Analysis
-
max time kernel
151s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-04-2024 12:48
General
-
Target
2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe
-
Size
380KB
-
MD5
99137d5a5a4f7164d19fc43992909ab3
-
SHA1
8af1ed97175debe661e338af8943d3edb663cf9e
-
SHA256
eebdd1d4b422a9a6b7549d5dd2ae15f3f746420f6b9f964aa861f8d60c634cbd
-
SHA512
6369a22bdcb9379a88a09b8f720cbb3ed46bc33e0a2c6797901d2f04708f6f730439b8dfce16b14a54c1ae64949a03795c8c7f3a61d376c36f32a4f562edf631
-
SSDEEP
3072:mEGh0oKlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-18_99137d5a5a4f7164d19fc43992909ab3_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E92101E3-9237-4b73-AB7F-EFCBE48FD3C9}.exeC:\Windows\{E92101E3-9237-4b73-AB7F-EFCBE48FD3C9}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8F208A27-BC4F-4909-89B7-01586919508D}.exeC:\Windows\{8F208A27-BC4F-4909-89B7-01586919508D}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{ACCD887E-B915-4691-A2B0-821AFF0F7C04}.exeC:\Windows\{ACCD887E-B915-4691-A2B0-821AFF0F7C04}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{60B07880-78C4-4dd6-AF19-6722F65376C8}.exeC:\Windows\{60B07880-78C4-4dd6-AF19-6722F65376C8}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9F6DFA59-D4DC-4847-A1D1-FA04715A32F0}.exeC:\Windows\{9F6DFA59-D4DC-4847-A1D1-FA04715A32F0}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6101732E-31C3-4ffa-A846-CAC553E2317B}.exeC:\Windows\{6101732E-31C3-4ffa-A846-CAC553E2317B}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{70190C30-6449-462d-AEEF-67287D5D450B}.exeC:\Windows\{70190C30-6449-462d-AEEF-67287D5D450B}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8C2DDFE8-7815-47e7-840B-5E8CD9A75F3F}.exeC:\Windows\{8C2DDFE8-7815-47e7-840B-5E8CD9A75F3F}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{7EF80216-01B4-4c22-B288-A138037BA352}.exeC:\Windows\{7EF80216-01B4-4c22-B288-A138037BA352}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{4029F95B-6949-4181-8D84-18BB2D92C082}.exeC:\Windows\{4029F95B-6949-4181-8D84-18BB2D92C082}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{F9683DFA-7F38-4e1f-B485-47DD1B0AABB7}.exeC:\Windows\{F9683DFA-7F38-4e1f-B485-47DD1B0AABB7}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{8A0A3A6A-5D3D-4d84-A49E-BCCF3AEBC283}.exeC:\Windows\{8A0A3A6A-5D3D-4d84-A49E-BCCF3AEBC283}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F9683~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4029F~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7EF80~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8C2DD~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{70190~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{61017~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9F6DF~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{60B07~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{ACCD8~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8F208~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E9210~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
380KB
MD53842eb10189803b1823ef8542fb2e20e
SHA1d45898c484b3c187afd365198b6cdc621789170c
SHA256f4e20837b7ebeb61a530bab62f4c95306580b38c36e468f806e4cc9be66af2fe
SHA512566ff631c6bf471bb77510eb330feec5d2dfe47fad3d9e6380f20fdcae175ee2cd62be8d351b799746efa9f8ca26541b218dd9c5317af091e8b9ebf314d2e769
-
Filesize
380KB
MD57625c2b88bce43d38188401c699239f1
SHA1b32c11b3d99dd39554f25a4745a920467a9f5b8e
SHA256feb1a2f80f323a1849a26a049f8b2801b1c2e965b342e725d321f7661f9183b5
SHA512ec909ff5de6d0c051fa009deeacb7f0ab385d171bd2e961479d1d77a7f7847648f9a102adc8c3145efd14aabbf443dbcac2f00a1a75327c32f0c41629c2d86d6
-
Filesize
380KB
MD5577523b2c272f0dd61f187cd76db3b29
SHA1649daa38ccdacb91f3453151c95f7a5049aa55c9
SHA256678487e328d86115f556d6f634e9a9630265a95c31b3628bba193127400bbcfc
SHA51203d8bbbb02d4e3891d595e0038c0943ba2b79ec81ec97d086d7ff02a3c96160b65e3455911aaa8cd01e7e3cab16f334a73961269240bcc14e8ddead2d973750b
-
Filesize
380KB
MD5efe8d97dc1b165298f89c1cc955b1711
SHA1b7c6e2075c2f3b50eba84dc4b9757cb237ebf8db
SHA256f0fb75d94396adca8678099af03ecf488a0dd41da94ac38f588a281f2c56706d
SHA51230aa2fe79d0b6273410268a45d67b7e51d65f8ea7dbc879581530239b429c074f2a6c293a7ab6a0f05cff3acea131d1fd18f3bcd9ddf6ce555c17b51cb33cdde
-
Filesize
380KB
MD5adbb6a2b80a007ccc75d4dd039d1f50b
SHA1df6f33521621a007882f109c071a868fd7f1d628
SHA2562af24c21812b967276ad2a2a0e9cd4e2336fe2ad2d5c8e4d182d4b67cfaa6b43
SHA5123b126d9f9ffc727d0806c8d2c482f3bdaa4b3d9e75edc9811272d02b99ee253ff9e507c43f3cbaa1f775858754e2f8adb653cef24cbf4dc062d717d623437151
-
Filesize
380KB
MD5e9acad43307a34f13f02c621e2a239ae
SHA1e50e01ed1e0af181a3dbac9757a1b316dff5a857
SHA256295450581febb6b04ecd497c53dd74463d452cf69d1dd3a2765a50547a813654
SHA512ec07c8e61890071c90ec2dc9ae6ddd79d68cac47c36340257141cbab5f7d25c9407ad4a14c15919f0131ad19d044ce591fa8d7ba95d4811a788d2e45be724392
-
Filesize
380KB
MD540458287f2d9b1ca24d122a12d4ebaa4
SHA1031003e451dc6e74ee4413636ae734268b8de5f7
SHA2569b827cac5a15a86bae97b85fc760bfe6e156292603f1e57f1c7cf99f53452ff4
SHA512e4b38df8ee9017c7795525d079ba49f19c32276c49e057558248a952a8e9f75915afd4a33ce49ce85bd446ba2aaa3481dd742672df422f46e83a48bd1f6f8c84
-
Filesize
380KB
MD549f74cbb0dbf75e1b1ed1ecd6942c648
SHA1dff66ec39e745e937fc4b884ba3fafc61f6fb9b9
SHA2563a810001aa95d8de09a9cfe50082f4b0e8db701bba978dfce2000ae35a7f492e
SHA512161ba2e10f1b7b3e5e49c995d1baa72ef59608382e7b52a3ac1f81248c118d8c30c00ee19faed04ac33f8466249f2ff68249717ee6dd2bd96deccc76c464778d
-
Filesize
380KB
MD503cf5915da708adbc972ab223a17ee1f
SHA1116006c80e7bc2fe762d0388156231cd119a2a87
SHA2567e503399e25a9c6554973cb5e7827987611c8d6a35226b292899e0abe2b4d719
SHA51210d77873bae93201bdc97e09284609587f4a23182b8f4cb31bcfd775a438f11fe47a6605639144a80714b52a9a8c8de7bc849a723599dfb60ebc374d0b4420ee
-
Filesize
380KB
MD5776c917d580aa0dba26e7ef9920bf53b
SHA1e440ed1eda62d735a1a023ebabd5492841cbd1ec
SHA25614e12828abe58771f2fc9416a7178a21304a3a125c825fddf0194dbda703819c
SHA5127910ca3086e652cf8847662d5f1b95fc1400289607f8c36e088d225a10430d8841968b9972b4e191f4933fc934018ba806df17e04240acd600c75985f3942422
-
Filesize
380KB
MD564187a3e930cc2f303425b7957799370
SHA122bc00b3138ff0ef149f2d9d5aa6356e8e283e4a
SHA25659a54348f431e4cb2e52051b43b6313afbe09e415fa3d660515cd4883eb6824c
SHA512e360e87beb7c2b03a9bbfa69d99e93dbe96e4d2fbce18d1feed203772a0ce14d3cc47c3fd8b766b448e8b3a5cb9a7ac89fe6b3defca487c46ebfb5650c096065
-
Filesize
380KB
MD5a46d06b8d1c28ea5029fc072f6e93656
SHA1a3807ae164ef8d7a4788ab602787cdb3963fbc3a
SHA256ab5e5c657ed40626fef5b00e95e834120f13819d02dc08a9ed392f2632dd8f6f
SHA512dfb640af4fa94ab6d8586c68b7ede242854ccfb69f60d1f6d34411d5eda595100853ba4355a318a112f6cc7eb9aaa396a090c80fc8f870b57eab2d12f33b6500