Analysis
-
max time kernel
144s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
27/01/2024, 11:43
General
-
Target
2024-01-27_e0c52b168c4d2b29d3740e92e218cf24_goldeneye.exe
-
Size
168KB
-
MD5
e0c52b168c4d2b29d3740e92e218cf24
-
SHA1
e937be973538132439cbe85d9f8de4bea34971a2
-
SHA256
97c89a5155ae3ade2206c61f62f5fdf430c206f1de545ec11b751d88968eaff2
-
SHA512
4a237e00ff080e458c29412b37bd95671fcdef4f28fa8399c63e3cd650037e7b488d48ec2da5fd4e3b78a2da87e0b81a0a61be3c87d7fbdacc6449d437d4c1ce
-
SSDEEP
1536:1EGh0o/lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o/lqOPOe2MUVg3Ve+rX
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-27_e0c52b168c4d2b29d3740e92e218cf24_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-27_e0c52b168c4d2b29d3740e92e218cf24_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E9F90040-C832-4cdd-A065-8E87F29BF6D2}.exeC:\Windows\{E9F90040-C832-4cdd-A065-8E87F29BF6D2}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8074AF4D-8EF9-463d-A1A6-2995C1D4B6D5}.exeC:\Windows\{8074AF4D-8EF9-463d-A1A6-2995C1D4B6D5}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E8EED6EF-FDCC-4593-AF39-FBFBC0D268D5}.exeC:\Windows\{E8EED6EF-FDCC-4593-AF39-FBFBC0D268D5}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BBC5F265-7FA7-4b6b-BA4D-A005B79BB62C}.exeC:\Windows\{BBC5F265-7FA7-4b6b-BA4D-A005B79BB62C}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{740DDF26-76C0-40c1-808A-D324BA07D4BB}.exeC:\Windows\{740DDF26-76C0-40c1-808A-D324BA07D4BB}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D2C46A6C-914D-431b-8081-C991AA3B3C30}.exeC:\Windows\{D2C46A6C-914D-431b-8081-C991AA3B3C30}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AFD02951-BFE5-4e76-9883-07485ACA4193}.exeC:\Windows\{AFD02951-BFE5-4e76-9883-07485ACA4193}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CBC69CE8-07BA-497c-B63E-B05DE2B9AB8E}.exeC:\Windows\{CBC69CE8-07BA-497c-B63E-B05DE2B9AB8E}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{08AF03FD-14F5-4177-A33D-ABB7DE4B4BA4}.exeC:\Windows\{08AF03FD-14F5-4177-A33D-ABB7DE4B4BA4}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{08AF0~1.EXE > nul11⤵
-
-
C:\Windows\{9163F804-128A-4009-9B7B-F9C1CD38E82A}.exeC:\Windows\{9163F804-128A-4009-9B7B-F9C1CD38E82A}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{C964ABBE-F866-4ef9-87C6-D88DAC1DC6E4}.exeC:\Windows\{C964ABBE-F866-4ef9-87C6-D88DAC1DC6E4}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9163F~1.EXE > nul12⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CBC69~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AFD02~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D2C46~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{740DD~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BBC5F~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E8EED~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8074A~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E9F90~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD55e22aecfb18937e7aef88e647f70f5ed
SHA10039646f4daf3e18afed0d187d739bd21f7fd24f
SHA256132e37521eb0e7c5ba39d1b2fdf57dede8f20a79be6c979e93106f7dc6d0816a
SHA5124126d4ea2d7cdb9bcb48fe28724d8c18de3e9b0e1979d6caeda288ead58be71b066510d364e2d2c5b544df108e7115c0e22bf454f8dff43227377e22eef1f556
-
Filesize
168KB
MD57851e1c24065636901cac5639602b42f
SHA116b88e0059f3941324e942ca56436198f8e1b81d
SHA256b0bba9a79afa83610538f43bc8ed0b4255fcbff00643f833368bd9aa7fd1c870
SHA5126d5c880be5ce92de412dbb308288c20d558929d7ca01974a4d5ac26662dbae7c09dd49680e8b540b78a1f5d1e7a3ec3f8c2eb443aa86ba60cde234fcc5b09c24
-
Filesize
168KB
MD55370ae949a1166d08620ec9b34ba7d65
SHA102a7da4030ed5840cb574965db29d856ddad3abb
SHA25617eb628533e85bbe3ce0311ed80a21ba1cd39a00bba98349a49e3397b5c634f3
SHA512cb4b829363ca10daba173646d980f09014dfaccd5bf96f5121ddd2255bbc624a8a7b390d27d96681feb69a88c6932b5dc5ca3dbf1549e106cbf76ac52faf3c4a
-
Filesize
168KB
MD543f2bf6924d9f357642ee555bd82ade4
SHA151b34856fb9c114f2ba5c5092b95dc4d7d8c943a
SHA25698848956857a7194c4e71781eecd9d0daa049fe7dbdc6adf5ba7875f421ce504
SHA512c9e51d2046467e3049e5f886fed18a87b26f75b6588cb853e5427d5ffb46259baa9bb973f0e6f8d6f9e8ffe9bbe76706bb9516ca06415de61ace95c926e53bf4
-
Filesize
168KB
MD526f4fa87609fbacc748b77f80003aec0
SHA10c7aedcf56a805969c0503d3bb202e2015f6c6fe
SHA25689dfde1d6f347016ac67ee69f7f32a94eec95613d8b87d84373568cc857d4efe
SHA512580ff4ddb276bc8fedc4c03712dcfb21baa1c717a648705147a5b45743d1ecdeb8741d415846bb94ab781bb3def5edd34e58046d9f79107eb968c13092338a50
-
Filesize
168KB
MD5fb52519237690af43eb85b90f70ff867
SHA1fafbe8ef6d85367cecca5ad15b8cff880f8ea685
SHA2568fe8f7848547d232328c3d192cffc11d266cd8f8240a44e53dbf069c6ab50689
SHA5125b1aa67456e133979851639a1dac47039f6b474b177ca72c2d5efe0bdd1ae4ffeb7f1040f2fd6864965c8ffe1808caa2cd594e81877063f4b06c64aab5d48000
-
Filesize
168KB
MD5a2b0be95f44b8a4e1ea7513c43ea607a
SHA1307a038a400d2c40c66cc5e3b1d497e774770f26
SHA256fd4f4b23eb1efeb4de5fdcd456ffdbb87f0b3088b62a633a695911b5907c69fc
SHA5124f383bfdc4a2030da6981e730684647d0c1fbd07d453e9a965647c9f157ce38c0978a081ac56c26cbc0328982e49cf99431aff26c1ba2d2a64fdfa1772ffc472
-
Filesize
168KB
MD56710aeb21a07c12ba21f18efddd58234
SHA12931067a7c365155948f9dee7ff95ccf514c9545
SHA25630adbba54d7dbb3913b0b03fc4f24b64d972efef592b5c2ab48b92a337ce7d12
SHA512a6b80e2e07d43f831f5978fd8711b01fee31ac74f9a8aafdcfd814b5a0d73b5cff579baaa650368f18d0df185b0fc9da636ac2c4e69b7941a7eb81575728adf3
-
Filesize
168KB
MD5dc1aad8e8c0052b27a03cc08d7d68e98
SHA1255ec8f27f93a86a093033d56d3d63ee2ded17a0
SHA25670094d2693fb431aa1b78f9c71c199d70fd1f0bd88bc11617d7d039f8d6bf759
SHA512c68103143646af397e00b3a9b6633289753e7fbeb6a168f809028e925db897db0957f38a03d5eb48a7df8b585cc6269059bbeeea2955a4778f1cbc3caa341f95
-
Filesize
168KB
MD51442b6810ef623cbb4b4951dd3317bed
SHA197c402f51c89c04e7056d4c0213e73a70615c2de
SHA256ecac3ce7e22243a80fe199667e25d01fa88b67ed644b36f69551cc62b24f6567
SHA51233f369ac3c7ac2522589f55d06ff7114c8ea4fee2677ad42da971df74cb8b3c41428b9b018541fdf70bb308254e60103c4d3778a2344f79ce0de52608467f720
-
Filesize
168KB
MD51956e2ed73cf84a6ce253c56ce079a21
SHA198b4aafd7fbe6c2190efee4206e8f49ee7c8c802
SHA256445ba1a3434a65d03fe7de4721cc58bcdc72e842cb667d0f6ccd9c0cfda74f41
SHA512e10590a984fd5123bab0bb5babe3c77b238d34c9f6b5c7ed0d43e382ca9bc2c1a2d42f714599762c241226a1a8f647c0166ccf417c1566112ec7688b5a9f5f28