Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
-
submitted
08/04/2024, 10:51
General
-
Target
2024-04-08_8ab10b1fc90b8742772385c1572980e3_goldeneye.exe
-
Size
372KB
-
MD5
8ab10b1fc90b8742772385c1572980e3
-
SHA1
5b2bce88565c6fde9a196f33d3357f609c1daf8e
-
SHA256
b18d7e330b315aa665c77e46cd0a7b76ed558dad4e7df3760db5776c9dd6ddea
-
SHA512
1941323e571e3f5d8a9082b2195946522d0ccf230fe311a1c89a6fa8047ccf183a6b9025ae2e21f99b71d0bda3de18cb5d39e9e5dd87405b669aa1893338fdc1
-
SSDEEP
3072:CEGh0onlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGFlkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-08_8ab10b1fc90b8742772385c1572980e3_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-08_8ab10b1fc90b8742772385c1572980e3_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8E17993D-F997-43fb-B2E5-7D04E390E5A1}.exeC:\Windows\{8E17993D-F997-43fb-B2E5-7D04E390E5A1}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1E884B4C-2C17-43be-B25F-FC75AF95A7E2}.exeC:\Windows\{1E884B4C-2C17-43be-B25F-FC75AF95A7E2}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8599FF2A-EB8C-4388-826D-4829D6811A4B}.exeC:\Windows\{8599FF2A-EB8C-4388-826D-4829D6811A4B}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{823814A2-32A4-4ab6-ACBD-405EF69AD0A9}.exeC:\Windows\{823814A2-32A4-4ab6-ACBD-405EF69AD0A9}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{232267B9-FC4D-4ce7-9DB3-49B0871494DB}.exeC:\Windows\{232267B9-FC4D-4ce7-9DB3-49B0871494DB}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F9834504-9396-41c0-8E10-3396B544CCF4}.exeC:\Windows\{F9834504-9396-41c0-8E10-3396B544CCF4}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{500DC854-6ED2-497f-B646-2C582A4CC8B0}.exeC:\Windows\{500DC854-6ED2-497f-B646-2C582A4CC8B0}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9228606A-43F8-40d6-86CA-198A86AEB0A9}.exeC:\Windows\{9228606A-43F8-40d6-86CA-198A86AEB0A9}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{31B2DE9E-862C-4aed-AD94-A490DDB67922}.exeC:\Windows\{31B2DE9E-862C-4aed-AD94-A490DDB67922}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{9AC0C14C-51D0-4ef4-B3D1-1508F8B7731F}.exeC:\Windows\{9AC0C14C-51D0-4ef4-B3D1-1508F8B7731F}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{ECFBEEDA-5A80-43cb-8744-BAFC4EFB518A}.exeC:\Windows\{ECFBEEDA-5A80-43cb-8744-BAFC4EFB518A}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9AC0C~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{31B2D~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{92286~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{500DC~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F9834~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{23226~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{82381~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8599F~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1E884~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8E179~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD5f852dcd16d31c90395a140576be6694a
SHA142f98c3f77ef40dafc593f46da482926200c8487
SHA2565e69bf5d052a347dcfcfb249c84f44ffe08285ff39f46bf3f8c38623c4301499
SHA512ba537e93580d3463855c791c27456e09ef65336d8b21be3968c2f15bbc41b7c47c9350730810145aa7b6e16878dd371267b2960678bcb7db05e3faafeea88689
-
Filesize
372KB
MD56bca7cf32ea6decd2c7b4b9a87e6f8df
SHA1bb401be824882e08c274f1aa0a05bc2626ca61de
SHA256ff0224879370f6de1220529cb0430eb677279d4ac36177ba8c2d3e34856007ed
SHA512f4b494589eb7acc94fe7434d5a447b0d9fc416bd47c7ea14bd83a8e1a8eb31671223bcef1c9e06be48417d26fbd6d066b58fa365209f6294272b8f37c5532f2b
-
Filesize
372KB
MD51c2f37555f5777a283da60561ada4578
SHA1e1a2acf54e6c5061c6b1f71c941c92d37ec53bbd
SHA2566215df3621e55fa43f537ce48a2a77b1b852a28dbc0327d26ce9b0bae1453c5d
SHA512134d4cedf1b6ece429cd6361ddaae23c99e14b8ff43cb539c0dcbed134dcdefde2af790b733f2347292a8d99a7b23432ac981e183a64d52b02f6f9a1d6798a8d
-
Filesize
372KB
MD5aee64ee35e85c5dd78949367f65444e8
SHA1fe0312dd686e37d74eefedeb452bfbab9961395a
SHA25668ee37ef3bc2a7cad86cef5d2033d59ef84ca109cb4f935f9e4eef69b07f9cbd
SHA512623589324bdffc7bab18f99f89e2e908ab0aeb4451f833b365d906043b60c0d84e2a8ca1daa32fa9d07c46f60995683e8aa5c7dd5379396c942d79b6fadf0e6c
-
Filesize
372KB
MD5c10992aea1b070129dcf5af3c6660055
SHA13787d67768eb4debae43295f47349c3c4d27487b
SHA256c0dcad195395acd35ded602d3fb0c7bd1f15d2349495cac5e526612e5fca19cd
SHA5121d46273ffe152c581fa902e897d8a53e0761fa9fcf88d7eaad8d67fce3fc0dd7e26f025b0b621ed46ed191ca6b5efee69720c5d4c394a4d643ccdec6017e808d
-
Filesize
372KB
MD50eafa43a4906df175a154815fc5e1991
SHA1b85d4beea58b19cebe119f5b09b25dd821cd4107
SHA2561fc170a406b55d7a2d8fb7caa6b2dd09f540d682a1e9e70b512d3eb9377d0327
SHA5120464728fd22d7056c1b2bd73145c8009a394ce4fbc9046d9a47bac5c44026b86cf2ee15c7dd7b05e9def13ecce0bd57e2539a4a7d2c600b2034745fa1422c1b7
-
Filesize
372KB
MD5fb523b2549d1b10afad1bdb3970809e2
SHA1bb59227cf6ab92527ffd2302aa3f4e743abc5c5d
SHA2561eee03a269cb5af960e7e129c296c3d6678437f05f3c118c231e1ef583c8407b
SHA51224cfbe450cbd4168d39a2e9eb225b8eef4e17d28c1fcd48808befc8011f7f48aa08493cb5769ee6ca98fa6c4b1afc7631c85620e42ff010e1b3e51e6706c7780
-
Filesize
372KB
MD566cbe9ca4b9a5b35d05fea01aa88205d
SHA1fab2c8799ec5e55ab364546eaeec6b765dbd21ad
SHA2569a1ae50413d97737df6cc2f0a60b67cb066dd780831e11b395c83a3e56298d59
SHA5121d86f9efe0f8886db86358053f70fc442432c6bc351224790b47dad1b74b4dad54c80c6af5cc9d988b37a9d4ae463a837ade051a9b91d1668dcb0fb53295c667
-
Filesize
372KB
MD50a331fd14975dc836a48331da26d86a7
SHA123d211a6a2db990335c8aeb4e4c518cb16fdb083
SHA25635847f18bc9d59e311bf88628df9bed12963b3ea7508b2a40a23fabfc63d1620
SHA512657c29e9d8bfa9a2170cde2a7ae17c8056e53414f787a186800dc5f9c69a082e9067c1221f7d02600002611195be481575a06015bf0af2e0c7ddb9fe8245b3c5
-
Filesize
372KB
MD58cd833d2294ee111b2c721fc52aea3bc
SHA19483cfa49ffa9172f3c7ff22c86e58266b95e317
SHA256fad35ccfd17f50eddcdaac16ade6a8c3392fd7b97438823c2ef1e0691b4b35d2
SHA51233d582f5fe0d2bcf8a847c32f3ab1db8562a6a41703def5aab59188508724542712d342aeb795598109d8602fbe3fd7fdbc937cebf44fd26e65758970e1e0aac
-
Filesize
372KB
MD52bdfd7bd7d32fcb186bf10621dc58ac2
SHA117f4be73cdc5134af72d4f404350416136a54e0e
SHA256d5ee274232fa0938dcde710d6bca0b593ffd39d3678cc203f52a488ef6026534
SHA5123a20ea187fb8a94856d240672b64f5609fae561ddb974bb4c1cf77f262f8c71e6f3dd0c246c366ea6eb04b62e3d20fc41448bf43f248740b4c001a182822d8c1