Analysis
-
max time kernel
144s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
29/01/2024, 10:33
General
-
Target
2024-01-29_f004ba35380e50242981a5a106dd5bdd_goldeneye.exe
-
Size
180KB
-
MD5
f004ba35380e50242981a5a106dd5bdd
-
SHA1
ac9608f34ec0725e06b96fb097c30fb62596cbff
-
SHA256
d1cb33ed6c3086536f0372e351f4c5d461721f6d1beaf14e88ed67ce1f4f9ab7
-
SHA512
af9f626fdcb8b748dc5bb766c6cee3889fe9e23e285bc96d0a9b1a1697286718a40ed0cb9ad78e81741da350c9f5df7b4157270ecc5714e6a43341444ddfe19c
-
SSDEEP
3072:jEGh0o9lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGHl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-29_f004ba35380e50242981a5a106dd5bdd_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-29_f004ba35380e50242981a5a106dd5bdd_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5E73269A-BFEB-4e6c-AA9C-3DCA9905CA04}.exeC:\Windows\{5E73269A-BFEB-4e6c-AA9C-3DCA9905CA04}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D4C5EE33-0919-424b-9177-08176568619F}.exeC:\Windows\{D4C5EE33-0919-424b-9177-08176568619F}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{62F7A483-14E0-4604-8CE8-2B3C6CC761EB}.exeC:\Windows\{62F7A483-14E0-4604-8CE8-2B3C6CC761EB}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E85FF7FD-7754-4bbe-BF11-33C8259C91B0}.exeC:\Windows\{E85FF7FD-7754-4bbe-BF11-33C8259C91B0}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FF7E4ABB-4DAF-49b9-AE3F-BF67E0EF8F01}.exeC:\Windows\{FF7E4ABB-4DAF-49b9-AE3F-BF67E0EF8F01}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{95D83D75-C258-4e67-B26F-26BA8E3C2EAA}.exeC:\Windows\{95D83D75-C258-4e67-B26F-26BA8E3C2EAA}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F97F24AA-CE37-43dc-9ABC-8B96B6CC3721}.exeC:\Windows\{F97F24AA-CE37-43dc-9ABC-8B96B6CC3721}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4F9CBB20-95BA-4bb2-AA82-14522DE6A422}.exeC:\Windows\{4F9CBB20-95BA-4bb2-AA82-14522DE6A422}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{7B83BA4F-E616-48a1-9DDB-1A459B9AFAD6}.exeC:\Windows\{7B83BA4F-E616-48a1-9DDB-1A459B9AFAD6}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{CA1242CD-915D-4842-92D7-C08906651B0D}.exeC:\Windows\{CA1242CD-915D-4842-92D7-C08906651B0D}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{BA553517-6B9D-4abb-BF18-F442D84798F4}.exeC:\Windows\{BA553517-6B9D-4abb-BF18-F442D84798F4}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CA124~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7B83B~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4F9CB~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F97F2~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{95D83~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FF7E4~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E85FF~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{62F7A~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D4C5E~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5E732~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD501477c0d1d81f3cc453fd248f509e007
SHA1113577dd64d33bae2e9343d27b5a55169b801dd5
SHA256efc31c40b6d05218538aa47c6043a93ca7be9067dadc23114161fe9119c5828a
SHA5126462efb71d67259cc4a48dec25596696793774e0c850775f5470c2e39d06fb20397660899c9566d9bd66e42b9171d5e9980c66f6a704419cfe6d4c077e6e373b
-
Filesize
180KB
MD5ffaf9d46c4710424ad504f92086f5f8a
SHA1e93f8457ba9ccfa0712f52e0740f577ee4d866a3
SHA256cf6ce03a50294322dc2e21d83b93d43605e9367fbb4a04eece5f846c026c7f63
SHA512b8e6adae75f651884e31c43f21a1da84744b981dd805ac4ef418b9d74c322effec27d7d30d8c273397bcb9bc04cbb2d9e86f491b748359742156fac9e84da55d
-
Filesize
15KB
MD599e43ab3933497bf63804733791c9c39
SHA14ed016cf95e30a2a99bc4652332257acb8c021af
SHA256b740e7a2ecbb37a217294071ef81fa55123e9deea7843ec230e62d180c7ca453
SHA512e5b9d02fa42ad9d154fbdfd380ca66a39bf6205582da0a6abd8d17e9817cbb539aba8002020a2af44df4c0372822a195fcb201d604d78cbb9c9766e79177c3d4
-
Filesize
180KB
MD57110e1f00035fade90abedb3455c670c
SHA1b57db95f440278f5849af020e162ff859eceea86
SHA256759adb0338caecc20b6b34a97dc85d0e981bf0c87fe868a6f38a8ccfc262a148
SHA512824e564fc532e0972e693d522b57e1f8218c9250e4bfdd0418e88f4a3cb423dc094acc1f92397b1400d62f1b10eb55154993e1a02b3c86e1c881a6c74f672fc1
-
Filesize
180KB
MD5eae5d759048f6edfb8365c58b95eced8
SHA130c9dd28b092495cd1ed7f5b227abb78cfb469c2
SHA2561c89bf5074a8b1940850eb4c75ac86fd48d680dc55573474cfb284248bed0cfa
SHA512d921f641ce16577d430fec3c20d277563145933ca670b3ad32548cca8a440741fa1514ef4bf5fc2a32e4040640ee1024c9ed63ad8e6be8e9a05a4beca421c8e4
-
Filesize
180KB
MD552fd5cb35349dc5ca5e17e2ce9278809
SHA1f69040f034c6537d049aed74de1405a4ccf28cca
SHA2564671c964f6437fb23c836fa911645bf9195c6727c96d2d3c77f3bab18662d767
SHA512c556218e9b7c30c430524ed85755f18f1c9ac24287e39b66c0fa10664ebcdbdf585800d09626748f3731e027c6aefab45f99055e2beb046addc1d574c3e0a6dd
-
Filesize
180KB
MD5b93ebee9da647b8fa11196e372a79108
SHA1e472b06349b63d3e37a06faf4bf1ce72296e2f19
SHA25644a1d9259eefa1be44d43eec8ee9e8771f334b2d33a15d351c0b4cd4a50d16c1
SHA5122d19ceadc5d655b99b5f6c61265aa133dd62a95ba1c247ce204c8638ff802fa7ba66d655ebbfc2ca7714198ba0b5b4e7eeac664f200e1c80ad36d40c24ae695f
-
Filesize
180KB
MD54ff62d273e664de6771df904e2101d6e
SHA16c3c081c7871b536ab8c587b43a029183405a398
SHA2560dff2b31e22d4a6ab823985f3cf2aea2c87d46a0a89cb4cc4cd172a356dbfc37
SHA5122adac58633b2b8efcfaacbfdb2d8d46cc83b7abe5916b7c9e4b7e8cb80d6bfe2e7f4f7d5fcf4c668a2054c1a6115d64812ae2c37efb524cf1b448860bc1de2aa
-
Filesize
180KB
MD5a1aabefeb196f50f784d26c0b31ec745
SHA1c2495122df2cdb426c6eb1a51b6cba0fe4b6530d
SHA25687b56def43c88f24593820773a23a7ff0046983b5eff13cd7dd781b20c6fabba
SHA51273396491876047e2e42bdfa2cb0849dc2458044e2ffdf08f300195ef63d40508cfd5564cb7686bda10a2585bdefe32746368282b77edb7af494cffb303c77398
-
Filesize
180KB
MD5f09c87716d3b716853f328faff6d85af
SHA1fa9f858c6290c65fe774be6b7c4dd8976dddb25a
SHA256dce7e5a4c1fffbbee5e5da4e36784ce70c8ca15477a5f443277735ba5ca4479d
SHA5125124a1a857efb18d9ba6c108991ad71343f759b2879c2161c9c75104690d69ff22e14c2ba2ac72ec6bbb4355278e121751353cb4bba410268dcffb7cfb102b18
-
Filesize
180KB
MD55b03c3cec4c69478f8388ec44d59dc3d
SHA1fe340127e1ee5d3d454a1274375285c19b5d5e71
SHA2565f93e3fffc45e56d60969d2f07f1b931649c3c6225915497603d87c05b419f69
SHA51275946fdda08f038b8f4ff5918e6267c43495546dd827747de2bd6abb0dfd40d16e441c91ef4b3ba413a8512c65f2b7078ff985d5f0d4155a7310bb273df75dd7
-
Filesize
180KB
MD52a7539993f32344f72c2ac904892352a
SHA169d11cf31725fe10eb844c5d7e2b26c36f9468a4
SHA256d831e0e3ea7cca1a16ad0a8f9bbed8777b9c829446523b6db31177717028e4c5
SHA5122b660ae869b5c10ac260fca475d6179031d14e17cb85ec3991bc20ed3e7fd16fa2160f5b4941cd2caf2d82abd97d726a3e7290ec20832fbb31fea0cc3686d5b9