Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
11/04/2024, 05:27
General
-
Target
2024-04-11_31554424de54fb03c822637050bcb42f_goldeneye.exe
-
Size
168KB
-
MD5
31554424de54fb03c822637050bcb42f
-
SHA1
e71f5d2999a5edf0c159f6dc91c997c902179442
-
SHA256
61dc0782753bf9af2aa67cb5c83964f1c9ef8dd55a0581ee5c31edc99a657a24
-
SHA512
568aa838dbc4b904c3035c4a2c36e5e9aa8fcde870987c7f179646d6666329d08e451dc13aeceefb8824a4693d9715f2d5b82c2fdf4f4f03a4be45d1ed4d7ca8
-
SSDEEP
1536:1EGh0oslq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oslqOPOe2MUVg3Ve+rX
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-11_31554424de54fb03c822637050bcb42f_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-11_31554424de54fb03c822637050bcb42f_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B0D58533-931D-4c59-B8D5-DF61D67E68CC}.exeC:\Windows\{B0D58533-931D-4c59-B8D5-DF61D67E68CC}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1DCA3895-BB76-44a2-857E-5AFA3DE9AD6B}.exeC:\Windows\{1DCA3895-BB76-44a2-857E-5AFA3DE9AD6B}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{826369BE-D034-47de-A7B9-7C4E6A67B34F}.exeC:\Windows\{826369BE-D034-47de-A7B9-7C4E6A67B34F}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{35C28D3B-9D0D-4af3-815F-25C495ED3293}.exeC:\Windows\{35C28D3B-9D0D-4af3-815F-25C495ED3293}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7B0181FC-0F50-4e90-B10E-7F82C97F1182}.exeC:\Windows\{7B0181FC-0F50-4e90-B10E-7F82C97F1182}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EB4AEBF0-8B9D-464b-A008-6663365E3110}.exeC:\Windows\{EB4AEBF0-8B9D-464b-A008-6663365E3110}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{683A148A-759F-4d2a-B065-31429D6E14B1}.exeC:\Windows\{683A148A-759F-4d2a-B065-31429D6E14B1}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D40DFFFB-05B6-40f8-99E8-50A3FC1B216A}.exeC:\Windows\{D40DFFFB-05B6-40f8-99E8-50A3FC1B216A}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{98CE5F4F-C7F5-4c87-88B0-27591016525E}.exeC:\Windows\{98CE5F4F-C7F5-4c87-88B0-27591016525E}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{3C9F3FD2-10EA-4fae-8356-F992F3622B24}.exeC:\Windows\{3C9F3FD2-10EA-4fae-8356-F992F3622B24}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{AAE1511A-FA73-4128-945F-49A73E932FD7}.exeC:\Windows\{AAE1511A-FA73-4128-945F-49A73E932FD7}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{ADE8653B-32AA-4239-B11B-50D87A1FCE31}.exeC:\Windows\{ADE8653B-32AA-4239-B11B-50D87A1FCE31}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AAE15~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3C9F3~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{98CE5~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D40DF~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{683A1~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EB4AE~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7B018~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{35C28~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{82636~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1DCA3~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B0D58~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD52d08eb4f86489468a046a0785094d9e7
SHA1f2a4fa8e11658e108540f37443df359da762543e
SHA256e29190699cadde3ae31481f0b036d4dee956fcfe573110eee237d2c48f5666c7
SHA512c8e957933fa777c9db0250974e6d661897c91e04dd08533ad59225801c9e39fc52ae01cb7c8b26e501b625e94ff9d6b75986072c2a4e36859c3f92a07be9763b
-
Filesize
168KB
MD5f82f7f61352fd13753c05c3c0b0f67a6
SHA11884f9097aea6c42277fb92ebec04994b02764f1
SHA2561022b4a4f260f4cf147f436cdad7971c1e36dfb1b78e8e6fb98be1dbdce26354
SHA512a6e10f68e05e52dd9bddd219e490295aa6b27ae757e0427274b15990b52c6e5eea6b5c151b9e6011a5e99c04a03bd341aeb5328ca8ded6ec7d9969a6aa81825f
-
Filesize
168KB
MD5192644308bc159b4a149488240ef2435
SHA136c9fcb27a3b0982ccd5011b2d392305f6bd2a09
SHA256b5fc89264c9b1c2e95ec3d5e0558187de201e6ad912cfa634baceb36bd83f79e
SHA51273ea6aefd1aa1f22f2214c2f4bab3b569cd2c66102b97f9c21148f44b069ee915c89c3f423f9e7e9d17b5520bdd7692dd6d82341e7a4e85e68a01a7f4be57e73
-
Filesize
168KB
MD540e12b4c88596632c8fe566ba4b39071
SHA1b4ef951a676e89462bec5fe3c56e4548799d6eba
SHA25670e30b5b3680f41c0f28ef17be8a9cc48b89035b82c0385ddfc4766478d122ea
SHA512650550d564a6da38c2b0e5fec7b757f29feca05c1e5125abe4a43596e9de0c6de93fa7de1de5a49dff4cc739428117d8c9a8c195d8fe00335d5eb315dbdbecd3
-
Filesize
168KB
MD5df813b869ffb5702439563c0f88e637f
SHA10c161ef625474056cd6ba69f1d525f6c42f495cb
SHA256128fa8d56c377c2426c144252e3733fd07d3016c560130722be3fbd4c797d6e0
SHA51203356c0df09e82d02083f8a07d5132a599b832b963390b1e38aa5edfd462412e04cb17d2eb99eb8827004ee9735ac70b769072d7715814bd9e01daf2865da74c
-
Filesize
168KB
MD5c52ab96ee52a043c78f8c8b6eab7eec8
SHA17a6cbe874546213358548e136e705e8fa95cc7c9
SHA256964bcca7ae1e9c251523d741d77fe326e333c91bbb402a6249dbe2ee1d2e5792
SHA512731a9242ccd087b933a62fa5b7ad8280b44a6f643b0ec612aeec899a4f4824f6ac52d720a359018c4968adab54c6449d457c36a8bcd1b81f07078456a280cdfd
-
Filesize
168KB
MD5e77e0612cb3692cc127036f02b7407ea
SHA116bbce5e4a26f78f5d2a81a5a5ebf22324819466
SHA2563751ca2823dfe937036d6efaad459e5d889722b3b76cfe893406313a3006f409
SHA5129484bc90287d79700eb4e64c8ea7d290d49188f22667bae4ac6a9cdc66929750f54c1eb9845b43d30c3fde569122f3edec8bd6c21ca3c84e9aaa7b30f0c72080
-
Filesize
168KB
MD5c059de38a2772e19fd8d98b3cd5f1dcc
SHA12158e0c2cca14e560afebd467e1d6cb89df32d4c
SHA256f0ed1f29e1575cf2459b14a24d7fa419ce99590bb4cfcf6118cd90343617a890
SHA512fba4a10d9bfcf5a98a25c99babad7b91d62a097c290e8942f261238d972a7d5e895489aa6d7f7473b1eaf7257e2acbf0907c018cd24c49a2d5d77470b5a72098
-
Filesize
168KB
MD5ce1881d2b81a05da74519fd355f7d6e8
SHA1039556f1cc420f206ce7e0d47124e54a648cd4e0
SHA25648ad29eac577cfbd7acb2075f023ad856f521120f93e2fede88e187aebe8d810
SHA512c5a81a3ea58c90f595be6f88fdc037d60a39248db74824ecaea921f82ceebc15b994c33de73a86ff133fa88a89851af0a79462462a8cbe84d2aee89b6245aa6a
-
Filesize
168KB
MD5981c909fd9ad72e4a7f7a21693d56c5a
SHA16e3c5560422e1c586f4ce9a884cf7aeeff07a5fd
SHA2563798e868927a32564c06270218e20d5fd8c3c4d8166ad7d955777ec998ed3b3b
SHA5125e38c3baece4b6411d72a592820ee8c6d681b65f312795d2f91972bf0df960c96721af51737d68daf59e8d197ad5e77d3ab95fe36352be502fd1575d526c2c4a
-
Filesize
168KB
MD5677e743b0a4b425e2fd2aa58444f62bf
SHA10394fa358f1429cf0b8ef00392f4ae4c5b173b27
SHA256e546d1b676581a35629a2271dc80016f35788064bfef0b79180c7563e6d53d50
SHA51205e30909d62d16414becd98ac5d2147f3ce1aa21f6ca3ac1fc5faab275d155b20a271e64f67b192ef0897cedd7f6f0855e5f1cb2d69c29ed26be06e0f75d2261
-
Filesize
168KB
MD5c757f0b0113d37e904772ce98715865f
SHA18d2e4feeccf9f89c0178ef46c149ba51013fc7d8
SHA256cfc75dbdc881149c75b079fa3dc8fe7022f3b94454dd9d1ebdd81073a044fc65
SHA512681202d390c7b20f9a81b77880c13e25909347493391a39b80d9026eaa4df5de6c8920850dc9e3a6b9e1838664d64f50760aea059911057e0df584e8813900b2