Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
08/04/2024, 18:37
General
-
Target
2024-04-08_9b2a1b89bbc7ac2eda545cd8739d71ef_goldeneye.exe
-
Size
180KB
-
MD5
9b2a1b89bbc7ac2eda545cd8739d71ef
-
SHA1
0108429243d5748f1306c0409eedcc096e93ed74
-
SHA256
1daa47bb11509b125a3173e44fa06860116369042fcb1cbc557f5921306ae712
-
SHA512
3162d92d89c813fe0a73078bb4d262b97456fa154e1c16fe28892c5172ebf816e3cc9f6d01491c689c16779396f4929b3a25e90bb9dfa7d66716c9ecfbb4b51c
-
SSDEEP
3072:jEGh0oUlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG+l5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-08_9b2a1b89bbc7ac2eda545cd8739d71ef_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-08_9b2a1b89bbc7ac2eda545cd8739d71ef_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D764D45A-7E0F-4e05-899C-7D89989AF2D4}.exeC:\Windows\{D764D45A-7E0F-4e05-899C-7D89989AF2D4}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E1749DAE-518A-4b12-92FD-4B6ECDC32803}.exeC:\Windows\{E1749DAE-518A-4b12-92FD-4B6ECDC32803}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{136C6EB0-AF67-4784-8ABE-775E183F0B50}.exeC:\Windows\{136C6EB0-AF67-4784-8ABE-775E183F0B50}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D52F9FD9-24C6-4b5e-B6AF-A4CAE3C8F31F}.exeC:\Windows\{D52F9FD9-24C6-4b5e-B6AF-A4CAE3C8F31F}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{96F73B34-E93F-481d-8D51-6FEE48076E73}.exeC:\Windows\{96F73B34-E93F-481d-8D51-6FEE48076E73}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CB8079CE-ECDE-4277-B4D4-B14F5853C5CC}.exeC:\Windows\{CB8079CE-ECDE-4277-B4D4-B14F5853C5CC}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1B3683FA-5F61-4076-B896-789D6EC00BA3}.exeC:\Windows\{1B3683FA-5F61-4076-B896-789D6EC00BA3}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8592887C-C64B-4471-8A6E-181032DE13D4}.exeC:\Windows\{8592887C-C64B-4471-8A6E-181032DE13D4}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{64FF05FB-1B18-4f3f-A24A-862B3E512BDC}.exeC:\Windows\{64FF05FB-1B18-4f3f-A24A-862B3E512BDC}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{77E047D3-D435-46cc-9B7F-9D98B6F32E63}.exeC:\Windows\{77E047D3-D435-46cc-9B7F-9D98B6F32E63}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7402D816-70A4-4f8a-AD38-9DBFACF15563}.exeC:\Windows\{7402D816-70A4-4f8a-AD38-9DBFACF15563}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{DDF5BC96-9FBC-49c0-B529-672A30BBA876}.exeC:\Windows\{DDF5BC96-9FBC-49c0-B529-672A30BBA876}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7402D~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{77E04~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{64FF0~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{85928~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1B368~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CB807~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{96F73~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D52F9~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{136C6~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E1749~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D764D~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD57f22cfae44f601e56f75fa740bc04aca
SHA14c7e6e9c1474454ba6f50be7b22ec39b183d514d
SHA256a2965ab066d610ba40f54c32fbd3d387cf82ce036a96e25bc9f4945a28f5dfd6
SHA5128551397da7537caa9ccbb64286a8738bc36bec99e5e89e05057f664a2e32756ca87439e79e97458391636f2380498650d2a8fdb7aa18ddbe5be09b59b3cb36cd
-
Filesize
180KB
MD58660dd25ca9d16efcd19d556805bc274
SHA1eb58f57e720ffa63dcfb7ce90455f5e31e8bff49
SHA256c4250c7c301a204c315199c5ada0989d68e8e59fce703bcf9c1e212ae9f01516
SHA51285749908401ac05ae940a681f669032628f326fbc60245e51a98f06c8409da62f15f7088ec5fd80b188a6ba48b55350c519a73db016209e30ab982cd7bd22039
-
Filesize
180KB
MD59dfeb34a0c968809195307274364af01
SHA137acd3af3d21c75b7ff5f2e43f999a86470fc583
SHA256afba518ca763a6f987addd01d6feee447f40d81f46b4ae62fbb99d4683298473
SHA512f72d01f477004b7eaf407ad0530c2ae91b35c5dca1519f7d6611e74960b2b8764de91f78ee15247e77a23bda065c10e4c79d9bb15d1162e4ff8ce31efa378fd8
-
Filesize
180KB
MD51257bb52659ff6ba61623e4cbe15c002
SHA18f37ed8e0be2ffde742154ce2152f98c8c4c0ef8
SHA2567ebefccf8563e545e38bd95790399fdc69736be461f9c476ce14faa3645529c4
SHA5121c707a8617f6848573f4af18b931bc89fae59f1399a8b21a502510e484a972ba009e5250006a32dc457cf27d1b715f92711c933df56e83658cf6efec6f6a7032
-
Filesize
180KB
MD529cfc5f7460d2c1b2ed1b02f08ef43a8
SHA12e37f6546c0adfccb48f55bdc31ff4f4aae24903
SHA25697e8bb9b2185e3246dc2cd8a210c11e9af1bc02130251d5568e5f45df9b9d51c
SHA512a859fb38752427faedddc4d81d3508204866723fa1b45776309ad99c08a74f932aade24fd530e63c65baf49ab872494a763e76a39a504e9da13527c0a6c354f5
-
Filesize
180KB
MD57e094e710e5e48b24fa2d69cc9738258
SHA110b1898d2414de12f8a833f9c3f3b0b53ec44d5e
SHA2561636dc57bcc929a5208591a373a81fbd9eaa922142aff20059fd7f768c046211
SHA51228890b7d51746d10e8d27ce28d5f9de4bd3ded4dd68bcd8a2a20bf1bed69f1bace9b2311da6b2227271e87c0f602ebb19ed788a28ca5613a0a228f625e37e0e7
-
Filesize
180KB
MD55a8765d72d7dd736bb88d17461ccf8b8
SHA1a2ac2b76ccb14e3ebe7058a35c2256d3f485c31d
SHA2568dc3a0fab0b93ab9aa1afcde37450905a2abb4486c019ff5251b7ac874bcd3aa
SHA5127ed226cc86698768b5eddf2d7f8dfcf2b0655bb00d3c8895bbc5be40410af6c7141fb27bd079fd37019468ba9438290cf5f7c0766dc79ccfe5c195bb4312ab8f
-
Filesize
180KB
MD5f60a17e70b345e89cbe7fa1ccaf7a169
SHA118a2638d92185a4f7f0a0a08faecd29dde4d170a
SHA256825c2cabe769069b8fe3252704b5aacdf0813eb4c1abb57a7789543b68d3198e
SHA51253e46019f6d977f7b1e00750ae511e63bd0075dc52ecab3bb96f63d9c6afd465ca81875504b33fa25f6bc16507cabcfc29264167a7de88e2d477d4d8a9683f6d
-
Filesize
180KB
MD5b11e11cd7237a95e76d6958bdfa32e88
SHA1328e9f70fbc3d80cb6adc9e51423d80aa25430ac
SHA25605cf7506d6248fcfa51231eb6837cc47b515c0423fe54dab073dbd12cef065db
SHA512659df8eeeffd58cb8f35e6cf2d11959d2b95af6024ec8c33e6de5d7c74540d81474c6367e43d0afe4f984690fb719cf489891b6d931e96f9312adf4fdea13310
-
Filesize
180KB
MD5bd7d802f45659ebd14677b4cff110d63
SHA139d340635a89062213de1b99f3b69846ee6c7ae7
SHA25632d3f2ad8fb756905e66cf58d986a4a20a0b822d6130d9f995b529a710c8e6f5
SHA512cbef41421da481b2d8a40ccf9380609d3b059b36da490a20e9eeea1ae0acdd68e59e0060cfd7bd2f15b3e9c889a7a1e177049fc709ed953a1667a6cc5486dfb1
-
Filesize
180KB
MD55b29c1078a4d5be3856833bec4feb46d
SHA1df5223c6890b47145772c497478885810ac8d1df
SHA25658bb6d73105d7674d8f207076c28e6a181fc62be0b715089dcda968a6c3adb46
SHA512d184270a3b95cb56b01f3ebe226a68a779257934c68da7d2c3d66cbb53ce0745e67095168311f78e19a25f20439a480aaf5bab7ef78637da78cf7362e8c0eec1
-
Filesize
180KB
MD589ee51d10c5a1b30101f048e879ba038
SHA1017649903187cc389772220c7b1ed7478ce14a56
SHA256737115971847e96e79ffe8451a44e41282fb1c907c57e68d5db75e21513694c2
SHA5126ddb65782c01830740358fb3a294c67d992f679fa61f7e767026c10242875fb76089ee8e541d8ff05c7d09656cff884961975efe9c7953442b4ec446f97d9d5c