Analysis
-
max time kernel
144s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10/03/2024, 06:28
General
-
Target
2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe
-
Size
372KB
-
MD5
3bd9098534fdb10761ecea97b2da5968
-
SHA1
b68349b58c12301a5191bdc71e002ab59a69f34c
-
SHA256
3c1adf7c9d36d074403ca088bff8bcb2f446291f68b58c37dde47cd94aa8a818
-
SHA512
a253119f247dd436dac033f0ba3b6aa9d6efabe3b70827a50acb649dd6c469ce138e615cfdafd2c1b89d2ec16a2e79d42011c9a82449243f15569e2e7e620adb
-
SSDEEP
3072:CEGh0oYlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGalkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 13 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-10_3bd9098534fdb10761ecea97b2da5968_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{60BC0436-8EDC-4f08-9664-DCF6FE0A0DC1}.exeC:\Windows\{60BC0436-8EDC-4f08-9664-DCF6FE0A0DC1}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B80EFDDD-6329-4883-A455-D93512F04833}.exeC:\Windows\{B80EFDDD-6329-4883-A455-D93512F04833}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A7BEECCE-FED5-4819-B986-B1D6A760B624}.exeC:\Windows\{A7BEECCE-FED5-4819-B986-B1D6A760B624}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{420255D7-9442-4a67-A23A-BA897CD0DCA7}.exeC:\Windows\{420255D7-9442-4a67-A23A-BA897CD0DCA7}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{138970E6-BC30-45b9-B4C3-C9108D80CBBC}.exeC:\Windows\{138970E6-BC30-45b9-B4C3-C9108D80CBBC}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{49709FF7-E921-4c00-A62C-5068B4EBF498}.exeC:\Windows\{49709FF7-E921-4c00-A62C-5068B4EBF498}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{43D9D7EE-48F7-4df3-8C96-7A3E92E0710A}.exeC:\Windows\{43D9D7EE-48F7-4df3-8C96-7A3E92E0710A}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1E627E0E-307B-4b55-AAB6-4A7007344BE9}.exeC:\Windows\{1E627E0E-307B-4b55-AAB6-4A7007344BE9}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{E4209BA0-073E-4b09-83EB-D7C67704276E}.exeC:\Windows\{E4209BA0-073E-4b09-83EB-D7C67704276E}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{BB4D48F5-5130-45d5-AC60-FD8727894A44}.exeC:\Windows\{BB4D48F5-5130-45d5-AC60-FD8727894A44}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{A25F326F-2307-4563-8C97-2F1327EEA31A}.exeC:\Windows\{A25F326F-2307-4563-8C97-2F1327EEA31A}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BB4D4~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E4209~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1E627~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{43D9D~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{49709~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{13897~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{42025~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A7BEE~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B80EF~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{60BC0~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD5f6744bd1fedd90a0a7ee9849470f4a0f
SHA10896360a05136308340753ca5ade6bfb0bb83d6b
SHA256b976fdc90b78e2d9954bcda11765a6aa5eb8fbecaba7999f318997842caf408a
SHA5124c4c95708c1f3aea5281fac87d74658b3636dda334af72e4dac79f5e817c621d04b19917dad4ea96a0299483fc9e33871b424c307b731287d939dc7a5320256d
-
Filesize
372KB
MD50c105e45f525d4977ca76f28ea189941
SHA129603e98a9249ab68656e070b882cdaee1f2d07f
SHA256464c3668f847a62ae1f279bbbf7ff576295cf7b92e61c1bb35bc9bc9972dabe1
SHA51245164275c7900211bf1b30c09b19a0349a93d107fd9fa39d23d2913e3b4cf09dd829413930c7204ca0eede4f3154f74b32b51cccb3a4c44b93447b1542de1ad9
-
Filesize
372KB
MD55b7abae453f97750c2c6b0e26540cd75
SHA13180e9ea93515dec37228fb9fc8f53143a381009
SHA25696bac2346a8faf6bcba2689fb893a7afa4c3c24e5705a7c3619cfdce0971b60f
SHA5120a45e121acbdee5ff0c571097527cdff505821d6b6792f33336ee613191681d9b88a7a105a7114feea8a9f9b50ef3efe9c5b0c50a18c14a410d6becc500b38ab
-
Filesize
372KB
MD561af4ceb14635e6dcbfca2e4d7749c20
SHA1ab9f6ea5db02c48101070ff1a855ce0a2bde9952
SHA2565b59932cd55d5b66db956901b0adfc6aa8d4bf326cdc627e50dd94fe6370cc0d
SHA51252be17a8c96b23bfbbcb77bf8de8ed294b6b2b8d85949f01e8270dcf44bce48b0879b39ed15e45184c6fdfe80643b8d14e5a74eb5243496d777f9d0b5802dabf
-
Filesize
372KB
MD58a02bafd5dbfeb5fb0d482dafcfc476a
SHA18882b131fda920d45f2408f1b341dcaa0b6ca9de
SHA25609fb08674c33c8d0f0dbd2bf5fe7958fe29b877456a1a238248d80bf844d63f2
SHA5125429da0fa3f9983e98350f6c17eb7b3657b6fe1aed52756c5b543f98f8d2d3057baec24e15d9eb6e5b3a84e7796b23dbb5722c942a90a8a2f691165c4738a625
-
Filesize
368KB
MD5000a53c40af583288f0f58e914db37d8
SHA1006321ea9d26801b04b1eed0c026ff0b1379dd13
SHA256b259e43aed22a6856bb8234b9cdf5e9f32a38061db060413b72a7356a614c503
SHA5120113c9b6f0916a57b68693b25102fae9463f965ed8068e606bd2f7414fcbab7259daf0715438f62f72033155590707993d58957286d51df2df54e5b5605dda89
-
Filesize
300KB
MD5d56bb6b1e2e05229aa7150d86ce37587
SHA1636aaa08347180c5d63030816daf1a3c12e03227
SHA256174eb37a582b848b67790c6ff4fa4137ac4ff1638775ebc25f55aa5e7c00bafe
SHA5122dc4c0a899e364cbc24968b9ba0d092874f5967d69bca4230e98d695e57ffff8e0334180a076eaeac51f5b1d680b2f1a4a787b38a945a327d5de1d777b3d81c5
-
Filesize
372KB
MD59b761c7e800b781d239a9aee0bd682eb
SHA1a102aa64bf68a1d25226710d44d4f5be02852cc7
SHA256d0c22227aafe4502dba313233b0ee811c84f3b3aebc90f2ecbfe1dbe9ff5efcb
SHA51249f1d5b28bc3014002befd61ba669531beb0d5a7a5188cc174fdf3a9883cea8f285db0e4286ee08a062a53d9ad517b54256088c646e550b92e203f172dc4eebc
-
Filesize
372KB
MD58c2db5a89cc7568c03c1729d24a4ea62
SHA1733b32e639e67e9a5a8e2e5e0ef1b6ad3676615f
SHA25683754dd2aabdc0a90599a90391f567f96ac4594cf98d1d32d26df2533cf9b4c0
SHA51221f1b9140c64875ae5a17c85b1e41f4791aab3fb5aa5a005e4b01475a84ad17270636c39bdcf9426a3cacad933835ceb0adbed134f3c8d0d9af9f5f49d17a191
-
Filesize
372KB
MD5a8a0e3b9f11093270615eb6ee688bc4a
SHA12de6814c48437f3efff46f670ad5c835719ef295
SHA25628bf83ff1c2dadae993c1c57995bac11b6d984fd16d44ce93b8ed1be1af4b85e
SHA512ee4b0b15534568883a3441315776c10489baa7b8a36d7940285e41cf5f008357aff55f3fa71396f5405c17be572aed51b9c2693b3259b1c02a921ec2f033d5bc
-
Filesize
372KB
MD5b04c5198640a6318bd250afd759a9ee7
SHA1daa627de6c46e70bcb676298feeb5136d9c7cef7
SHA2567af56b1d7e28424658fa13320ae2ebd8b1b6b06e5d01ef3e6c3aaba2fb6dac95
SHA5120ac576327f3b98140c08bc883a0ee63ad4d12429f34a215c2a5f2bd6eb3d31e012833bca91585cdd99d6d31e1b53bf9775491a03065ba1296a4872db80de8af9
-
Filesize
372KB
MD52bdc632d4238e1c2377570205695d2db
SHA19585897ff245cb657aabf3bd03fbfaa41849bce5
SHA256e713795bb687dce7fa7edce2e85ba1296e5bf74008e317ef8a242d12a35804b9
SHA512b0eeecd8d0f2d2cd4e28efa27b9b884e72d5b4ad2e190613cea50418aec6fee95e609cdf497525f240aa049f8cb70dafd6628c1d49bb3b7882b2fbb3d2504d1e
-
Filesize
372KB
MD5eb079c8845762681eff0d7ec479d298e
SHA12312599bca00ddf5ab4d922cc0d92a8371760747
SHA25660d39cc65a46338d0b1bf6ff8a9dd0a3b14c781c763335711ec03eddccfabb54
SHA51294410a109add3961db463c41c0d8790f80d722506247f00535b9e769c7becf7524031e639b170bbb7243a77a1df17b15edd30ed6bf344da58434f1cfe1e00016