Analysis
-
max time kernel
144s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08/04/2024, 19:26
General
-
Target
2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe
-
Size
344KB
-
MD5
87aca315993ef818fd1113e829cbffc2
-
SHA1
5ba0239362967c16fdc9ae8d94e9a5b72950cad0
-
SHA256
32929b60e13a23f86b88b99c636d46be9104fc21becfddd5e990bfaa2f22e4f6
-
SHA512
cb6c9a5ea0cb0a086f26057645498eb7c37b94109bb15878bc483a68e55ee561c7064946b51e8e55f2b6bd261b2709e5aa64f94a47be27678aebe02ae124414f
-
SSDEEP
3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGelqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-08_87aca315993ef818fd1113e829cbffc2_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CEECECF1-875C-4ab6-B320-8DFF13968C1F}.exeC:\Windows\{CEECECF1-875C-4ab6-B320-8DFF13968C1F}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EEDDF394-67B0-4ea1-9841-F54AF50313EC}.exeC:\Windows\{EEDDF394-67B0-4ea1-9841-F54AF50313EC}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3B44F951-E0F4-4afe-B097-246EFA626202}.exeC:\Windows\{3B44F951-E0F4-4afe-B097-246EFA626202}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3C8C4575-249B-40fa-B644-ED1BC495F810}.exeC:\Windows\{3C8C4575-249B-40fa-B644-ED1BC495F810}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5FF83B8B-0787-4428-B567-2CDADEF5FAAE}.exeC:\Windows\{5FF83B8B-0787-4428-B567-2CDADEF5FAAE}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{99AE9427-18A2-4779-BFF8-A53C87A1ECBD}.exeC:\Windows\{99AE9427-18A2-4779-BFF8-A53C87A1ECBD}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B11C3B18-60DA-41bc-BCB1-3FDA8F44A51A}.exeC:\Windows\{B11C3B18-60DA-41bc-BCB1-3FDA8F44A51A}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{73450521-D54F-4701-9C84-C663DDDA84CD}.exeC:\Windows\{73450521-D54F-4701-9C84-C663DDDA84CD}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{3D6F8384-F7D8-41bf-BC4B-BF2020CA5F57}.exeC:\Windows\{3D6F8384-F7D8-41bf-BC4B-BF2020CA5F57}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{646E1C95-9618-4d7f-9D18-B330AC901292}.exeC:\Windows\{646E1C95-9618-4d7f-9D18-B330AC901292}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{073D3023-FE38-4b85-AA01-E411681D3C68}.exeC:\Windows\{073D3023-FE38-4b85-AA01-E411681D3C68}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{646E1~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3D6F8~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{73450~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B11C3~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{99AE9~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5FF83~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3C8C4~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3B44F~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EEDDF~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CEECE~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344KB
MD5383175cd3cd323fa1ff3917f3d1dc68d
SHA12f5cb39d2b391f65f66137e4f90a14cd2bc89ce2
SHA256f3e290aa78f4ecb8df5f1959f84c630bca72dcef6e7ca230062a4eba6cffc558
SHA512008cd4d423fc281e8da809d3d7dc441522f0d0d7ed76ed76893f79dd376bc9e396f0a16c3a3f687740377820a5affce43a45ef898fd668ab056947eb2023846f
-
Filesize
344KB
MD5bf8e4486020780c35e1c08784b39432d
SHA12e0fafe8db18089ad7ea40072a05533e11940a55
SHA256f20482a8d58e33da561cf8e70774c37b4ca13fb8c999392f1ab9ff63bbcc2ee2
SHA5126533118051f3be4a53b66b0fceccd4f6a48cf682b46e3a4e1550ba3d3936378e8d6a01fd83f5dffb3ea4ae5f4d5e90c0922d830a79d59f98bec1a09fae89fa80
-
Filesize
344KB
MD5a105032b3356c4d948261d163e07bdf9
SHA18724a760111e6084372c5d650f022f9535f3078e
SHA256e8146ff0695f14cbd8485d3ec56a90cb9341497e5dfbea95db0b2314ff639da7
SHA5125834b43ea9a1d26e6d7e1d76a8483f5a98862a6fc8c3a3c6413d04dc77223e493fbb7ae12070d54959e8242ecec8954afe2392876c266f72d13d852d725ebf40
-
Filesize
344KB
MD5f4cff380a753e147555e4c8abb7a528b
SHA15fd4a7a3d39d2491efcfcca35772cefe107bee5f
SHA256caa8b31cb60c2890241bf7964e68bd11b421bfebe48e7cb0c3dee191f3b11ec5
SHA5129921ad248dee47698c8d3a3b3584cce66c9b9b626cdae2be876ad55cdfc7ddd9ae62f6bf2bade0078041c08831672f481217536592795459034dc0bdf0c4a289
-
Filesize
344KB
MD50bd5249364a301b18bf45b3e2de9dc3b
SHA16ddf785d1c015077c430f998ae49fa0515a51cda
SHA256170cff8e4ff55907d53d9da5a62964009af16700dbfb6d4e9289df2d52065b81
SHA512caa855877cc26b8600c18e0a1a8ef5cf172a5351d0451d2a8825d9de25ee2458200e251e1e3c957821f5275162f9773812e5245e55c9c07d057410b3bc38ddd9
-
Filesize
344KB
MD572315685d15c4b666654e819bf54e996
SHA198db43035c8ca330d6bc65330847724bbf7ebf4e
SHA256b8e9c7e2f1ff1f3e683e538f6cbb48a777bf44fe7ed0912f7a124b0a4cc2d932
SHA512f9a44efdd081acec3338cd11db7f4ca349b95d07b22a2daf62774e3221a25fc24ef1f9886a9569a45c9b45f0a38ba95e266baee9b25117f5f211bfdd558b15eb
-
Filesize
344KB
MD55e5a835b7f272429e7b904cf267f13c2
SHA1da7f551b3220e5a76f82bc08974eaadf350176ec
SHA25654f092aae6a87f5797ba3ebb4e3a7d8919e17ac89a6f23063aaad1c3a52408d5
SHA512151b85eeaf3b085fd2b293090a7175f5ac5874d200fedc626d074ca88bef6dcf5513902108640fe0ec33defeb8f9b6dc195e9062b1545982f2307a634b763f4e
-
Filesize
344KB
MD574f7dabd25b9365a33eec8d3f18d7ac7
SHA1d211d5a2bd82a2a6278df83cff871cb32ab1b9c3
SHA256463cb6d31c89f543bf4c8d1eddeb52756a90feeff66d5dd28d6ba65d4dd2dc57
SHA51272d927b1a68f99bb43c545150e11e6d39d8ef0b6b3168983e1e7a17eb51a3b2741519713cb28f74ab00c4a13e1a0603d28b992421a4aba9a6d0f287e2df4fb53
-
Filesize
344KB
MD5b2cb6b87afa2cf8f43e748e63357a68f
SHA1cafa4a242456b0da73e5dbeecf5959472fb6760b
SHA2566f289e2d83b60d565d158a28fa448e3cc9ac9ddfc741bf820cd63393d57693da
SHA512736301f140120a99acf502f816eda7b4fce030d29fd149c7bbb3a539db3469c1e3c70fb127ab25f2e824159a6abca5f78b9ba64f06aeeeefe867def49cfdc395
-
Filesize
344KB
MD5cfd8f2d4df120d5a15f2ecab6deb87a5
SHA1dc66b17e842d390dd551ab141c79766786e55ae0
SHA2565568587824f0b1375339acce1ec3d7611fd93bcf5f6687a4bab9f2eb6ad3164a
SHA512b05f7d8229ebb7892b258e1e88133bfd82e27d252134679291491e5f3cd6af5d0751fde6b8f059bb168fcb3ffecdbe81831baf12c39902a23d9155f705f66b5d
-
Filesize
344KB
MD520fcbfc98fcdc5cce0084d2683484e9b
SHA1d8498266b94e26d0994d27b28ff62bedabda440e
SHA256d0365715728ddc4da54bfe188fcb9a2e6771189aa8f25752ac79b4c62e169565
SHA512ce2385616c6a67b53d394f70de02e34788ed8f3dc857615fa0b3100f6626a85e410c36b0467c0489613d6ad73ced6f38a5814e5b6b51cf3fa7eb891394b96c8f