Analysis
-
max time kernel
163s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
25/01/2024, 11:24
General
-
Target
2024-01-25_386057845b1cf6cb6bb2135e02f1b81b_goldeneye.exe
-
Size
197KB
-
MD5
386057845b1cf6cb6bb2135e02f1b81b
-
SHA1
600d0cbd701643815c26eaa246ddce2aa37cab44
-
SHA256
1c79a8b69b7bbd2045fe0be9b51fcbe008c28a8e60be0188489e04ad12261b3b
-
SHA512
3941e616d9f4958726f29e69fbb64158b753fcc5d8a8d900449b0251ccccfd1c3cdac4c3c6eec9e7c190e4adb613463d0f0279281662665f285a4f1e684e706f
-
SSDEEP
3072:jEGh0oJl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGDlEeKcAEca
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_386057845b1cf6cb6bb2135e02f1b81b_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_386057845b1cf6cb6bb2135e02f1b81b_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{77B3070F-CC62-4e25-BE7A-BF48A040F647}.exeC:\Windows\{77B3070F-CC62-4e25-BE7A-BF48A040F647}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{80B656C0-E9DA-4926-9DE3-7DDF9C1C1E71}.exeC:\Windows\{80B656C0-E9DA-4926-9DE3-7DDF9C1C1E71}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CCB68175-FD61-46f0-9286-4A1A71A9CECB}.exeC:\Windows\{CCB68175-FD61-46f0-9286-4A1A71A9CECB}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7065F0A4-FA6C-416a-B4BA-9522C1128E1C}.exeC:\Windows\{7065F0A4-FA6C-416a-B4BA-9522C1128E1C}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F9558DC1-B8F7-4179-9822-27BD76D68CDF}.exeC:\Windows\{F9558DC1-B8F7-4179-9822-27BD76D68CDF}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{109FC62D-C546-44f4-9FC5-6C21C6E54C78}.exeC:\Windows\{109FC62D-C546-44f4-9FC5-6C21C6E54C78}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AFE45CE7-296C-4c1e-BD13-2E5525DCA9C3}.exeC:\Windows\{AFE45CE7-296C-4c1e-BD13-2E5525DCA9C3}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AA2D935D-C594-49de-98A6-A45E57FE6D8B}.exeC:\Windows\{AA2D935D-C594-49de-98A6-A45E57FE6D8B}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{0641BCFD-FE95-41e2-AEBC-91C61B7E5302}.exeC:\Windows\{0641BCFD-FE95-41e2-AEBC-91C61B7E5302}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{EF6EF530-03D7-4f9c-80B1-9DC8B1F2AA09}.exeC:\Windows\{EF6EF530-03D7-4f9c-80B1-9DC8B1F2AA09}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{F2165AA7-2375-4378-932F-4B76402C977B}.exeC:\Windows\{F2165AA7-2375-4378-932F-4B76402C977B}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{622CC4DE-CE8C-4e71-A7DF-808D6FB5C0B7}.exeC:\Windows\{622CC4DE-CE8C-4e71-A7DF-808D6FB5C0B7}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F2165~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EF6EF~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0641B~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AA2D9~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AFE45~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{109FC~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F9558~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7065F~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CCB68~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{80B65~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{77B30~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
197KB
MD537201058c452892f62181b0b6a67015e
SHA12d3ae7c469cfb2d5e704f6265e3acf7a64245abd
SHA2560e45c14590d957946ff04c7606047cba66c629e17088e05a92eec70b0b86fd52
SHA51281a90a22cc2f29bf63163ce6462db5b3f898e7202edfb694af3301f72a95b5aa4da20824d539ce7f00c04ac7e7548fd1bc507425526be1cfba2746db819f104f
-
Filesize
197KB
MD59ed06286e9f2aab9722671d9dd08ff06
SHA11c90caf9c96bf00f345a245d52ef8f7257ff47ee
SHA256d77f617a33c46694d6795fe987912b26acf03202905d69573a8765daeb64e1de
SHA5126b63d0410874b3a4a1a465ed41e20c1338b1d8397a75b644b5b40a58b533392e212be8857268c094f82558c11356756ff7bfa893c6403e4c4460b3aac5fc56d1
-
Filesize
197KB
MD5be0b6d7a687f8a636afeaf75f37beb96
SHA1008ea5f9d9e64c482b85cc2537f3d5e78d6412dd
SHA256af6771653ca58414c9e834600ce429f256a808f6339ebc56cfc1f1ee7439ce59
SHA51242c9ec900c9cef8f76f253af8cc41e788f92a21608a3170e49bc59deee6348e398783ce149cf5f966038aeefa29834863b5afdf2e580e52ad1afdcabb1afe481
-
Filesize
197KB
MD57484b17ffee82cd211e30ea5534431a0
SHA1fca38ba15e0b2d34c0e0693dff96201763cebbc6
SHA2564be00f98037fe4020627ac53c9b20e133bf18b57930108b8b24cce0a26d44b59
SHA51255ab1d5787e92440295cd2b4c81122c18e7df684b0301195cca0d86a4e171482bc222c72bda2ab0938021be1526d6a14f91721217938476b1f0f0a2b7ab7097b
-
Filesize
197KB
MD5b59206e3dc615eff87197b31143ece88
SHA1d8f9b11948fd96659be5b62ed5a561ad3d583a02
SHA25673a60962c79e603e7202a919a7eb5ebb5176b3a97d8a40d7a90cd290fc9c30fe
SHA512e2a0e6a77f8755a38c9bea6e34d33469a91feda20c37fe55b8cfe95f9057c2a4ca497e87f70f69b7635eacd5b936bac42e85a8525a1b0adc9fb5d5d105951f13
-
Filesize
197KB
MD5cacfc0982cc3e2bc13deb040b93eb6da
SHA1c6291b991184d7bb4336499a10a0e3db1760aea1
SHA256b91437869fd429dfb7ebee723f4bd2ff9eb0b4d7ccd11b7087e43f5e3687bc6a
SHA512cbeaca889e4e5152ce304f7b277457a11bdc90b22e06c84959cfa9a79270050c066f598838f8b42016b99d23db9fecc62632a96d2cdcfcb40455e3af28b1fd22
-
Filesize
197KB
MD5a470afabde04afab9fa34099b53e5832
SHA17891765a4eddf5ae1d3f7626095d60855d33fab6
SHA256cae9355242fbfdc22f1c04d1b9072c7ff1e65739a1e4aadcfa05ef79f0f301d1
SHA5124b2d7fab1fb0bc8707e5a502a8b82237eb85b740e6f496f054edacd53d473059a66b9e500b58b408785fba923406edcd65b9a640b3b245972dc32a640c7105b5
-
Filesize
197KB
MD5a2a97468f56b85a7c4eddb89b4ba6a03
SHA12dac71f523981e6b4a3854e542c4855ae3de3703
SHA256aff864dc018be14cf82153f69484f0a08f56673e4ff62206a8a8a2980421fb60
SHA512864d9e55f621d4b10cfd5d49a43360a09f9893e3c3620b8ac7f6e7c8e8ecd70f22e972654ef459511ccf338523fe54df39f608b6bc28d366364f56bab9216718
-
Filesize
197KB
MD5a2770daed550bb2fead12eb7c0351cc0
SHA1e0505e029e55736e44663aa500f91c9c89b64073
SHA256ceb7b422a9b71d20cb14ec48ea48fece5860ac78887366c25355538ba5a8b30d
SHA5123da21805f6ff8feebb2051c490f317f00daef45bc2bccbc2c64085fb846ed8804f4384704ebcc6852089872faaf41072e23b14e0282277af1f948f566a03e173
-
Filesize
197KB
MD5fcb4ea03b43dc2e7acd833e7a9383004
SHA17bb87fe1c25456441b3942e008e9eecfc786f9f2
SHA25682bb0d45ec77ac79ecf28410eada9adeef2704d549d085efcca831a9e864de3e
SHA512a5b16b65ddb833d9085e74a7540fb14e0c97559ec39aa8aeb9810be77b9d5ec9b4536aab933ce89bb7c16b8e9bec0ced349446d83a89c95c164f3c6465041575
-
Filesize
197KB
MD52244b9c5528101ad1b5c5eaa726399c0
SHA1a7e7d551311a103d3e0f4b624970098eda69f871
SHA25605e1aaf6db38527b35dc3c53f193192f28b31b44280eada3493d488c0b19a3b4
SHA5129bf2f4296b65edba8c4461ec3992c69f1613573a05228cd32e89c97014939e4c1e57103266c6cb371bbabde82129c34ae179f36245fdd447bd135b91ae199a73
-
Filesize
197KB
MD597ea389457b230f7588aef3600df3f81
SHA1bc5bd8e0b614a77d7f775f45c699425ed9205083
SHA25603728fe02366e198b4d70c721c0ef512041ae72f71ee91c8e6640b43a7c41b6d
SHA51267d1a1aef17351e752882956f6e6dd787f4ed19cfa2a83015c9e26f8fce8e9a0f6eee2ca7315e345c8df00fb6da596329af4044bf98e08f4e285d103ca37084f