Analysis
-
max time kernel
144s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
12/02/2024, 07:45
General
-
Target
2024-02-12_79213cfa504d1553a041234a6a829718_goldeneye.exe
-
Size
216KB
-
MD5
79213cfa504d1553a041234a6a829718
-
SHA1
efc61f02978df7254345e131487670422a1bab73
-
SHA256
be379fced4b9205ace31dce2313bd91584efc90ef97970e237eed9352d4a763d
-
SHA512
b114314569cc38da6eb2c5f3293b94e3c531663542c91c212adf003e014b637d3c411c70a26352f9d9cdceefe53f94af3605f041de588a5dd9954a21a33fae23
-
SSDEEP
3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGFlEeKcAEcGy
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-12_79213cfa504d1553a041234a6a829718_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-12_79213cfa504d1553a041234a6a829718_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E148AF2E-5805-4421-BB23-3C6B7B1C8F75}.exeC:\Windows\{E148AF2E-5805-4421-BB23-3C6B7B1C8F75}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EAE794B3-224A-426d-8C08-387710BDC0D1}.exeC:\Windows\{EAE794B3-224A-426d-8C08-387710BDC0D1}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B2F482AC-55B0-4ed2-A0C1-FAB212A0C40D}.exeC:\Windows\{B2F482AC-55B0-4ed2-A0C1-FAB212A0C40D}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0B15D0D3-B576-4334-9567-18A22EF5A00F}.exeC:\Windows\{0B15D0D3-B576-4334-9567-18A22EF5A00F}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8C36CD23-02A5-4b51-A165-40F45F69F59F}.exeC:\Windows\{8C36CD23-02A5-4b51-A165-40F45F69F59F}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8C36C~1.EXE > nul7⤵
-
-
C:\Windows\{80FB3AF4-D527-4396-BD70-C84FA39CB99B}.exeC:\Windows\{80FB3AF4-D527-4396-BD70-C84FA39CB99B}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{80FB3~1.EXE > nul8⤵
-
-
C:\Windows\{5C771874-921C-4842-9079-93BC2EDEDFB9}.exeC:\Windows\{5C771874-921C-4842-9079-93BC2EDEDFB9}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7E868390-D47B-4d2f-8718-95AFBF6ADBF2}.exeC:\Windows\{7E868390-D47B-4d2f-8718-95AFBF6ADBF2}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{5D3F637B-3776-4ed3-94B1-4A5ED4AA468B}.exeC:\Windows\{5D3F637B-3776-4ed3-94B1-4A5ED4AA468B}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{E28979DF-3AEA-4b8c-986A-7790CC9021CA}.exeC:\Windows\{E28979DF-3AEA-4b8c-986A-7790CC9021CA}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E2897~1.EXE > nul12⤵
-
-
C:\Windows\{62DDB428-CBC8-4d1c-B017-30A16B609A55}.exeC:\Windows\{62DDB428-CBC8-4d1c-B017-30A16B609A55}.exe12⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5D3F6~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7E868~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5C771~1.EXE > nul9⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0B15D~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B2F48~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EAE79~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E148A~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216KB
MD5c4bc984da83cadad43fb06a8656e015a
SHA13db9af79dd883a39dbfe3ff69b3042018ce60f82
SHA256d5aad33e4746c054a7efacd7215483b87a4e8844598ecf6dc06778a84711d1d8
SHA512a27ef905e2b7e9797321aaa510618c204226a505ac6443b93541e44f578f2912607e0a496f0511f54340e3e3dc1cfb7ffc2ad174a2d2e05e8046a332cfb9092c
-
Filesize
126KB
MD50c95d6ce82af849ddeb2b28c62d277f6
SHA1d766711ff185a28dd7246a7c5e5a03f6966e0172
SHA2560cb41db26c723d36decd92f55c45a90f67921d223bb724ab1787892ec2b28bd0
SHA512f13e2b7fb5848abe09b91a32da715c31add61efbc9411d5d68edc9f99135ea9572dda2fb0e30aa14773e36fc8276e18f4ab35270f264b8bddda5841be94044a0
-
Filesize
216KB
MD58d9a6fd87362330e26c762fbc063e9ab
SHA103b87b9e3aa3cc1db7e5f0496e9986c2dc74f342
SHA256e5fa008253831f2a4f437175c1eadf03d6610b0599a7475b58c53962927eb102
SHA512096adda135087098dd8ccb49fe8f745f788f68a174d47f4c16066ef08eeccff6faaafd029905c9a39c83e0bf927e306c120b46ca528b09fd62ba9ca8907075e7
-
Filesize
216KB
MD5631d2fe91200d961da808c53213e7f9e
SHA108f84602ea8fa14b945ca5918abab7ff2ebf8a8d
SHA256c588a0b62bafa43de7ac6ab7c11b29ef613d2607ce41362d625777efd91269ab
SHA512eb2551d74cff5198f295654a88b68ff14168943682127d42f67535ec963660e789efcb90d083baf0723050c11762709f43a1bf9aadeb0cbded4287c996bef27c
-
Filesize
216KB
MD57ac647416c37a53737c47e790ee60352
SHA1f5e00b887f1be923140701ff1cdb03488e7e08f8
SHA256a9009e664bfe3c81227fd31fb7d5e6800c3044ed500e52aabe2740e15c9f441b
SHA5121cae93418effd665dbf6a0e520bae9c58fd1e21d8ae7abf39702b959f90b3d4082f6961b34b79eb0eb22dc48a7467346379d23157435fd38c04ed5e8496f6c6c
-
Filesize
216KB
MD50e4611eec8cc7e707b5416f5f125b62f
SHA191aae20d0ee5f7100efb0a184da39fe3033f9299
SHA256be1b0cb196013b03f9df4a23fbf13c1e77b2599e30f8eca1b178ee9d9887a1ab
SHA512074a854b54c6cfc4321a4b2e541c9365e2478b009f1f306214f1df177d59ab6ada6e72dcc5e489e7cc77c25902c26d27ac6da69d791d57a253604b9d9de40943
-
Filesize
216KB
MD5b625a56acfc649437a099b6dcafe532b
SHA1cc3915e92e09f8881a68e1084ed1e20c1c4538c8
SHA256d21f370e1c75d6c3eda712ef481ed0fb0a24d0b8e334bfab923fe827cf0be38e
SHA512a93a7528f93b80fa8edb50ab71f36544a9177ce6332bc17166d9b136427a5bf1ae7532dfbfc0ad323ad07e3a31f213bb4c286587b2f39a788f47cf0c960557a8
-
Filesize
216KB
MD5ee58d875061a51ed8104274b13bf62b3
SHA13da8cf8f95cb5a85ce55cecb5ecec97e826ff7f0
SHA256e35bd293f37372e04a9bc0582b9b0d1899927696e0b7752f86542215d7499021
SHA51269549afefcf41e631ebb68f2df9ac77994b2b89a9a89be8ea99542b4142082021ac6003f879401e84ea597c1271c0f58214b51285866528e57bde0e41f32df02
-
Filesize
216KB
MD5784c3d51ae6df438bec9ff097f2eb89d
SHA14bdd9308fe1a4379fc74591a02efbd927b067905
SHA25679cb003be5c32af69d4c20f4f301ce23050c3ab7c418825aa34f83f694033033
SHA512c00baf3c793b26e59584ff110c1a333100807838fcb2eba1956e2e8d7230a28403eb27837292b739bba38a5fa8e153d5fc9e94f1c172df749f7bf46a7393414e
-
Filesize
216KB
MD5c5253b0ca657d8a8590270bc4e3fbefe
SHA176e5913d9b75467a6686673995429270ca75bc83
SHA2566d144aadbac3f169d06c0360fecfec31569af92c2442d3c29c3e9751f1fd0b08
SHA5128c9d77178b15d68f32a496b548e0fbe18956cce596c31fa69d400808f84b5ff4a9fe75c0d2a80e776d5e92605dee385803d05ad94f662d593517cd538790afa1
-
Filesize
216KB
MD5839f6066668386edc151f32274eeda31
SHA1e61d3fd728bee902c776eb9f492f0884cf5c4ad0
SHA256c1cb169511ac43e29c8366e5e5ad048cb02a20dd2ca2272a2a3c33d1be22069c
SHA5124adff71ce9826672b3d329e3fca06ac5caec8d3a3835af0e571a5223970c617eba2d0bced32beb78cd898edc6a9ec2e0d4e28bec0379aa823a9f6f01dd26a311
-
Filesize
216KB
MD5e9feef02fc331e0a8401a6bee453c50d
SHA148d2ad9133e72971ef24c26b153f2efeca6ee4c4
SHA256e2c467d370a8afbb15d17eb1c3c245fc4290573032f130cc69630fc3fe499d0f
SHA512ab10056bceec8220d8fd5009d589c6b7f9b36010b027a7625d30227c65ab23c005c442555d92957505433322e6fa1368d7dafd2534cf37a1b1cb72e0575a5768