Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
19-04-2024 00:14
General
-
Target
2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe
-
Size
372KB
-
MD5
b2f403a833bdb8af1d60927780b0430a
-
SHA1
5a054ffd18ffaf70691783baab645a443091ad1a
-
SHA256
a49ed79fc4e17fba40c27b5b540dc87fa4f63cab8590672e9ffabb659582dfda
-
SHA512
fc919fad06a7fda906b45921dd3142ceacd4eed0a5ef0b436e9702d4c0a391394bdec370a2ef76302574c7786a0aa44fde3638699079b92dec20820d8f8472f1
-
SSDEEP
3072:CEGh0oNlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGzlkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-18_b2f403a833bdb8af1d60927780b0430a_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E0A0BE9D-D2A0-4ded-95E2-094658E6BE0E}.exeC:\Windows\{E0A0BE9D-D2A0-4ded-95E2-094658E6BE0E}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F90154F9-BECE-4175-A70F-D708BAD82F26}.exeC:\Windows\{F90154F9-BECE-4175-A70F-D708BAD82F26}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{247DED71-AF95-43f9-A667-DE78A5EA9E3C}.exeC:\Windows\{247DED71-AF95-43f9-A667-DE78A5EA9E3C}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{46114661-5787-44cd-BB89-1B776E978B83}.exeC:\Windows\{46114661-5787-44cd-BB89-1B776E978B83}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A2A5F2FA-D635-4376-B268-A7D4743C9A2A}.exeC:\Windows\{A2A5F2FA-D635-4376-B268-A7D4743C9A2A}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{797733DD-A002-405b-980B-0F71A7F6B022}.exeC:\Windows\{797733DD-A002-405b-980B-0F71A7F6B022}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5F06B043-F839-4004-BE73-4BE9037CA358}.exeC:\Windows\{5F06B043-F839-4004-BE73-4BE9037CA358}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F95C5737-0AD5-4d90-8096-5285B531E7AC}.exeC:\Windows\{F95C5737-0AD5-4d90-8096-5285B531E7AC}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{88F75A2D-E62B-4bc0-9753-1E435AB49064}.exeC:\Windows\{88F75A2D-E62B-4bc0-9753-1E435AB49064}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{CD5425A3-EF34-4f96-B235-703D9B2DB1AB}.exeC:\Windows\{CD5425A3-EF34-4f96-B235-703D9B2DB1AB}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{FD8F3DC8-EF67-4082-8BC1-0C8A5B73B8DF}.exeC:\Windows\{FD8F3DC8-EF67-4082-8BC1-0C8A5B73B8DF}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CD542~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{88F75~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F95C5~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5F06B~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{79773~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A2A5F~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{46114~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{247DE~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F9015~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E0A0B~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD56c2fe94765f90b3f8af24affd86715a5
SHA1b1352c535c570a953ccbcc9f37153dd2713ef877
SHA25625bba1ea6ff6ec3990158d18dafd8b86e573ef673343471638bd219d95483c32
SHA51222be2b6365b46922118458cf4ed98315f6c5f9514922bf43dfa0e030cf4d09b4a0bb080617aed191bc939135d213c6d067bf2eb810b94399cb9f1808c7341f03
-
Filesize
372KB
MD5d4ff028693378a9f376f15c4e8d1b4bb
SHA1d49e79902c4608b116aeb745f99e0a26f7b84937
SHA256fa7b72c87e79470d8a70c18c2413a2a56bb790d7ec3a4def51d2b776fae6fce2
SHA51286a691b71ce4ec007979a8841f4ae784e705a3a83f6f7ff36e7fd51806f6e0aa16baa3362707509c4fcf167ba8909cd1cdff7f019d29b6cdb2eace59a339a990
-
Filesize
372KB
MD5671baae3ec9cfd7126ff34286c8fec23
SHA1aaa3770620b5238f2e7fedff664002f5a6e88c06
SHA2563ce3c44bb939eadc9b8b01521585f0859b50e6f4499b0114bfc950884d872faa
SHA512b37e73cda17a3a837ac0e26530935d34c977cda181a6a8eedf6bc7cad98746e5bf65c0c0ca759d1e564e71aa179dac7eb5c8f3d16a9c77c91c26ac386a178127
-
Filesize
372KB
MD55e9c302d7eb8ae741858c04792e8df4d
SHA1cc4415c33de9abe702fe93d1c8b83be4e5b346f2
SHA256aee37893009583f442364facf13208288ef6c551605c8f3a3588a4caa0fb138e
SHA512d3deb33fe39d95ee655036ef0a55b1fca7bd6e9e4f8df6803974a9a41e7adeca393d0c2b42dab7c76b895a032be8889f0c5f2547ccc2a504131837a44a96bb6c
-
Filesize
372KB
MD54ef51212f4c81fb9c64cad99af0eada7
SHA1063b4415ac4d0447f736ec65cc5716a80c7aee8e
SHA256c26cfc788b2a23807463cc9a892396063f50783be690ecefa4f2ccb6a149b830
SHA512a095d14d5c3e2eaef004030b599bbfae1cd2868346051cacedcddd716279733aa998dafe9556d4fa845a4d5772aedf1e6682886d18ff36727de101c13c76b29f
-
Filesize
372KB
MD5b9d3d93ca81924bdec1a40727f4563b5
SHA12d71effae8f3e1d92a09cfe6555cfb33a8cba804
SHA2569ea437394d47c9d068f4a6f8e0531264f8a712f22b605a203530c06f583d57cc
SHA512b76d0a1082594f6c0f56169babd1870ae0a6be6260049e5266de18bbb6b23c47dddee3d59bd6fc0774c66a1bd75706e7df935bfa273a6fc8292b5954c1964c54
-
Filesize
372KB
MD5daa905fa40407c372fe3098935e1b1a7
SHA1de5c5945be84e13f7e1788cf836438ae8596c8aa
SHA2561ed2c76488db9d51018679446b3cb01fa83a1e5389d94e7419aa55f1830d1a5d
SHA512d3139d3000420447f7e2de8fdc7feea501018c6a881123ccd82e807588733f03679f9e32b7bdfecd91392d32969ab15c32c149adb77019c14468176a9ead64fa
-
Filesize
372KB
MD53e7a65c82f185876fd750aa2fbedf0ab
SHA16565a9c16fed1f6439062911941ef549da7931b1
SHA256819978e5a9ab140d97e73d78e5d885ae91ef0e679385cee85a1459621c21fb4e
SHA5129fba7545aa6159cfcae078788ca54b23c03f28151ff08d3b3a1e0a58949c48c76b0a4669649ac306cbfbde5084d376396959a9ab03d08e90a6e7d997fdfeeceb
-
Filesize
372KB
MD55f3dbec17ca1847ebab28f7c3ab06bac
SHA17c59ce4ad903b544e0ca2c4c253d2cf941a34691
SHA256661fc18e9af93b032d2eae9bcaf2f74263b519f37d369c6e33e6232826da4e9c
SHA512c42a145ade42280ccba18c1ca196f942dfeef6ea130cacc27da069ec587015ed1d128fcec3c0240c612b07b90e945b8088cbf0a5a4383d2e3431e903c67167f0
-
Filesize
372KB
MD5bc0be84a60c07f1f01d5fdc62f4c9807
SHA16a77dee7d7c770df12ebfd4e451c91f57f6d51d0
SHA25621152e684185c34b001ab4499e443f07b9de0399cad766639f3fd4ad1fbaa633
SHA512c1ef6a26a472ecb3f03aeb6b5eb1b7da7e23a6763f6685cfa0a2cc87bf06f0ff009700931e9f6496cac93a0c32560eb9d50d0e7e5f175d3684463930e8b0dc75
-
Filesize
372KB
MD527c16284368c2910cdfed2f6b7a35dc5
SHA1fc3fc79aa7371d401e986e81d4bd39439350a6d7
SHA25695e7853c3d712fc1eba1c5006740429df335a716f64b17d780980ba6f1ff1636
SHA5126dde23f8e6a29519bc756369b80c98fec8270e3be26aa4727a09c24a9c7f0c8162658939ad4ab061d982f157ea2e737ec2215536a1974cbab8765b272acdfe6d