Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
23/02/2024, 22:24
General
-
Target
2024-02-23_33175efecc74924a71e2f737d45f5c8b_goldeneye.exe
-
Size
408KB
-
MD5
33175efecc74924a71e2f737d45f5c8b
-
SHA1
77869c848a95cf1bf4c9a4f47be5df607a3d9383
-
SHA256
4e98185021c4961096908112456eaf83adce76c24155f2d32eff9cf630f93cdf
-
SHA512
58e51c9100c7e660686eaa8554a50d6fe1f73c9f9ef0e759c2171b117bdf9e458e243fc24771af6f25bd165ef24e2746a107c8af6f6dc5eda4b8c06bd2b287be
-
SSDEEP
3072:CEGh0oAl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGOldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
-
Auto-generated rule 13 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-23_33175efecc74924a71e2f737d45f5c8b_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-23_33175efecc74924a71e2f737d45f5c8b_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E286ADF1-34E1-435b-B17A-0D8811A14B88}.exeC:\Windows\{E286ADF1-34E1-435b-B17A-0D8811A14B88}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7F4D2DA7-9C19-4d98-AC41-A3894304C416}.exeC:\Windows\{7F4D2DA7-9C19-4d98-AC41-A3894304C416}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DD804E2B-5618-4331-8880-319F2D47F14B}.exeC:\Windows\{DD804E2B-5618-4331-8880-319F2D47F14B}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{74D39210-2ACD-446c-8142-6F87BBB10C14}.exeC:\Windows\{74D39210-2ACD-446c-8142-6F87BBB10C14}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A249B984-EE7D-47f0-95E8-A96F51BA081F}.exeC:\Windows\{A249B984-EE7D-47f0-95E8-A96F51BA081F}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{130E55F6-1C85-4054-A457-F349BF847F14}.exeC:\Windows\{130E55F6-1C85-4054-A457-F349BF847F14}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7A5C1189-F07E-4ab7-A836-9E06C169A48F}.exeC:\Windows\{7A5C1189-F07E-4ab7-A836-9E06C169A48F}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FB8382DE-7031-4294-8B54-44EED5489304}.exeC:\Windows\{FB8382DE-7031-4294-8B54-44EED5489304}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{086EE8B0-5186-4b42-8B84-020FD0DFD899}.exeC:\Windows\{086EE8B0-5186-4b42-8B84-020FD0DFD899}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{086EE~1.EXE > nul11⤵
-
-
C:\Windows\{3E396597-3C8F-4715-A2A1-2132E99F27B9}.exeC:\Windows\{3E396597-3C8F-4715-A2A1-2132E99F27B9}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5C4092AA-5AE5-4d2c-AF71-652896686D67}.exeC:\Windows\{5C4092AA-5AE5-4d2c-AF71-652896686D67}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{BE1BE0F6-7AB3-4a97-BE56-23FC1291F354}.exeC:\Windows\{BE1BE0F6-7AB3-4a97-BE56-23FC1291F354}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5C409~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3E396~1.EXE > nul12⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FB838~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7A5C1~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{130E5~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A249B~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{74D39~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DD804~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7F4D2~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E286A~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD55766cf51445343866c99afbedee5e2ec
SHA115e6abb6f0cd4d87cba37e11dc98ee4ccfd55c45
SHA256e5f85ce8ddbd1f8bdf3773768cf69347622ec45189865fb2ae50a7ce78b8726b
SHA512d95c29f2f02ee2fa7b0b21f1df36ee3ab91ff782c6d1ccab6e9f648207dc32199496edfb71bf529348f375eb0754bd9c0a0c996e236f1d14ec9c9fae332adafd
-
Filesize
408KB
MD51a1e7c4b75c53f70c6601a3fe7d5f349
SHA1c91788df15b18bc8aa3116f16e516bae7932dbee
SHA256df9670f0de0a26f235ebaa627420f913e48c4d9ca99fbade96963ae7498e3525
SHA51299694ff9eda4f0a096fd9d5c538b3a968629be5c85bb088672056c76c0f7238136a8c45710bfdf5b2ca81f170c9872e483ec69a9d68a640a6ef76054221535a5
-
Filesize
408KB
MD561887b540c9b5dc7e9ba655a632331d1
SHA1a313c3dc1540c288f0811aa6fcf6c585db8bef5b
SHA25632525c182a1bc117aec369737f6223e3807a502c40b36d895a2032ec6c0f8a40
SHA512a60d7d61e2cd22fea570ca4e201764206d76719b0eff55a17e0a14df620d2d47ebb7ffe77484d1ed1793475fa6eda2bc99fc097a43df42f704f1a4176865761f
-
Filesize
408KB
MD5d9893060ed6858d845fd8b0ad4ecb92a
SHA1b6bbef73114e0c740bad32af75f04d2bd2ff4de4
SHA256372a1165fff7a5f88a50a224e549ea5990ea971d3e5f5922499e4454f70dac7e
SHA512aa1993c8f33bb896f27d3eebcbc5409ef7a95f8634f5e0c4e4f0d429ef25f500178b92156479938957933e207e7374d0dc041c5d64a895242a3c851818586b50
-
Filesize
408KB
MD5cc7ce7ca59a61f02375f8e699a8ee0de
SHA10db9d3e226d834ed0fbe539780657ac05cf5e82c
SHA2567f384d59c498327296a7930935fcecd326a52d214b86d94c6d85847b8b5515cb
SHA51230591da8e0c9cc0a4a58ec25b6c9f8b724b0e72e00fb6fc6e119cc7db8df1d9d89bdeb7ab6a322701dca2c19146ecf7b223b9e905d3ae0f476657a7986ab8b52
-
Filesize
408KB
MD5a000ed8a99a44b11d9061396c57c864e
SHA14db164b93690dce19cfdb31925a5e4dc0d90bf7a
SHA2569a50470d818b5001cc36c120e6e2ba8b678180060c64b243c51b7781a143f283
SHA5123b72657992e0608f5c126245b28f3c35b421b9c636158f5fe66961428d0de51b6b4ad74f9e3a292038fe412ff96cc5b17da7686e475325285f66e9b3faede1c0
-
Filesize
408KB
MD54529b3e4f0b005073ae76a5e2d7fb77d
SHA19ebd25048bbb01c774abdbcb06f1231723e4c5bb
SHA25690aaa5b7155948496f2d512c416b59f6ef14052e85a0bd495cfa43e887f79ec8
SHA5129d437f49888deeb7ca55fd7d022c9a4c6a89e13022625768c0bc4f120a14d17dac6d3d79f4b587c4131b6151f91844daa6d756f50ebd14ef103de1d0408d4ce7
-
Filesize
408KB
MD55265e8767c521b9ebde6017c59aa4e28
SHA1c0ea03376ac65f3142abc7708cdb69d0adfa8c66
SHA256b79ad44df2c8707029a088a95723488312200825889e33d032f571680cf08a67
SHA5125f1763a19095e5921d46e321b1b8bb9e243b65d817c6d04802a12216ae6214e4227ee56d911cbd29d89cdda715556ef0122fe76276c7df22eedcf41ee6b93a31
-
Filesize
408KB
MD59e12014b63a61f28e43ea85673d9e63e
SHA105d57a42b9dc57b5c6c0470c5484cc343373c149
SHA256a5ee7d51c1ecf6ce91ad60d74735e06792a2cf988f634856fa0944529eef4dc4
SHA512a914b4354a98da96bad5029666c66d716ac2e7b7b022818748d214b03df5d26d666e621767dd0c9d0e8c9acd72c66040aaeb57e0a97801f8d2fa9d8f2e1ce0e2
-
Filesize
408KB
MD58d3b45d2a5ad6b0927d273599c0aa1f6
SHA1097c1f8153ef838242bac973b78e18803184d0d8
SHA2566dfd3beed3bb72559893718953b37b4ae570024e503c14a47fd2b57597779105
SHA512b30ef4e206dae3a5f58c0154187bb90217ec00dc1fe770813e5ce96ee852b8d893492227a021f1c3a18a3f483edf5c8229f8626b40cc8e28ed981a8858156c62
-
Filesize
19KB
MD595f2dc5ac1cf4a47cf6213c31563b2c9
SHA145e85fc4b9b1ae4840df64dff6bc9db1b92df70a
SHA25695a3012033f5bc37410d497173f10fd3f11f7b18c1e44a7fbe85fdabdef08132
SHA51276c8bb17121d861abd09d1000e438899ae2f32ee281f74df7c05a4ae4a63d6ec685a57f1e5d6d20af4d7bc48852ad739f9e7d0b5a456244d68b5c986877d1271
-
Filesize
408KB
MD50d95cdcf097fe226361f24d9aa208a2a
SHA1bd46f38273f905940c721cd85e11df44be7356d0
SHA2560d6c1456a82f7828201f217fc8a0f0b535302d89a8ab239110519815bf7dd4f0
SHA5129b85d287890e40c89d9d6ae47e168da9846342bf50fc3d24f65f085f774c1a19329874ea2a4cf0864e2b5c103aeae226286718ffb58f8fde7e42f81bee2a10ec
-
Filesize
408KB
MD520409b21d2357031e2887e4864ff1e93
SHA1a1808870ca84ac589aaa16d21820a65c8f5048ea
SHA256f6d2b040bc2d6f0f156e22e4a14ea9a130b5893debe11dc80f27e32c6f2b9f1f
SHA512a738df1b3fff03ec2e4cd9d036f238535c24284ff68236a6d86d39b826019c0ac9dd057941629f18af107cef0c55576cc83aa5084ed75154036f58249a5c113f