Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
29-01-2024 01:08
General
-
Target
2024-01-29_ff635b4ac83f10132b3a9dfe98d9f983_goldeneye.exe
-
Size
408KB
-
MD5
ff635b4ac83f10132b3a9dfe98d9f983
-
SHA1
874be00839258faf4154537274a123fe5549bddb
-
SHA256
1163dc9075723431154ddec8c25ca3b2b6560764a714208e9e687d798c4fca15
-
SHA512
34a3ddd6e81c3af98472ad32e4d4a121f9a7c758e69ae02813bbae2589ec62130e501ce4640954670b7953ef37c63e2533c1c1fa07020d7d90bd59e19f9df7d1
-
SSDEEP
3072:CEGh0oXl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-29_ff635b4ac83f10132b3a9dfe98d9f983_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-29_ff635b4ac83f10132b3a9dfe98d9f983_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E7D30C94-FCA6-4007-A423-B5A7AAA23065}.exeC:\Windows\{E7D30C94-FCA6-4007-A423-B5A7AAA23065}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3FB0450E-8122-4f3c-A51E-1CADF3AD3AB4}.exeC:\Windows\{3FB0450E-8122-4f3c-A51E-1CADF3AD3AB4}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3FB04~1.EXE > nul4⤵
-
-
C:\Windows\{700F5340-A8C5-4852-9EF1-2ADA96088C3F}.exeC:\Windows\{700F5340-A8C5-4852-9EF1-2ADA96088C3F}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{700F5~1.EXE > nul5⤵
-
-
C:\Windows\{53DB49F5-194B-46f7-8B5A-CA80C250F1B8}.exeC:\Windows\{53DB49F5-194B-46f7-8B5A-CA80C250F1B8}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{53DB4~1.EXE > nul6⤵
-
-
C:\Windows\{597F3D81-2747-455a-AB4B-85C33C3B6C5B}.exeC:\Windows\{597F3D81-2747-455a-AB4B-85C33C3B6C5B}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{ED31EF78-C6A2-4efa-9198-6D5EBE18BF11}.exeC:\Windows\{ED31EF78-C6A2-4efa-9198-6D5EBE18BF11}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{ED31E~1.EXE > nul8⤵
-
-
C:\Windows\{E29721A0-5014-45cc-9FFB-FEEA2BDC9907}.exeC:\Windows\{E29721A0-5014-45cc-9FFB-FEEA2BDC9907}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C9AA5D7E-8BC9-4fdc-9545-38F7FCE5D6EA}.exeC:\Windows\{C9AA5D7E-8BC9-4fdc-9545-38F7FCE5D6EA}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{7E9A190C-B0B4-4f37-A030-C54C0B45ED0A}.exeC:\Windows\{7E9A190C-B0B4-4f37-A030-C54C0B45ED0A}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{75C3AC5B-FE65-4edf-9738-F090E2BC1A95}.exeC:\Windows\{75C3AC5B-FE65-4edf-9738-F090E2BC1A95}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{89B58D0B-62E8-4958-B6B5-8CB5F7F4A66A}.exeC:\Windows\{89B58D0B-62E8-4958-B6B5-8CB5F7F4A66A}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{75C3A~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7E9A1~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C9AA5~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E2972~1.EXE > nul9⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{597F3~1.EXE > nul7⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E7D30~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD5808b2e489ee091e825dc0dfc10d45fea
SHA1a0f17f7d0f17a4888717e3c29e3fb5eb98dd8187
SHA256216dec929a5755c7cb0da997e167f6098a4a6e84abaeddca8dbe13092359cf53
SHA51264328637ee16083edaf4f26dd362dc76a1a9d6e6d712582d39568648cb6895fd2e2e3b8087e463cfdfcb5412b880099693bf4e4498a29c7ab268113fee035eee
-
Filesize
408KB
MD56919506be18c1a27fa54f8d6542d3a05
SHA1bf1fa0152c2c1916fd039f7204c506419b3e789c
SHA2569e6d4068dca5b944d943701587238418b3b0a0e3a71fcbad0eb2fa1f930b7385
SHA5122c43458974d922bdbfeec09540b2e784c2db60970f4d224050d86b68ab26995db7ab13698597e1735e344589daeb1bf482b72f21c5fe225c25578308aa233866
-
Filesize
408KB
MD531a4ec3d3b6fdd007aa9429def456f46
SHA167d74251bcbeea80d15fa196c8c3181ed41b4185
SHA256c12ed2742344d88081ec1099efae87ef4b7b671e7163dc48c062a22146468f6a
SHA5129651de4a4021249ebeb466a2b3d63dc5caa046ce2281f48a707ac699305644faab7ca3dee88d3ef084e3407018888df9da8b970fb9fbd5579f59b66e753e177e
-
Filesize
408KB
MD5e462879a23e9a6785d23ffd33d5f0e02
SHA1f9c8281301e2921c4df8b66fdd2f708f0c387723
SHA256758063182c15880f4563d37511d26febfa09f3563e4388d5e275950e3a28a50d
SHA512bb8682c8ebe47e1252a1792e469d905d17be8e0d5292bbd6f908bfce38b1888b02db4e721686f1522f9f647cba747f358e39e8a17d40fe8e3af8f02bc28de38f
-
Filesize
408KB
MD51bdf25a6ab3aa0b0b8d15a9b3cbc437e
SHA121009540d2ec174923f4e2246b617eb7114c7220
SHA256364e55c550eb7a6fc618a09c5ab1e1fe2e4d88ef91c9f6a20e468946453a8d11
SHA51238076d7fa8dc7b7b7bef1e8331f7295fdea1e29011a7817756835fb933bb454ab09c2a9f56a350bc8b33f50d6a19f8543347b0569e971c80477ab4390bb87e67
-
Filesize
408KB
MD57d36d762689f7e89f6fe64ab7bebd761
SHA16396b02b5d7b0185ee6b5b2383284a8b3bb1664e
SHA25662b8fcdd96d837ab4c371812d99d4399aa2eb89e0de6ec370cdf724ab21465ac
SHA512a361a76c76fdc3a898aaf4a750ae8902a94251d913c9585426b75d10d159ff4e60f19c75be39f0be827b9cae0db4f161b355a985bfadcbfd17c92efb26ba9cd7
-
Filesize
408KB
MD50851ceba2f10871eea3e00e73c3b7629
SHA1f0afa50aac20e7774d36e52c1873e2dc7c511b32
SHA2560c85e0d2defa95b8a41f50bedb1e7182ed8bb033b11350fe7759b9f81329a5d5
SHA51274e2f0aff658ffb84d650b2b5da94625f24fa73504931269382b4d7db7e026a7f4493571ad9e302d71a9db2c3708131655b0a9ff1e2a80f8b90459b507f42706
-
Filesize
408KB
MD5a376963d972854acb7f83823331d90fc
SHA1e036fb2ad5ac018ced8f417a41c4c71e18d0a43a
SHA2568cf024da72913fc4f10f0295d4f1909837b340de7907175345454ce4d0f56820
SHA51280738fd5ab505bef4cab47aebd2e029c87700e448d06ffe10afbe7aac99ef62780722c176644d8093b50215a074aeee6988baed0f2c3d876ce5ed96718b180e4
-
Filesize
408KB
MD5749c9bfc7cce3e5fbce8ac8f451a43a2
SHA130b54372c33d212f5be9b43c0b9e43b2b57f972b
SHA2562ddea71240454400298746bc3372276f0bf65656a40b7db0ceeac7915939ca59
SHA512708416cf9a47309d0c79c1bff6ff98f76d430e628384ad8ca74af39adb9e7c11a368c7ece0a40ccaa3b6180727be20adaf7f7e7c134de536d929d2b76e602353
-
Filesize
408KB
MD513dbc37104b8fda2e3bca6ed8ef10df0
SHA13e8828cf154af92d18a4d88b5c55dcc681ea0f3a
SHA2567580aca72d2821513613cf4b9e3ce5fd47b8ee4c62c145655547e48362de0cb2
SHA512f069e975cdb20f9b525e80ad6766d87fdf9a3e1c870f80ef8b6f2f2d3a09577e513494efe45d40cc41d4e0cbf2ad10b29ffe1874d3160520ac6b87af58b078a8
-
Filesize
408KB
MD5d88778e9b53c8f498dc382f17ff36367
SHA161b248d8cfdeb56f1d2483807cfc404c9aab1ca8
SHA25680f9520d0953a1a7a0efd4e70bd1b2cd442f63b9e2e1f7a661398efb13faaaed
SHA51227daca9453beb633c1300105df1de92c51fb93a489b32e8446d679d85b312737e8f780cbc33d050f240eb103dfd182c039e2920200caeadc41acd2ef4a991f46