Analysis
-
max time kernel
149s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
18/01/2024, 23:29
General
-
Target
2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe
-
Size
408KB
-
MD5
e2943c3c0ba3f317bf5cad2bfea901e1
-
SHA1
10dfb5ccc57047c316a14b31a36c7a73560fdb7b
-
SHA256
124c54a56eb0a69be4b06daaba4400ec84af1aabec10bf4ffc72286ab40e7580
-
SHA512
493d5ebb1b6e6b33248cddee2618adb94af8a83d93516c9b1ba25a924a2cd2cd269a27710d9dd6710d3021e8ecb559a5eaec94bd6cc265ce82d243330eadfdee
-
SSDEEP
3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
-
Auto-generated rule 10 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Executes dropped EXE 10 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A37947E6-8DF7-428f-8728-EC4A678D8578}.exeC:\Windows\{A37947E6-8DF7-428f-8728-EC4A678D8578}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A3794~1.EXE > nul3⤵
-
-
C:\Windows\{D90A769B-7212-4896-86FE-EB14A828CD02}.exeC:\Windows\{D90A769B-7212-4896-86FE-EB14A828CD02}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D90A7~1.EXE > nul4⤵
-
-
C:\Windows\{48282C43-D0F1-4083-8F94-BC024D5C256F}.exeC:\Windows\{48282C43-D0F1-4083-8F94-BC024D5C256F}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5BEBC732-6A36-476b-B7CA-6D3EF1E820C7}.exeC:\Windows\{5BEBC732-6A36-476b-B7CA-6D3EF1E820C7}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{256D2D70-3396-4e6e-9289-999722760E6B}.exeC:\Windows\{256D2D70-3396-4e6e-9289-999722760E6B}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6D8FE74A-8BF3-4fb7-8221-EBA7AB6D78B4}.exeC:\Windows\{6D8FE74A-8BF3-4fb7-8221-EBA7AB6D78B4}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D2E0E18E-4D65-471a-A628-62E11559FF14}.exeC:\Windows\{D2E0E18E-4D65-471a-A628-62E11559FF14}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3B6798CF-C676-4167-B9FE-2AAC0D4727D9}.exeC:\Windows\{3B6798CF-C676-4167-B9FE-2AAC0D4727D9}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{71B064D2-61AE-4790-88F6-D1A82E90F9B1}.exeC:\Windows\{71B064D2-61AE-4790-88F6-D1A82E90F9B1}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C6B61C0A-3F83-456b-ACC3-2E54F1753F26}.exeC:\Windows\{C6B61C0A-3F83-456b-ACC3-2E54F1753F26}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\{0F0AC57A-7E0C-4d1c-AB36-5C6D9507820E}.exeC:\Windows\{0F0AC57A-7E0C-4d1c-AB36-5C6D9507820E}.exe12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{71B06~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3B679~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D2E0E~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6D8FE~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{256D2~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5BEBC~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{48282~1.EXE > nul5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD5b8ae64a44348d3f830d885cd35279172
SHA1847defdb8996ed4ad5ea6add632663ae2b039390
SHA2563390a2c5d59859157954386ebdce14d27f61a5f6edc0bb156695e0edf527480f
SHA51287f677a01ae93982e56acc1e91938f9b3a7d2311763aa2c2613c0ca368a85389f767e137015202b7bdd6bddedad4180d2a662e68d516da9e5d5d2f9f819f89a1
-
Filesize
408KB
MD53ff5ae2f8358d1e3d5813bd0febae5e9
SHA1032aa9d629a63ddb89bd013d232cb36e9aaf7686
SHA2563ea50796786a31784653a9aa2a7bbb887ddb5e4022cc3aec748d8b03c056b7b2
SHA5124a5211ede07140faf4f77e069b5e622fe3d693a2a696d7d1a035d372bd1b764ec2df0156115bf3300055781fbbe2e3c981c97963e265027e0863f53f2c2b647a
-
Filesize
408KB
MD55d8e93bf5dfbdc01d6dedb3831f6eb1a
SHA1dccf5643f57ddbd9b73ba80d90d6940448ebe4d0
SHA25677cfea2c57179b8e7016a5f33ce7348bda2cc243385d85f14bf4e1cced8b3a14
SHA512a3b6385c4e015a4e9baa3d8ccd4bdd310ec3343f06f6b1fad93e35846246f44ef5b521c59c921505ed420cd98746d4812c3f1b2acaafdb643417e64cdbbd9dcc
-
Filesize
408KB
MD50cd3783770bcfeb2c7e835d93ec93317
SHA17893a074f0f4b0d5dc2d60df4fa4f21e24666dde
SHA256077c1e972ab29f1997ecf9d99e580a9ae56aae0fff7070527c6510c70baa27fd
SHA512905962320605dc5cc0d98eb9d459b3ee877fb8f980401949183d3f24b0207d9555da9523dad4ab1b0720584e9f39151567f8085c50b9291f6bc2f6dad60f6ce0
-
Filesize
408KB
MD576d8722eccaaaa2f26b4fb20ff0c5332
SHA1e3ad4ee9482cf45df32a3e99a38d2b7f2d48df07
SHA256fb1fc3cd12f3f50dde8911535448d1f88e215edb7c1686d70e62ab3f91888896
SHA512edc9094924428a1de6200cb2d87fe19732f5f33a9d051cadb6639e39fb76db0abdf36acd6478d59b1194b625dbf5761986db2689738061bc70defb186a680086
-
Filesize
408KB
MD5ecb08513ca91f5be71c13a35e88b91c5
SHA1655067cbbb1f7849a4f55c295ad7200bf937ee5d
SHA256592b0caa4a1eb32c273c740ab6312ca9837953e09a7d03fee9736284cc9680cc
SHA512ac72fc41b7dbdba87335053501de061850709d6d037a51fd8913750f0d7c823a5a37b943a177937123355038fe22903439672c60e270e96a9655a58c6aa8d236
-
Filesize
408KB
MD539e2596aa298ba937af933ccc7105eba
SHA19cce30ad063ebf4ef52aff507cca4845711fff2d
SHA256de69000afabe2b4e89352b0adcd663a600e34ef4f10c0498399836b7449aa7c0
SHA5127e9863c42ff9935b851863cc9f83f7329ff225a64b979ba463a2c763b08b6fd1a07e76130ab1f4427ee85a95dc57396caacf2141890fdb769936342672c30bd8
-
Filesize
408KB
MD5a903bab8491fd19fa4e2403dc0bc0a69
SHA1df369d7b4ff00ba95c10bf7a41753a9b6f598411
SHA256e3019e4ba917553d0f683c41bd31544beb140180372e072e7cc160409aeab187
SHA5120950b2688ecaf2ab6d1df501fc6d82de6647eb0e09f915a46c2ed6db60eb5318d7764ac48ced6fa70d5eea8993cc0a24123673115191918d2c1d63ce4e83bfa0
-
Filesize
408KB
MD533dc9971239efb5226a9df3f3c1d1a04
SHA14d6be40d5309b1cbd85743b6323ca597fe2a8799
SHA256a41a254c5b3347966cfa74ce6f945d63c1e0536e564d1fb33496f25f364b52f0
SHA512afcbe636ca91df0208efd82ceca8a2840bd9190203219ed9670fb5fa2cc4d1adffefd40d0f5f1ef46b029125e771b2eff0019517428309e1f5a38230c8ec5bc7
-
Filesize
408KB
MD5d0ebbff4bbd967e91138cdbb4d8db229
SHA13f9a53da7e4572755153b3b38986df2216209249
SHA256786b8e4d334de4eaf322cca6ae6fe75c6bc0e9145f3cc4c3c095cb6d724cd7b5
SHA512f7cd31a4b8b601e759c637420f618fe1c9a997965e02a12b12dfa0e344b132a2c0a4c34183bb0fc7ca4d58b0e92bfb34fdc26c0027687416cd0a0b0256f2401f