Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
07/03/2024, 21:33
General
-
Target
2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe
-
Size
204KB
-
MD5
6adeb49cc9028284eda20e999a3f3ee3
-
SHA1
637286c68a0e0e6431451901b6a6ec657e1c4d66
-
SHA256
b12da6c471f9329549cd8028c28d640612851f53a2c4d32933ca83f51f4f9af5
-
SHA512
dab9406a1533b02c58c1ec2ec710320393c698048d2c9eb416c54cc9c599fb732589752e71d5592c199b437b34f711e83b3b61840f51a68b732fa839d0db044a
-
SSDEEP
1536:1EGh0oJl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oJl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-07_6adeb49cc9028284eda20e999a3f3ee3_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{45D65C0F-9B2A-4890-BA20-7F04D3FABE4D}.exeC:\Windows\{45D65C0F-9B2A-4890-BA20-7F04D3FABE4D}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1954CE0F-D2DC-4292-A287-149F16E4160E}.exeC:\Windows\{1954CE0F-D2DC-4292-A287-149F16E4160E}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BE6B5EDB-30B2-404b-BB85-2FDCC0B44F10}.exeC:\Windows\{BE6B5EDB-30B2-404b-BB85-2FDCC0B44F10}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EF590F94-C577-4b8c-B36C-AD02541BF39A}.exeC:\Windows\{EF590F94-C577-4b8c-B36C-AD02541BF39A}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1763C1F4-3ECC-4112-9862-381BB3ED7AA5}.exeC:\Windows\{1763C1F4-3ECC-4112-9862-381BB3ED7AA5}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6DD6B473-9095-42e0-879F-6F0C26B42614}.exeC:\Windows\{6DD6B473-9095-42e0-879F-6F0C26B42614}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5B8872C0-D494-4aed-A26C-31219D30FA29}.exeC:\Windows\{5B8872C0-D494-4aed-A26C-31219D30FA29}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D0E08CEF-4CED-4b5e-BD70-6FC579B757B4}.exeC:\Windows\{D0E08CEF-4CED-4b5e-BD70-6FC579B757B4}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{CB0E0F49-D1A0-4fdc-BB8F-2F78919FEC8F}.exeC:\Windows\{CB0E0F49-D1A0-4fdc-BB8F-2F78919FEC8F}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{24C1A51B-4732-495d-A1C4-1104B63B8536}.exeC:\Windows\{24C1A51B-4732-495d-A1C4-1104B63B8536}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{343DDE9F-E24A-40c1-8521-4D95300C1E13}.exeC:\Windows\{343DDE9F-E24A-40c1-8521-4D95300C1E13}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{24C1A~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CB0E0~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D0E08~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5B887~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6DD6B~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1763C~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EF590~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BE6B5~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1954C~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{45D65~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD59d3f9585e5aed1dc3b5bca02ba7cb982
SHA1ff8267e8acea59ed4a3cc8ad24cd2b563e680a33
SHA25672399f8221357860b5cf3a2cc937e73b1ffd9de48500e16bb2301795e7fd1218
SHA5128a7e9a45fd6ff8ce0b7d15cb2a19faa22c634bc29e3f69acee000f99e6976a232c5652bec2a50b78d045a51adf7c85b944d92c3ec9b197aada85a88ea4cfa859
-
Filesize
204KB
MD5b642756c0302b502dbe65a1f7ae32661
SHA1add322eef2446c9c10c78a828aa866f88f0b5b02
SHA256bc7aa7ec0b91fc474cda5bebe7df49b63cddc45b63e22b07afe908a39659b813
SHA512283f739ab537a8e88f552dedafa3bb1ee7bf76dc1761debd8b45b921ec6331ba0bf1e168c937d750b8aca4958cdc864a37a3c3d6e1781abb7e4597b5c0dcf9c7
-
Filesize
204KB
MD52d57a06f28438c155aeb315af7619ff6
SHA13f65225da51d902792c103409a444d87c9e869dd
SHA256c6eaa63f699d64fa9efbc8bab49c58eac270954327526a8e6fa15fcc92759905
SHA512a3a1aea5f029a8208f17e6e18a3f83854d1e318d78de83af2aee804fa0c7c9d158d24530a0a7846048dd36e378e42cdd6e91801048d05174c925330f1434b358
-
Filesize
204KB
MD5ff71ce4007eb12741505707ad602a78e
SHA1cbc3dbbb2b2465aea0eb1021a8996504eecfd9ef
SHA25618e1780660224dd6c9d7e1bacb57bbc7bb78abb889285966ce34f50c22e6bf33
SHA512f70b82ac319d67ae8ccabe7a6db8eed99f932b96461272dd1c08bacc98e7bcfabfe9514b201733408520ac55806a6056223c25ca2faf45e63f8478a2152de0c9
-
Filesize
204KB
MD536705002ab939ea7fc9aeada3e58a8c8
SHA113bb124b7564d4f735962fa33f82f729cdfb6351
SHA256f864dce142096532ecec8a392fd3869b8417292ac2d5f4336c41f26476a0c7a8
SHA51271bb20380cd1bf54d19c33e7c7bc08b47bfd601b0b3b15c1d5fa0e3f02ff21d0d58cf6e99a8b811b425e403e21d15b5af9dfd3a8b9c2922086e4854da295b2b9
-
Filesize
204KB
MD5693e1e5de63542ca41646cfecea43cf7
SHA1185ce6f0700a35fbf4e9339e8e64dae6b0998002
SHA25643828b4dc1d292cfd9fe7b47946febb961ff0bc40f9f73ee3419b29b3c8715c2
SHA5129dac1b225a2e66bcfb1e7c1a26fe6b9c27f39ab9b091dcb0221ae8130f97a79c3ba95f9a631ee344180b92682ab840066c9f09a20ec95a30108ea8c3414d8329
-
Filesize
204KB
MD586dd1ad19484376a241bf47036fba760
SHA1f20bd83e2820ac4f4b1f32d4105dbd7dbe60155d
SHA256f07fe0369310201dcfc999b466ec54548dbedcc2f7c5c16e26c42f010897ca5f
SHA5122905382a1e7ae237dcd1347164dcc918af1520badb6ecfa818b90ead338aed952d065542a880ce310783775607c54b7022c68bb1a0acce62ed9bb335bfe2b45e
-
Filesize
204KB
MD54fb40c009eaab0a2591ab9d2c5d3b276
SHA1daf4dd299702032e483ab9aac6432c58a1da2994
SHA256d2b99c059c8a98c7ba77d1255d4f5026b06120673f501de89a96ae46966fbaea
SHA512db6fbf2d35dce3bfa1991ef96b94fbb4eb3f47f6bd1ac45a35bb1e52ba5c0c280d5bf69b90ad78e66c333bc1b92263cedfcd8da9ec027ebd586652f0ddc53787
-
Filesize
204KB
MD54f7b98376442c0a92948a6ffaf53c036
SHA1ace2a0f94a0d01e64b6b2edaec72387f6d35bd7c
SHA2569d7c33e13cae1d405d3dde8a4fb2ed1e663222c034229bba8a93f381d379baf3
SHA512e5e6148b2e0f17fd1bea2f5193441a4a54fc8ae30565e24dbb15ec91444fd33b767b1803612f6fdbdbf41e43caa140f320c3d2fb63689c3bfcdc26b83db830df
-
Filesize
204KB
MD552ee5780a42fcce9267ec19eee5d2b74
SHA1070eff606e347cbb42e103369f6b9ae92bb8cb12
SHA256927edaa0026c14b03b77cd5e19a8bddacc1a444c640399252928bb7d1b7e5165
SHA51282e9b2ab6a869912b2f38e83620eaa7adc458f7640c2b730a7f1392de37e8fe8b1ec82990b0933389c9dc4001eec26a6e83b96aa38a19864c92802389cde7057
-
Filesize
204KB
MD542acd05fb831defd404f903aa71dfdbd
SHA1c7a56e39c6fce5bfab9cc4b1ec33146d013d40cd
SHA256e1607f782eeba9c9ec00b28340e31a7d61da691f33bf42e13ec7a0b974c65945
SHA512542420428f31d6105a8b68f14e78b4f3bd0790b51c96110d09eb4e78f11c6eb70a242562004eb5d52755b544f15f4d5481d39046f4dd38db60dfd24864250c12