Analysis
-
max time kernel
144s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29/03/2024, 06:27
General
-
Target
2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe
-
Size
372KB
-
MD5
a21859979d0c14c0b578e0d17d02e1a0
-
SHA1
37aa9875b3265454ee2741c6ed61d2829a57c12d
-
SHA256
cf53726f2a21abfd10b84bddfed1dfb5e2e01317dbfe69103c3946461e0fea74
-
SHA512
7d797a6745dc9eac9d596facf1191460f790dc187fcc52a10dc4894953908a50cbcb3f11f244fb1373f4f0d4e1fc0c39d377b70d45c4fdc17fedb9429519a2d2
-
SSDEEP
3072:CEGh0o7lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{03156149-AF2C-4dc2-B4B2-D111BD485C05}.exeC:\Windows\{03156149-AF2C-4dc2-B4B2-D111BD485C05}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1ECE1C8D-FA57-4ade-9027-E00DF794905F}.exeC:\Windows\{1ECE1C8D-FA57-4ade-9027-E00DF794905F}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DBA85607-C63B-4c40-82FD-D985167BA393}.exeC:\Windows\{DBA85607-C63B-4c40-82FD-D985167BA393}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4B8EBF7E-4492-4d0c-BB83-0C91161BBF00}.exeC:\Windows\{4B8EBF7E-4492-4d0c-BB83-0C91161BBF00}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DBB9CC29-5E52-453e-834B-70695819D0A1}.exeC:\Windows\{DBB9CC29-5E52-453e-834B-70695819D0A1}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0FBE46F1-73D6-4a84-9F33-22CD3928C227}.exeC:\Windows\{0FBE46F1-73D6-4a84-9F33-22CD3928C227}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4970F132-596C-4e47-9661-CED35FCF084E}.exeC:\Windows\{4970F132-596C-4e47-9661-CED35FCF084E}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{514A3013-97D4-4279-B71B-FF07FFD5C9EB}.exeC:\Windows\{514A3013-97D4-4279-B71B-FF07FFD5C9EB}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{B17DEE02-7230-452c-BB3D-FE4F5C8E5FDD}.exeC:\Windows\{B17DEE02-7230-452c-BB3D-FE4F5C8E5FDD}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{7C0F2122-769E-498d-BDDE-7A62F04F510F}.exeC:\Windows\{7C0F2122-769E-498d-BDDE-7A62F04F510F}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{5110D4E2-C617-4a6b-BE81-C6353C03169D}.exeC:\Windows\{5110D4E2-C617-4a6b-BE81-C6353C03169D}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7C0F2~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B17DE~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{514A3~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4970F~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0FBE4~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DBB9C~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4B8EB~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DBA85~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1ECE1~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{03156~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD532b9075c3b752d61d23aef4381fd9beb
SHA1f0b718b189880e690b1216d2a4063ca095570aa5
SHA25690e4e0a20ef5cea33b8235c80deaedcd5bfc4de4bd00e071f87a4897a4f87bea
SHA5128bc91521d1f60b2a4e0793233b773e753cda85004fcbaa2704d6cf4484157ba207b3fb0ae18b4c5321e6ffc1afa0253696624e03a6dbed118bc7e656debd8a54
-
Filesize
372KB
MD5db006b12c1601ba80e1aab6c0213c5ad
SHA1f688c6210481630fa7a5c8f323d3042384b1169f
SHA256edeea820c64b2e0a4b14464b97c6ea2b87fa3ead57e1efa542d5865f8cd05f2d
SHA512de4ff07c9d790974d9d2a9e1797202fdd2973b467d5c42c0dd74fc16466976ab7b62b3b4f296ffdffbb4a09732c4d23b7e2d8fe821315ddeb9f431ab3c4082db
-
Filesize
372KB
MD56bee65a7e612f9e6c06ab516115efd21
SHA17c4903c20b65bb404e96c7e2f3e6f9ad38dc61f2
SHA256be4f225780a02442f10a25bb3c1adbeb3afdead7bf978318c197ba06b2a95d51
SHA5128380461f01e8b176144d0ab1f1ea14462eb44389ab26f6fd63c1e92e077caed0cf9a8b070498b21dd652cae3bbfaea189fb724c9a5c3effe3f5ea35a0212c9c2
-
Filesize
372KB
MD51d497c3a27a07f27149f729aecb146e7
SHA1224b08e8197a1f83b791fdd057f5678705c23bbd
SHA256f09d2666cb9cc3790511c69fea0b9e86e7cfb4d0ae96f355dfbdf133ae704488
SHA51219beaa4e780ed92ed948ab52684f25f24fe6983946932310d313cca5d1526c906708dcb34a833d54b7fdc9d94b556860013871441ec2439a83cb8306ad23e900
-
Filesize
372KB
MD5d7c9a3b2871b0dc8cd7b2565c6532946
SHA1a02b8edf8c30f8000dd86bf5ce59b8d856e6905f
SHA2566e06f0e3e594e461db6b1aa84bab3df5f48c94ffdb2ac3625ee5bdfddea2871a
SHA512100623e5d9ab24111c6c45a2754b1c128102d1fa436a306f1aeb4fe2e7514537c38b5458a2197eb4e2d873e18cc06d34376c31e7769b7c07976aeb274737cdee
-
Filesize
372KB
MD55450b995d8cb69e14876ee82b6e6814d
SHA194a02808553962343c05cc69dc1616116ca99f81
SHA25632e5415e65a364b55769a5309825bb9b596e481b4a1067c9680e5984410d1bb3
SHA512e5af8ad9a7bfe5c58877057843db7ef6dd9b21907d563937358acd82c0632ab04e31276f1fe070c6b9161cbdb19924ce58042845499b1355b253d734277fb893
-
Filesize
372KB
MD514fe44e7e30c16244e84bfb5890ac98a
SHA10849b306d50a6b3b989d7dcf899c0a6676ee4324
SHA256c298aebf5dd1ca9fd7fdc19dfdd85399b14a7eaff8ba3c73d266f8e9949a135a
SHA51273bc086e080f5f4967baac85f5d10f2e6f3b1c19cc0ef94c30933fc7f8831f1ab115931a9a6c6b1595f439b8ce34c795991f795c3f3d3cd861d605aec71d4c91
-
Filesize
372KB
MD584584cf5e5a4c6f74a605b745a5af276
SHA1088c18071f05522a916924ed08758879058a91f9
SHA2562442b6e4e465760425c3f39229cd70349c0cb249568b2358b2fc10374eef5420
SHA512eda9a26c4fee0816a4f7065cf4475b8b385eceb1bb64d96e1d3ad90010d779d7157c105beba214f2ac580bcac69fc8d95aa1fc4d0404a13e7bfdfefd5ae40368
-
Filesize
372KB
MD557dd740006fe998ac467da15f58d5ec3
SHA1dee1ee071de718c4a2486f1ba6c90479cd9a9245
SHA256d4977bd20f200381275fb1d613820c58a7dcef4815feb4ef9a74019cc4d5bf93
SHA512ddd63c86d5554623fbfa7f21de1404a799404ba6823522d03664ff624428a88c0c6050dc69d6d1b481e0a02726370d8dfaef1daee8daf665aab657104f66e957
-
Filesize
372KB
MD5a176868b2032313640c02791139a1031
SHA1e7d4aa696a0a277c59ad6d7da5869c5f84391e9e
SHA25621c43b334f5db0213abd9dec0a1f5486e052db324bd6368104772b5f1401ae40
SHA5127ea0e37bf0224ac46f21df4f29b72dc2c9b746582f933e36b75bbd21365d12fb9e6dd123c6e7fdaeda26a4b7047bd6efce023daef9f56350f58ad5d2c9a086f9
-
Filesize
372KB
MD5db6a69fdc09bb1c55e23e4efcc91ca16
SHA11222158a2f67e61c8e962c402f3ee46b68cd4a62
SHA2567a0f11356365ca6858c2cf3dfdbd290cc957cde2ea4e8eb2fac800ce1954762b
SHA5125d485f64917624c5a10c34eeae96decc39f39bff421f9fee81526f2aebdfc847b6b4f2233f82ad54b2b167a3a8abc5cb485a120e0af2396505f60853cac26cce