Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
13-03-2024 00:29
General
-
Target
2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe
-
Size
204KB
-
MD5
4ede1f20c01989f6fc2afefd1c7fd0c8
-
SHA1
9fcb63da846cfc5b37d933a77819758806c123c1
-
SHA256
0db813dd449574cfd56b459480a155167338e8f5e19a5ab02c8335d98be295d1
-
SHA512
37db6856dc67475166c05a86eddc8582789ad3227d3e15d1abfdcc005e3fa305373a835d99264ff775804db758e970e689a16369e24892145b54808eac17a460
-
SSDEEP
1536:1EGh0oKl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oKl1OPOe2MUVg3Ve+rXfMUy
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E713E96E-0F6E-4693-971F-9B64995124C2}.exeC:\Windows\{E713E96E-0F6E-4693-971F-9B64995124C2}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B97086D4-A090-401a-81AF-08E3385BAC59}.exeC:\Windows\{B97086D4-A090-401a-81AF-08E3385BAC59}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B7E94D2C-20C3-47bb-9C0F-E73EF016335D}.exeC:\Windows\{B7E94D2C-20C3-47bb-9C0F-E73EF016335D}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2E8FB1AB-BD88-4337-B539-6F07ED19C4D6}.exeC:\Windows\{2E8FB1AB-BD88-4337-B539-6F07ED19C4D6}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DCF4320A-CF14-4ba8-A839-B9B6D7384458}.exeC:\Windows\{DCF4320A-CF14-4ba8-A839-B9B6D7384458}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{12960F67-10C3-4d1e-84E0-84192D29CDAE}.exeC:\Windows\{12960F67-10C3-4d1e-84E0-84192D29CDAE}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{44959D66-2E68-4387-B7FF-AA4151A4CE73}.exeC:\Windows\{44959D66-2E68-4387-B7FF-AA4151A4CE73}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C614DD44-2EE7-4e2a-B071-274BD7B53A20}.exeC:\Windows\{C614DD44-2EE7-4e2a-B071-274BD7B53A20}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{95DF550D-B1D6-4c63-B9D2-B92DA8FC3C31}.exeC:\Windows\{95DF550D-B1D6-4c63-B9D2-B92DA8FC3C31}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{8F54F69D-6386-4f69-B875-DB48F34D4137}.exeC:\Windows\{8F54F69D-6386-4f69-B875-DB48F34D4137}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{380BD3AA-EB29-4cb9-A7C1-8D4895765D4C}.exeC:\Windows\{380BD3AA-EB29-4cb9-A7C1-8D4895765D4C}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{57195892-CB3D-43f7-9EDE-16C1A2E57146}.exeC:\Windows\{57195892-CB3D-43f7-9EDE-16C1A2E57146}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{380BD~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8F54F~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{95DF5~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C614D~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{44959~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{12960~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DCF43~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2E8FB~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B7E94~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B9708~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E713E~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD5e60bdf6836cc8e6114988a3c79e0b5b4
SHA1e203978702d9063fee0f85de17d6d3e65fa3d4ec
SHA256d76b0b7dddd2c08bd224f0a261e71d35436b1fdfc8d20365fd6a113ec5589911
SHA51213bc3298a74f337c6cfb456e76a67d57debc791ee4c2a42fe4190e1ee09a8e4545017a9d7038af3bafec8e522aac99a2c134cad3bd19a214f6e3f85e3e75958f
-
Filesize
204KB
MD579bf74bf62bce5d694e828bc14ca6a72
SHA1ffb0851fe2b7ce3196eabd5d8b4d08ea3e2f13ef
SHA2567512592d3cd9776a29f89dd837145906ca89a0f8a137f385e2c0928ea003c6a8
SHA512f42bffe327e58e50310b227a0acf4a0189fec89ba7bf95979c667c69e1198174d703f2134ec0fc850b24033c5e4f9e2e86e3952dddfa6307f9bd3d018bfaf237
-
Filesize
204KB
MD5487a5477265c6b593d46dafd295e1fbf
SHA13551d7fd8c5fd6e0475d2c92c64730d1700a862c
SHA256db294645065f24f04c02cf0dc4ac83e65b3cbde3daa4eb3730760fa2661ba9dd
SHA512c34d42e7c19108e6d27f0fdc0641656fb0f2cc83284dca0704261a998cea38cd4a7d76e85fc2269663745be0d6635a8fc11222943eda37326442552a79b98dcb
-
Filesize
204KB
MD58d5da1f62b2895518f8e2b3231fa6fc0
SHA1b6cc8ff6a0043b8ddcd47079217dacb3fc645ff6
SHA256c5b128eeca295fba24f56bccc5309a1765167c3d165ad37765c362f72f1d934d
SHA5120d8116e349e191e09d07f86d1da1413d48222899c1baf8b364bdaa2af29562b92d4f62ef6ef7c7a3e27c64da5d99beff01bf098fdb326d164ef900a77f10b278
-
Filesize
204KB
MD56cc3d30a07ac1d2f64fbb727dabe3afe
SHA169736ab73673b36541a8c3f46fbb5059d210cf6d
SHA2568f847ca643a0d3a67ecb031e49119ccd29605f0e0568856a091249121997f4d0
SHA512256d857f7a0450b3810229bd5a1c9e77d53f7c7f7e0808c0dd0391c499238b08b1e663ef24ada7f96b6d61716e6665bcb9b9fca916f3fbf8865048d65eeb2489
-
Filesize
204KB
MD5c27299e1b104f10f43c8ef949bd4a633
SHA1d6ac4018fc7a4f68cae735e8b3315a1e0045e6ba
SHA2565ae8a280568cfcdc8f5f6b8b799640ef4e61509dfa19edaabcebe572f49d4573
SHA5126f3846706f85faaca86072e8c99027a09e147277c895568e92f0ac48fb2fe6df4a2fccef7678b1a2ab7d4b235b1802719755a6e0c687be6f3951c4057ba3e312
-
Filesize
204KB
MD502d018dc46b6850e2809ad3fb7c2266a
SHA1c44731c96af75d1a7f339d1af9b392af275d351d
SHA256dffb3dca76d61f9e054fa151f84678d62df869e4df65c14d4891f5250988be4c
SHA512a0035f0e23b506db84db7db047e0a2556974d17f2040e50c70c8dd1b77fe19e65aa2dc184c01d70cdd3d550b4027575413f4e9f961dd058903216ac102b765dd
-
Filesize
204KB
MD5cef411c047a02de483004446f006b536
SHA1bc8b52f98fd2bd0a0188e25a67df491d0b04759a
SHA2562fe5d0798ff46e0d5f5f05c9973484ad2cb81fa89b421b0ace19895149b6368b
SHA51250fb2372eecf6cfea073076bf922ed60cf8d903f62c96b2100a2a957c8423aeb782ebad31aa16a6a3e90496110c32d174a54aabc8521475ecf0c64502fe12932
-
Filesize
204KB
MD56d2c704b2e8d2d005e97f57dba3cb80f
SHA1432bcf1e54d929efcb8de770e351859e11171cae
SHA256047bd11cd672dd86d03e831611591333a58be837649f7030cbf858402ac53539
SHA51287dd2c13bfe4e706e44f5f9c002870eb7aa4dbc8656b61d9b731f127cf5f762d107eb6449e05f2a7c60436fa31e5b5c3bd8892f134ebe5e4286edd1f52efd29a
-
Filesize
204KB
MD5e7f409837889cbe62b5ace32dbc92080
SHA170d5ae7e7ef3adb081a98af922874d9453dd9686
SHA25686fe6af9f196551984ac00bfd44528977c7ddf7843190eb8b1c31b91d40a3b9c
SHA512e2791f78ab41f67d544a4acd4008eac4e41f3dcc251b9587bf48fc2f49e3bcfe6c46908612306fb63198eab3aac5521f7ba61956de139ddcc6534f55029154dc
-
Filesize
204KB
MD5b0f20363fb0be47d73ba90e8d5cfe08e
SHA1adef420844478e97a5aa93d426c23701ddd35cc5
SHA25672846b6584058e9491752fb35441c5544a1dc5ec1277b6c9a86a27bab6db8a80
SHA512005ec0b461747a451a33074c80cd4e8e12d516d62358b5e5336fb89c99e3f966831b6ca2566e03ccde85ca6bb7ca98dd2fe3dce3dd946d27edf6e978d92a8c78
-
Filesize
204KB
MD55450ed693fa1bafe7576da79c3be33c2
SHA16d829fb0df207d3a9396035ab3da54b24bd58eae
SHA256500162ce43bc40b84a4361424215eee8f73447b5a6e44654354364e36de3d628
SHA512624e458273e08fd1785314fe17e988fa8551ad2cc1b104d0e691b61cb8d08f2cab62d17de01f6ecbca57559e51c0095bc3b0ff6663a577441494c984b990cebb