Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
29/01/2024, 10:33
General
-
Target
2024-01-29_f004ba35380e50242981a5a106dd5bdd_goldeneye.exe
-
Size
180KB
-
MD5
f004ba35380e50242981a5a106dd5bdd
-
SHA1
ac9608f34ec0725e06b96fb097c30fb62596cbff
-
SHA256
d1cb33ed6c3086536f0372e351f4c5d461721f6d1beaf14e88ed67ce1f4f9ab7
-
SHA512
af9f626fdcb8b748dc5bb766c6cee3889fe9e23e285bc96d0a9b1a1697286718a40ed0cb9ad78e81741da350c9f5df7b4157270ecc5714e6a43341444ddfe19c
-
SSDEEP
3072:jEGh0o9lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGHl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-29_f004ba35380e50242981a5a106dd5bdd_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-29_f004ba35380e50242981a5a106dd5bdd_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
-
C:\Windows\{9EC8A020-E129-4e45-A947-726B6FE7FB4A}.exeC:\Windows\{9EC8A020-E129-4e45-A947-726B6FE7FB4A}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{76496333-751B-43a4-9453-D842E70135D4}.exeC:\Windows\{76496333-751B-43a4-9453-D842E70135D4}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{76496~1.EXE > nul4⤵
-
-
C:\Windows\{EA158564-A49B-4770-B676-E8CD50A8A03A}.exeC:\Windows\{EA158564-A49B-4770-B676-E8CD50A8A03A}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6C74B375-8F3A-4a04-8A9A-84ABB35356C4}.exeC:\Windows\{6C74B375-8F3A-4a04-8A9A-84ABB35356C4}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{56E25A67-13FD-4874-B9AB-808846FAD2E9}.exeC:\Windows\{56E25A67-13FD-4874-B9AB-808846FAD2E9}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1441A3C0-09E4-40b6-B0AF-FACC8A4557C8}.exeC:\Windows\{1441A3C0-09E4-40b6-B0AF-FACC8A4557C8}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{146A31F1-FFE2-43cc-AA6E-DB1BD39482CD}.exeC:\Windows\{146A31F1-FFE2-43cc-AA6E-DB1BD39482CD}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9910834F-51A8-42be-9442-F85F5F164437}.exeC:\Windows\{9910834F-51A8-42be-9442-F85F5F164437}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3BF2FDF4-C512-4740-A7A7-BCAE7776250E}.exeC:\Windows\{3BF2FDF4-C512-4740-A7A7-BCAE7776250E}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{61B9230F-F114-4555-9AE9-5F2326F1B60E}.exeC:\Windows\{61B9230F-F114-4555-9AE9-5F2326F1B60E}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D1E7561B-2CFA-47ff-8B20-2F8D4DE35D80}.exeC:\Windows\{D1E7561B-2CFA-47ff-8B20-2F8D4DE35D80}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{51E61F2F-426F-46ff-8B09-903ED38CE48D}.exeC:\Windows\{51E61F2F-426F-46ff-8B09-903ED38CE48D}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D1E75~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{61B92~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3BF2F~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{99108~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{146A3~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1441A~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{56E25~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6C74B~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EA158~1.EXE > nul5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9EC8A~1.EXE > nul3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD59fa559720c976d1249d405f0587fff50
SHA1cdf581136daa29a7f8b69772b5288e5e53ae5ea3
SHA256102460aaeda88e6caeba463f8ebb3be5a269920faa83c38dc4128a70e10628eb
SHA5124ac26a2a5392b4645f79ae4834df900110857783476e7053587ecba8ccdf2bf72ba737b5b9f6795d583381aaa57a2a114c15c4145956ba99d0768ff7a3eab321
-
Filesize
180KB
MD5eb2699b006356995c8add30125955a7d
SHA147a4bae991f330b8fab9c4cb2b03704ac8fb8c98
SHA256187728eeab8b8d7a21afb134359d69988e07c4d441bd7e30183e2a8d4dff4bf9
SHA512b4ea45ccffb46c899c61a80ead61f121eb5d3e03792e6be9b91293cfa857ab195c1c08b57d907d94d0cd4f685f11625cbb33b728c41185fa7c9b4ad40470d883
-
Filesize
180KB
MD523b5ebe1e07ba53a095a66f953f35a15
SHA10fb15cbfa0e1c13452b3c287bdd3aaa7787f92aa
SHA256d09fe71cf3bd419379c066bb26c306d0ee99afd8650d153e7651a4b1938ace25
SHA512bfc84a526fafa6aaa23ac8145c81a51f283334823ef1c7c14615b779e506cdae035fb9a96875176efed25cdd0bc2e3b766ad8c082339853b8ad738dd8f8ef576
-
Filesize
180KB
MD5606256022650b29ea59ace4776cbe899
SHA18b86f07a553b05d29a2301bc8e4e11e277d53d78
SHA2567d08530bc0915a9c670efb2d6948ff34c782e77944f8be35bae8dcd380a5e98d
SHA5126c051819dd63caa459b0a3dbc9c3e5c20f3e0bfcdadd3a3928303941b1445f02660bf3bcd91f4e92b142baa22ccbb0e3d9cb26d03f9181fd34eab890d613d8ab
-
Filesize
180KB
MD5f63c4e9207f99521c4e2ad881afe2bda
SHA1fe595b0eb43262850fa2c7755f4f6f42640838ca
SHA2561c421c8abc5b8c42327e00272cc6a9b5607b6118a2e742786aa9d3ef0468ab3d
SHA51233a9b79c512d93601ca8eaba3327218edcc99b2c0647f106a40b3e089e598ee5f108c3479894ef3dc901fb5c0e633b0fa495f0b628f94cb80721ead65d0107b9
-
Filesize
180KB
MD5faf38411853f5594fb9d11982e08c4bd
SHA1009a8824a0794a3a5509fdf1a93196f5a5b21d4b
SHA256090164923b64c7de4cdb279277ae36cd55b8c56bf8316815b5c34bcbfc99da15
SHA51245fd0a1c3fb74161da543ff138df89a03c3dfd581183b701f0014395c7edbb9416904fc7398ad624a1bdefe64e05be0a49b799d73776789866b5b902218333d1
-
Filesize
180KB
MD51aad250e43ca9238178cb7678a1df4a4
SHA19aafc1cb0b6bc6abe4aa263960422b5237202f7e
SHA2560dd9d29debeb955595bd81c951c6d6d4426869d32163fad21e68f1e3be1fd35e
SHA512b896771e762df65262e072eb2b0fe3832d365a476f3e4f41476580ffa7ff730d675a07662ecfbabc8006ddbc0b5d36ec87c26002deb7cc8baa2611a2b8ad75c2
-
Filesize
180KB
MD59396e6a6a4a0973a42521ebe6f5b3895
SHA10c671484a44f73662ccf5c4baff6d46db58ab2e7
SHA25601026dd3460bdd5631f9eedd04ad15b80daa034b08ebc8ad9efbfb1922dce55a
SHA512151259224db72a2fa09037d0c096da2282839e03075a240878f8f3fb9ac7fba7d7828193c29dba45d38ea10d465210179dc29b8cf94537ec013dac4ad9cb6410
-
Filesize
180KB
MD527af6573ff8735fcc66cd10f7a898cd0
SHA1c0fb4bf7900e8abfd50f0b654dd6293ddbb47011
SHA2560e9b14fe115ba928b24d8a57d64a694a176dda5585e39abc2abd71ce6b274b67
SHA512f6bf19ccdb4d4060336f8c546f142cca38cd8ea4e51709bcb7b42cbdd144e35a018499d5f2efe3425928355420f56842a3f5d6260b9d27672a94098a38427f54
-
Filesize
180KB
MD549ba31d0eea4f749e9c15aaff65c9ed3
SHA1c7dad32cc4e75befdbe191db4fb9f4300bd857cc
SHA256e0956f8b0e9390cf5ba3b99dab360bd23a3e808c63cc1b101f7cc141fcf75bf3
SHA512a93cbb949cb592e29734e1451cafa1b9509271c3afe79730111b2b928468ad7a90f7a4ed90daaba5d6f2582b0a60adf7fb29cbb3dff0d7a5003b3e8583c9f2cc
-
Filesize
180KB
MD5e4f45356f884b8599b95ac96665962bb
SHA1c422cff54f43274df5cd5e6ebad35c66cd0f2f78
SHA256bbb104e71e81765ece7f4ff7074ccf970d1cffb236297b9fab8b4c23d66146f0
SHA5129f08100a02bafe752860185f8fec951b36d246fb9b060e229db775d4755f83c81663041e723e60fc9908f6e0b7e032506e9b56f95a74fcde93ac96d5d471974d
-
Filesize
180KB
MD5f46e482d48df4e992db809c09a0c9487
SHA18c7213504978bf577f31ba4210b3f4f946c593bd
SHA2568c1e361f5593eb3275e648dc92b9bac5dbdf92311154c931082aa8f200bc6834
SHA5120e1e0fc5518353b635f355bd7da3d71f5eb7733e956fe50f1a3fbbda03e7598c7e3651d2fa9e4863d363450011df34bd038f1911705b493e1ce18a96a333469d