Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
13-03-2024 01:44
General
-
Target
2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe
-
Size
180KB
-
MD5
5882a0b3a771c5512778086a71308eef
-
SHA1
30f3fa1293c814fed5ec7ea37deb47382aed5aa2
-
SHA256
916dc0627aa66dd412406916060575bbb6edd10d6bf591ac2974372b2620dfae
-
SHA512
83f1933ceb0c46c3dcfde88e698ce138fba0205f8c8dfc7d05bd383b688cc8812ec025a1cf8bca24fb6e0d995a725fd080781007c0bd57ee15fd5ffbdb781f71
-
SSDEEP
3072:jEGh0ovlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGNl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-13_5882a0b3a771c5512778086a71308eef_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7DE36CE5-3301-4815-B926-278B24B461DA}.exeC:\Windows\{7DE36CE5-3301-4815-B926-278B24B461DA}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2E498D7F-05C3-43a1-9BC2-E495B6878557}.exeC:\Windows\{2E498D7F-05C3-43a1-9BC2-E495B6878557}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3DFCE37E-C3FB-4d9a-BD5C-6F58AB1A0689}.exeC:\Windows\{3DFCE37E-C3FB-4d9a-BD5C-6F58AB1A0689}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{999F24CF-7D5F-4aff-9678-029597B64526}.exeC:\Windows\{999F24CF-7D5F-4aff-9678-029597B64526}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F8A167CC-2B43-4f51-AA1F-9E8ECBA9C257}.exeC:\Windows\{F8A167CC-2B43-4f51-AA1F-9E8ECBA9C257}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{29D40820-2138-46a4-8CEE-3FDF3E3E2D01}.exeC:\Windows\{29D40820-2138-46a4-8CEE-3FDF3E3E2D01}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{38388C94-D163-4f53-B5A4-524B619BE51C}.exeC:\Windows\{38388C94-D163-4f53-B5A4-524B619BE51C}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8694EDE8-9B28-41b9-AA3C-EEE3EA837A9A}.exeC:\Windows\{8694EDE8-9B28-41b9-AA3C-EEE3EA837A9A}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BB644FDB-9057-4809-8950-0BC9D8ED1B98}.exeC:\Windows\{BB644FDB-9057-4809-8950-0BC9D8ED1B98}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6A6A10CD-9A89-440f-9199-B86864564759}.exeC:\Windows\{6A6A10CD-9A89-440f-9199-B86864564759}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AA120540-3634-4e13-9224-5A0DA6411389}.exeC:\Windows\{AA120540-3634-4e13-9224-5A0DA6411389}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{51D92270-F8E9-41b8-A070-0FD3DA8D2FFA}.exeC:\Windows\{51D92270-F8E9-41b8-A070-0FD3DA8D2FFA}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AA120~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6A6A1~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BB644~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8694E~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{38388~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{29D40~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F8A16~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{999F2~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3DFCE~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2E498~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7DE36~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD526ecec6012a5432ec983784620c7b7df
SHA128d4e06f3d4c8a45cfbd4428b33f79ce15ec4f49
SHA256df815d7e3b08f02eccf1c89a40b4f8dddcb4b988e64afd37459cea062b3f40ea
SHA5126ae3e207a50abe8c626017a7adf3f58a86f8e975564d20c91442f88a9b21857f9166e4f348c8bb737c1618ba791eba732cee9f5b0677044d148e605594c8def4
-
Filesize
180KB
MD52cba2533e070a0c410a420fc90e479f3
SHA1f320cc60725343c1ec40a58a72f6b351dd8d524b
SHA256ce36351f626bf8c1f5e2e2a1afc60dec03fde607baf3f0657d06b4e2b7ac0647
SHA512bd7512717479424c7f695b745ac103c52b70fdd89994c0fdb8f621a63b6056fa4db5c33e556c42521d4692c841685f5bc261898246335c17f94a964b8b6f8eb1
-
Filesize
180KB
MD56788eb477ff3e787d4c6a91d0423bd44
SHA10d1ac0151d6e358bdbfe3c493fa8a5a959cb1ae3
SHA25630dfa9a21354daeac472b95590fb21aac1a531298209effc1824e4d32e340822
SHA512ee39e213da7174a4e33c4537d4424a4aa73527d70b748e27b29ced09bc0bda5795eca9884106b6b6c871be3d120e6916b5feafbbab45e44531c4b7dc894f9301
-
Filesize
180KB
MD540b47f588247ddc893501ef684e28490
SHA1f449147e3790ec7fab0df1d1e361585ee7cc8927
SHA25633ae40db9270b72ca8461191071955d1220b007f60b6e58167bf6868a5783b34
SHA512d0e5c22ec2ad0c50eedf3a672ca3241b4690607f5ac0f72fb301415ddc0eea6eb67701efcbf8edbca4634a2c1c6d28f9135298e4100a5b78e046c1bb6e547799
-
Filesize
180KB
MD59cebb9b212e28f3836ffc1a808134fea
SHA19be43020465e45c83e4f119f700237cfdc97114d
SHA256dbacd19fc1d744fb08c46580d1be220288d07a3ed0b66e18e0546196c3bd73a6
SHA5124041f948f6f95e4dfd2a228f1f76c1aa6990fc16739f4956ef46444950512128825d21093e4ccb090154042959dbb8c68b84e12563d6c11251de8f74b4578168
-
Filesize
180KB
MD52c1c1629a9255a40356f2855c7c3d1f1
SHA1b94d0c8f317f2621a1b6537cc8018d947bd82c5a
SHA2563fed20bf0f6df3c4b035f6a0982e5eddaf670deac80b7cd5966ffb387a22c7f8
SHA512cefcf7e0312c793d8bf58c63ea39b1af3cabe505acc77152b7398752a0159a265993b8f0cbedc7d7fd33d26eebd7bee8657c10df8071968fce31dcdd3d9b5922
-
Filesize
180KB
MD542fe5d19d30447b946699523a967ae94
SHA16138d5207e953b1d65006ddec17a82bf5c284b76
SHA256ab81564a1942a69fbbd1745493a43f8dff113d25895149e85ce302c52fc7401e
SHA512b97be41f326ed5a3e2dde025f2c8dc8a5d8633e8e3e00eaa0ca6f9781388d0715212b8af02d9be62319feb1300f649b3942295d9a24b576fa8a6e369ecf7fe65
-
Filesize
180KB
MD5d6a3e26782c03568c6e5b0d80edc0588
SHA126779e7888d0671467606d0a3c9eeb2c4e6fa7a1
SHA256e734702da21c0ca8b5a6521de7e7193984f48fb78b79fa684e4e6b76998bc8d1
SHA512e859f5a28c5e869975ae2cd523b92cf3c8b0061b86d9a8c8337912abb8ced5cfd74c8f6c46c2522d08610f20075dad0ebffc51a864752b8685f506a9c8b5c891
-
Filesize
180KB
MD5e7bc1de98fdfb383790b98f01b92e4e0
SHA198ced3fcf486146a3d258ba08024a92c9095fd4b
SHA256e811e954fab0c55f8d88389347a75507e70d5380d9b7177a065e7c6957c5788e
SHA512572ee285d29105ed582773e217fc0935da7955f0c86a217116eb604a643c6ea005c3733f4e61ba798f2463d8448ca784777b2986d6aa0d6e66c5ab77c2396631
-
Filesize
180KB
MD54ecf6056636ce73f9b5a255ef8eee182
SHA1a40904fc5e25978fe49650d27b39f60d51bd0974
SHA2569d77392a43906b9b7d37389e9759e7e7108d0369895489dd2b3029543e4c8caa
SHA512577fe3768c7c8f2a8a25a472ca112413b771ce0332d4b99c55028b2b37a554382fa0c0f14aff0410ee24bf19b717157d083e01c2aff9bf95bb11fbe1deae29b9
-
Filesize
180KB
MD5e16749e94efcf7d4853fe39ca34bedc2
SHA189378782e1dee9112bf4f3158b218276c453320f
SHA2565a10c4162236873e6aa7463d33bcdc43835de454ddb272e24e18594c70ee5fad
SHA512f0d06b83771b650334fc8f31cd4f63faf6e689286e22faea20bb65c18c649c714ebc1f6264dec75ed961a94d32bc25f20fa69fd0080e2b96d848a7c3b03f45c4
-
Filesize
180KB
MD59176f2326feb42693f272d23e8d8a913
SHA191f2342f7603b45db50b74464450ddbea1178fd2
SHA25613b0a6e13648302d0174488510bb2b37632dc92b6ee0e99ddc4365c7654e421d
SHA512f4417a37b5eec68c404bfdf1c2d3759f79c190fd8f486a07a8050943e0506de01293ab94ac76ec286ea5d2bb342c4bafb1326ff67534e5757bac567771c7698e