Analysis
-
max time kernel
144s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
25-01-2024 17:36
General
-
Target
2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe
-
Size
372KB
-
MD5
ba912d46e1acfaf79d03097f09a2702c
-
SHA1
5498bf61a4d1dd745ffd368f4322cd1fd2484032
-
SHA256
a0dc464d4cce80c660597babf8923ad92308d4a14fafaa54cdc7670e09dd7955
-
SHA512
d2c2ae47d101fa2645acfe9a7e4c04fc6d05f6820971cf8f8fae396c17ba8f2345c62b7e1908bc6848601c94ab07e6ac63296a382e35dde2130855fc057b5f44
-
SSDEEP
3072:CEGh0o1mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG+l/Oe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exeC:\Windows\{204046ED-4538-4740-B41C-0CEF24082813}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exeC:\Windows\{33C06764-CF96-4c23-9BED-BA414C102AA9}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exeC:\Windows\{6C3C2157-0D30-4fb0-B373-5170F15179BB}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6C3C2~1.EXE > nul5⤵
-
-
C:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exeC:\Windows\{4256BE8D-89BF-470c-BF07-975D1302F613}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exeC:\Windows\{FC04DF75-B70F-4349-BB4D-8527F1446938}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FC04D~1.EXE > nul7⤵
-
-
C:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exeC:\Windows\{F66CF1B8-C598-45ad-82C1-1C1AAC803E2F}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exeC:\Windows\{53CE17B9-5D5F-4791-A413-4010C7ECF99F}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exeC:\Windows\{D39524EA-A969-4896-BED0-AC9B3702A241}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exeC:\Windows\{6039610C-50B8-4cc7-8CF4-6F42B8F780E1}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{60396~1.EXE > nul11⤵
-
-
C:\Windows\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exeC:\Windows\{70F64A43-3318-4bcf-AAEC-786F8240203B}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{70F64~1.EXE > nul12⤵
-
-
C:\Windows\{446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}.exeC:\Windows\{446CF7C2-059F-4a6f-9E34-2A8B32B42CF1}.exe12⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D3952~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{53CE1~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F66CF~1.EXE > nul8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4256B~1.EXE > nul6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{33C06~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{20404~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD5d1681548f57a7e905544e3afdae41268
SHA1196e3a097a9b264689a8251d0823b032c4c2cfb6
SHA2568872317a370fc34ec1fb0f763f182878ce1fe9e7849e1ee381c18887d73ea704
SHA51228b858da6065a6bc1bbe0007f6f9ab80b0bb6c37a66dbde3ac088c1a09ffb619a492bddaeb98abcf9a2a25c908a2cc8976c31d6e621229f311eb8c914f1cc8a4
-
Filesize
372KB
MD57447b49fdb68a3dead993273d3ac4d5e
SHA103c9cf286a09c7829b42f09cf0a662629b34a504
SHA256b6330b31457a1fa72bcbe748f53a5d4666eeb61694377b61dd3f507edc939c9c
SHA512b047b154f0f72153fb45bda49f4f0a7fd5071142e284c6642928160fab4505295a5f704bf74eb8a48890ebab2b19e4a6d0f99ca6fb0e8286a4ff71d60fab6834
-
Filesize
372KB
MD5e3116d36623e3d88db9a38f11cfefc54
SHA1335907a1fb60e0b75d8af476c2722673a8816d31
SHA256996ad2583b2b438bde837543eaf84130c060ea5378fa21f7bee2cbc888546ca7
SHA512aa1fc7507e677bf6530f3831fc02c80b35ccb51c7812b6f60ed43fdce6f4b5f4ad5f59cd26b846078164e9bb7bd4ae6e252ed7985d1cc9c2ac4581971725fe45
-
Filesize
372KB
MD5239d82296c8c6485c0913f12d97a4032
SHA1d83f67736731947c3025fcd4d7ac8f5bbdac4b05
SHA25609d744b070bec3d52d3a821096df789de8dab8002b317c5f7c6078dcea135916
SHA512e2ed9fe45fd236d54a96e56b13ee12a907718a1607235284056753307dd614be68a03165959ca11c157deccd6f1895d886ab091677bd448cb398e8be3c18c87c
-
Filesize
372KB
MD5c62d8296eacfdc087e9c00f09ef69169
SHA15508ff96abdf56037df49387e0a4ece85da10fd0
SHA256871885ec5d39fd779809fbe204c8be31d588d694b111c3d261c3ccf7047ffbc1
SHA512e07ff7eccb0667461a6d8c1eeef5e6c211b575812091bc77fead17ff4cd134492b275c5b49ed23e634703426aff56b1fd2d20bc222d71a3289b9c8a46f2b1570
-
Filesize
372KB
MD53b18815df039bffde436a31c04991c0f
SHA126f4de68e522cea93ad5efae7739e0ede137d979
SHA256fb3df338585fdd8c1bd559e942bd53b606a5ac96abeda28f620d886ad4820649
SHA51229b029fe1b13cd518806151a841848044ce6727905738e0a2d606ec39375c0a0740b80fadf0fd159c5d79846610e30efed76a8f83019a7cc56bc035322fb9290
-
Filesize
183KB
MD52da380725c265b17b0360128fa811e1c
SHA1c3918750ca56efb7fb1b5201cc9a450dc8affe2c
SHA256e106325e3cc84662d636d73531eb3fadda65d5683d26a4f3b141076e35d7685d
SHA51224b7bf8a04a35151239c52cfc594785cc3f96b8a11c689fb3e7fe0df13db81a986d6737fd19f3066c4797aa8e7b7f3e0561c39f49628bb0f83bcd3b78c6f7323
-
Filesize
372KB
MD53c73f7af5954b80e0baf6023885bb4ef
SHA149abe7efb3d648e159b8ff83c3f2b19226eeda46
SHA2568554c68dc2d2be61abd1260bff04aa48c1d9a9f13d8a5fec651caeb258d4f1be
SHA512ce9b42e9e28e9ca6c734a89c3c50695d96245eb81d201565e692c67de78134adcfcc3d2a8f943d745108d7b3840dfc60b2102167761e6d742c4605ed445abee5
-
Filesize
372KB
MD5c82363d45350ffc565e77e4dde1981d2
SHA109225c83b39e742492ba10fdd9cd514e93e0cc32
SHA256fc65257a93df557dbfa3004031eb702ed9406af5b89250869ac175ece506d508
SHA5128572f9656f0529ae1bd3c11065ed5d39a0fda939b2a2e770d028020606cdcf5951378f4534a4bc3385e717e43db75d07b16c614f20ab789ffb110d2484a3e07d
-
Filesize
372KB
MD5e5c8cf745316728b5ae9cf9a5032ace4
SHA138dc4d46acd4e39257063086abf0f4685a078346
SHA2565e14ea9f3faf41b4876454039cf9d26bc26cd4b2c48a8aa579185bb2290563d5
SHA512ab38d9876927b84a00a992f704e9d3d43098bcadd72faffeff8899054b58acd77f791ccd788232a282466c5202fccff3899fef6b6c16a6dd48a063d9257f6f23
-
Filesize
372KB
MD53da2d172f6b840cbfb992573a1c67fa0
SHA14269e1240d93746df18bbbffe2a19aaa596ccdde
SHA256545370ecafadce51d3c2f99a9d9f8ab16e2a22f92e7b4fd98800644d7a5ad7ab
SHA51220698fe5cd92f2ce9e71f8d79e0488c892551951d18cb8bb9af210c2ff44b9fe683f59ca52f672abeafac085386c640ddb54f978664e314aff6368f8e468ccca
-
Filesize
372KB
MD56911081714ca4053adc962909842572c
SHA1daf2aadceace86d72ab4dcbe5908daaa3a907c77
SHA25653a8a139020a18164d4cac5fbf9f9be70d43e7dce22145c4fc89772f5a28e94a
SHA5124becf8961324a02aa12d6f4b3ebe43a53bbfd64d8de545560e74efc3db3543370a11919901e25a76af1e0a494089c1068743688744a899604d62501bc854ba6f