Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
27/02/2024, 18:25
General
-
Target
2024-02-27_093c1d93e46cd7e3daf2087e39ca3e91_goldeneye.exe
-
Size
408KB
-
MD5
093c1d93e46cd7e3daf2087e39ca3e91
-
SHA1
95577fc4b21aecdbc912d6213484d6fdfd9ca505
-
SHA256
d2420f525a9f6a8b5793ade7107108f78814ae1c0007c05167b2ac316b4fba8a
-
SHA512
b915e4dcc42a1c66774a01ba5ce03a3ebfc9edf8cf6ed98aae8106df79bc76d1036146f04d3cbc1be9a379ed514d678559e4b8555dcd76fb1bb3911c3f7b641c
-
SSDEEP
3072:CEGh0o3l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGZldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-27_093c1d93e46cd7e3daf2087e39ca3e91_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-27_093c1d93e46cd7e3daf2087e39ca3e91_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EBBFAA54-2B2F-474d-8B42-8A7500397156}.exeC:\Windows\{EBBFAA54-2B2F-474d-8B42-8A7500397156}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{20544271-E5C4-4b3d-BE59-39AB2BCFA676}.exeC:\Windows\{20544271-E5C4-4b3d-BE59-39AB2BCFA676}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7F567F9E-2C7F-4cbd-8CEC-73E91AA59966}.exeC:\Windows\{7F567F9E-2C7F-4cbd-8CEC-73E91AA59966}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D3C65B07-6470-499c-8B26-C9757BD17412}.exeC:\Windows\{D3C65B07-6470-499c-8B26-C9757BD17412}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{10D89AFB-5AF9-4d47-946D-1883ADB8249C}.exeC:\Windows\{10D89AFB-5AF9-4d47-946D-1883ADB8249C}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5CA9C093-7186-4897-B21E-11DB15FDBAE1}.exeC:\Windows\{5CA9C093-7186-4897-B21E-11DB15FDBAE1}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0E6BEEDE-E560-452a-B87E-7CDB3BA07D68}.exeC:\Windows\{0E6BEEDE-E560-452a-B87E-7CDB3BA07D68}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0065680A-639C-42c9-A5CC-9DD66D7D361A}.exeC:\Windows\{0065680A-639C-42c9-A5CC-9DD66D7D361A}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{DA7D5A77-3ECA-484b-8E6B-82E169C44953}.exeC:\Windows\{DA7D5A77-3ECA-484b-8E6B-82E169C44953}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{C372E424-CE1C-4bd0-8A5A-C3391C1F74B4}.exeC:\Windows\{C372E424-CE1C-4bd0-8A5A-C3391C1F74B4}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{4484E672-B6CF-4819-85CC-10297C8D81CA}.exeC:\Windows\{4484E672-B6CF-4819-85CC-10297C8D81CA}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C372E~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DA7D5~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{00656~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0E6BE~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5CA9C~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{10D89~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D3C65~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7F567~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{20544~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EBBFA~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD5001efc846c01b9b1b147c72f7d7c7489
SHA1d9b4c304594b6f22b5581677d0a4c3f0ed22f53b
SHA256ab26d0adef0dcde8e09f86f8baee7eb43013e5eb9f1c698d7f776c0836cf4c11
SHA512a5e266532a4913bdf1281bb1338bbe15c7af912c06d3337607c7c470b6be6a9b6c44722186b3475b7d1de31ca28a9549ee113b2af61d179760d899ecbb89783d
-
Filesize
408KB
MD5c9ae56b02152db597366da2ef641184f
SHA16f2a48f741a52f1d31abe539b2e646234773bfea
SHA256ec349daa9fddf8aa625006200197c6d790f60d0a1f3da7d763ba01ba56b35427
SHA5120768d56696b6cdb141e89c6969991022631f749ebb6ff886abe8fcb560aaaadcaabe085de1163e6d510625208e85f79ffc18e54660e33d14fda244262a35fbe5
-
Filesize
408KB
MD585183e40beb82b5e6aad722c04f3391c
SHA16d9d79dc6c268a7066d617d0534cea6e007419a4
SHA256ffe0a91e40ba673287f0c6f16bb0619dd7294e41748b8cb3cf6ce7198ab827b2
SHA512f0e0bf1744fb82f09eef954222c93104a505229a0c64f59fa8df5856c01ac93bea9f49db65558db1f923e8c0f870117a91a406ecd7219a53659833130064ebab
-
Filesize
320KB
MD5fc6c7d81e479bbd0c8deaa560b9f0281
SHA1c277d8faca2a7e21b38eb3e636e33d00cf6ed3b5
SHA256f19b3bcea0d6e1a61858a4350ec5a62ca79eea9ec8612960cb0bb57937ac9385
SHA5123d66c74c9fcda47ec757c448d504cf869fed09ecba8793d8387aa8f09ac273b508ef4c7380f5cfd03e63d923e9edad68af9baa4589880803967e7ecf185830c7
-
Filesize
408KB
MD5edad3bdf8d6a3d8a6927db216c76e081
SHA1a442bab867cc3a534c367673bc328aaac5a0afcf
SHA2562582c9ddc899ad545bf811187987ca61eb64ec7e0ee02a795867bb74bfd19ab0
SHA5127c5fb66bd59dcd82ee6256ae3c1506a2d27bb337bab49e06f19a9700cb7eda8621fa8f4176d21fcf4d78443252be6d9858fc74c426809bdb301cfa5a32e7927b
-
Filesize
408KB
MD5af50d1fba2bf2b46c8136ed6fbaf5855
SHA16585aaace0f862d0e88d54624a6ac386c1edc25c
SHA2562adeb9c3fc315e3a8c691066ceb2a9a6df072b8c07f22b899ce398393e31ca1e
SHA51241adebf55879930e313d6dd6ee177b1889fa0bf75ed70e93a5b585c3e838f74af31905a95c2ca6716e1c5c7f64a82f63e016f004eddf1c2ec24020afee892650
-
Filesize
408KB
MD5bfb1472ab334d3d6ddf112abf77137b4
SHA1c602c93d153018c42c6855c7bafb18b8aecc397e
SHA256424e2b450a632ebe1eb990d2e5c2f51a2ea268cc3cce77032174072be94b5a80
SHA512c3d458bcb8c0a43a42d569531c4522ca75fd00c85c342d0cba02e62488a6f0934a755f371434ca78c7fc9b193b11558b294887792754a3c647bb01911997a9c9
-
Filesize
408KB
MD57a6d8223791704ad2c3cbfd00aee00f6
SHA114857f52316bbc474b44976dac7d60913c84f497
SHA25656a0b50fd7b04aa9aeb8f6a156a56cfdb6190a0461b0305637739dc5c2919a6b
SHA5127452db5a417808f47ab723147a39a9f929b5ddab02cb9607f0007eff7fb8adfe88afa9b97f08774c54e7cd07f3f3343c112e13a6795c25f7b4b5152401cf1ac0
-
Filesize
408KB
MD5b28250fc350a7149c33e7c8a059ef493
SHA11f56b1ee83416630b16b414a3faddd2ed27ba9ae
SHA25659d896ea0be2f4c0ae6f6843a5696fa3807adc005efe30254e403284d9024f35
SHA512bbeabab922ce913d1d8bb7a1d92699f213b6d09a2a3c090673492c286ca0f1dfa9421c44d27ede597132a7c8ab5d9e6248438424eb5061082852468b1d20c387
-
Filesize
408KB
MD58bc6caa204d2554ac8c6a06130c5c3d3
SHA1fcd1c64b937f96f47da3f49bcb9c49de42d43d64
SHA256d9151d36bc0ddb2ebd8af2e3171f2002eedb287e716e2f7d57fa9b2c38dc4a1d
SHA51227c59237fc0b331ab8137fb1f36d463b8882f977cb0a12d5e4eafa9c0f0875bcd35e6829f06f575a67c6b884de149ebca7d25b489c6af8e91db02036d1f9f874
-
Filesize
408KB
MD5593009adef873ae19fecead5ac815ca5
SHA199657e612f2f4ab7fe2b9e723750877167384199
SHA2565ab63e95be24872ed073cf87ef775aa707dda9438e1ff75fa6721eb72e4c330b
SHA5125d6481bf6b165b49cbcd6bd1efb6700c61dcc9bf813ca02ce4a7852d4fc084f601ceec158fc83133e0bad9ed89ba6b3ef6915010cba2c019ed6d9ddbb287e77e
-
Filesize
408KB
MD5a9a0824004ae2c4494c2699f7f340db5
SHA119939511adb23c1ddc9a75c0c666841c2de473b3
SHA256428c2eec8a364b93589329b717c117a306fe76d0674a57f924b37ed46681fac7
SHA5129ab99bfcd58b2289858a04f268633e639dac15609774589032bbfd481dc966f55690d218e7c7317be1f88066260b5a03f6c13f7909e5809f834b7f64ea2555fb