Analysis
-
max time kernel
156s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
28/01/2024, 04:39
General
-
Target
2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe
-
Size
380KB
-
MD5
81e223ac0a3a37ca500c6a921ce4dfdb
-
SHA1
59de425381df3c9149120c021823fb3738a99594
-
SHA256
ef06f2bd5901bc299a92c99d45f7029d84214b8885a816d502085bcb9fac528e
-
SHA512
0aca55c373546eff488f8ed50a4f782365d66c2231455813df1bd01c70598afd4ab4d6d5b75eb2fc057e69301b43a6747f88249df59c793b010d80d6c9b6e2c0
-
SSDEEP
3072:mEGh0o/lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGNl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-28_81e223ac0a3a37ca500c6a921ce4dfdb_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8704363F-31AA-4b4b-BA46-EAC77C779C79}.exeC:\Windows\{8704363F-31AA-4b4b-BA46-EAC77C779C79}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{10DA505E-ECB3-408f-83BD-CE0F9D04A309}.exeC:\Windows\{10DA505E-ECB3-408f-83BD-CE0F9D04A309}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AB8119B6-69D1-491f-BF3F-D288FB3E53F7}.exeC:\Windows\{AB8119B6-69D1-491f-BF3F-D288FB3E53F7}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A89AD98E-D1A6-4dd7-A17A-113E7A160C1D}.exeC:\Windows\{A89AD98E-D1A6-4dd7-A17A-113E7A160C1D}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DA925E15-A046-48ed-9878-2DB3D38C0042}.exeC:\Windows\{DA925E15-A046-48ed-9878-2DB3D38C0042}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9F5380B7-77C9-4826-ABFA-CCCED0D4CD2D}.exeC:\Windows\{9F5380B7-77C9-4826-ABFA-CCCED0D4CD2D}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C6C007EC-D49D-4746-8345-973C7EAAF916}.exeC:\Windows\{C6C007EC-D49D-4746-8345-973C7EAAF916}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FA3FF920-9655-42ae-BB40-7EB3B401DF25}.exeC:\Windows\{FA3FF920-9655-42ae-BB40-7EB3B401DF25}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{78AFB52D-55E1-4253-A97B-52B38DDD0D3A}.exeC:\Windows\{78AFB52D-55E1-4253-A97B-52B38DDD0D3A}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{78AFB~1.EXE > nul11⤵
-
-
C:\Windows\{AE397682-FF51-4fa1-8C00-885531B79498}.exeC:\Windows\{AE397682-FF51-4fa1-8C00-885531B79498}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2B9D9C1B-B03C-40a2-ACDA-6FA645ED304B}.exeC:\Windows\{2B9D9C1B-B03C-40a2-ACDA-6FA645ED304B}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AE397~1.EXE > nul12⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FA3FF~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C6C00~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9F538~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DA925~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A89AD~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AB811~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{10DA5~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{87043~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
380KB
MD5458f6f1a8b251d133d1c20e3b46dc74f
SHA1802f700ad4d3935d66dfc7b5ed88a98259eece2a
SHA256eecfea05bfa68bd09ef163c38a4b926b3f165d4da778ed55411dd30f21f29979
SHA512d85df950a0761aece114c9380141c236079cdadd1f0e1f108d41b75bbc7acc0570e95b322edd8a65cd25ef6abd8807d11b15ebea4143664c53effff19bd6317a
-
Filesize
380KB
MD51626276a450756446f482ef8f15df414
SHA1fc16293c636b43ca2d4667ace4814087d53c8acc
SHA256af634282dbc3d029fe643aee388346c62f3e01e1c75e7b58f7afa2af1726a55e
SHA51203f539a7374b1fc5373158400a12d305504a453a3efc9b7bf84264a85b2c7a5537d3f5028620dc49ccec1c0e0e8b5b49fc3d5ea22ad3555fd3e78d20b609b515
-
Filesize
380KB
MD5e0d0f07399dcd843268dc14b8b23162c
SHA1be1f1eab111a7d9319766b3c6ad1d598997120b5
SHA256aa23f67b4a016e924886060868bf69ec6e80553e56b5824753a86b107acaabc2
SHA512b7531f9fcd4b1120bbc30ecac1a5788ee4e8a2923ee08be3a42211989a3615c0337a1cd6621b958e3a30f69411ce4e2da9b51aca1d76ccc90aced76323035931
-
Filesize
380KB
MD5fd1cf8672dc107936b1f6a630edb99d8
SHA1e94beea64979713f46bb2efeaddaf7eaf1dfa76c
SHA2564c2aa5ced32f67214123e32f996c8b6675338127ea148ef33674adb61f33fcb6
SHA512edc5857679036601c7219fd6e6bc392a61f7a5b97cfa33718264c16bed9bad54b2cafa034f59e1c0ffd275f477e1b14f796e9a2b0adfd4782d5e8965e08bde1a
-
Filesize
380KB
MD563e65a7bf30dded42467e44138c4f48c
SHA11d4b9e7af0fd49b23c7fd7d7c922bcd320539c54
SHA2560951da96f922c165b5bf308a481b8200ea8ba579d69ee70662c89afd66503789
SHA51237f220b97733c31fc1a4a4e212afab4066006963f5f432488ee9f37be92b543778da183eabd41e68e4c34130c20738075279652fd8b15017f4694d953ed186ff
-
Filesize
380KB
MD5da772e48c688ed42d959beaa94ab8b14
SHA1477bd246606cee91f20cb8c3811c78a85ed4a6db
SHA256d89b5a3b455435f39a1c44eac4f735c23257b078430b31a04381ad42dcd19d74
SHA512d813054478131a727526b6d50143adf2cea0216a93f67edb9efa118136cba38bdb5f7cfb99c081ae5737957dba5b4b8658039af0b297cc127a673a00bfa04c76
-
Filesize
380KB
MD51e4a838523608a69c25d487a725059b4
SHA17dea82e456cb5eede3c938bf5137538e4b9f1db7
SHA2560a5f6313f8598f429d8af7eb7996d3887f028965452f5c330f9fcc06ffeebb80
SHA5122541de2173e3d1f7a5d59c564b0ab27ce243e618937bb650cf2d238374fec8c616a1668836059fef09df0758ac76d1ddfd93f835bf63040fe66a01bc992c67b9
-
Filesize
380KB
MD5c34478738904f7226f748ceb89122b81
SHA1ad6b86b3b01c06a6ca5899ea1f5c7fb1c42bfffb
SHA256cb54b375b4dfd57ffecc482a91ef9d07c9f34b26dff81922c183f166020bc90a
SHA51201ddcaaaf0cc37a066b68ec99838e3e77a419b409283bfaa295241dfff39c2a9be8cee76a7a0db7cb236e7304e239fee6620f2a99b16d5c9e85606aa50e29dbc
-
Filesize
380KB
MD5917d9d4906b0680d999a77967eafc73e
SHA15bb18bb54fb29dad41d9cbbbb9fb153060d43176
SHA256034de0662efffd068026c997050f3e44e3f0fd766268cfdf87747d13d3f8ac9f
SHA512c5730e0f9429d133b96a0d158e4a739917696801370f16f22d27725dd4883b4f6fb71f028a078f56fdca31ec500650d0aed2f26381cda97e261e554c865674bb
-
Filesize
380KB
MD5b7af5fe5880306a5a1ba3f4a8f2777c2
SHA1c9aaca7943c7b94d2645d3c0373a248dab9ae9da
SHA2564766ab54cc29166a4dc5608e44a1cb6129b121db06eb7dc1db923e31418c1bc9
SHA51259bc0653d1397fcbc2c612889cd900588b818b08c0782d02b70ee7b9d000a2307d709a2b9ead8e2fa29b3a2b74b0299979e66ad07756e96169f92a0d2a08528a
-
Filesize
380KB
MD548f24714c7f63e220fb53ddd8d0e9413
SHA158c5fd613d410a0f891107ca45b81040d4ce6cdd
SHA256eb008d8455bc5273eb62a70d94dd01bfdc96b0586a400b6d6e0cd3b003cb5f21
SHA5126268e2b10f18a0247f583eda0ec497574d295272011f6483b887f0cc49c404376ab55979c9a813d15905f9644ca2b2bdbbc7f574048ab25e91ecf8973aa23293