Analysis
-
max time kernel
144s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
28-01-2024 11:37
General
-
Target
2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe
-
Size
180KB
-
MD5
c1158a0c88fc7470aee2b977e06527fe
-
SHA1
a69db3a40eaafbb80048d62c0f84f3342c7f15cb
-
SHA256
0083691c16b5f6e1c36f2494d5f02e351e08ba072da48c2d68e5f9bb8d7a4757
-
SHA512
e8aad9a06d5484342a2ca1214bcd00ca8633776953ac44ac44b787e77020d6162ddc8b062edab8284ca06ac65136a7a7a4f248215c2448d69ccb1baf1616a8f2
-
SSDEEP
3072:jEGh0onlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGZl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{00695CF1-FD33-4000-815C-582B86762F66}.exeC:\Windows\{00695CF1-FD33-4000-815C-582B86762F66}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{10A9D594-8AF9-48ea-8A11-8D80573B1C45}.exeC:\Windows\{10A9D594-8AF9-48ea-8A11-8D80573B1C45}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9CD4D24F-1770-416a-9BAE-F70C122E4D78}.exeC:\Windows\{9CD4D24F-1770-416a-9BAE-F70C122E4D78}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9CD4D~1.EXE > nul5⤵
-
-
C:\Windows\{5B4CF3CF-9B24-4bac-A8F4-6C99A5BBC480}.exeC:\Windows\{5B4CF3CF-9B24-4bac-A8F4-6C99A5BBC480}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5B4CF~1.EXE > nul6⤵
-
-
C:\Windows\{627DE3C2-2DF0-4e08-8BA6-C3099CC29067}.exeC:\Windows\{627DE3C2-2DF0-4e08-8BA6-C3099CC29067}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{93CC7447-5965-45e7-B2B2-7B9AAE8DF3F3}.exeC:\Windows\{93CC7447-5965-45e7-B2B2-7B9AAE8DF3F3}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{ACC69C72-8A01-4736-ABC8-A05275333E19}.exeC:\Windows\{ACC69C72-8A01-4736-ABC8-A05275333E19}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1DFFDD7B-986E-4724-BB3B-A2D04A37A3CA}.exeC:\Windows\{1DFFDD7B-986E-4724-BB3B-A2D04A37A3CA}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1DFFD~1.EXE > nul10⤵
-
-
C:\Windows\{B979B5DD-534E-485f-91AD-850D66C6C5E3}.exeC:\Windows\{B979B5DD-534E-485f-91AD-850D66C6C5E3}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B979B~1.EXE > nul11⤵
-
-
C:\Windows\{3383913C-A7DE-46b8-BB9B-DCBF99FF262D}.exeC:\Windows\{3383913C-A7DE-46b8-BB9B-DCBF99FF262D}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{33839~1.EXE > nul12⤵
-
-
C:\Windows\{AE8CAE2E-A53B-4530-852D-2EAE88CE9C78}.exeC:\Windows\{AE8CAE2E-A53B-4530-852D-2EAE88CE9C78}.exe12⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{ACC69~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{93CC7~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{627DE~1.EXE > nul7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{10A9D~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{00695~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD589c9dc4f78e72fc2fab7092602250914
SHA115de10a1b2b8a6a497218a1f26b73a025a944ff9
SHA256797198411b30310a72c8e396bdd09ea477184a6cb68d0104822ad495ff59bbe9
SHA512bd2564cb1627ccfae44980f7c31e5900dc33da5485e46a2888445aaa63c0e4d5dd9aea0b9b8e409cc7d1a4426ef6ac58e851ee0ed4f1b6413ef5eef544609516
-
Filesize
180KB
MD55edc6dcbb337c825485b54e04db5fbe4
SHA1df958f62a71a4304a268d52ee836328f16f523c3
SHA2567571f692ba07e1171e5cc9db4fc17d6cc7dd6b90fd77ae2b074edf0fac8b029a
SHA512c2416153bd356cdc1f34bf0bc4fd93ceec2d1ff4be97d90da1434da7c55e1f77ed1697dd7e22529682eca4c55141a3b9c1aef1758b720390a54e6b53a8aaa77d
-
Filesize
180KB
MD56dc52aa3a4e3ca0fbbdc43a708a005ad
SHA1e74626d0e757fc6f7737603033b15ec46d42186f
SHA25615890cca768e18a9c90733f7c0c344d7f547628fc8f440c70a9b96ae37ed386e
SHA512ad42832d8116a93b3b251c2b73334f8060ed8afc834dd4a63f849a4f600c10dc4766cfee32c1c9b33e8d26a95374dc570130792ea0cdbf09b1bc9b41b6c07e6e
-
Filesize
180KB
MD5b6b4d263d86b77cdcc3281d6452ab0e7
SHA1be8b2fc629d093010bf73ee173b3ab327fe4c5d5
SHA256ad21400857098c5a20f58c4436c4025f9f886a61c13cde205fd7caee55a180d1
SHA512fec63fa96ad560009fed5b8a00cf6ad72528cc8e82e7474d457aa9244eda2873ced5e08148768d552d690aa34a13555598f9fcb95ec39ce58c78b3eb8c38c9fe
-
Filesize
180KB
MD54a46ca93d427525b4b63f1279facbab6
SHA1363f179fdc1d6170871a950352c80e8cb589bdb5
SHA256957c53b745e28db1b85fa4859a707131fc2a8ee519ce1ac71d8288d4e2875f6a
SHA5129a06894874a548705d3947a3ac3119dcda8a6475a7fb826235d2bbd16d1c0addca8fab608dc1e993eda937afd454245234e30e96f35c104003d93fe4df6f9af8
-
Filesize
180KB
MD57928e3bc40e264efe507bbd0724acdce
SHA15e45a5a7c496536c0195f8f2ab4a67bf8702de66
SHA256ad5a8c342270a9c7492aaca0b299c9e4c75011c9193a641c98df7482d5fb69b0
SHA5123d324824d7a004155be8c431772fee8e52a73cdb4907fe160885aea36929cfe095e268a6d78edaeff25ee5e81be96ecdbf9fbc71dd9945e2073c8247b3e5d6b7
-
Filesize
180KB
MD5198506d253180044b8ff7b8423890329
SHA18c34cfcbad009e96b290b4a5f97b490e5e3801dc
SHA256eed94cc72add0d478a449e1c164fef0df5cd32063aca58498bfa44505620fc4c
SHA51285950e750b46e57d431e994951d4d473ccd74a625ca6ca036c6f0b4de3328dc4a83f7563a162a1f42799434566b4018e831040879e95c0e9b25ce87309a6f279
-
Filesize
180KB
MD59d4e228bcd971324f8c3425f2524fc4d
SHA17ef552848cf77f0d693e4e7745ea641b7dd71339
SHA2569985f240086d61fd2bfb77a8c3ef4135e9796be5f5659582510e484d9f97ac72
SHA512c57ad76f58ec389c3142102a6527c16735a343b0c60c4db240918cd7c13c2ae31bf5c011511dd8222ec61e4ae4c1c9d38c462abc62bc3a6bbae74d1628b3e011
-
Filesize
180KB
MD5128924e1cc760f6db579e56bf9fcebaa
SHA1e3e84f81fa47d65b285e413ae9e15fae4bab7152
SHA256c3f72f29eb4a09c06c147e0794718f463ff05e85a7201e4ec38c0f4c614ac84a
SHA5126d47f5184ae234df37b1c3171023cd266533ffd917da9a563b0761aef9e580f3b62f2e54c0b13ba1628244bdec433e1a07e2036fee3a965e06dd57f2179a6776
-
Filesize
180KB
MD5247f5ef3d2f5e4d7d0eaf23145f44498
SHA152bf96009dc9d746acbb10d345135b424270bd61
SHA2565a817a085de89275c92ae1c06a88fb7b1dab17ee3ef13cb4115e90dff8be8344
SHA512b6efa9024f03d892c0df3d0c1c1a77bf177a58bd34ef1ca4bc36da4a76d8509643b93e8ed46f22e5540e67cd22f48cdc60ab1186d8314a31f1ce895522f9dbdb
-
Filesize
180KB
MD5781a66730a42b622b98348ba329916f5
SHA1420de3ddf467491ac969e3e4f85eb2f96b1f05d3
SHA25629fd63816d75f673aab89bb2fc0b4d109a8d23c195995806cdb4cd455a7b46e0
SHA5120ab4637c7f8d5d12bd095541c5784e9bc1a528f62d0be3608c30eaee1c7b914d82927f11165b8ddd4aacb513ec6bbd4b5415e88400cf74efb1255f82b10ca871