Analysis
-
max time kernel
144s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
21/02/2024, 13:29
General
-
Target
2024-02-21_2563e407cd65a7faefe3fba3ecc3a6fe_goldeneye.exe
-
Size
408KB
-
MD5
2563e407cd65a7faefe3fba3ecc3a6fe
-
SHA1
98b580703652634bdc412d48ad233481e1a200a0
-
SHA256
c203b53db64585e905c7d5bc5052d42354f13986e7bcf8ed74517d772d941920
-
SHA512
6a369aa60fc9a1e9b4ad826fa9885aff75446dc7a2307b91196d8a53b9149e401b1be1ee8465b31c81fca208bea6f24b20cc84829acbd754c73313500c03cb26
-
SSDEEP
3072:CEGh0oOl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGwldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-21_2563e407cd65a7faefe3fba3ecc3a6fe_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-21_2563e407cd65a7faefe3fba3ecc3a6fe_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{67DB236E-44D7-4147-8A79-504E36B4F341}.exeC:\Windows\{67DB236E-44D7-4147-8A79-504E36B4F341}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BACFD1E4-C1AC-450f-8FCE-8E6AA8E0BEDA}.exeC:\Windows\{BACFD1E4-C1AC-450f-8FCE-8E6AA8E0BEDA}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D8BF8C5E-9248-446f-B6F3-8B5757F70FF1}.exeC:\Windows\{D8BF8C5E-9248-446f-B6F3-8B5757F70FF1}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7BAFAFE1-A2FF-4b0c-AD7A-7907D97D8526}.exeC:\Windows\{7BAFAFE1-A2FF-4b0c-AD7A-7907D97D8526}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7BAFA~1.EXE > nul6⤵
-
-
C:\Windows\{59D8E36A-0776-44f9-B13B-D1305F42B6D4}.exeC:\Windows\{59D8E36A-0776-44f9-B13B-D1305F42B6D4}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{20CA1468-3824-4936-9E8F-B99E4C2C6A31}.exeC:\Windows\{20CA1468-3824-4936-9E8F-B99E4C2C6A31}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D3A5FBDE-F6B3-4739-84AE-6CC17BF0980F}.exeC:\Windows\{D3A5FBDE-F6B3-4739-84AE-6CC17BF0980F}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D3A5F~1.EXE > nul9⤵
-
-
C:\Windows\{577EFD16-7161-49cb-B567-0675259E9523}.exeC:\Windows\{577EFD16-7161-49cb-B567-0675259E9523}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{577EF~1.EXE > nul10⤵
-
-
C:\Windows\{A2B0A530-654B-417c-B91F-52FFA2D39DA4}.exeC:\Windows\{A2B0A530-654B-417c-B91F-52FFA2D39DA4}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{862C8DCF-0F40-44e1-892C-92537E46358B}.exeC:\Windows\{862C8DCF-0F40-44e1-892C-92537E46358B}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{B92B4F7A-6BE3-46e5-AE2D-B8DAB61D3D5C}.exeC:\Windows\{B92B4F7A-6BE3-46e5-AE2D-B8DAB61D3D5C}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{862C8~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A2B0A~1.EXE > nul11⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{20CA1~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{59D8E~1.EXE > nul7⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D8BF8~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BACFD~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{67DB2~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD5115d710c503ab49713c786b23ad921e9
SHA196461796ce4d00326b27bc111d7d473c07ff2466
SHA256252680eeece4a5a4e4734ecbcc2e7c6d2c8932616728251e80f204912868e134
SHA5128792cb80e31a04988b98d137174a5cde0b860da9e4a23a4c486f76c61c508ef54ce49b4f41b878477aa889b22103ea72786b293eec5cc70470034284bdfdcf39
-
Filesize
408KB
MD5dcbefc5ff73a26698d3b7896bbfefd0f
SHA1ff78e1b5e535896b4304bc8212c2f1f83cf1100f
SHA2565e348a78aafa9400c48c3fba0b071a93384a68946a5923388af466fbe41de81f
SHA51225e41a1086763de72867f20411ff7b3c556a0f6f6fdf709745c1a898657e36958c5e0dea72cea7054678d75a148282d4a9c1719fdf0db46caaa12f6ad17335aa
-
Filesize
408KB
MD58e2f751074f1263a5889f3ad5072f4f4
SHA13bdcfc9f1cd2adf0ab213fe4bda15a2032ffb92c
SHA2565fff791a119418dea3a3bffb843c1377bfc7424bf5164702a199aab07846f8fb
SHA51279f87255da75f5ce87f9a0774beba8f1532efaa0f22fcf76c8c1c6a0c0725eeb15001b61a6bf5544f8817cea8c8a3e9291c7e7e63c4ada893895273d5dfca96d
-
Filesize
408KB
MD5fb8f4db0e86aaf8e51f14fa99d8d7033
SHA15276dc4f655179ca411aec716440ec45dd9d5bd1
SHA256e75c87f398f20c593a883436bc04aef7faebc7da7e198dfb1f1e32b3d5ba2797
SHA512e0734e8115b8736a57fbdc1cb869307254a6b89621b71b05a468cbacf64ddde75aa368a09439c1bc5687f15577f2dbaf63cb8e2a98c2bc875164b5a92b1bb3b5
-
Filesize
408KB
MD5244e7d121a1a4c7635ab7467413d5d3a
SHA15680329907fcc703e62c53b13e5942f05510f967
SHA25697803943ed2382551dc46e737f6f39c69721941eac2812e17a8edd433099e900
SHA512c40a66d2b32a58e38bae4753b0a84f0d6f40f9b55b2fb1676bf8fb46c51ad4f1bbaf998a66e4532bd19b0076fde8dff1acf4f4bd6252c5b5f3ed9e7e057e7048
-
Filesize
408KB
MD51e4ad43a054db170d8d08b5c94ce4536
SHA1558324c27f28af58c37a663698e54a9f6f167d67
SHA256c18df84ad3e61ebcb44f3f9098b7b4aeff9eb0e0c11ccf733603bdcd57704508
SHA512afdcdbdfb761a059897488c4aa6fbffec494f41ee71963a727a865c94b03cdeb8fd6c66690a627370aa7bf8f6ccd880af2c3d11cbeffe485c07ff9ad6b1d8c4c
-
Filesize
408KB
MD523fb6312bf4442924e59c3c277a8e1db
SHA112ccd67cde5330bbcf69d091a1972971e5a00e29
SHA256917e75ef4cc2e4705dbe9e711bc8534f1cecf5489b28c18e109a3f5b0f002aed
SHA512ebf8bcad16ae800826ffe81791abaf221508a0f49839501aa97e3df574a38af724cb4fabbe34b252fd15b1efac26369f81c76b2a3c93bb3280cc9ef83a8d2bb0
-
Filesize
408KB
MD569edf7b11bb9773ac85535b5cf573905
SHA1cb7c4b89d77e50b6e2fa037de75a6a5c5820f658
SHA2564ff82dfbdbb6ff24349592cce4edd38995149b3e3d9ab064042c742a7a027ba2
SHA5124d64ccb97f69488e67478ef26029c88603de54a4bbaa19bd4bd720b03a14f5253b8fc0df2adfa4608b91bdbd36f4cc1a659efcbbd2bfb10be8c762126f778d21
-
Filesize
408KB
MD56e0adc2474d43008cb88ea6e9e9c9181
SHA186552a436929063651c4225e342d292f88462c77
SHA256423230ad1c73a8fefcff2462b800c4fdf239e876168dcc0509b4bf1f677cc3aa
SHA5123a050befa57792356215cc3ab860dc2770288954645d324e0b5b694453f6ff8a71c738e7e304d841e93625cbb78721ce0bf951bcf0846d9e0a2b103ec884235f
-
Filesize
408KB
MD54e3765018729c843870f6b4b82256c15
SHA10cdc19e67f83bd8c9f2f39807aa4bf0d53dca2c0
SHA256812ccd700443cb0ab8259aaa6ff4954c153d17bde7af53b23106ba931a25b450
SHA51298c443aa5adb7530ef4d804d6873e6b2d816216f36393fad1be93ec8e9942e52da072dfb694d8f3f4f9ac69c5f2bc024f1c5b5f22b7ce91dd02166c1c9098026
-
Filesize
408KB
MD5ed5b315b20eb3d325f74ddeb061664b7
SHA1c70f47e95c5e5a2e609e0c758cc4f4849b79556a
SHA256f28fb9b7417ddd5739c5fdacbc524681b0fe4c8811b50d0fd387f8eb3108920d
SHA512746668f81d54d8e9ae763fc91111f670f90ee9fda4b0b035c02f47834531004b54e2d015972510aac4ea87de08949f61c1c74e4bf9d0c18c6ff59f2375073f0c