Analysis
-
max time kernel
182s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
02-02-2024 02:43
General
-
Target
2024-02-02_f1e60aa596eb60939085f33ae13e3120_goldeneye.exe
-
Size
372KB
-
MD5
f1e60aa596eb60939085f33ae13e3120
-
SHA1
aad82b114d279da0f0192ba71aaf1be9a3bf9d1e
-
SHA256
b5329c84ca73b52df9c4a7310625c6d6455865d9b6a97f462bc946a52c48ef64
-
SHA512
eb52302a68c72fb2dc79f08ba2fa834b5e522b92503089cedcdc54e87290a929a24dbb33a8df28586bac69c1032aeadc3a4c4a92bda2f9b496a422189ccf00d4
-
SSDEEP
3072:CEGh0oXmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGcl/Oe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-02_f1e60aa596eb60939085f33ae13e3120_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-02_f1e60aa596eb60939085f33ae13e3120_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D19BF45D-6646-411b-9872-74AEC7088A95}.exeC:\Windows\{D19BF45D-6646-411b-9872-74AEC7088A95}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AD8BF44A-78BB-4379-9CD9-781524F05F7F}.exeC:\Windows\{AD8BF44A-78BB-4379-9CD9-781524F05F7F}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0761CD79-8945-4d79-BFCC-879871E950F5}.exeC:\Windows\{0761CD79-8945-4d79-BFCC-879871E950F5}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3A98672B-84A8-479e-9E3D-D3466C2B3C8F}.exeC:\Windows\{3A98672B-84A8-479e-9E3D-D3466C2B3C8F}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{04883CAC-B802-4f7c-B512-7EB8112456E1}.exeC:\Windows\{04883CAC-B802-4f7c-B512-7EB8112456E1}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1E2B5120-074D-4263-8F98-C6078DE88082}.exeC:\Windows\{1E2B5120-074D-4263-8F98-C6078DE88082}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{17544D4E-BDA4-480f-B4D7-2FE8539D5AA9}.exeC:\Windows\{17544D4E-BDA4-480f-B4D7-2FE8539D5AA9}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D31F004E-5166-4b92-91D4-0A94FA00ACBF}.exeC:\Windows\{D31F004E-5166-4b92-91D4-0A94FA00ACBF}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{4149D5EE-77AE-4478-B427-C952C54F03CC}.exeC:\Windows\{4149D5EE-77AE-4478-B427-C952C54F03CC}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{71437C66-A93C-40b9-9312-0EE7FFAFE1FE}.exeC:\Windows\{71437C66-A93C-40b9-9312-0EE7FFAFE1FE}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{66AF00CC-9801-4bd5-A026-675B794A582B}.exeC:\Windows\{66AF00CC-9801-4bd5-A026-675B794A582B}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{71437~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4149D~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D31F0~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{17544~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1E2B5~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{04883~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3A986~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0761C~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AD8BF~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D19BF~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD56083ac50b915238a076569bfff48cdc2
SHA1df36703cfda901dadc2b0fa478cb263959989fba
SHA2568900da06b20c42464b3dd51c4025f5a476964f5adb0790f32f063bede3ba67aa
SHA5129a4e5167664805983e29dd92459471efd12b48c946d82e1f8f60fd3cf572bfaf8cca9074d12b2d95ae1a673e872d84de59ce801fa38a011a96686c374160a3d8
-
Filesize
372KB
MD57a2bbbf25b9f5493ccc498b2bfebe5b7
SHA197123ca04655caddf720d8efd096ca0656d28dbe
SHA256991f5e58ae80cd94fcd2be322c577129b12624cc85ba094edd908a30d0a99795
SHA512579970ce7d8d494e38528f3d2c31f6fb187d204a8334986c3aabf7dda1643f5f3349a7643d6a8e9ecc76865b58cdb32f3a65a3c7faf791fafcac549d73a2dde8
-
Filesize
372KB
MD58a5d1260840923456adbb724e7a1f5a5
SHA1f6fe2b1b4e9bbc3c8c155f442946eb89a49aa9bc
SHA2561de18062ff9cef6442de1771265bf82c8ffa2ffa3d5d58e973a86132d41353af
SHA51280f25f7e3802a8b36003eeba6ea1d03311f20824944d8b0d2a2f29eddeccee5a0e60fac1e40f9e4afdbc1b06a4a9d3b0224467adf0b4fd663d720f8a0581acae
-
Filesize
372KB
MD50f9d4e8b495d4b535575fff4130ac5d2
SHA1d7b9da51eb694664221d5aebb356d2cc6995edc8
SHA256f00ac320e9dc90e342e17b80bc3fe78bdb25f2821cf3c9137554df977256eca7
SHA5126a97da23069a14f1606cfc8f5f10ad12ee1d03e6ecada0884a92639a4ace22069c64540736250c90096ae1d99ee82509f80055147c4cfd4dd2d8a4b919903106
-
Filesize
372KB
MD5278e17851d3617fe02417abb0d5ab463
SHA1ed808fb523e4b1274d7d63163470a173d07a5828
SHA256453264834b122c1cbb8d446b4db530dfda4adb208e1269524c0d53599be28d23
SHA512b0ae12bacf9903c382c6074273f8b5678bd29fb7f1400bdf8739baf7b061e1849cb5311f2f42070ac6b6847c1974c2fd0c0a55cebc1b814c750622e06616cd41
-
Filesize
372KB
MD5340b870ace5bba8f720d994a570ff908
SHA1e8d5c7a4528163baa540d1b8298e06cd97296148
SHA256ff7de7bfae44915b46a5aa18a18f5512140b7dd96205bc89470fb1c7f00a4b87
SHA512565378240eec5a4bd39380b8a0ea377d4e6c870879799567bac5bfadebe8f271cd41152b8d0d44321c780eca23434cd5f444e1da79519a7a77dcfc17190d0b87
-
Filesize
372KB
MD575cd77c527e8010170151e6f0cd754a8
SHA1f7afa1ad4c297ba859c893e2c02463cf86fd2d74
SHA256dae8367872e2bd5ffd7252a5a6da2cafb08a43cf2e274c909817337033473e25
SHA512c265cc3cb3517001faee4621c17a7285bbabec41f25d4e8a893ee8eb84a615bccf7e9ef284ee792408c5eefdfee196b9ef3f59dca89160e607dc042a1701bbc3
-
Filesize
372KB
MD585e5107e3bd105f374c891200a4c71b4
SHA124a318a914cf139b5be71be205f21f04f54cdbd1
SHA25684d520772ce20686af38a8064291e7b4c66034c36443fa75d1ccbd03d33c2349
SHA5127b716c8fd9ee9f2405d87db0f184d36143e963a4bb3f6a2c8a6b3b5ba7bd0c06b9f5ff76a583128fdd7fa6927cb7eb275b7286511047d6937993c18d9fc070b0
-
Filesize
372KB
MD5c3d4a310a4ff944f197f8ff652630126
SHA1d826aa8c5f759141bd8f8a742719fdc0a48d1985
SHA256a09a07923a664bd21a7f4a8271b6a14755f32c29e37aa2b21c03d50cffd5251b
SHA512d77d28a00b0178f2f85c077c7fa5ad556ba8972cdd1a0f0c7ad53b018deed508ad6256e97ee5a91406569923b143df3f9007ea04efb48cc904ce63a315e1b419
-
Filesize
372KB
MD5cb2b3ef6221b1e4bdcf1449f0adadd8e
SHA1b822fe02145b170831031e41bc8f73b654ed6064
SHA256c148f55df4eab47526551f99978bafe93198ddfa5303d7d0025fec5c88348581
SHA512f4b8ca889f5ae7fe20fafa42ceb837e418b6f34bb2e48fb7a22257b57aba8602b4119fb8e222d51cf2d44a951c1ca257c2099a7329832a97e76c761f2c2bb1e2
-
Filesize
372KB
MD5464ebed981ce1610a92295abba9dfe03
SHA1ebe9a0b01adff999efa6c4e89b2d453cb40e4abe
SHA25631a68714f6023c765b013ee3276aa301fc6b56139c72d5b42aa8317ceefeaed2
SHA5127153a803a7c9822525f2e613f0f9bfe01ee4151d574bb3187cf6cdef75c32f20b70e19ec9c03a3b751470470354dfde854134bf3c7f44995a9fd8b752e510629