Analysis
-
max time kernel
144s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08-04-2024 22:42
General
-
Target
2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe
-
Size
408KB
-
MD5
d577f7e788fd9a50112955cf07553fcb
-
SHA1
5c42fc5a7ed19105d54d543c0fe9d71c3dfe15e6
-
SHA256
5983d104d260c0ae6fd7a81f518f55fcb6865119330001897f6cc2a1b307fb0f
-
SHA512
f1d115f2fa0678c7a7fc8b38aff74ef3b988424b3980989e7ffa033329a51c3bccbf9447d12c9b8dc808c7e776b771354385bba3170d264599ea67e82617a3ba
-
SSDEEP
3072:CEGh0oKl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGoldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B887E73E-EFF2-45b1-A34B-05C780C33E7B}.exeC:\Windows\{B887E73E-EFF2-45b1-A34B-05C780C33E7B}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D0E9444F-67DE-4226-A80A-2B8237C1F378}.exeC:\Windows\{D0E9444F-67DE-4226-A80A-2B8237C1F378}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{76CE152D-6F78-4a71-A05D-734DCF935152}.exeC:\Windows\{76CE152D-6F78-4a71-A05D-734DCF935152}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{32641A59-BB22-4fbc-883C-17A83D52B2F2}.exeC:\Windows\{32641A59-BB22-4fbc-883C-17A83D52B2F2}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{59AF87A8-247C-4eba-A510-59DE3E07FD7C}.exeC:\Windows\{59AF87A8-247C-4eba-A510-59DE3E07FD7C}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C39149C7-1448-49a2-AFCA-3E4D13B9F901}.exeC:\Windows\{C39149C7-1448-49a2-AFCA-3E4D13B9F901}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A2206B2B-E6FA-4223-9631-45F0223D0040}.exeC:\Windows\{A2206B2B-E6FA-4223-9631-45F0223D0040}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{13C39B95-FA19-4839-A4DF-D65BC5B710F8}.exeC:\Windows\{13C39B95-FA19-4839-A4DF-D65BC5B710F8}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{62B38583-BBE4-4af1-B16D-0BF4AB82711B}.exeC:\Windows\{62B38583-BBE4-4af1-B16D-0BF4AB82711B}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{5CCEC6A6-6193-4d79-A1E4-7D1D5B2C4F2B}.exeC:\Windows\{5CCEC6A6-6193-4d79-A1E4-7D1D5B2C4F2B}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{D3503E0E-C4FF-4a63-91C7-056CA08C15B7}.exeC:\Windows\{D3503E0E-C4FF-4a63-91C7-056CA08C15B7}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5CCEC~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{62B38~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{13C39~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A2206~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C3914~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{59AF8~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{32641~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{76CE1~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D0E94~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B887E~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD505d31ff2f6ef4d893ac6913d5e4f7956
SHA138ce710b640c2c79194f8d5d0b624a1a33c9f0be
SHA256426e4b8cdb29fe6dc1175d8baf08046b3ecf389268a763689a5e495ca72503b7
SHA5121cf8affe017ededa0044ddbd8af8defdfe3877b062857b85307b6e60682c03dbb2826be4e7cfdeeda8a957c4e58f6647ebd3cb1ebb39be8aa19e046030f8fac5
-
Filesize
408KB
MD5367d3b9e8680ff16052eee1ed7e82b91
SHA13087d60d8c8441ba41608df7d4093a5f7778cc4a
SHA25646d81d3117643e16e17137af6fdf736b86cb72c56c382bb8b15ff6654854c841
SHA5125eb7c9d8d0511721c0137d4b46327363e0ea2fc3c8a31f3949850c6d5adb1cd556cb1444a58b07eb74c42cdf67f0ea980ebba6698086c64e39bd002930a912bf
-
Filesize
408KB
MD58f65e51d45885e6107ec2eb0111cc181
SHA1ba57184dbfabb7ae5bf5e775165b2f4f24aab6d0
SHA256bd2c1a58dde1ae8cf15d0c0f1262d9a792a993eedd2305d17d2e15e05abe861f
SHA512c3056a676b86203614bf52f88d87321686f7a04679e1b482d882e901fe0f7eb9bfdd0a16144e6e31adbee61e282d7542ae77ecd7940b041574c349ea5f7050e3
-
Filesize
408KB
MD595cb82de267d3cf3a565043f9c9b599e
SHA1960e41054fbfc2709bd6f3dcfdc6d661889f32e4
SHA25684a17aa5232df8378a091384ff31822042bb062e77f8212d74f16dad1beb247d
SHA5123d7490adea08725d38f03fce94825b6b55b540ce53315e2f0a90115a8fab54c248a057616df3f61e19e8c67aef6cf1fbad2b6c5fb3c6d6f7fa1ababda56e9ecc
-
Filesize
408KB
MD571e8e806b051df5e63fb65b43912a2a1
SHA15f469b87188f192c5c39bc19cee0c0d7f9ad784e
SHA2565c4169fb06ba786a8fad5553a529857943fad132ac4778fdc25ab9131112b51a
SHA5129150038305602aaeceb0aa692d2aa7e40478186ed80e3c6ecd5d555606b0ed7049521cb567cda0b8cc320b73174ef1eca8a584ffb4253026d7bedcfdcebfad30
-
Filesize
408KB
MD586c85b72fb45fb07e15b8b63d8bb2e14
SHA124386303979fd8ee51dabcebd60c5e489e04fba5
SHA25654ff6aa23b2da11c25e11318b94ca7a41ae78dce11c1aefc7e8fa1134d8fc48c
SHA51204fffa67bd49a2e7daa576303d2364ac13e072a38a78785b757f026531256faca8e1f39ff023d7d389fbc0aa3e65fb0bdb0e39f7e29de8a0463bf87d10c31fff
-
Filesize
408KB
MD5deca2ae6d066388e8856157a6efa8ed8
SHA18989349ce7ed83ada665519499f9d6c6666997f2
SHA25649247657b1d09413c2775a31c83b57cce744c26152586d2f6387eafa42f69690
SHA51208e5790ff69c1beb3e65ab2c3113986197509267a36138afb2fe18818b08fc11ff827167fad57cb0b3315a83cca3c06f34fc4412781328e7b0e46b6f4b4759e1
-
Filesize
408KB
MD53dde660f1dd77480cfc5656d304b5d63
SHA1da701bcd65d616c46e89df04fa37a234bd0c11e4
SHA256021dba3be3a3959b77e4fd0e3ac8c5465bb6985d67606e18e9529c1c8b88ab7e
SHA512e2eb5bdc9de1ed52bec1d8d1ca7d5b4bbd93b104899f057bef2dbf3ced1b1dbc0ac21f4e3975c8bdf3d07490bbdabe2c8b53219e5dafb90299c797c4ac10e061
-
Filesize
408KB
MD58a50a01776bcfc295140b984949133f9
SHA149f9cfff9dd2e4482aee518a4fcd02ecb7484e2e
SHA256b6a50378f482139531694bb0237fb9d3053c2e0efc4061f33a27656f9f876b31
SHA512275ff9f2b4efb749eb566536ee8e4c8a3bdb6bea04ccaef5a67d061cee6fe999b21696b3e2dbcbff158c669f6e0d4329bae46f71e4dcc4e82edf5c7fb1128ca7
-
Filesize
408KB
MD5bc13bb704c5a073fcede4390d04ae469
SHA1305c5017c494d102c8f17dff6d4ab9dea4aafc2a
SHA256130999e8e1b3a579d9fa598b584e88a93e47f60c1b56a4af74f327d6b8b14786
SHA5120791e600b887bf8482f0ec07da10001f81f2f344d2bf95e62f0b451d56ed3090e09a8f451281ca6d7614eefe48455b76c53586b012a3f1c7277d3379b6a34c79
-
Filesize
408KB
MD51f97cbf278964b5b82a4f7d166126465
SHA1e7d49b16102a61b4f93e442b89034fda7a8a8029
SHA256d39dfda11d7e05cf305fd557d87709d3982f90fd07e902f8dbf66ad5d342a2c4
SHA512b53997e48ba2747e79a66c0c59096eddc939cedb5cd63a20e262d4faafe94a842636f74d8a4396bd9d421c1cca571c6aeca0e2d4255f30ed70886829a30c1c6f