6ab643a2d482f214ca391b0fb9ab700305a5d42e2fce92a2c113fb5c35e906a67cb4735e766f523a999351e627511fc0890
-
Filesize
168KB
MD57b80c6058f6158ce0d2f959f6b0fe8fb
SHA194173a22a6be92528bdb8840d65b9f5e3bbe16dc
SHA25653ef27e91b6f8c6990745aa0061529efcaed8f3a333e17834ff2b20c6e5a0c37
SHA512e66f356ea2136b5af95e6181c5ed4cea9a778b4a21dbb487cdf3f33b55a9ea8cc7cb10cf04549c3edea10acb27c3b277dadcde3df9d745e2534dac9d3ac1a3b7
-
Filesize
168KB
MD52179cc88b7aba778ba8c656e7580f5d2
SHA1b53a5a67884ae09fe4c3267fb5aa9b5e0e406936
SHA256741c756e4a111e5d8e8e07fd09c6c07f72f77f342c390b7a588bac83a92fd027
SHA5120cc20d5512dbb706700632ce9affbae908c262bc0c997936c7262bd67f45b3aa178b71dbf8a421ba9ec9b81d55eb814a6891cc60d45d55bfc1f3c032b4effdb2
-
Filesize
168KB
MD54247387f3029b55e14ebf5d72ad2b6ad
SHA17a7de55925472b3a3992e5aa4cf6350d7ea5f29c
SHA256d61aa5683c7b8f02b0ff76484a135978be8250c2b9802006b208677cdad093aa
SHA5129f67240aa5f9241d78f6303cb1ea750d73f23036d4531ae6c373eb1ac99c106a7bc8b7780903c0e905fd9dedef0a84683df0d7942f353202d9f9ba5226b18ae3
-
Filesize
168KB
MD59727d5d7e8393ee581a5b793de8b0abc
SHA1f226b3f4cfb21b487541aa09225fd8e08f768179
SHA2562367f9a7d0c198156b41129fdb4bb828dafdfcec575a0ccb3400e9aa5c5d81d3
SHA512ff8f208d111997174702694163949e8a93e92ddf03eb7b7dbf1355cf4dfaff0633fb1e3899150059b3da099ed14333634fa26eb67236cf7b1ef95b72301617dd
-
Filesize
65KB
MD553ec6455c36f96c1d9685611cb36bc84
SHA1619f29201cbe3536e45a19916dde02a386d93de0
SHA256911819503cdc2bd928b94c433677f43a192ab2b95491cb7bc63685677f13afe6
SHA5128dfad20e77b12faf6f3a42d7718f6dda67d2ebded81884ec8266585da2af5b7fbad40e2ba5ab89baa1963239654dbbf004093a25700251804ede8cfa2f799625
-
Filesize
93KB
MD5de2f252ff4d186cf6bd4f0aa6af63728
SHA17ea5f5d421a17ec53b8652d24f0be6dbd5b1605c
SHA256a399ec4a6834eac7dc7eebd75f6263e35b2a345f9efc289d4ddbeb40e7367d14
SHA5122a9d861badd360143de895f08cefc533531fff807471898e7f895410a83136b1226476ca40d2b1ebc6d2ee1fa141316f4cd51bc0a1da5c85f86cd4218be62c99
-
Filesize
168KB
MD531867a4e00480b700a83971b7a9936fe
SHA181e237197b50344b712e34992701abd47e34bb53
SHA2563208d0c92121a058b854cee152533392ed01249c9c9bc37c48553f3cc7c45a4b
SHA5120094ab19cad2067cbf9dff605f5a3d6ef3dbe940fa1084f70a01bc46c377cf4f88cfb12026fa24b59633c69355ff9760dead16b404955bba550020074cbd369d
-
Filesize
168KB
MD50f6cf3ab9a7e8ca18f29fe2fc546a9e1
SHA173b3cd77be5b6f014cab01de63d2b21be42e6760
SHA256dbeed4a9e67112590b0dc4c9dbad04108d40e4d13f370f0802400a653bfad18a
SHA512071c9d41e8b3462f267fbff58413b04273c268473e3739d7081808e0bf12263f1c8462df840ff51d1c6e1735bc5de7a2db4825e21ab7246603b57548e922ae23
-
Filesize
168KB
MD5cb0116e47b035865b10e8d283be98b56
SHA19780c9d22662f2d62bd3817afe0a69c0687e7a14
SHA2563c959fdc80e3bf8f57bae834fe406a2fc891e53b12f07caaede5c95856cb4918
SHA5127bf65c9141e9adc52892c9253b978d05cfb7cff56aa3f5ac552800763ef00c84e5fcc8c071dff0834e6eebbd184f6dbfdf2ab0545d3990b5c628b95fdc4f3573
-
Filesize
168KB
MD5eb47bc30ead5c698792066a63d4bff7a
SHA15ccc5e5e4fca83dec80919b5f884718879973f79
SHA256929e3abb23063c85d977a86e072a5ad004c155dbfbaff83557ef8c43e9776c2e
SHA512d79859ba94721feeb83af8602c33df01af69dd9c637a250309e6aac795dadd57ae2a48a95ebcaa13fbb96d1bde97a1db5798eea453af486057a0449c69c34494
-
Filesize
168KB
MD5da2deb88cb8439c150e8fd6cfcadcd1f
SHA1d5d0abde4158504da5f58aa7eaf16b3a1b03a1bb
SHA256d7e070843d83b99057ef3ce82791b340394a43595dd48af1e7729e8aafc33c65
SHA51224c5e258bd3f70061f37e9cc2c401c1a5ef4bb5ec623a2afbaaa4f094592b078abcacfcb7367a57dc3151373883bb603222842962ad9817f657f2300fe015cef
-
Filesize
168KB
MD56e14e52078635374c2b77c14ea724c36
SHA13eee5e3f0346e49702248f2ac5480c947949983e
SHA2560d5a9ad6d631fc01198324963e4f0efd7077debbb79f79e67ae77d081143992e
SHA51224b290e9b4e646135c13c3e8c28bd54ed0e508853dd9f19f7f89f2935fca0c38b3adc323bb3e233f5e36b424ff914cb484c9169cee3b24cf44aa89c6b2ec377a