Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
05/04/2024, 00:48 UTC
General
-
Target
2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe
-
Size
168KB
-
MD5
3d938cf1cf3819b7ade33ae44c0af079
-
SHA1
78a46a9758095990867ef2dea90b88decd89ce80
-
SHA256
ca812f3efb73d71f9bd9009f9499574193a465209cdc1fe8df2234793d0bf812
-
SHA512
5752345fc39307675e18a49519c42b455a6b1f9b9f092a4e0f631fc4857939166cbce00eeef54721cdf3a3bf626ef2cb8381cff97083c4d5fd3042a971225c95
-
SSDEEP
1536:1EGh0oXlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oXlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-05_3d938cf1cf3819b7ade33ae44c0af079_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exeC:\Windows\{14150FCA-F0A2-4a6f-8B36-F648F7FA4D1D}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{488AF874-0767-4316-8578-CBCDABFBB111}.exeC:\Windows\{488AF874-0767-4316-8578-CBCDABFBB111}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{049AB883-A0A0-42e8-A986-40B688539F37}.exeC:\Windows\{049AB883-A0A0-42e8-A986-40B688539F37}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{482489AB-931A-4a34-9CA9-EB60454F37A1}.exeC:\Windows\{482489AB-931A-4a34-9CA9-EB60454F37A1}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CEB39379-322F-419f-AC18-92E94F36C2DD}.exeC:\Windows\{CEB39379-322F-419f-AC18-92E94F36C2DD}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exeC:\Windows\{937BB5B4-89DF-4abf-9EDF-1CF8EC8F909D}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{478D9E42-3030-4248-A2B4-A2717C211022}.exeC:\Windows\{478D9E42-3030-4248-A2B4-A2717C211022}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exeC:\Windows\{494AB0A6-C19F-437b-A079-76A6150C1DA8}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exeC:\Windows\{2BC4B758-9895-4e3c-B86B-0F2E3EB23876}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exeC:\Windows\{C3EC2730-19D7-4c36-871C-09BC5DB1B395}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exeC:\Windows\{3A320539-B5A9-4745-A0B7-FC128FD663DA}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{0A4F60AA-C145-453f-B13F-F234CE006DC2}.exeC:\Windows\{0A4F60AA-C145-453f-B13F-F234CE006DC2}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3A320~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C3EC2~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2BC4B~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{494AB~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{478D9~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{937BB~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CEB39~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{48248~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{049AB~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{488AF~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{14150~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
-
DNS28.118.140.52.in-addr.arpaRemote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse -
DNS44.56.20.217.in-addr.arpaRemote address:8.8.8.8:53Request44.56.20.217.in-addr.arpaIN PTRResponse
-
DNS14.160.190.20.in-addr.arpaRemote address:8.8.8.8:53Request14.160.190.20.in-addr.arpaIN PTRResponse
-
DNS228.249.119.40.in-addr.arpaRemote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
DNS183.59.114.20.in-addr.arpaRemote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
DNS18.31.95.13.in-addr.arpaRemote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
DNS172.210.232.199.in-addr.arpaRemote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
DNS99.56.20.217.in-addr.arpaRemote address:8.8.8.8:53Request99.56.20.217.in-addr.arpaIN PTRResponse
-
DNS240.221.184.93.in-addr.arpaRemote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
DNS30.243.111.52.in-addr.arpaRemote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
52.111.236.21:443
-
8.8.8.8:5328.118.140.52.in-addr.arpadns
DNS Request
28.118.140.52.in-addr.arpa
-
8.8.8.8:5344.56.20.217.in-addr.arpadns
DNS Request
44.56.20.217.in-addr.arpa
-
8.8.8.8:5314.160.190.20.in-addr.arpadns
DNS Request
14.160.190.20.in-addr.arpa
-
8.8.8.8:53228.249.119.40.in-addr.arpadns
DNS Request
228.249.119.40.in-addr.arpa
-
8.8.8.8:53183.59.114.20.in-addr.arpadns
DNS Request
183.59.114.20.in-addr.arpa
-
8.8.8.8:5318.31.95.13.in-addr.arpadns
DNS Request
18.31.95.13.in-addr.arpa
-
8.8.8.8:53172.210.232.199.in-addr.arpadns
DNS Request
172.210.232.199.in-addr.arpa
-
8.8.8.8:5399.56.20.217.in-addr.arpadns
DNS Request
99.56.20.217.in-addr.arpa
-
8.8.8.8:53240.221.184.93.in-addr.arpadns
DNS Request
240.221.184.93.in-addr.arpa
-
8.8.8.8:5330.243.111.52.in-addr.arpadns
DNS Request
30.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD5634c25fcf0d7c47675c86d0cdc4e02a0
SHA1b87af5cf9ef3d54c69ba5549a78694020552e437
SHA256d5852a6d64e9dd33815b6cdaf42ed095a05d9ca224a498bc695a9bd37b3065d2
SHA512e4440f01c3968eecf878a24e23aa5757292ed58ab515aa5db42153a4290c4036e4590205bb76c9fe812ba24f8e3ea37c6f72137230f60b06c527ed68927bd130
-
Filesize
168KB
MD5cf707e8a97e18d77347770aebc3a7b1f
SHA18ff3fd38dd27e6a1abd82ade062c8c4b17dff763
SHA256e7fba89cdbde356e89cf73e954260dcd0fca38f82a82d0cb49ddf5283de7bf09
SHA5122c010c4a8dfb1174ea29f07821246520023fd32686693463485d7f43ae9f1166a6b34c9323f40c1f323f4ced7406b6f9df8e07e48dd540758f898d09a091c882
-
Filesize
168KB
MD5c3691b3f31363790909f9672b1d45ee0
SHA10f5dafb21daaa94b9051913e3b025f3337681c15
SHA2563f7dd7046e5588c5a94f294866cfa54940f9d670887d203e5c9dd2bfd99cbdbd
SHA5120aa4d316ba53006278d1d169a1cac4d587358c87ba4d79cdde584ace05b8935fc4c3f44735c0319bd15c480d5092cf0f9968c26aacf9416d26f5051ac04ee583
-
Filesize
168KB
MD5ad1409a6bfdbfc105467dc53888c624c
SHA1ef11c38fd42b66a22062f0363b2538c76b95daf9
SHA25640f744f7bc084f001d087eaa19b66450be10ca453f06cecf8db8099f3ce1f2eb
SHA512eb7ea3973dfbdb2eb86e886ab2055c2c8ff381ff71b45b2b3e5b0023ce973853ebf9c30d9999bdb2bf0e1362290a6357080d5b58318964c011b6de5f05431926
-
Filesize
168KB
MD587ca777dbc4309c9c416d038ff0e3e76
SHA160f312dd68b31567758bd49205b9cba235787799
SHA2563a2af05145caf11fd451733b78c3e6bad2a0f11046887836376b57e8a9be79e9
SHA512ca6dd02b95819b6fda36dbdbbb501a6d0ac4a70884bf0dbf8337657536df0df647c919b5a02855c022d9402c3f126fdee5ca3704dce0c0d4bf41c5d36c82feb5
-
Filesize
168KB
MD5c70af90672afbc8cc7448898a0a19484
SHA1860b1382e6cf92cb3d103c875b1483ecad8acfe1
SHA256dc844dc649f3a09be2632f0e74ce75456afc6cc7c91b64d3081b4d60ad43dd67
SHA512a72e8531917059848f807c7bbdf76ab56549b29a8f71fe0aad74727898d9711d46c084faf7cef3008afd7b83bc2906b3fbe3a0bcbad9307321323ef188053530
-
Filesize
168KB
MD567bec0f3fd9781ef5d9834c2807a68df
SHA1ea3dbc4507baf3454de1f1fbd52c0a106c7a87e6
SHA256d2528120aa473ad1e7d31cd183940e26071a9439664bf3ea6231b79b004d5a6f
SHA512cbfdcd068539aa420816fde5d3f25e685cf0db2e9f269fa90a83667fced3300ff01cc234596a2a31750bae7484b2000e839fb33f1d0a956f01e21728e5d223f8
-
Filesize
168KB
MD52f9f5379fdc3bc2f0a16b78240f51e10
SHA15e1d772aa67431f18443659fab4725dff0fc0bb0
SHA256163985f31080f4e37cf67c6cb8dfb59439e0226487864f45241e0bc477799d13
SHA5125eb3972329c074e556d313b78477a2ae5fdf8035cd4fd221c04c5b242bce1c1d1f7a32c36a85427698efc5b608ec2a3152ff27d99c93876f23195a91648e4161
-
Filesize
168KB
MD58d4493a4245e8063299c2d30d198a544
SHA186748c7a141426171008905304262572c9dcb63f
SHA25656f90175325b15068a26e3901ab794785e35660071ff17ea41610baf026818fa
SHA512280040f479e1ecb6bd6bce2994473724718fab8215dd0e0986e93e9bcc1802c1caa05a2fa9a3c2b89c5eacfd0fc91a48e1f196578e6cffa6be44c1c400c89f73
-
Filesize
168KB
MD5b388de96a93cd6de2a855e34b471dd5f
SHA1757aa4ad2ebce9bfa6cdf8f6782574705f70d199
SHA25656a077511be670bf332b43772457cea82823d06c72fd4df8481d86b076508c3a
SHA5121d346492620c9369dc93f65080e6f4737936e62219f00101625e2f511ccf21add7ab72eeec49b48372b9a100afb4cc03e0616e9971ffae6c71caf44ab4af1c65
-
Filesize
168KB
MD588717be2091fc0b1f6e7ca0237c13774
SHA1c73248df7ce52b12df193862732ebb6f74e26519
SHA2561fe0b8dd740cbd8e5d10fb681049ad7931e59e03ae87b3943cd72772dda59dcc
SHA512aff633c81e165d306dccae18ef36f7248284d8538a1d9ff76e9a874748fcb6dcdd682098f30f1405e7dc352ea7e28bbb29b51a18775ac3657e07d5d8f32d13a7
-
Filesize
168KB
MD5702897da432752de5bd8f40765afae73
SHA1c696f5b6fb4b2bf315ffb9036b49a177f2262246
SHA256417b64f381c62a39d96ece2328f25cfab9baf2271660fbeeb53392daa06f4486
SHA512b71422995ccde73697d380573a40fabd25115c848db67f0db41a96a723ca1c9e50014bc2a5ff5a7506d5e7aa40af7f59b7d8a0f03ca36338f887151f06939832