Analysis
-
max time kernel
144s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
19/04/2024, 04:38
General
-
Target
2024-04-19_eaacac06ee7a8234e6a590e715542ecb_goldeneye.exe
-
Size
380KB
-
MD5
eaacac06ee7a8234e6a590e715542ecb
-
SHA1
c9b4229db944d1bf21ef5496b75409265d7cfe30
-
SHA256
b6f749be6e9a3bda78b895ee4e452c62d4c18920c85c542e78a9ab4ace03e67d
-
SHA512
bf4f47c5b300506937e8d89a1e89bd89588aeb7a6f1a2c6d794a905d5be6a25c3278c94d582ba5ce785746ffff73f536a73a4224ff1ace74e9fdfc0db67aacc7
-
SSDEEP
3072:mEGh0oZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG/l7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-19_eaacac06ee7a8234e6a590e715542ecb_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-19_eaacac06ee7a8234e6a590e715542ecb_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{8C880836-E467-44b2-BBD1-353867334068}.exeC:\Windows\{8C880836-E467-44b2-BBD1-353867334068}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{51044CCE-C5B3-4be2-A005-90CE1514944A}.exeC:\Windows\{51044CCE-C5B3-4be2-A005-90CE1514944A}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A5AE92D7-D4CD-4015-A3F1-ED65FBB60F31}.exeC:\Windows\{A5AE92D7-D4CD-4015-A3F1-ED65FBB60F31}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FD432CB1-50F0-4143-8880-9A9DBBB5597D}.exeC:\Windows\{FD432CB1-50F0-4143-8880-9A9DBBB5597D}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CFF37BEB-D504-4a4c-B2A9-CF279D75B984}.exeC:\Windows\{CFF37BEB-D504-4a4c-B2A9-CF279D75B984}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{22E1CED3-7F26-4542-BD3B-66B371A440FF}.exeC:\Windows\{22E1CED3-7F26-4542-BD3B-66B371A440FF}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E76BAA90-3D55-48e5-B457-69890A4F4AAA}.exeC:\Windows\{E76BAA90-3D55-48e5-B457-69890A4F4AAA}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4EF8320A-4122-48ca-ABDC-E3203D84673B}.exeC:\Windows\{4EF8320A-4122-48ca-ABDC-E3203D84673B}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{F5B3D8F0-8DF2-474f-B240-E59BF6D90727}.exeC:\Windows\{F5B3D8F0-8DF2-474f-B240-E59BF6D90727}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{BBE39B50-1254-4c07-A04F-D98E63300F16}.exeC:\Windows\{BBE39B50-1254-4c07-A04F-D98E63300F16}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{226ABFA9-CBCB-4a46-AA4A-5B55D464E48F}.exeC:\Windows\{226ABFA9-CBCB-4a46-AA4A-5B55D464E48F}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BBE39~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F5B3D~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4EF83~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E76BA~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{22E1C~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CFF37~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FD432~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A5AE9~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{51044~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8C880~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
380KB
MD5bfbf697e648ff3cc811ed70a0cfe950b
SHA1d42b63179cb8a3d07f9d8081667ab6bc4736db18
SHA256b5890e06544b6b67ed99a135069ca1413b7167e60667be16bbfaa62310f0acb4
SHA5129076f906353f45664ed3ac7e4beeff6e83a018c24d5b8a48e5cc5d8b7da1c8c018833c14ed48dbe5c56e1f9127588866bf4d4f7be8de2ed1e197bd8a2e9aece4
-
Filesize
380KB
MD59de7d1e273df2a53d36a05c6008ab12a
SHA1a1a7795c2ed3598fec716e609a66c74c4312f36e
SHA256abad7a09818c04e8e50e976044e500614419eea5210bbf7e83c27eb9c9aca4d3
SHA51234dbd52ee76b8010466660326b65e250f39f27e06dfa1cbff9965831ac8965be49fa8eca4ab63e85d95276ea59ca903e18f952ebf81be4c4cc7f5ca65ffc9473
-
Filesize
380KB
MD5eae1fa39d0dd990153ebf90dcb453474
SHA122e073c3ccfd32b733558697ae5706093cba43d7
SHA25685c3564162f98aee3367794ecac3f44759e9b45531f14d2c4f20f18cd717ce21
SHA5124f851cfe4294dcaf13bbf7983ed43457840de7b27362ba93ad5ad729fe6f0576072ed151308075f02dc75fa45a5c588f9f9020954974bb9d1c3b514afb4f207f
-
Filesize
380KB
MD522d8061af6f6c06bc7ac41fbd580b78b
SHA1bd2ce8d2457437988e9d1158879ac0ab2fffa632
SHA25661944a1d8b9e7ef831e5b30b526640ac1c63ceb19ac06cd52897938df04578df
SHA512b238b498bf879da0c9049ea6042c97789352238dfe88db128073e1c368f03cba84cf9ec3e4b2b2a20cbcc0f9d3118849e681b34b204544c284ace1dffb0e239c
-
Filesize
380KB
MD5bc06ccee4ec2f323b9576b5bf9dd2777
SHA1497fd1bbb403ecb37018ea43b36ba415c8da1612
SHA256753bdff4acbc24c3417f9fd72f7973f7512b64fc03dfadc41fe9dcc1dcbe7b58
SHA512c51feee094d78db34f060007c560d2dcc864b7cc4733b3997198a27e21fccfe635c10412480a5a289b0e6042b71026e7ec7c10489f587a072c56ed27d0038bbc
-
Filesize
380KB
MD5fb0d10749858eda3e6042c57e9861ab2
SHA108c0769ad0777f17d706cb19067bb2257b9fc1a8
SHA256cc7432cfe4271848f8220bf955732b342b66a45bb9743fab6a1ab8c82207ce6e
SHA51247626b4ba480a125c898d79e17172387f06d5d6f43ff5380ef6b58a5d4acd98b2ee75a1dd4b64238955e511bda5843005134e67b9e8f851ca736a7551b84247a
-
Filesize
380KB
MD5cf03c77f8d296d8fe2004e465ff1af7e
SHA109ae58b518b0ea5c0341d421f5f632e88ee5a1a7
SHA2569fa15ff7c030efe85fab79c98902d3f763d829bcd12411e3fe93143f3a6103fe
SHA512ddcf04b6e86ed3e5fa541ef1fad4c4942780343655bcae7a7edeeff8c434887366e9dbdb1cc867c5506901efee456a4ded9fd3899e8876a1215f7452270a738b
-
Filesize
380KB
MD53c38a3200d773299a280620c2b0d6624
SHA13d948dd1a6ce729987322efacb6bfd5eba0a91d3
SHA256c245290c0c0027cec08df26946e97007c1870832db3fcafb3b7463027ce7a1ae
SHA512effb89a16ea8c29b1124d3c4baa3f69fa2ccbd42f82694666ff4566af70ec4cf5b4d4a173facc0e90fbc0ca111750f5d45f9d2f1be3291f18df2af892ddd1f91
-
Filesize
380KB
MD5be8d5ae18382c2da92b0b9e65460a9c6
SHA154ce1bdd49da7f04913d21911a5966cfe9cf7737
SHA256f64b90d810ba4b066abbd059dec989260d4d2a4cc0dc843908bbfe869ed0e688
SHA51275740d53014c70da8a6521a1481451d62b736a59706d22918b643e9c2f36b0a3762872e1611e0f1c0a21ad57cf70760501c7db52063754407f63564fb8d46726
-
Filesize
380KB
MD53a12f6dc79e3590a41eecf98f5fc3cc0
SHA18ebd13871c9cb359099012de0675b2846fc5bf0a
SHA2560ca386930d10441f62e3a1fb2c763840cef2d1ed3a093feeda7422486309a1eb
SHA5124330ef8c6ddf87571adea9e7e0a9869a2a4eaa648466978135ef68d540673325d543316df78f8016f24cd6db9c6b36e83cad709b64b9b43802c22f0555380864
-
Filesize
380KB
MD5846f7f7e3fd0bf7769c10083b7f3ed60
SHA1bc67026c8a3711fcbe57f71ac10d8f9ca54d2470
SHA2562da5189dd19fc0776d84fa6e538aa629a8f6bd0bee6d536f3df2cad3cd5cbfaa
SHA51212c8703a24c18e3ad4f3f829951d45efa7640c952b595b08c4048d570f1838ba9f6bcb342a6fe62e8ac2f767d700937b6c34966b4d19446ec1a9918f4e9a80f2