Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
03/02/2024, 17:34
General
-
Target
2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe
-
Size
408KB
-
MD5
dfec5c61fec25e91dde9819d0af1839f
-
SHA1
643ec0651aa1f5c8588f83bff744653c5fbffc1c
-
SHA256
d822d4fb710e0200400d1da87c06f450573f36cf5b81afd28fd9e327e58c39c5
-
SHA512
44afd58e3324e78167bb67091e13abfc48a71d3d5569e5898e4bb8401a38f47fc62566a2c26a7cc45077bcb80ee23260eac23a951ab38813d03a88a5fc0e5d7a
-
SSDEEP
3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGUldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BA3C6E45-F07E-4555-868B-A3B33D3384E1}.exeC:\Windows\{BA3C6E45-F07E-4555-868B-A3B33D3384E1}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0740BBD8-55B6-4f2f-9A67-29CB846A0F8E}.exeC:\Windows\{0740BBD8-55B6-4f2f-9A67-29CB846A0F8E}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9D0F03DE-65B7-4099-AC52-32E17ECBBE00}.exeC:\Windows\{9D0F03DE-65B7-4099-AC52-32E17ECBBE00}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7BDC4DFF-0BC5-4a6e-97A4-62ECC4D442EF}.exeC:\Windows\{7BDC4DFF-0BC5-4a6e-97A4-62ECC4D442EF}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FA0102D0-82EA-4366-AB36-DBAB66683C6D}.exeC:\Windows\{FA0102D0-82EA-4366-AB36-DBAB66683C6D}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1936F2B3-3D0B-4956-A393-4983E36546C7}.exeC:\Windows\{1936F2B3-3D0B-4956-A393-4983E36546C7}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3A85C4E8-8A92-404b-8F51-977299776611}.exeC:\Windows\{3A85C4E8-8A92-404b-8F51-977299776611}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D0446C4F-770F-40fc-BCEA-516E25C0B7FD}.exeC:\Windows\{D0446C4F-770F-40fc-BCEA-516E25C0B7FD}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{CC9E6BEC-D81C-4e47-AC6E-C26981B0938B}.exeC:\Windows\{CC9E6BEC-D81C-4e47-AC6E-C26981B0938B}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{475292A7-CE02-49a7-B95A-6C702A0EDC7F}.exeC:\Windows\{475292A7-CE02-49a7-B95A-6C702A0EDC7F}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{AA7B544E-218E-4a95-B590-5D3D89E2B100}.exeC:\Windows\{AA7B544E-218E-4a95-B590-5D3D89E2B100}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{47529~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CC9E6~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D0446~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3A85C~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1936F~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FA010~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7BDC4~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9D0F0~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0740B~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BA3C6~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD529d8c78f451fb3a950c00ff6ff89b88e
SHA1835e9f0519630f024047b3bf93eac678a2135eaa
SHA256156f96cb308cd79791b77e837770dc7131ae63b499b0bc7d54c63b12b996aa8c
SHA5128ac8a99292e1c1b329a29d2b21285556debc5d1dc0bb89b1a46bf187d5d00cf2ec5f9662f79f8f191deb6fd8077e7323a9794bf419ae984c5713dd9787f825eb
-
Filesize
408KB
MD529d960f2bbca71d8b1c71d338e858708
SHA1d6331abe0122addf3b8e24ad7b28b57983166b41
SHA256a3b63a99e153ede07baab42a7937c915a1ba8e0d7283885e4a39363e78f15727
SHA5121b03ea765fc438a891c1ee240fae511178cf2ef2920062e1da878f85672e953b04fb9710cf7b2e16889ce729718e202cea13be8c852068627c7f04a8c600509d
-
Filesize
408KB
MD58340f797da96f573a08ad4a2deff9818
SHA1e17f093854a95be83b1b82f8f3904c817c9f9db8
SHA256d8a924f915d5bb9101de25aea62d1274464ac1bb9d5528f05d4fb40c797190d6
SHA5124b772c3387914b989c3f37ba4ff0289bef71fe6e954dac86cf0ece741df0eb3625bac0802d8b0a319fa645cefdf3cd16e98bb325f704295f3ec835d5179ce1d1
-
Filesize
408KB
MD5cb6bc1a29a93b1d93da0647c347db195
SHA1f0973b51ed5512b0a673ce470425487e42bbb57d
SHA256634920a3417750151fa8f00331749746be9040ff9e0aac9b779e25275d626378
SHA512edabfbbcf1a5aa14b4b5494ac97c704bfc1397f66a74c091a2f73479b11020da3fc2e80d5b1211d51b6d298edcb1c204f08f01c102f56ffe4f4bc122d9b5b8c4
-
Filesize
408KB
MD5b50fbcf5e8b95ff99d9ce08b62d50fd2
SHA175db66dc7e3fb7884395313016fa4118416298a2
SHA2562c26670d0f016c202494f04c536fa3eb3acfe0b2f391a2d8b480e91dda226770
SHA512088d16522b7348060f2ece705eda31d69b575fe21a82681cb4549cec121e8c1661de2db91443b2875109b97f68ca7fc7b8dd971bdb4a9068b3210ff5f4019b3a
-
Filesize
408KB
MD5dfbe8b03f32673c7f5ee45d5e69a455c
SHA1284316de4b2b961ebb7175a47593294d857c8c5a
SHA256899c142d398f1c903f7d009b695ddfa251e0e3470f2503eb17805a797c91d3c3
SHA512b78ab8fd0b3009699c04a1f6e0cbd14f8f35c6026042d2e8282bc577728f35a5acee81335a4f380ea2a71d075d528fc6169e2c16a92f998a08b728602185b6fe
-
Filesize
408KB
MD52581c701bad4b96d082d79301e9338e0
SHA1278b159bc82800a3966880939fc37a8365fd2145
SHA2565e93b3c4605e9cfe55182a6b6629dc726a6d5efc83fb3eecbd589ae8868df80b
SHA5123108c24c02a16e44d1d2a05f8ab4a1538eb81f8e4b5fdb1b59b328d498241b907fbe245e20ab41cebd9d8a9cb1c73a79066dfb5405d094ec74bba5991d2c2752
-
Filesize
408KB
MD5e8b68df4b0ce128c7497215e199c5aeb
SHA117a3f62ab2e7862836e28bfbb45050535af4f296
SHA25646ad56e310cdb61edb3309542494522152f25e4f93c4176680de3f4a020a2fc4
SHA512fe9b883a220192b0c38578f004358d970827b4bd3ad3a9aac8f3cddc292be9a1d85f2c1d5c84dd19b1528845809efdac2cf3953f4c71cef40c9d34390f708ecd
-
Filesize
408KB
MD5b98bf3637e5cc8be9083b6a7edd452f3
SHA14da17c05c14254a334644045979cb36d3edf7fe0
SHA2563caac5ee56b4ca25a90da893cb2f2adf3fbaa2c8fbe60cd086c1dde7d3eb0f12
SHA512ff5c6618855c40438ec5c12411f8a88c9f8a03ed9c787d7153a553caa1032c1d077335de8dea5eceef840a7cf649eb44ecbeaed3cc0b43f741edbb18c93141f6
-
Filesize
408KB
MD5c820b14f31f91adf6572bff5908963b3
SHA17189db32b41bbb2450cea366f94431effea6908a
SHA256aa4297d00fcbb20b67da030f766a4ffe3b442fb67e8be2ef4b4009122891603e
SHA512dfe56cfeef2dbcfc0b7c631dabeb400989fad32655e5ea5bfd506f35093b91ddda9908ffc3c12aee88955a2feefc4234f091add3f899bb81a2678980fe43b42f
-
Filesize
271KB
MD588010c201f557205ac93786725b411fb
SHA150cc1805ad474b542924e5ab0ffe5c98500cb493
SHA2563ebedcedf3b870c8dc88b9974487c3c0effa4c250e18e889185c288e4beb8533
SHA512424af91dee4bbbcc40da44274fa9ad0d54d70a40a634280ef6d424274de394cbe128f11132fe1a8d7a8f15c2d1183398472925a400ef9ae9ea4c1788f8487cc5
-
Filesize
408KB
MD5fc55ff4c1211e0d3c9032bc3f600e917
SHA11f89dbfe9cb89d3f88f853918add7e1471d3bbd4
SHA25633f3d1b02f712e4af258d102bf0786dda828922cbb1eda5ed9e5ee2d2394cf64
SHA5129bd6202dc6d023ba3c5171ca92031a63627d31d98f8760e96a906dfc21fef2419eace00fdcbdbfb9d49b2972a5a9d57c405c4286867ad8a81866d34144d4f0e5