Analysis
-
max time kernel
144s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
20-02-2024 01:26
General
-
Target
2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe
-
Size
180KB
-
MD5
1ed189c780670462a4dc314820e5021d
-
SHA1
ceb0dd552fe6d730640e789336d0d12854e947c0
-
SHA256
6df4ed8504be361ace5db56808b47c11f7a88871353c28927df4fb7c0f138cd5
-
SHA512
3e9416b3170839f83e2afd2f194cdacd01d5b6dde99cbf1244c341f32f715f628b42f9daa16eb200f7e0b5a129a0145ff6ca8426badc7b31d1d5f629584dd509
-
SSDEEP
3072:jEGh0odlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGPl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-20_1ed189c780670462a4dc314820e5021d_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BC638B05-9869-4c0e-9CBE-D4947D92C469}.exeC:\Windows\{BC638B05-9869-4c0e-9CBE-D4947D92C469}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{70F8B18C-EE77-473b-B833-74D3C32E3AE2}.exeC:\Windows\{70F8B18C-EE77-473b-B833-74D3C32E3AE2}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{70F8B~1.EXE > nul4⤵
-
-
C:\Windows\{66944FE8-896D-4d92-BF00-5CFD31DA71F2}.exeC:\Windows\{66944FE8-896D-4d92-BF00-5CFD31DA71F2}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4F9D37A7-8F13-451f-B6FC-F0BFBFF41E8E}.exeC:\Windows\{4F9D37A7-8F13-451f-B6FC-F0BFBFF41E8E}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E70A94B8-2B57-436b-ACFA-7EBDF6E85B61}.exeC:\Windows\{E70A94B8-2B57-436b-ACFA-7EBDF6E85B61}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E4C13496-F44C-4d30-81DB-30DDE106E0FA}.exeC:\Windows\{E4C13496-F44C-4d30-81DB-30DDE106E0FA}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{96F4353D-6700-4d16-B710-CF28C65FF98A}.exeC:\Windows\{96F4353D-6700-4d16-B710-CF28C65FF98A}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8D51B04B-852A-4e3e-98CA-448E811A9283}.exeC:\Windows\{8D51B04B-852A-4e3e-98CA-448E811A9283}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{FC97E1D1-92BB-44c4-A7A5-514B62336887}.exeC:\Windows\{FC97E1D1-92BB-44c4-A7A5-514B62336887}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{2B0341F3-68B3-435c-AE64-8F031D600168}.exeC:\Windows\{2B0341F3-68B3-435c-AE64-8F031D600168}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{9308D94F-0095-4089-9702-2155827725CE}.exeC:\Windows\{9308D94F-0095-4089-9702-2155827725CE}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2B034~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FC97E~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8D51B~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{96F43~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E4C13~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E70A9~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4F9D3~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{66944~1.EXE > nul5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BC638~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD5fd7ac538d28538eaa4d60c82a2e5a324
SHA1c8ef4ed44f28cb274102d8f3f65b698918fa93f6
SHA2567980e6a54a0839b9c93fbee69dedcf5413337d5d0e6a4ce33d8c4cfbb8191d47
SHA5120404443a1eaf24ee0c895ca0a296b2d56c9e7bc113a0b50b0b3e3fd2a03b46108321112721f49aed1bb18152aca233482f68c9a9dbd21f24925d92fdf6e3501d
-
Filesize
180KB
MD5dd09b86f18c8d644fddf5b3a4f14b206
SHA15a163d128029ee36d2e0eb8026efb15fc74033c0
SHA2562274c692b4622901aec160086920448f23627cf51dc9b840e897dd28e8393806
SHA512f602dab321841c663f5980c8fb32ec0135483e4f38f3a10ab79767ee49d6c102e7030d7e44c7c603e36bd7010cdc8a0b37e80948c67abbfdc504e6bc6915d61a
-
Filesize
180KB
MD57498d8e4c6785121a599ca4aa7108963
SHA16762ca725bd931323b936300e595bb2b6c26a9e2
SHA256f0dd17c3cd3bec0b5da773d460cce03a0e491725fd0fc102f10ac07677bdff8d
SHA512ca6530594d280a0ec7f982c7cef0103c12d188c3170b601438520b6bdff3488d2c003d8ee80d2406af5ac61e415a397b501eb9e59d40e36f05abdff3c7edb961
-
Filesize
180KB
MD5834773ef055f0c3cd0bd3aa181625744
SHA14d36f2cd31747df6761cf13a2013660726a96d87
SHA2567a8103d86a3986a226c66d1276f2c775942549c1f8247fd0601f1b2aa93f9b5f
SHA51253f6154e52c6cb8def7581a59675efc5bb358429bb37d59726741ac2bce3e852e79fbe93de27fc4a2d10edd95cff6ab715a76044bb9d124080097e27926f816f
-
Filesize
180KB
MD51fe458e3940be95857eab7282d7c09cc
SHA14e6e5db778c368e0a95f63bbd20b791d87c96606
SHA256844e37a528aa111cc3ccf7bc9effb5f76e4784eefe882a157531e5a0f1ed5670
SHA512e2354d05344c1fbfa0a2646d9ce42c7c2e2c08c8c92147f8d978c6361fb525707f7551431de542e8e7a0503b055da974fe7081ffd0ef931963f2956d75f5ac50
-
Filesize
180KB
MD5fea51f9e0f755ee85388ed9de62494e3
SHA114e2ec89066fe3d2046ba9748b4a246456dcb818
SHA256b1e1fe186577176884575b7c3dbb348ea12949896ac7b26ebbd8f288221e69c5
SHA512333aa8be8d40b0d55c8dd5086cf687e70bbd80b2fd0ee3615d3534ff85cf5eeaf956cbbbac40fbd499b9f9189db2b30ce73266b4e63574b7bbd229bd4b2836f7
-
Filesize
180KB
MD586c358979681da0f18d057ea3b66d4ba
SHA15fb3c42a25ff58ba6ce3fe383538251ff5c902a2
SHA256a01dca15f25dc4c8fed89d7dc29d16c506521923a6483a8e55d8b688d844489a
SHA512c4431661af185f171b638a6f6ad26b065289dbe0d6c3a204a7d804886ffd2c59fef7cb34760af92312774c478a0f7ead73069a8c93516c48f69a1c47e295734e
-
Filesize
180KB
MD5ae7669bc30e77d4d973f92bd2460486d
SHA1369da01c8aba44afbccdd76d70bc8690be2ebdfa
SHA256d9af89f08e3142014ce64ad24234d665caf3717a0819b658cf6bf1c90ba73720
SHA512a9f23a1a496d1219e40b91a497a6e4c934edccb1925875a46bcda3873a92378d9d29174953ea4e30b72d9f078407657312d2fc39d8c94d7bd85332697748b5b3
-
Filesize
86KB
MD5b7b5cca71ad3c10bcf4ab458c1ceeec0
SHA19d9d3d7acdb33194a9ea9003f104fdb521ca2a93
SHA2560c940d215dd9980e4e07fd95284bb8243bd93e52b9f2bd4c58dcb9b1de676da5
SHA51214318dfa79497e842f17bc7005ffaad1ce6288ebcbafe2b50157ebb4ed20716867f90b79e441a9257274c46e0fea1914a1a405a7892c7b4ce95acf650e92ee9e
-
Filesize
180KB
MD5760ef40ab661b6af9ac13bd233155a8f
SHA1e97ef2a2d67a920b080fe15073d8a77b75181b3f
SHA25611bb288a58a8b9af5ef04fae6f08318e3ac90e7630dcd07a3a3c180c27d06229
SHA51285d4396b4300d2993d73667f2b6d64684e1a5a8ac362e521a4c2c66afee5028a0ed52bfa5bbe7bf0c133ab2fbefd2fd1d09890144cd39f8261ea2512d6ea1d0b
-
Filesize
180KB
MD516cd33fd951a1de0e31b6a9958391af6
SHA187d0b8a5d1ab3ad6e21c462ceec4175268f43bb7
SHA25692c6e11811d27e072d32a774839093d884ac61d4d565ec323d03bca726ae99d0
SHA512f32422929bf0b69e36fccbea206d30b5f36b5dc3443abdfc132366a097fe07199bd8e3eee243bc7d5ccea6d12dce98f6fb1192ad4df48eb1fa63dd5da83f85e3
-
Filesize
180KB
MD517944ce86404d8b1d07105b006941b2f
SHA1c4edcfd8c2e9a1de794a7e08b81dd6cfef7c8870
SHA2565f86ccdd9b358ce8fb0038065614286c65318f6add8a5cd3ff5be94835bad389
SHA512949173bb6543e9b3098cb9250b9db6337034681a8b222e65a061327a37572d2ec8813da804070af17eb4e308b243002dae8cf796abb75ee58e183a0192bdb3d5