Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
18/02/2024, 03:24
General
-
Target
2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe
-
Size
380KB
-
MD5
1291db24b89cb4ec023f28662ac14d78
-
SHA1
24d012529be21c465db7d142be43971240fe32b6
-
SHA256
5d54f4b09f09df2856d90273357542a98f7c029a56aac65da1914a2d055a2a8a
-
SHA512
738a5de078e940e996bf8e3d40ca9808d3b9d924e66f3fa8ba2cd1b2641ab6e0816d7472429dc9b89a47c72cae20ac2001599f25103c099b36ed29264c495f06
-
SSDEEP
3072:mEGh0o/lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-18_1291db24b89cb4ec023f28662ac14d78_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7EBC874E-0E9A-47e5-8B40-19EA6E50F149}.exeC:\Windows\{7EBC874E-0E9A-47e5-8B40-19EA6E50F149}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{81BC9591-9109-499f-B9C7-10B85B5450E0}.exeC:\Windows\{81BC9591-9109-499f-B9C7-10B85B5450E0}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{81BC9~1.EXE > nul4⤵
-
-
C:\Windows\{3917E2D7-9C60-4847-9046-B842EFFA32A6}.exeC:\Windows\{3917E2D7-9C60-4847-9046-B842EFFA32A6}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3917E~1.EXE > nul5⤵
-
-
C:\Windows\{6B1AE94F-0753-41f6-A634-13254BE7CB37}.exeC:\Windows\{6B1AE94F-0753-41f6-A634-13254BE7CB37}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5A39528B-389A-4c24-851E-D9C0E4CFF641}.exeC:\Windows\{5A39528B-389A-4c24-851E-D9C0E4CFF641}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5A395~1.EXE > nul7⤵
-
-
C:\Windows\{438E65A7-12AE-4e71-BC04-3677A1C387D5}.exeC:\Windows\{438E65A7-12AE-4e71-BC04-3677A1C387D5}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7B432D23-B59B-43f1-8E9C-93FB76F46952}.exeC:\Windows\{7B432D23-B59B-43f1-8E9C-93FB76F46952}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7B432~1.EXE > nul9⤵
-
-
C:\Windows\{C1E1DF04-2B8B-4ad9-8CA2-779FF6B7C3DA}.exeC:\Windows\{C1E1DF04-2B8B-4ad9-8CA2-779FF6B7C3DA}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{8ABAF726-4F4B-4f5a-8F86-317CB1BFA024}.exeC:\Windows\{8ABAF726-4F4B-4f5a-8F86-317CB1BFA024}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{6F973EE9-BCB9-4f22-8430-75E8B3ABF383}.exeC:\Windows\{6F973EE9-BCB9-4f22-8430-75E8B3ABF383}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{D6CDDDD8-D477-45f2-A2F8-D5FC64047266}.exeC:\Windows\{D6CDDDD8-D477-45f2-A2F8-D5FC64047266}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6F973~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8ABAF~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C1E1D~1.EXE > nul10⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{438E6~1.EXE > nul8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6B1AE~1.EXE > nul6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7EBC8~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
380KB
MD50fc45ef160f28a6e12e01068ca4a181c
SHA16539fb6fa20df130f4b625b6202e0a1996ce43f6
SHA2560ff1b632f58c102fe329989b128153760302a008e65f9a6e00260e4a8b625d36
SHA512bfa08f9ab4d02163c46cb5c37c6d8f3b13681b37f0592502fb4915e1cc8b3fcd4fcc6e812bdb25ed7a89ab6b9fb3cbf3cc377b952872525c7ec31b03d16ea865
-
Filesize
380KB
MD57f87eb397efe1ce48fa99f068ec92086
SHA1b67454d7290b0d4981c7bd16b97e713eab8e540f
SHA256d764f76026f8a47a7325376bf3e7a0ba5628edbf077f3995c834d8ae2b8fafca
SHA512b20d35fef30812f2a7e9b4523b5e044ab02d416a8c53528b12781c8bc6e99a70e0ffac08de7ccfc44c2159bb2807ef1e091996d33978dab78b9f08097f211ffb
-
Filesize
380KB
MD5d6f1f802372ca323b806ade9e55ea907
SHA1c7745c47ca761eca5e46940c2b49716001feb0bf
SHA2567c64f696d5f344dcaa984cda0d10d60b97bd47fa3033e77eada03f41169dda6b
SHA512bd4fcf581519c7cdcbddd6214f828e30aada1c370670cfc7685725b7e59f14e93b6c7501a6649366e17c7b80718ebef92009a2c337208ade08c3f8550bac316e
-
Filesize
380KB
MD53a258f6784e1ec651c1b88d3f023ab60
SHA17b04bf56bdb6019e92f042195104a177aa571b13
SHA256ab0d6217b6dc085f1b96289966b2b4f17d60c20ed39b13bac4158d4d6154b4fc
SHA512e21e2f12384a7fc9cfdd8ab3615b67e2209e62f42dd6949be516e81747be842eb1b359b1fb7e45f837bb586e86d41d965561c5036e422fab7eb57cedb8c42938
-
Filesize
380KB
MD5d1ceae6a7a9ae900f485a0fdbf1e84c0
SHA157cdacf647a58d9c639a193adedd37570ec53a2f
SHA2561a57c74d4d5c316bb3f434b9818ce27167006e8a74f5388c9fbbd8c8ce3eb99b
SHA5128bfec066d6f65f01246825419cb343f7ad635b22867c743c38e857d1711e713445cd2bfcba77409d04371d1ae53acb2e832c3b19af9bc1c2a1b33d4399c36d86
-
Filesize
380KB
MD57e58a222a2148f844dd39d7b6a7bb47f
SHA128e89444400ff7192e11c218ce957f8d99e2d5ee
SHA2566583c53826a687c6cbca13f828f08b662703ce2a454614c4ee09a8131033a5c7
SHA512ba474372c7c2b3c0dc2be0795138e20ecb71ef4ed238f72be2b7d9e4861490f893c3c979a9c09181fe3ef02d10bad146310a5eb338fb0b6b332e489e1e5a2a32
-
Filesize
380KB
MD53d004a59e8e121028f6aa5086e5e9b0a
SHA126cd207f409131b79a0253fae329e2f5a7492ae9
SHA2564734a9ad8c51439a25654ab5655e855a884e686147caf1390aafd451ebd9f13a
SHA512a150be2c7d1aaaf0e95653231943d07de458ee8e71dafe2a6a1ef676e6c08cd6dd68000fd41f9be6b8dbe91abda370b01c5df03c93f60d4e327563f86493fb32
-
Filesize
34KB
MD53c3e21a462cd9863325474878ae8a756
SHA11d8434985cc3d85b8c3c469650d7bbf295b43fff
SHA2568830478c7754b4063806c30b0a4351bde784efe26c2feb081707d8fbb50ff6f3
SHA51273da5d4fbec73bd1f73ff6b7d68ee3bf7b9165780c1fe3f712dc53feed14e10ccc0c9711cf5563117f29b6fcaa22159504a7f985f7e61f8dfa3f256ba072c394
-
Filesize
380KB
MD58c992f140c0fd5ffc95b232c2e981396
SHA1e582cfe30936511b2d7a1eeaa5ad4a7049c18a03
SHA25645c241103014ee6849541f39689841f1b989a28dd2678f48a1526a42817395ba
SHA5121e58ca8e1f0827b5bbe82a647a9fcfb68e58c8f48f42bbcc55539b14df582b2b33e62992e79237f0901e2680ad88fbd6357ae962a9a1dcf34735dbacf5254fc0
-
Filesize
380KB
MD5aa9fb77d4ab46f17244da2cf640e1a73
SHA13df2f9db3ad5cb83c4c724cda13c54c33430e847
SHA256f9ee0dad395586eddfbab138b55e715bc46873a206aaba48aef84d8eb4db0914
SHA51229ec9a6e4312738886e05cfc192021a649dc9a3c43add8ed1f6c5b629311d0e8cafc1b1af9fa58125bd92d6bf46bc47e25fce713921d31a49b07860e81c519e9
-
Filesize
380KB
MD5266e5f6371726d9a4ea3299844deb8b3
SHA14e675b486367a30d0f830daf661c7762b94e2a68
SHA256b4aa0bcff004cd45448a943bcdd177f463651795a9f13f46d2c3a2318308a405
SHA5125016e736dafca869595c49f7f3bcf1ec7877a47a369f49f5c816bac0ccfdc9fc2e5aa58c9246f778b797edf46a7bd5d7c9aff226bf2e8181574ed24c438d816c
-
Filesize
380KB
MD55b209501aca11b39e75269cffa8ddaa1
SHA1e64cb4355265d219099206dc1b7084243b5b2707
SHA256bae3388d422f552b6ac97f9c8cd7492c1ea471114544578d190369ab851dbf4b
SHA51233998dbe5be98aa2246195be8bda26060db6177f6bdeaf618fa9cac9ce736f330c55032451568cf9573f6bcdeea64a4eb8fdca16482f79e998197234f86a4436