Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
28/02/2024, 04:48
General
-
Target
2024-02-28_48f617d048133defdaec5b7f3cb6f825_goldeneye.exe
-
Size
180KB
-
MD5
48f617d048133defdaec5b7f3cb6f825
-
SHA1
c49ee179007f0f4475656f53ef0dad90e1a6b6cd
-
SHA256
c96a0e2b9d22663689fbef648ab360ff6af804b8854e589398d02f810fc43493
-
SHA512
64ab64bd156c93f534a7a958bda2fe27bc91be8683195fee69a60b63d0438d516c7ca264ad8157a162089f2b491f262db2ad7e65c31a7e90d32540ffa965b674
-
SSDEEP
3072:jEGh0o5lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGfl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-28_48f617d048133defdaec5b7f3cb6f825_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-28_48f617d048133defdaec5b7f3cb6f825_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{882E23B9-DA51-4960-B117-D033B2213067}.exeC:\Windows\{882E23B9-DA51-4960-B117-D033B2213067}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5A06D301-03B8-401a-B405-5AD3E9B406D8}.exeC:\Windows\{5A06D301-03B8-401a-B405-5AD3E9B406D8}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5A06D~1.EXE > nul4⤵
-
-
C:\Windows\{A8FE231C-1B4D-491c-BB31-18D24C36B05F}.exeC:\Windows\{A8FE231C-1B4D-491c-BB31-18D24C36B05F}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5C25BA85-F316-4ff2-B7E9-3949986AB56D}.exeC:\Windows\{5C25BA85-F316-4ff2-B7E9-3949986AB56D}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8EECED37-C4D1-4a75-8D48-C52A5415A7D7}.exeC:\Windows\{8EECED37-C4D1-4a75-8D48-C52A5415A7D7}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8EECE~1.EXE > nul7⤵
-
-
C:\Windows\{AE3A870C-A4A0-4b41-9EDC-111E4A1E2200}.exeC:\Windows\{AE3A870C-A4A0-4b41-9EDC-111E4A1E2200}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BD548F8B-72DA-40c3-B082-B213C6C7DD34}.exeC:\Windows\{BD548F8B-72DA-40c3-B082-B213C6C7DD34}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{229C9870-4DF8-40b5-BA91-0BEFB4FC0DF5}.exeC:\Windows\{229C9870-4DF8-40b5-BA91-0BEFB4FC0DF5}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{229C9~1.EXE > nul10⤵
-
-
C:\Windows\{29AAFC97-34D2-4dfd-81B0-21A03CA424C4}.exeC:\Windows\{29AAFC97-34D2-4dfd-81B0-21A03CA424C4}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{EFF07CDC-1504-4142-A32B-F523296EB278}.exeC:\Windows\{EFF07CDC-1504-4142-A32B-F523296EB278}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EFF07~1.EXE > nul12⤵
-
-
C:\Windows\{DB77AB90-1E2F-4f88-8845-94A7B7F392E9}.exeC:\Windows\{DB77AB90-1E2F-4f88-8845-94A7B7F392E9}.exe12⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{29AAF~1.EXE > nul11⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BD548~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AE3A8~1.EXE > nul8⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5C25B~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A8FE2~1.EXE > nul5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{882E2~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD53c41b64cb192e9a83732d5fd9d461f03
SHA1ebdc4bf9449164e2128a1f59cd3ae24bdfebd6ae
SHA2564ad1add67a68141a0df721707b2da997b08ad955e20d7efd858a366d047f72b2
SHA51248fefa07bb8d0c2d8b112ab4fd93fa7abb9e063feca49750460447d910a534e25df0371f24164368cd24fc4bf3315cdf5dd1a63c0b9874881cc07dc27d9b57be
-
Filesize
180KB
MD50ce8afa663f2791024205e7bf7199e73
SHA11b738c289c1782c35885e3fb4b7f81e625e64211
SHA256c5a9b4b3e6c663ba38b7aee01865786ba614b1866d5979cbfd973df5eff9c2dc
SHA5121d700abe7145c2186e81780708fd62a1bacd4685cb3d2d11ca5c17bd758f538f236543508a6bd30fc8b0d9e20c079005309103b77269cedf81f2a950cb8501e3
-
Filesize
180KB
MD565e6e045cb4e0dff97c72ef3a94b024d
SHA1f7d3532704a69fd98acea5553ffffb9a5cb03ba0
SHA2568a3badea5de3993f8a2e6bb45d010a3b3ebb229f14c9f841db796bacb5f602b1
SHA5126dc3d14ce3f1467b07716abc1a68ea06734a512e19763a89e28c4fa526ff92b54c0238730831e6f5c3f2809a4cd583a94594425f8040a10d3734a0c9f3fc0368
-
Filesize
180KB
MD50e65b5cc3fb5d932c5bd5d6fbe176430
SHA1837fb31d1211f9fa125e1ba7f1cadf390c965f97
SHA25687acad6d76fb567c2b69cab1cf79e0dbb656576cc19c37cb93b4a6c2293a39ca
SHA512008af7242b12eaeca0242cccefde24a2292f710f4d7644946e5e0ae8f6c8788b75371b84e4777fc3f23d0bb2e36efeaf3171863e0cffc13472c516f41d891bef
-
Filesize
180KB
MD50181ba5c74a1de24fc7897a3d7592a72
SHA17049dc6b71ab07b7fc869d1e96bbd07cb42916a4
SHA25672b01181fc589f1e0256844c2ef86e21ab5ac9680c508cfc127138243c0c895b
SHA5128186bfd9b08ac8e3ce57a3252e8fe31f2a27428efd02ce185951c6519ddaa272b85d0c6a1c19882fe45b4dbae782fde9a021bf465f678444242920546825f4e3
-
Filesize
180KB
MD5f42e636792ce4ce16209ba1d8b5e1b14
SHA12c010afb6765ec459ae40059e54f3a4180db0916
SHA256281da9d555693ecb077c85a354802953866a19a3f634cd3cfc571e4614a52d6a
SHA51275e9807d0d5c75e2829fa0a837844df62dbb5a627788540807cfeafa0fb11df8eb7587d61194ff01096dfd6ff28b19e2b2740fd7cd0c8c022309a05a1ead7e21
-
Filesize
180KB
MD538e4d778ce6e8a19626222d0f37a5049
SHA10701669ec16a72ddf083a344c96b39f2ddb4b765
SHA25627afce76c649cc671adade3a3288ded58ed3463deef2ea942d64f88834f147fc
SHA51276caaebba77abcb1ef837e0a9350cad9a21bdf60bdc4e6d4585e2bb9764a3c1901e3a1f277714190dbfdd4167964e20d4bfc26393aee21615cf2b31eed4ae880
-
Filesize
180KB
MD5273615e0936093576460ae5fe580925f
SHA1197337a3d7eec50f6ff4ecc4b37c92efcce2787c
SHA2569dbe109dc72a84a4ecdec9aedc75b1c82647601fdf479061a112bfce2f9a618c
SHA512845e5e06a03c6706f3fac8314e28fd82b6f4b0a1e2cc472295dae6f017b6678597d3c2763f1a670eec4d509b0a38eda05e56e11a767764ce26502a55526bc918
-
Filesize
180KB
MD5e64e8f5389b006ad1194abc6b2f73773
SHA1f485bd4c30dd05cc8dc2c09ee114519ff438929b
SHA256a0ba58d1ece359d86c8a4a41a273e86ee979b9573e7cec944bbd31e22530b6b0
SHA512053bba1644bbd8252c1fc29480e043417b925bcb6c7cfebb084e800a80c60932a1be56e440f8265762200484d62da95873a719fd7252717d081307ce9e941396
-
Filesize
180KB
MD588c05cfee4222f19aed2df7ec77ceeae
SHA106dc1b07dd53c8ad5a179c044918ceef93dcf5c4
SHA25685e3f9084d8c21233a98aabbd10a6e47e17b22f22c31a0634f97227593eea71f
SHA512c151a39edef9986b62c30ae13fd67a4cc98c7a25195ce8cb5bfc4eaeeafde8936311c0c96f44363ac98dd6ec966b9f35754bc04f19dc652984333f0112bb20b1
-
Filesize
180KB
MD5a022b7b2f490eb2b00d084764bc241dc
SHA116a8ac153fb3a23c5234ac8cb7c687a2c0780c43
SHA256547fd2d30774304f92edf0fe38d6bd425bde5f012c171bb8327eb427a1255558
SHA512338c9e6e8a3c69e7053450f60d3e09e065afcd93a96b25e5522ed2c9fe65bcba086de587cea63a5dd7b14d4d711f713f06b3ff2c653062a1ad14d170246eadc4