Analysis
-
max time kernel
144s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
06-03-2024 01:29
General
-
Target
2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe
-
Size
408KB
-
MD5
15e6527190928265146135e5a096a12b
-
SHA1
8d68f1f519f97dcb4f28f8c8bc0128e524996481
-
SHA256
ed2b610d2e804064a0445c3764790e1677bd8d476db0da7a6a2957f66d27b06f
-
SHA512
7dd806c5c84d3b3cfc3bcf2335b19aac46aa0fd8972f8ace2d2edd60bf09f92500b2301b8bf0a1253a05c75d60e0e795504e0be1bbc3fbd30a04616834bea230
-
SSDEEP
3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGDldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-06_15e6527190928265146135e5a096a12b_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3A70EF37-ED60-4d22-9D6E-A4D86B5E1038}.exeC:\Windows\{3A70EF37-ED60-4d22-9D6E-A4D86B5E1038}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A5F01428-AD6C-481b-996F-118E10AFC55F}.exeC:\Windows\{A5F01428-AD6C-481b-996F-118E10AFC55F}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6E6DC068-227E-4abd-8E79-06923F79C0E3}.exeC:\Windows\{6E6DC068-227E-4abd-8E79-06923F79C0E3}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{32DF392F-4BC7-4ece-BDE7-306429D67D3A}.exeC:\Windows\{32DF392F-4BC7-4ece-BDE7-306429D67D3A}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7FCC90FD-5233-4d7e-AF61-945E9395856B}.exeC:\Windows\{7FCC90FD-5233-4d7e-AF61-945E9395856B}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6E351B34-E4A4-4229-AE21-210005C223F4}.exeC:\Windows\{6E351B34-E4A4-4229-AE21-210005C223F4}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2D95609D-28B4-4e68-AF28-6D6E32F670A2}.exeC:\Windows\{2D95609D-28B4-4e68-AF28-6D6E32F670A2}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0CF594C8-A955-40ba-A4BB-9118CB140F0B}.exeC:\Windows\{0CF594C8-A955-40ba-A4BB-9118CB140F0B}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{BC1F2485-6132-40a3-8D9A-15FDA7DC5A8E}.exeC:\Windows\{BC1F2485-6132-40a3-8D9A-15FDA7DC5A8E}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{F51CD42E-D3C7-444d-BF83-EE33E83F763A}.exeC:\Windows\{F51CD42E-D3C7-444d-BF83-EE33E83F763A}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{D47B30B3-D469-49e5-9B68-2AA10BBFEADB}.exeC:\Windows\{D47B30B3-D469-49e5-9B68-2AA10BBFEADB}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F51CD~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BC1F2~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0CF59~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2D956~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6E351~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7FCC9~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{32DF3~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6E6DC~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A5F01~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3A70E~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD5cc89396b74a7f9cc19d2022444655b50
SHA15838668cd33da1b4a7216e113d6ac97bc02d3b78
SHA2563caecbf8a47a19a5971d747f9ba0de7178307956106ce6c164d603f9fd21ca8d
SHA51288bddc8b22212c786ddbe78962273a5505159699c0413c913b181fc53d69f62472fdf964e886aa492a0466f09190e39862ea52d3fd87ea4083c7e16a80f6f325
-
Filesize
408KB
MD5ebd044721daa756d4b5753bcec28217c
SHA1bd1ee6270c12d4328ac53839c2b6ca2f7d2931fa
SHA25663f95754a7c90a5c7e071e164fa7df39305fe63f056756fc979e38d37eb9346b
SHA5129f9c038a910296daeb70c5a84cd4c4751cb6e2f95945d72f7a53547034b94b6ee9ea52d0c21b8a1e4fbab2ea3a362df31cfc97f7748748418ed7f08c65ede771
-
Filesize
408KB
MD54ff324fd9d3627f1b5c2a329661d5668
SHA136bff1fafd58df092f3421dc146131579cc340ad
SHA256bb903ac69468508d8449522a44a4126c427573783b7a246a6707f1166daedb7f
SHA5124ae963244a22809b584bd35237da636b8fd59431e4fa4eab3e639e8c9688647dcc7b5ad445559d40a83c3a651fb32eab06deadb64877ec27622e761cd32d9f40
-
Filesize
408KB
MD592dddde45e6bfbf7f62a63124e05d668
SHA14151270754b2ada94a2684a305741ff88a770d9f
SHA25628a88a5f1fdad889bba71f886d33aebb3b035a1b724c094438f2a4fa84a6215f
SHA512fe274c95ef55faf0c8511f3f1f91a5188fcd87be45509ee1b992f023fd567d3d2a08c292b05497addd40d69c033e2c74a4a8b384321d4d4822600963a9fa4bc3
-
Filesize
408KB
MD5ee7230cf7502fa45fd6e6f331cd03e53
SHA164f28ef0ddd041722fd6cbd9ecd4094f697e4926
SHA2567436133cc05c1322e69bdd11f6336a0defdc6d71fa45c679e3211731d6b75ec9
SHA51260ad64f917f57672eac03ebe974d68ad9b2361201493f004893d2ac0f213d945e1a3b3043f425ba1609b9da1ae088d1896242983d918c74b703db955bf2fb499
-
Filesize
236KB
MD5df0c506d7c78da204dfbe31254c91ce1
SHA1d498545a182aef754598a8f16ec0bc64312153e4
SHA256ccf058da68af16bf95cfe4da066da8a6958ba28bd039642a7f850ee7f279283e
SHA512c8d3152719c8e98de215e7cb40967b7cd71a33367b938c7831178eea40de52f72001cd21da1a59cc6251cea6217a70cff3d3df2533b039c453c2aa56060b58bc
-
Filesize
408KB
MD5230ef4ed29317b244eaed888d3046bc5
SHA154a38e1a2bfacb73d97db2e0ac07fd4d0382bcce
SHA256c724cb7eddf8880be2e0a72b8e8105f1398fd7278d982b1f8c4df03e0d8b1379
SHA5124b7f9fefe7e99ce98ccac610e0700b48ee167a2fa5ad7a8aa5ea3a7a45cc5f915e149c432fdb5e80228779003fcd68d8d62c0b4f05067d5910ac08006b91bd48
-
Filesize
408KB
MD50a7c79561fdc5ba25c818f3ef624b6ad
SHA157f15ababea562c271426b8ad3aa4ad65e1a35c4
SHA256a4f844bd9c039d46b12f758501550269f63a2c8314b3147f2c65fd3cbf04219c
SHA51249ea58db17d8d3b6fb833e96d8bdc798216c65c002e7a0c2913c229153c2f4161c5d0fa0264818c3c68ad98ab7049e081e2d75a8fa0e9c55e25efdb00abc4144
-
Filesize
408KB
MD54b512accdb1e040bc7d8193b857f1e46
SHA1e56322a002409021cb0e13fe4d50c32d0dfb0249
SHA256f70c12f4c04bfd91d67eb2f45f3a5a346b2ce3f0fe66b225c605f92d89c66f36
SHA5126b43d1a8a7607ac1f1e3b86ae5457e7a88cac4b9ac5bafbbaea232952f2faa91d712af7a81d3c7023f32a78c8581f77b880ab43b1258f7461b203fc2d9e87a18
-
Filesize
408KB
MD59b5661625447c1c79fa99715d69b678d
SHA1153bfdbb5fbda1b7ec54bb2a607a9f2b9f40c154
SHA256176083f40c5f737b315da6e90923a21ca534b43cce5fbddff6d20486eafccd8a
SHA512faa010e124b86d5c7451eba355ad87414aafdec2adce05ee3db0a5319c1c8d17e8e1b41ee5164b170052d3444da9ffa51e9aeed47138b5ab9695c29cb51c875c
-
Filesize
408KB
MD5204e346a72eafe47e5e9f047022effed
SHA186c2534cb39c32b623f3f80f74d7881b03819f4d
SHA256d62ec197600da1d775abcf886f74e6f2e19ea3e393d26c3bae49537621939c64
SHA5125261b162eefa15be8efdbfe660cea0973d7bdb7a4bda24d1b71c10e8fef0783d21d2c7ce6b15d1b36ec4091b54e97158386aa4c06bb96f77136759784fe075f2
-
Filesize
408KB
MD5bfad3c9bfd399a39137723731dcbd080
SHA1836b44293e9a2b332d9beda25ba1384e6e149fd5
SHA2565064b087fcefd72ea57c6fa3ab44f78f09c7204272fb371d788bb0d2a2c09956
SHA51290c2e1be56c701f8a8ad59ec7ef2880d6faa45214af06e5c65064a77acc94b51376d67f0878730277634b118856dcc13ff783acf360f7f842f6f3edd070916cb