Analysis
-
max time kernel
144s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22/02/2024, 13:01
General
-
Target
2024-02-22_ca104afe01c7308991a7640d2a1892f9_goldeneye.exe
-
Size
180KB
-
MD5
ca104afe01c7308991a7640d2a1892f9
-
SHA1
5fb7ca6dfed7f7df909845345ffd434fea350a6e
-
SHA256
7af5c1fd09784a4a3171dd036f2988297ef40935a134f54195d412a9076c54ff
-
SHA512
61db4f79c14e9990671c9d1540f577bb056cad3676aa552ae593a5b9e0353c7acc591ccc3614ea62831044bb38fb34e30ff2a2792265c6c0db5ef449a3a825b2
-
SSDEEP
3072:jEGh0o4lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGul5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-22_ca104afe01c7308991a7640d2a1892f9_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-22_ca104afe01c7308991a7640d2a1892f9_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{056C096C-A673-4292-8715-86838579EF35}.exeC:\Windows\{056C096C-A673-4292-8715-86838579EF35}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CBF573BB-1E1C-4fa6-AB4F-453E2D402441}.exeC:\Windows\{CBF573BB-1E1C-4fa6-AB4F-453E2D402441}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{70647D05-347F-4984-B141-503308D2AF8C}.exeC:\Windows\{70647D05-347F-4984-B141-503308D2AF8C}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{70647~1.EXE > nul5⤵
-
-
C:\Windows\{168E7C98-654F-4659-9F50-4BF401743513}.exeC:\Windows\{168E7C98-654F-4659-9F50-4BF401743513}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7A9CF7E1-2DC8-4292-9417-C7EA6064E0E4}.exeC:\Windows\{7A9CF7E1-2DC8-4292-9417-C7EA6064E0E4}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0FF6835B-B9A9-44aa-B844-B62599A1AB1B}.exeC:\Windows\{0FF6835B-B9A9-44aa-B844-B62599A1AB1B}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0FF68~1.EXE > nul8⤵
-
-
C:\Windows\{48BE3FAD-9505-4a93-AAF8-9C699F069529}.exeC:\Windows\{48BE3FAD-9505-4a93-AAF8-9C699F069529}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DE2D36B7-833A-4000-8145-FA361CB89799}.exeC:\Windows\{DE2D36B7-833A-4000-8145-FA361CB89799}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{0D63A1C2-8DCD-41cf-8F57-6664F4F86475}.exeC:\Windows\{0D63A1C2-8DCD-41cf-8F57-6664F4F86475}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{D1DB83DF-98ED-41fa-B686-DBB9E5BCE383}.exeC:\Windows\{D1DB83DF-98ED-41fa-B686-DBB9E5BCE383}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{60AE8367-9F75-436d-8311-7FA194E59275}.exeC:\Windows\{60AE8367-9F75-436d-8311-7FA194E59275}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D1DB8~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0D63A~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DE2D3~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{48BE3~1.EXE > nul9⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7A9CF~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{168E7~1.EXE > nul6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CBF57~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{056C0~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD5d3bbe0f99acbb76e2431fc5469f87c14
SHA1e7ebb0bae949b744c16c204abbdebfa5ca231532
SHA25653e59dd285bae070e94e7500e5ce949a9741277453249af3956849e210a45f53
SHA512afeb9130d582338bddd27bd3c1e0a520925106e1e651b8df11bbcf527997c7d634cf7521799c7a480a648c3853970325d3041b2b82ddc1e8cc2e567c582fb514
-
Filesize
180KB
MD57e7d39cc92a9c193b638fa27cfe8f00e
SHA1c443a835f3395badb16ffa670e3a2793bec0f7dc
SHA2562072ed8b7ed4dab5216a99bebe0518695d882468493208cb87876757439ad5c0
SHA5122438ae14eab049e58c49960c43fe21768d3c1dad6f0699a6176d7268b5490d8d8d8a8585fa99d95b1729c5cea7f261e6590e543647b8771ec78768ee86adb385
-
Filesize
180KB
MD526474233d777210fa52da1778df93a26
SHA1963617a11800f17f1e181132f5012435d7c433ad
SHA2560122ec1542675e36a45c34a90a2b76075002659f34ab61be5bbf0a0c19a82281
SHA512b7478300aadefe1df38789c5a3e448d6ed7c877dd72eec43cf5cf0749938f97e5fa2b4d52c5c6d7a6c9551d07036ee479ec0f62be5d95c08b88d8d59b14aea22
-
Filesize
180KB
MD5ef2d5b01be7a13b57bcb11606f4196c1
SHA1a5dbc48d2e74b84e9f4a26ec690ddeff2e4f5ebd
SHA256ce62e10522aecec4673244f1d9e2708a5ee264c14f7b2fce2b52a7a1d026d1d7
SHA512ecea663b7ba6e0d0b53144faad9e60e9b161799e72c30352b8d9721ce9d98d6bfebb36f36651a86e3e00df0c7f051546e3d2aeb15197858d4c066154232a8cc1
-
Filesize
180KB
MD5b930c0d18789de0cf1f82ff67a410079
SHA17bc0e84069362b3b21d2cc063ad698ffb1c9516d
SHA2567de5637d1dceb3188b318c16015407342111d837509a3838d4ef7fe8c9ff694e
SHA512eaa6ed69f3d7bcc5abdb997c4b10a0321babd499161fa1b4128e6471aa3dfe9210576f6f78ad7103e62cb97348c5e08fe28fc6310eb95c4c3cceedae4d206fd7
-
Filesize
180KB
MD5b460174d8c338d19f07bb5f688d8a1ef
SHA1bb6897c268a91008a04a0fb63b1f267c974d0151
SHA25634c13c94eeea91a77015b16f30962c1ab360d8ee32d8163a526fad35ce73b8cd
SHA5126bbe12dd14eb60bd2ab27dbd98a17cdb6208ff17139a7268aaa7fceb762831ada22083b865e261c6dd3e4812f6a7866b242023017a8b0bc003397489abcfbcc3
-
Filesize
180KB
MD5f61c2c9bd6dccee27c88260580a5b9bf
SHA19db92fd7eee50ed7758b3e511578ec3d8ca21452
SHA256717f1ef19c4e9cfafcd554c7a4b06da50de0577771b3fc52834209c374729327
SHA5126aabaa6f5f3b9ee773218e5c3e678ba26e7f600fdcd690a33369c82cb63018c820d26269ca1bc045c7e413178d2f67c620a1d9b50c631dd9fd69f219219097d7
-
Filesize
180KB
MD5f1c1e02df031ce718924f4003e6e1b07
SHA16b42d340951796fcbfb12d6e5388e11e8ae790cf
SHA256dc8f026ff09ee3527563b6dc20bcf959ad852b579267dfc6ca1a221af59d724d
SHA5127464f131c850e84cc48615e35ce5934b3fe62c02951d5e0336b3ff5e6832d6a8796c55d7ff142c5821e449cd317dbf25155d3cc84d0b6cde5b630f2a24cae315
-
Filesize
180KB
MD55767c511646c288e9eaa6a5e23e89f3f
SHA1c482ce163a1ed19acda93e7b80ea90af471012d6
SHA256caf92227531184abb681ea917e7459dfc4484f5e80070f911db23b7fb98cfc82
SHA512568beaf384ced4cf6d7cc01d272f2fd8e4a5bba3ba9a2cf0ec343aba53a9d3cf06e3e01ed3a1eaede154d322c17e7bd97ef1cb03c84895931759557526463171
-
Filesize
180KB
MD5ea6fa35725000979faace729c7879dbc
SHA1c9cd4cddd709ed27518fbc8b506d824b65421672
SHA2569c0ad5fe01e88c8f27cc5ce821bda8c1014526ec3fb86d0801e90dcd24026422
SHA5125e49df6c4a195848139d98df53a11088d1cc5b964b22a0884e608309e8da2e006bf56e33eb765ad32dffc6d84df585aa197ffc6ad224e6b4a2f225ab7e931f5e
-
Filesize
180KB
MD5079fb7256e334244a1d9a8454d01915e
SHA133ef75cc8cff6efa49f610291bc64a2b9678bead
SHA256a2ec0f2946a65ebfe621086c049de90f06c6bdaf9aff7831d9f59979accf3c5a
SHA5129a1765d3c88b2ba257bad34ab8c42703fdae0a6158179e6941b137d6fb05db6663b15ac2ca7a61aa6f4af593a1db49cda5047b73b5c67365993822c1c95d2b98