Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
19/04/2024, 04:25
General
-
Target
2024-04-19_b8bdf4becbd92fe41587d3969de18149_goldeneye.exe
-
Size
180KB
-
MD5
b8bdf4becbd92fe41587d3969de18149
-
SHA1
cea2012236030470179edf933df9bb1f73c3785f
-
SHA256
b579b81025a40428815fca1987fc1c53d8fbb8f0052d2b5dd83d02d30cf9ff61
-
SHA512
105304719130ccebc85e8715fafb377181d6f65dc3924cee453a3c375c1468e46a707093617fd5e921113119af7a33c22f1dbfb4ac5dae741cca42ecc7685a0e
-
SSDEEP
3072:jEGh0oulfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGkl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-19_b8bdf4becbd92fe41587d3969de18149_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-19_b8bdf4becbd92fe41587d3969de18149_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C5009725-DFF2-4341-88B0-069D49860572}.exeC:\Windows\{C5009725-DFF2-4341-88B0-069D49860572}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E62C0F40-4CFB-43ec-BE91-70E3DFE9E040}.exeC:\Windows\{E62C0F40-4CFB-43ec-BE91-70E3DFE9E040}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4ADF1F5B-33C2-47b8-979F-8BB03FC7DEBB}.exeC:\Windows\{4ADF1F5B-33C2-47b8-979F-8BB03FC7DEBB}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5D261F0C-4DA4-4580-B226-25D2049F4601}.exeC:\Windows\{5D261F0C-4DA4-4580-B226-25D2049F4601}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AE4B92ED-C7C4-4c3b-B139-CFC99CD5D14F}.exeC:\Windows\{AE4B92ED-C7C4-4c3b-B139-CFC99CD5D14F}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6EB583D7-1386-497b-BCA8-BC7EBE7E31F1}.exeC:\Windows\{6EB583D7-1386-497b-BCA8-BC7EBE7E31F1}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5B2335C3-F6BA-4bc2-B1DF-8A3BEBE7D7E3}.exeC:\Windows\{5B2335C3-F6BA-4bc2-B1DF-8A3BEBE7D7E3}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8B8C9392-DB5D-4617-B1DE-3081432551BA}.exeC:\Windows\{8B8C9392-DB5D-4617-B1DE-3081432551BA}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6621D040-ACC0-4dfa-A3A4-BF25C5CA2FB1}.exeC:\Windows\{6621D040-ACC0-4dfa-A3A4-BF25C5CA2FB1}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{42DCF8DE-5836-4b0b-827C-34B39D59CBB8}.exeC:\Windows\{42DCF8DE-5836-4b0b-827C-34B39D59CBB8}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2EE5A387-C0E9-479f-8E58-D6C2DBB7B22B}.exeC:\Windows\{2EE5A387-C0E9-479f-8E58-D6C2DBB7B22B}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{4E611FC4-6220-4e25-AEFA-C9C74882551B}.exeC:\Windows\{4E611FC4-6220-4e25-AEFA-C9C74882551B}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2EE5A~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{42DCF~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6621D~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8B8C9~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5B233~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6EB58~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AE4B9~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5D261~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4ADF1~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E62C0~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C5009~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD5abafbd8de6930436396a22bd5ff7d063
SHA107ba8687fd84bdc7605121d466003c1b8268bc95
SHA256a8cf67db4cfe890e774f6c8858af6808e27ac536dfa7468faa4e59fd29d546cf
SHA51275fafcf902637753888e6d461b2e34c39bffec9f0911ae987547bbe02fa236215872fadcb547ca0abdb83cae338723a323b468c1d9ddbe6ae4e46d7536a719e9
-
Filesize
180KB
MD531151204825326a192dbe02540578898
SHA1fc2219ae9bccee61c840894fb3c0d4119ea9f8ed
SHA256747f99b2675a745f96c284cb4d353963dad734f4e22565d02e1d666373f7de56
SHA512bab19aae6fad14801de88c3227020007525317958f2e837b2815353bf67b0683b896e643ed8f13043a5262fa19fdb50b8600eaf2b8b5ab66f6a5902bc9daf9f8
-
Filesize
180KB
MD5ec2ea0b00fa6c552bc7dd137a02b0120
SHA1c68114641b5ca4bf1774cdeeff0dcf4acf597402
SHA256d8b61e4f35da3d7f698f199eaa0be00aca0edec139b4ce9f9d1fe563b0d73762
SHA51255fdbfd143b16b6ba9e33b4b7d37b1cf2b1d9dd38b80e5b16ebf1f985a0bf1ebb0341b136501760ae2fc16539bae665d5eb9156e6146347609cea94f24f2cae8
-
Filesize
180KB
MD5e367384a49cc7c8d121db4248831db18
SHA1a939b8ce7a714408fb4fc51ab7a91853683087db
SHA256ddf0bae1f4b56218c00f92a29f1190966c434aba6a4347d3bbbd40e71c07b482
SHA5129f3d585fd4c8b55f2badf6d79c033b32946c34752ae26d41b0b99c3e9ad818ff412c07067bdf4e5242356bbace520bf5c7f3ef0f602b6b984b25d501a9674cac
-
Filesize
180KB
MD5a3f3db671c573e3cf6528318a575aa3b
SHA10e7a32724e503df2aafaeb39418d13b6057514f8
SHA2560f4a0488294b9ff931a0560d3e8581ccd1a1fd1f29141ea9312bcdc81a237a08
SHA51247312a8f03925cb221191bf2b6601c2f879e45757102dec33809ed64db6dc3d3c17f7abb5c5f24356a285226f97a8d06c4717d659af092c5dd326b4cda63d038
-
Filesize
180KB
MD5ca2e2299f47e5a260ce804d4e7d4a6d6
SHA1e67dc4465028479f6c8d572d14a2b20b04ea8221
SHA2562e3b82791fe332fec7a2ed10f7e821f9730953b2b1e0346b716345f636108e4f
SHA512705ef50ac9c753893bc5cb66cd3e2d1f767164ac80a7de02ed8192ed1284bb1870b84de929b3a003d1d65fc50bed95b99e4c46fc81b56044ac90fb02a1b65a75
-
Filesize
180KB
MD5049b9c6a8d56bfadc89ab8f7b9c1cc69
SHA196a6c1f7c71c6b74c2108b4700c5dc1c5563c56e
SHA256b353543d7d621f28a30a6f4735aff32a054c1efee939cd877eefd44fcf5bb7f7
SHA5125ac16eba80690377fe6b275213ce6bc0611eee9f9a47f712bfb209234533eaf28f27a4fb006d7f8f048b1745cbbed78a88cb074c45241de3043c26bdf51a6a06
-
Filesize
180KB
MD5d35a9dbbaca55b10b161713a25f58183
SHA1d68fd0756666622e382a77d308896a7d187112e1
SHA2562c07ee79fe12c6deb5f547e2c592252623969460121ebf2af3df10c814767128
SHA512b810344a08f63ec7456a54c05bf5cf28a35828c0b556181ad7b088e791f7d0004d2f86a8e343d3b88c3ba5b15828e35aaf5dd91c2b16d13dadce32d984985798
-
Filesize
180KB
MD5ce155256aec6e81be69e4c2bb75d0e01
SHA1a01a2d5bcf7400563c55a6d24b726b09339debbe
SHA2564b7944e45836d71d48a3009765e0aa8c3591c1a8821a7082a79683a8c3997e3f
SHA512105e21dfc15da23de1c7dbaefd58648c92079094331781bdffbcab391312227b2f2b7d72a6b11bd72f8f107d079d2e66124eaa111e8c1034db0b1fb35e75abb7
-
Filesize
180KB
MD58dbcfa1a0addc63b139fa953fc72d73b
SHA1a23e1cc75577d7d22f07b21f660bc1f7cfbd1af0
SHA25652718beb716526d804541c667e449d5332f323908755e32fb7ddaa665f32cd6b
SHA512d8517c091ae3fef9dd1b0536cc2b913088870d45879be32a3a7bbedd5ed9578edc18659a2f4cc4d97770854c5cc35e7f113fbecc082f08df9351b886807ceac7
-
Filesize
180KB
MD557e8c08f0b0bd8e22335d87f1de74423
SHA18e4456a92cffca5c373f0c30a572bf6e619a449e
SHA25657c7ec07905ae714f4251752d97cb506270dccab0d1ea861f7ede723c7c5af61
SHA5124520154bcf0183153b09a24b3897f4fc2da2562b051a4d318d5ff3fa1724e63dc7870c0139e169d5b48ec3cd1f42dfb83ccbe6d8b89bfc20e80cd4f746e78f9e
-
Filesize
180KB
MD59724c3c6e0ece34544862029fed624e4
SHA1a7362530ccae7c92555ccf6d5390ef1811f07558
SHA2561a1a9fce64ddb070d33d3a23c05b46f9479c43fc58212eb6a020e45ae15b48b1
SHA512aee3adeb335add95f7e9c0c8b39da7183606fc75635d632f2fc975005c006cb411e9b25778fbcc8c367854fd8c10c1d2e979bd1054232a789fbae0ccf92ea3e7