Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
14/03/2024, 06:02
General
-
Target
2024-03-14_cc1809ea83b2a6765964d176a2733531_goldeneye.exe
-
Size
372KB
-
MD5
cc1809ea83b2a6765964d176a2733531
-
SHA1
ed2e45daac7b3349748d0c2bce51c77e95a7fb8b
-
SHA256
01f7813938391a5f29c8f297e6a439ddc4687fe80b0c119c256848a269368d8b
-
SHA512
e9bd7d1b0a330147acf243879870a046b64e74772d5398a3c12b760e060d01bc34aac5a67a109ba68d3ef098a3661addda625428c5263565efad3d30f2696352
-
SSDEEP
3072:CEGh0oDmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGol/Oe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-14_cc1809ea83b2a6765964d176a2733531_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-14_cc1809ea83b2a6765964d176a2733531_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E721494E-251D-4745-B765-78E8302E6A13}.exeC:\Windows\{E721494E-251D-4745-B765-78E8302E6A13}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6A459338-6FED-4f45-94F5-617853AA1220}.exeC:\Windows\{6A459338-6FED-4f45-94F5-617853AA1220}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{02070DC2-042D-4b2d-B2BD-A30F6ECF49FC}.exeC:\Windows\{02070DC2-042D-4b2d-B2BD-A30F6ECF49FC}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2BAF8C7E-EDB5-4505-A840-714E4A24292B}.exeC:\Windows\{2BAF8C7E-EDB5-4505-A840-714E4A24292B}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A5EE89F7-58F4-454c-8202-84EADAB7FD78}.exeC:\Windows\{A5EE89F7-58F4-454c-8202-84EADAB7FD78}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D5D06E42-8602-433d-9CEE-DA9C9400F95E}.exeC:\Windows\{D5D06E42-8602-433d-9CEE-DA9C9400F95E}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6C1F9C1C-637D-4a80-B85A-8E0BF2E6558A}.exeC:\Windows\{6C1F9C1C-637D-4a80-B85A-8E0BF2E6558A}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{30AC2818-5FC6-4d83-A45C-C49EEC6468B0}.exeC:\Windows\{30AC2818-5FC6-4d83-A45C-C49EEC6468B0}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{19166403-F0C8-4c9b-9C9F-B45EC7001A1F}.exeC:\Windows\{19166403-F0C8-4c9b-9C9F-B45EC7001A1F}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{1645E6C3-CB33-49b5-B246-9585445160FE}.exeC:\Windows\{1645E6C3-CB33-49b5-B246-9585445160FE}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{E084BEE4-74D1-439a-9A68-0E62EC3B0810}.exeC:\Windows\{E084BEE4-74D1-439a-9A68-0E62EC3B0810}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1645E~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{19166~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{30AC2~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6C1F9~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D5D06~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A5EE8~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2BAF8~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{02070~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6A459~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E7214~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD5f0e39fe2d40d5a37ec7484859a4d016e
SHA108e59fcc89b4449113f8710f74245b87b98067a4
SHA2565ca34f0e2585a3194f802ed15ee09fce875e52c51844c2eca541ebd610a2ab75
SHA512f87c7fc4c1d3b8264e09412bc3a16ed846f39495898d8bb5531c88013a03fb792d34bdd82a9c308413b2a779092d78b846476e7d3c6ea9ebb0a396027fbed4a7
-
Filesize
372KB
MD544551dd423e830cbb81e5a2e5339b2a1
SHA19115b080484caa82b704f71c1ef0a73cc297971f
SHA256947d7a3d3922f3d39d70c1875e6fc72488565e2ae8482879eb7499d535af81de
SHA512fe93386dcaabbf652af1ef5a901845b46bf8689f1fd1373421513e81f652b4b661ff91b8e87b58e962a682745766260ad2bac51fd0574dee7164035ce41a9416
-
Filesize
372KB
MD5cbc15eeddb6a4c9244b050bd2a5ef081
SHA14d94ab0cd1920b02beefa712f31d506843b89a92
SHA25658a11c722b40609765d836c5973c624f601bf91830fab4ab542dcb3eb201d76b
SHA51271313da62df4e09a317d6f9e278a8252a330e29578726dd72c17f03ded16f68705a2736ee51822beeb6edaf60bf06754a2e33e15da6ad251ee69c492bcc657d2
-
Filesize
372KB
MD55793809d26194bd65a00c12b6253a6e1
SHA14b434263a651963b4cae4ed1cd630ccfb19dce48
SHA256083e53d0ebcb00dcf495e799bfc740a26627d953966a05a6a97723eebdf1f832
SHA51214383dd4d85401447ce7ce36eba66de9f2c83c446592b7478e5345d59e188e25b879191b132fbc2f7f83cf539530f1e6eb7b70e1bc83a162cf9871b92fca5026
-
Filesize
372KB
MD566a401f51001d5103f5b0fc4696b927f
SHA16b75ca5b0ac1327a37a5becb4a3f7bd754885757
SHA25608d3febc314aebce563bba35b07e53556cbd20796265c09cc4c43a29b44d2aff
SHA5127fef40e945df3d50c796d73c41fc8225eccbf09dc3fc778ef20e3e533a85f970a943e6f08a20557bae7797c374be6a19b8c51fe4969e9cefeb5b3b60abac7134
-
Filesize
372KB
MD515caa0e461057e1db7fbf04de46343db
SHA13c04eba33c3378cadcd35b8874ce69c5085181c3
SHA256928ff7ca729cb06eb6773170edba6c21c31bc6b21fe866f7d72c9f30950c623c
SHA512ce049024eaf649c408786965a8c1217c84e9ad30d0a225bc98285c87b9a685f0b8d841ba7153388de5a371e07b0daf1a1f6060ff921f5dac9efbc8069d111d66
-
Filesize
372KB
MD5e166f42fdabd0a612c7599365d06c196
SHA17d180d83eac3ad1d390600f025a0c4c7703931a2
SHA25632d70b5ad9b7f6bb2a75a899e4340fc6586976812b9d0be5a6742a60691bd4f8
SHA512adad7dba20153774d5e860050565b45cc5c5699f44060ba1c0b695211c1d354ad2977879b0abb7088686edca7752adf4222ab3e63a7259c2eda8a14a549a7a0c
-
Filesize
372KB
MD58ac50933c58097841eea525fe53fd036
SHA1dd5723402e44eaae49dea33d3ff876ac1f374234
SHA2560254a629b600344b20180c3923724c48c3f3d8b6b4ebfeae467e4c88e275370f
SHA5121f4a7daba647941951f35ad144adc67686a895529a16e9965daf0578f6cda49f784d4820388b06a1a937f4e20066ead7424a7c8003558d9acadc079bf584fe3f
-
Filesize
372KB
MD5efd9a2fcd95014142164b8dfe03c57c0
SHA1f782f6c03a8d1b91f6eed269129847a915dffbcf
SHA25645a6ad903aec8f7051b530b6fd3172fe224273ee507c1c0e8c32840faa1170ff
SHA512f074691cd0978a2e1e2b2b1fda67a0c2d569965bd9967f60a11d3fe101f5d6f0fffa18c8c01ff81fbd7a223d5e38eb5bc6fe6af968524b044783aa95c396a4b3
-
Filesize
372KB
MD5cc5961e394556921dccf22cb48975bb1
SHA1c2d361d7e90db973123a1c49609d045158c038ab
SHA256109bc9bdc559dcd8d83094d6463b7d1c827707bc06cc0cfda5a42f8d74bb466a
SHA512ad8024b55e83fd0f6c945212f57aca182a8b87658aed2223b30cc6b4ef046fe1868d5887bb4bba3243aa4afdd7e020e6d6f19ae345e989530909820a309afb3a
-
Filesize
372KB
MD55e7bca7ec192223acc49eb5ae885b07c
SHA1aab9ed012b921987d73d3756ee1672857384d11e
SHA256916adf24f80e1c7e604e3a108a84fcff33d6fbd765ea76b2bd10afb35d870189
SHA512cd04fa6327bcb37344665833c0cfbf517a4c78d11647ca3651fa85168760432decd06e6acdca8296000b82c61b585e1905b533708af63eb4f15484de6aa22a4b