Analysis
-
max time kernel
144s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
26/03/2024, 09:31
General
-
Target
2024-03-26_3de38eaa232261602b1553b86025cb6e_goldeneye.exe
-
Size
372KB
-
MD5
3de38eaa232261602b1553b86025cb6e
-
SHA1
f80c5cdc53e6d76933c0201868711144ae2149ad
-
SHA256
d65ec313306f57c1f4fad92126a950e4f1a1f548e48c8a16fb5522df3030d528
-
SHA512
c2e9bd29a9337312b9973c11d00ad4e58d97a471037c514918575c35213282454e8b5e886da8b0717578c372fbb02fd0a5f5cc1a137b11be94cd9896c114a9f9
-
SSDEEP
3072:CEGh0o3lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGllkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-26_3de38eaa232261602b1553b86025cb6e_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-26_3de38eaa232261602b1553b86025cb6e_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5F621AD5-D16E-4561-BB43-22B0C6E91C8B}.exeC:\Windows\{5F621AD5-D16E-4561-BB43-22B0C6E91C8B}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{ED3F700A-AD88-40b1-A7AF-3259531EEB8F}.exeC:\Windows\{ED3F700A-AD88-40b1-A7AF-3259531EEB8F}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{826A4923-12EF-4809-ACD3-6EB7A443C23F}.exeC:\Windows\{826A4923-12EF-4809-ACD3-6EB7A443C23F}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7BD83284-F1D7-49c0-AE2D-82F35F04F1DE}.exeC:\Windows\{7BD83284-F1D7-49c0-AE2D-82F35F04F1DE}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3BF996D7-0F32-40f8-85D1-C61DEE4DADA6}.exeC:\Windows\{3BF996D7-0F32-40f8-85D1-C61DEE4DADA6}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3C42DECE-3C3A-4c09-92ED-B57DB632F231}.exeC:\Windows\{3C42DECE-3C3A-4c09-92ED-B57DB632F231}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6E578BB3-7900-4cc7-B9A7-5849EC3B98AA}.exeC:\Windows\{6E578BB3-7900-4cc7-B9A7-5849EC3B98AA}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{53CD93ED-71A5-4da4-891A-08B2A802193D}.exeC:\Windows\{53CD93ED-71A5-4da4-891A-08B2A802193D}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{01AA3EE1-0A40-443d-BB4B-A99B6DEBA669}.exeC:\Windows\{01AA3EE1-0A40-443d-BB4B-A99B6DEBA669}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{E0A9491A-6D44-4f2e-B6A1-3152488FCA2E}.exeC:\Windows\{E0A9491A-6D44-4f2e-B6A1-3152488FCA2E}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{65FA90D5-3D6F-4f20-8937-F499877C2A1C}.exeC:\Windows\{65FA90D5-3D6F-4f20-8937-F499877C2A1C}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E0A94~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{01AA3~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{53CD9~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6E578~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3C42D~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3BF99~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7BD83~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{826A4~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{ED3F7~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5F621~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD55489daba747f3f69fa04cd11e1df0fbb
SHA1e98a6b1c2594df0d59c1711d1f8b9dab940ad9d4
SHA2563ad0dc50f950b2b9debac40a4f4493a9d0000e7b6adea6ff0164f3986f5a3952
SHA512dd378359ac99fb9c7176f1371450ff64df040e167e60f69be18b37896126611129b58759b50e16f8966772cce345fb02ac44d63693c313f8883d087f944f9879
-
Filesize
64KB
MD507114844c18e73bf772532367529092a
SHA11262ba9849cb969f6b352ad943a4a02f0960133d
SHA256f02272ced9ebe26e4acbd98a3bd376ad3b20d96363ba313f389d4544014e5f4a
SHA51263c37a08d75de86d33e54f11d5357afb79c6df9dcb47687330afb6cbe2a47cdc003d02679fde7a3c9fed56539911331111d3cec391e1aca390150935078a003b
-
Filesize
372KB
MD5910a7db67a83d03e3df5fdbeeaa2f52f
SHA16453f0269aa367247644f01a800699967a91b681
SHA2563060befae5209eea9efe138a86fb3c7c961c067c42136fa0504ee104243ce87c
SHA512d67a3f47c76cd728f8fef5f7054fe879da405eadc12217ca24637ebb68ad71cd38167a996975de006a0f1519e5a20af827e1ab50cc50702a32b546d4b925987e
-
Filesize
372KB
MD5035a9b7be613af2aa67570ca01c50528
SHA1b44c3c920430368aa00179845fa92ae31f10a8d8
SHA256acd801e8fd0cd55dd5416a494809ce60f74d191339ba70db13f18b4349edf990
SHA5128348e43fe07feb494026e444c2005ec2d724acd91d27c3d6118315598661365d2653f4842baa0ece7147ea60d83e9c81e2bacb8634830e07795541fb13f1770b
-
Filesize
372KB
MD54b69474795a6d9a361e8c56c629cf778
SHA13082d1a6a19fba3f4914b16583947c6ca9a88050
SHA256aa7a38c7397027616564183d68cdd6a00b78d8c21cee4f00a4a27f5218fb4935
SHA5128f37dbd215d0ea13136f59c01e4fa9c344296b065565865591b31175507e10e3f5bdfac58fe88e958652838aef16a488afee074945835aec8d2d2fa912421526
-
Filesize
372KB
MD5b82939cb2b8773b971f09e56a6588f35
SHA135310e1a5abaad689d63e557ceb87dd0d521040a
SHA256e44092b54712f0deb28f2bbf411684ff46a6ef4260996775435e04672804d531
SHA512f849b382f5d95b842b0531e800d6c477aacf846b29d44dd3189e05751fbb83f41bccbcf25264776cd0c7eac07198772b11a860c455b4ec4210a5fa5394d92a49
-
Filesize
372KB
MD596ba61f1a57ce2e9db9aa25561e004a4
SHA18a8d065a499a63ca0669c556b6eccce14e92a45b
SHA256f81d55a27dc707a40368da2556cd27a2a4014836989edc50145260f541440948
SHA5124bf3c8308083487f99f6928d55ab7bc814179300d2c7fdf140905da1e63007f4af8c257148e615c87d5b2635296cb935c56cc021a8bcadeba23e9c0b88c86410
-
Filesize
372KB
MD51019889d88d817549b0a3f6ee3c4031f
SHA1b3ea8610d378f7d31716596b945998e1cf003a14
SHA25634656a1f56321695ab406e93d4333e98d6a9dfa596f3f9b325557712ba4ad22e
SHA5120168c01e3dd840e79f546919a4fc304d0203722c62e6c5f5665d6ffa9c117bd6c9344aab8e3acafc25ea28ec6d25c58266acca5c53c2b65c204f3aa59c70431a
-
Filesize
372KB
MD5a8dc8636f02190f30570e74930ba2003
SHA1b02970f31da6d0454eab8fc299a05695985bfc59
SHA256b8e35a508e457cd022893556d634dfed9cf5f03c111ce0afae1c5b09b713d307
SHA5120cccec642b9798c892a8c0b09e383fdbd2bfa16c0bc6c6711a250e5dca93d629fbec5e0eb582f0f5019ad37338cde1b4114287763b3aebadb8ea59960e296f5a
-
Filesize
372KB
MD5dfe7a1c1eb61ca5f31626f4844c023b3
SHA1de68b56e4d4b1d7267ce25a7bc7a3d8f3208842f
SHA2564bffe70992c5b62275e0f70fbc40f87ae2b6b963c517b255c712e788b292a695
SHA512e7ff2e177eede78bb772b9d10cd6769196de93221520f65a7c23d0e21687bfd962a7c62f4f8578b6d7f35b24fafc26cee13e9b211575e49c0d93318e4825fbec
-
Filesize
372KB
MD5e17220505af375e3971ca34675c6aa2f
SHA10c30e7af553dd7985c018cb849435d27366f685e
SHA256f611fe484e2151a93f93b5a15de7ef09ab3e5584286ee57fe49b6354875e4e0b
SHA512f49ba6e9e676cceb968148607e84b292ce73965d72377abfe060cf629c3807ea8783af2dd2de8468aa509703fca189a428d2ee5ba7e35ad0e4ddf85e41e6b3ba
-
Filesize
372KB
MD5eeff16c03a0001a35ba46134f0285d64
SHA1ba9bd4493929a43f29f71cbb49e915269ab94ba3
SHA256e3134a2e0b8bc5179e5ee4bcf9091999f1833f9aee2db86c0f00585174526cbe
SHA512e291cf805fa95971d0b87848214f9a945609821250a7eda7f7d7c49a4d0ff0df6c52a310942bf2c0f9351d1535f95dbc676e7f03eac20108cf4b0abc28750dd9