Analysis
-
max time kernel
163s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
14/03/2024, 08:44
General
-
Target
2024-03-14_aa5b4e69f65f4c40bb82eb38fbfa2884_goldeneye.exe
-
Size
380KB
-
MD5
aa5b4e69f65f4c40bb82eb38fbfa2884
-
SHA1
9281fa547640478410faf17ce58776d6f0dcf915
-
SHA256
cffbbea26e94db4d5db9a26d676f25d725268e6d4fe3c7a689aa297ac13f657d
-
SHA512
cbd9752cbd41ca4b0843a47d081f91b98cbc43049a48e5cd430f8882536e261723ee58acefbcefc23211111170628958c10c2adac6aaa2843cef6ea3a6d2cce3
-
SSDEEP
3072:mEGh0oclPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGil7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
-
Auto-generated rule 13 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-14_aa5b4e69f65f4c40bb82eb38fbfa2884_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-14_aa5b4e69f65f4c40bb82eb38fbfa2884_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4D777163-0FC0-4687-88E5-367E2B117EC1}.exeC:\Windows\{4D777163-0FC0-4687-88E5-367E2B117EC1}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{66E3E3F3-C749-4d69-A039-AB9BEF634FA0}.exeC:\Windows\{66E3E3F3-C749-4d69-A039-AB9BEF634FA0}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E1E244AF-B04F-4f07-AFCC-179D2250E416}.exeC:\Windows\{E1E244AF-B04F-4f07-AFCC-179D2250E416}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4DDD25A3-7939-4d66-99CE-74CF7C65D7DD}.exeC:\Windows\{4DDD25A3-7939-4d66-99CE-74CF7C65D7DD}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9AA4736E-22A9-43a4-8CD2-51925F573DD7}.exeC:\Windows\{9AA4736E-22A9-43a4-8CD2-51925F573DD7}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{48344F59-5917-4f89-B646-93EF15C57A49}.exeC:\Windows\{48344F59-5917-4f89-B646-93EF15C57A49}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C9A68BDD-416B-4ec6-8FF7-35D76E550406}.exeC:\Windows\{C9A68BDD-416B-4ec6-8FF7-35D76E550406}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{626CCB47-F464-4f8c-9FC9-A81F0511A3E8}.exeC:\Windows\{626CCB47-F464-4f8c-9FC9-A81F0511A3E8}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{FD85F05C-CB5D-4e82-A55D-C1AB5E427EE7}.exeC:\Windows\{FD85F05C-CB5D-4e82-A55D-C1AB5E427EE7}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{74E837A7-EDEB-4390-A8E3-3E08254F9695}.exeC:\Windows\{74E837A7-EDEB-4390-A8E3-3E08254F9695}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{EF1FD5B0-9E9B-4520-A06E-7EB78E4FC966}.exeC:\Windows\{EF1FD5B0-9E9B-4520-A06E-7EB78E4FC966}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{F2EE4AD3-295E-42ed-9564-E2FC05119E01}.exeC:\Windows\{F2EE4AD3-295E-42ed-9564-E2FC05119E01}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EF1FD~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{74E83~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FD85F~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{626CC~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C9A68~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{48344~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9AA47~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4DDD2~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E1E24~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{66E3E~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4D777~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
380KB
MD59809a81ac9c6913f6b218035ecac0f53
SHA11637c9e64cacb56674bab0aa2bf5515c6faeb329
SHA256e130f35065c8c13431e669e94bdc713c3ba2ca51fee9e853b6010468897cda89
SHA51221f552f09d326c7deb9bfad31e33441ccfee02b553c4bd3a3c7c7dc7a3848401acdddcf6bf1b778c832b5470dc1c95af6f70bd1622f7c524176053f6f4473414
-
Filesize
380KB
MD502091bae7204829d22a06f20a6721a79
SHA1fdb026e5bdabd96e97e936ee66fc5316a267d4d7
SHA25609e7e6fb3ba5b4ae8f41ce835d23098343705a8a04772db4f9c51f37e638b659
SHA512b8b881973983a37d4a2100dc8d740ad3d0a8a352406d0255a962f707b18829d9c53d0f8983a764130a2d520e9f5e9057f62109bf5962e6762f3223975bd2fd62
-
Filesize
380KB
MD5a30c28de98800baa2db163c542839200
SHA1d7b2245aba1cda47525855ce83f32f4fb728c758
SHA2563c0d69525b3655efe183f3f9a9037ee914d53d4a7b105906988d7298be15cea0
SHA51246d0cee67f0070a35abb0b28b6932fe60ccdcf1417b40b01332fdb7c1c65902dce21514973310737d25c8e928eed0c85b0dbc94a532fdbfe17a2cdec014cafc3
-
Filesize
380KB
MD5ac64607cf2ac9b03eda14048b70abb9c
SHA1121166912303df23375dcd0c73c7d9363dae84a7
SHA2562ae4ea49ed0a555d9d1b623be22e8080adf62b130664f6f8ec8661ee35627795
SHA51266a995b0335819363ed65536f1bdcbcb688be7055de7f969feea25e851ecd617d1b0d938a38c2a1f645df2998d08a5fb0c35eb7a5d4bcefd27f024188a2625a3
-
Filesize
380KB
MD590e02a67bc2dc8d0b42084a2f7a5d833
SHA134b9ee7a98e2d7cfef3b0490939a31c7d7f8297a
SHA25609b79fa16d1ece432558393066ab42635fb47d0cf3baade5c6c50d934e676636
SHA512fdaa7b8232a2258a5c496ebdcc63b3e506eb6a58e13cbb75426e7dd11a972365690547cfaeffe855c55e72610be19ba8b4e6f3f37bb51f0823cefbbf13e23730
-
Filesize
380KB
MD570c53a1e3280a452dd6509c43f285141
SHA13ac339da97cbe0f8ac66b3da5eca405741a68220
SHA256f7b358596c574737d2bde743bc6a39efe99e072c4e82d3eaca665af80030bac6
SHA512ddaa07ceb55a78b5c34a0cccf3cbda6bf3918ec1e380d29708173568a784f9fdfa76a2d0b582fe8fe77a659ba78cce73b18ecca6b9e12754fd9db284f30821ff
-
Filesize
380KB
MD5fcd1fefe92a589a5e64409e2d7545aa3
SHA1778e2a703e6e16ff170269a07dbe49daee167a43
SHA256a268759810457611886861f3168d1f5d0843f484de6b469f847475ccca953fc3
SHA5128a45cca8052b1a7b1ad2252b20c75c2920c8e7b0f1e13498a0410fde5374c3ceebc7966658f48a7325a686872609983bc4511ed9a888a27c5c6662e2e78544c3
-
Filesize
204KB
MD53dd206a9ddb76a70b440e7f2eb8d9602
SHA17397dcc72fc0c544ae1cf1fc33161bab711c2e5e
SHA256a92d2b4f6f4564b59c0d5a99bc80a39efcdf6a3fad9905d2d93b077a704b0dfe
SHA5120d19a0703b1aaac7249cd1f64fc27892b3be8348031b0e1a351f9e7f8969f97c8d8a297e468e31140ac97a4e1d38dfde09f8ccaac946fd88121efb4563af244e
-
Filesize
380KB
MD5d43822263e2343ea6b71e103dd7a4dc9
SHA165f3cf685a81fae86cbb67559b0813a141c6a0b5
SHA2563ebd32983646fcde88b68846180215e8e91dae20ebf574c897285002047fd1c4
SHA512fc66cb3d78d3984705914bab1646f2bde9288aaaec7763de2d992a34e4551c51424846924d891f1177aa0714160c707265b0f19675bb16ac230159053a99ebbc
-
Filesize
380KB
MD5687b75af6aac00e6a72da7c8ef1b5ec2
SHA117a3cb8a15d398f72b7481cde65ab3e590a5b42d
SHA256b92375c24b0a28b77f7caf5cc321cb604e007770d00691a2210963904d7c8f56
SHA5128ad3394a018af0e263cd1873b0891feb7c56e8924bf68372f85ee8fa4d2c0a64f5762b2aa3b0c2a44f0f9af948db73ab47dcf9212cf377cf5c73df53e4018d76
-
Filesize
380KB
MD504190fd10123ac4be4d77b2b5d3b2d3e
SHA1e9204809d3c651299d94b9ffc3160a16c431b0f4
SHA256791807d476f6b0414a33eb68ca754a94bb4a20df1a10be8711f9447c42a91205
SHA51245836c5752d67a967caccb164780a742713e0aa84bd6406d537918d887e7b0e78436381f4905f62d3a678c789a52950b218d84e0c68aeb8ef4e7527c667df410
-
Filesize
380KB
MD52f8df0fd9f7242e7d5d67e62b80a7d39
SHA1cf8f1a703f5613f058f0fa23506fe6e9072109c7
SHA2568e8a1c98e1370448129b1cf36e4262ff076fb80fc058e8f58d424100a1d7981e
SHA5125471fa8a6763d05c527569c1c48ac325af2da5aada897a7204804868057b93ca19bcd3dddd93b0d8c850417754443421b3c2e707df9124743cded66b6d16e520
-
Filesize
380KB
MD5c4a43be6a869947aaa325ca8f33b5859
SHA1be549165af76950522db12a283264b27eb4f3dd5
SHA256dba492005fbc585e466d8be31ee2cff1b4911507200d71adc4808e1035439d41
SHA5127bb0cc1bfa285b58f3245cb348fb4bc28591e8c2fcc22cd218a4ff4776078a1c40a8139303fa497778c6a8b242722786e66e53eaef3bbb1c684941a598ff5731