Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
16/03/2024, 12:48
General
-
Target
2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe
-
Size
344KB
-
MD5
e27a0a0b1ba49079e57afae075de9c57
-
SHA1
34d24e9511f097743831fd29e939a29700f81375
-
SHA256
84b1445750574bc4c5aff2a40f5c88cd953b66fabec1321f8ed08b46f1768fc0
-
SHA512
6957c89c48b366447a8a8d3dbafeeacd2342ee40b0b6f34ad38e6f5e24f4f1118c44000ed505d28d2cb37d499b9c0502f7ca7a727df78901295f451b0c44f3f3
-
SSDEEP
3072:mEGh0ovlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGJlqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
-
Auto-generated rule 14 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-16_e27a0a0b1ba49079e57afae075de9c57_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{65A7F89D-4BBA-441e-BFBC-DB2BD349600F}.exeC:\Windows\{65A7F89D-4BBA-441e-BFBC-DB2BD349600F}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{41B0A4C3-463A-4096-8FA5-8479B2B102A0}.exeC:\Windows\{41B0A4C3-463A-4096-8FA5-8479B2B102A0}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4FB990B4-2996-4c70-81DF-4C725B16EEF7}.exeC:\Windows\{4FB990B4-2996-4c70-81DF-4C725B16EEF7}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7DCDF6B8-0FA2-4b5f-8EDE-106FE76014D9}.exeC:\Windows\{7DCDF6B8-0FA2-4b5f-8EDE-106FE76014D9}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{883D8F1C-C7BC-4a09-BDD7-095856DE3E58}.exeC:\Windows\{883D8F1C-C7BC-4a09-BDD7-095856DE3E58}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{21CCCA6D-5686-4821-BEA5-8C2B92270244}.exeC:\Windows\{21CCCA6D-5686-4821-BEA5-8C2B92270244}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{92D05591-C1F4-4ef3-8CED-0ED1CF1D3144}.exeC:\Windows\{92D05591-C1F4-4ef3-8CED-0ED1CF1D3144}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BB18A1E6-3BEB-435e-8AEA-FAB1C84D2D1C}.exeC:\Windows\{BB18A1E6-3BEB-435e-8AEA-FAB1C84D2D1C}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4BBF26EB-0B4E-4301-AA6F-8A680543B540}.exeC:\Windows\{4BBF26EB-0B4E-4301-AA6F-8A680543B540}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8778E5F1-B81C-4711-A7C0-A0B29A98FA08}.exeC:\Windows\{8778E5F1-B81C-4711-A7C0-A0B29A98FA08}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6A1B86CC-E5F0-4b32-B769-5501B4B237ED}.exeC:\Windows\{6A1B86CC-E5F0-4b32-B769-5501B4B237ED}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{9ABB2D05-47A2-4025-A0CC-991FF5073193}.exeC:\Windows\{9ABB2D05-47A2-4025-A0CC-991FF5073193}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6A1B8~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8778E~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4BBF2~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BB18A~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{92D05~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{21CCC~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{883D8~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7DCDF~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4FB99~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{41B0A~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{65A7F~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344KB
MD598cfdc8dd4ff598b24bf84f2e098ce89
SHA1f845cafc8b0895e0b85f8d46f51b50d02f0ff711
SHA2563fd3e247e5fb526371e1bb01d581f6e0e4c06bb9fa18c2d16e079359d2a025df
SHA512c1aed6be8fae6ed7347969d827f72c0d11f44ab03874e5ac80d62c94f910a046849e67f50a6b16f76e142600ffa35f72153c1bdeda391ce3ad325238bb49faed
-
Filesize
344KB
MD5aadabbe0a224da6c80cbd2f9ae436aa5
SHA1d8c5292dc672b21060568dea6d9388fc72426e5a
SHA25627f9cdcb06ea8eb587000f213438b963d036a42954eff2e2b9912092bb0d48ee
SHA512f0cd7b50e63c270b750ac8f5421bb60498be2a427c7ed6a26601453629b5e75cc7e68c22c24150c8f5a2ce9caa7f9b6af380e973cfa8875482c104245cef7ca0
-
Filesize
344KB
MD5779d3f5d0e84b305dff3aa6b9cdabd52
SHA1f4f932b4c44c5f7725c3e59687767c1fb3b548c5
SHA256a940c7f1536110ca7b11b01c251cfba8a2f28d9c0fe4db0d5e5f7c7a652982a4
SHA5123e32da0b548a12e353214305d77d8364e56919aff26b9440b1230ed0b9f062d3ee03efc91c30a41105cb74f9fa659dc56ebd42ab9ed287baa03c91a0ee43064a
-
Filesize
256KB
MD50f78be301e9835f3bd4c1ae2c95fc097
SHA18b86c4d593952eb2d96e790c67ae4c51b8ab7d97
SHA2564a4894ef87fa4acf16039217551420c0d189f7ce82febcd461d34c1bf7b0f7af
SHA512bd49746bce538230c2958fa26a1fa46da5f5a1bc4a5a6894f2fed83e5f2def6a4c0bed8e352ac4e5a392209357a7c1aa349906060532f01cc0d00f0a3d8ad732
-
Filesize
209KB
MD5d0b8f1b99678caa3668499f71d4155e7
SHA1629d6dbc27a50cc5d6953f36bb4057fcc59d09a1
SHA2567680a07526f91893e063a5b89a2a60a619b84e9b3fb2d1ba0e84da5f288f85ca
SHA51222c1c284bad49fb285cb4a235e48ad3696b5ea6e9dc3ab567c5f6c284a2942e1d6309817653dc8202739a01810caf810af31cf68021a96bcb2aca1abaa8fed65
-
Filesize
344KB
MD57ef19e0a7f0b4985cbb7accfd076d68e
SHA194ab44bf0a00de3ceb49e77347744e8129404c28
SHA25622b69458defa18a0f89640766b350703a2074f39ba37e63a2b69f5875a3c0f96
SHA512fd9c902a6b250a8c412901d90f7d5a4cb9d67b3340cc736d08a51d1194e0de01c7bd3d3633162804ec980d6a7c70da01eba9017a8d28f01b66cd18530b600c42
-
Filesize
344KB
MD5ef58fd906f80f27c338c37fa8abb38af
SHA1947f103114adc3b96039381e4da08f3e0ab29561
SHA2565a379c8ddcc6430e20b05609e310c060652c8bf65cdd655c3644401bbeb73ce3
SHA512c7a3d5185afc33f837cc909a69c4e783896b4356cb78853fc3ba1655e1eb2fe7d446dad095ff9e6fbb1c6c68d62a5d9ae049e5bace750ab2f461444ea6283990
-
Filesize
344KB
MD5d6b3526d1ba145d7e0660a0c68e83411
SHA132b13330133c23022850e89169ae640286005095
SHA25652a9a2d0951c1aa208a7ef736a27fecfc01fd3ec84195b8c5061f50d25e94a1b
SHA51216cd45233438b42d0ae84d5375fd1300dc0f216d957453b00f31d37e65f1fe72320002c24c14dc404c2d6f3160bb5bb076ae654987c81fb0bee2c5bd57796e2f
-
Filesize
344KB
MD59727ffe657f5be0c78eb88fba0e2296a
SHA1817591d0617f5a6fc39eb8d972b4b0cb91e80996
SHA256029a580d1bf51d9e6d7dc832a0380bbebf3a3df82220fe5014b9d26e7da8fc09
SHA512ff94063889f498b4ccf8663828b82e7d7ed4ed6d0eb99f4c90d241f8e5cec941bf7d2fee9c71281a5e01fd6d907542725086aac1616a84570b2deac7c32f65ef
-
Filesize
344KB
MD562d3aaeb4c6540a7c2336b91ab4f8791
SHA172ace4b0a3f74e5d98949c823fdc7dc612f22e48
SHA2563587c89e598770ac50cacbb610c483f74ad61f9f54187b6f30436948083acc0a
SHA512400d4c1944587c5f62756525638d8967f2e1bc20fd3537fa48ef19cb68f7174dc1036bfbee8b839fc33fba29e86169b723153eb624dd8b17b5af6f8b558e7e63
-
Filesize
344KB
MD57baa941cd74121d0a078b1dac893ca93
SHA1f00e816d55369b0118141e2d2372a5dfd5141e6b
SHA256148b3ba5ac8837a4ba28a029974095b65bca51df4e41c505d95da771108e7332
SHA51204bb17ca10057cc375440f8c2752e4a2e0181651f37a52a812388dc0f245d5b73063c0304db0d785aaf5af63447ccab425865d9da3aa266c036f8643d86fc626
-
Filesize
344KB
MD550bd12f3313fbe5d94cf1633fe82b6fb
SHA1a770c3b57f8e3badb1cf97028e9e56daff4d888d
SHA256dfed87c1af3f327e30dd15619c464faf6009833c195b92c1ede8dea7256827b9
SHA51295c6d025a9cfa8c8a5830308d6c3ae76a61edfd6784114a40a295641e55bdfcef7c044edc89737d2f8565b275e32c2f04aa920aad332944f1ec5b25bacbcf758
-
Filesize
344KB
MD519437dbf32c5027daeda21d68194f7ac
SHA13b626388cc72a536c513fad41ab72a5e30d1f901
SHA256426c84d56bf1094920cd67f1491ddf03ace19a85e96e68f82d97d7e8fec0db7a
SHA512b631495be515eb4044f632455f5fdfc18f1c3e85628b8c9125b14ca4df9b5b5cfa1679d3968ee36e6e7f39d4b880b73cf35a04ec39f1413b938a5f0c68a30b48
-
Filesize
344KB
MD5588787ae078abfb2ce801fc4ccb4f5a3
SHA1516e7c2e79e85aacbe8bd0f69193722de4fdfcdf
SHA256e53f2e31dcfa891be1c28f53f9b22c92a5c3e5357f574e8e8d44f5127b931d5d
SHA512629781315ae7c2f6fd169318eb48d63b5f269f7c52a72a6c3cd63717ba1b3d2bd336f417fa963717bcadbce5a18b70eab83aa76dbc526191a71ff094ded544e2