Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
22-04-2024 09:04
General
-
Target
2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe
-
Size
372KB
-
MD5
bc9183935bae8bb259558bdbc920676f
-
SHA1
ab7458632fc87b9a265ae6acc83e231d50826dc7
-
SHA256
514cb7f711fba5e8c007f89c1bbf412f832c73ce16d52124381b290f8cc05f93
-
SHA512
d9aebfac4f7d9339e3d6fd20259313f19fe6c855e0e76e001c1ee4d86ca77ffef08b3102e756497c1b1b83d0c43a8f6fee99ea20d0d7690f09996f74a5dd7dcd
-
SSDEEP
3072:CEGh0odlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGPlkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-22_bc9183935bae8bb259558bdbc920676f_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F8815CDD-A7D8-4241-935A-030C93DB29A4}.exeC:\Windows\{F8815CDD-A7D8-4241-935A-030C93DB29A4}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{42D2869D-06FD-4d38-974C-A242CF8C91B9}.exeC:\Windows\{42D2869D-06FD-4d38-974C-A242CF8C91B9}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{452270D1-583D-4621-A5B2-0361ECEE56AD}.exeC:\Windows\{452270D1-583D-4621-A5B2-0361ECEE56AD}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{65857E82-CCCC-4998-80BB-3C856B3FEC34}.exeC:\Windows\{65857E82-CCCC-4998-80BB-3C856B3FEC34}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2F52DDDE-571D-492b-BDBD-064961010D48}.exeC:\Windows\{2F52DDDE-571D-492b-BDBD-064961010D48}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D344D49E-F572-4db0-A246-ECA30685855E}.exeC:\Windows\{D344D49E-F572-4db0-A246-ECA30685855E}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5AC0F6F2-1526-4f35-944D-EAB8C6374B38}.exeC:\Windows\{5AC0F6F2-1526-4f35-944D-EAB8C6374B38}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7BE8A50D-6792-4cc3-B0EC-29963055CB23}.exeC:\Windows\{7BE8A50D-6792-4cc3-B0EC-29963055CB23}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{186ABEA7-BF13-40d4-BEE9-B5BE5669167E}.exeC:\Windows\{186ABEA7-BF13-40d4-BEE9-B5BE5669167E}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{2AF7243E-E095-4540-B96A-550465007288}.exeC:\Windows\{2AF7243E-E095-4540-B96A-550465007288}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{FF7F0CAF-4760-4506-8A33-6160A0D05F37}.exeC:\Windows\{FF7F0CAF-4760-4506-8A33-6160A0D05F37}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2AF72~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{186AB~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7BE8A~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5AC0F~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D344D~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2F52D~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{65857~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{45227~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{42D28~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F8815~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD5601d4105263e6bb1c33a68577e2535d8
SHA1515798c35e7cba8003bc28139341cc286c1fe8c4
SHA256761952a3acd75b0cd9098daebf37cf9b75f0efb2756c310f19567c309c86d788
SHA5126bf53dac0369ec26283c65ac0ecc7c8742bd46a86be71133e67df62be5a71c44a853da8a8121984a451c21729fe33928b8d582ecb016a69a9912fd78e8136df4
-
Filesize
372KB
MD5702545f38ac964da9527a32a8b49a51f
SHA1cade8f76303b08fbab40cc1d734d0b5ad1324b53
SHA2567a107fece7d446a569034cff3b5b56be5a1d3c2c595a5118db973f1bbd7186e2
SHA512a19afef0e23be5871523d879dd8ed1c0ef56bf0be425905215beca32941276a28ab326d3a3e94b4ef715a4c971c63a24317bb12b86a5ac07d8eb688e80489ca5
-
Filesize
372KB
MD5cab93163d460cda5c31ae978d2825a72
SHA1039d62161ea408d5f85a1c38c34efd38ccef3a7c
SHA2560e733cfc1c6eaef8e9ab7967931e056702f901279c4cff2cafd4301b71c6984c
SHA5124fac2e5903ad067b8859b31b7ca5239582338ff85d0fcc449d6b777ef76305a255f3ac7ba80bef9f0e8766a0743a083c6b5bbdc6d97f91130982cff0ae5c8d88
-
Filesize
372KB
MD545050a086c0e43b14d56213917532b1e
SHA1bdafe281b62c0a65033b3f629b8e9d3bc5408eb6
SHA2564a8a07fdb8fb0d2a5f3ec5d7152b2e7a69cd9b3279bef14ffa33a7d3229185da
SHA512d8e77ce6c1d8ee22dcf1726948ef0468343333e9375139465f004a0dd6203f2c456af514d82fd101b38725367cee869c530ecc42b031f82e8b3e3b2144225897
-
Filesize
372KB
MD5237fa7353fcaf5882d3d6c6bf30c3daa
SHA1d85927bcc739fe28874ef211006b8f0884c7695b
SHA256b2e40695dfb4126c3a8a719126682c5114774dab1272557aa5dd8f2dea84856c
SHA512f3c20f4944b2490ad25fba061a8546b74c42efdfe06638fff7fa60dc940f8b8f902455660aef3bd9bd90b54da4f8e772ad0137daa958bdb31736027647a31fd9
-
Filesize
372KB
MD5514972f3f7e3f99d85e1f4b13aa59f3a
SHA19f22d488015a8e460481e6e7aac29a33513595fe
SHA256051ecdf860547dd6683e58715cab0e50c0ed6bc94fcd3005acaa1f886259aaca
SHA512219509540c881fbf8c8edc062faf1367f317fba4c3c69eaa47285ff6c17768dabff8283cf1c1ba598ef360aaa5604fee6150a9333da04f529146081ae6ff025e
-
Filesize
372KB
MD563ad5fa9fa1805440a016d95ccfb67a1
SHA130574c2a2e75a84a931aae61a7b1c1f6506e54a4
SHA25631957bb455504a3f571ed17c467e39abc17a79ac80639518cf921bc311d60a86
SHA512de319263d850ff7958c4bc2abde09ad8988843bb0d47446f30da2498815aaef653be7b8dc235e61d52aca4e23b31a77da3d3218bb280ccd9c2cea901f16e618d
-
Filesize
372KB
MD55e99b291cc020a2cd4e784167690413c
SHA171ed650f2aa9633cdaddbd1a804553ce410a6d04
SHA256c448060878ac47c0ae31a5103743cdf6841306fdd6fc73611447562b5b74f3d5
SHA512ce1f1003c3ee6d686bb0be9f8a7cc9b1677502c773ffc33ff397942626099db7b7a8001e7666116cea7b0333f3efec1c0e03a4e8569c6be974bc4f92955396b5
-
Filesize
372KB
MD505144b1b123e0850eaafaa8e3156fa17
SHA16e8b9058a9e942035ec5f9d1e64d60966fc0e45f
SHA256bd512ad4ac29b20c92a8ebb937738d8b1c6d36fc6ef82c2894335b64e84d3fd9
SHA512347d1c015de6becbc19db89d44eb20487250c491a9c3a8226fae4d438ddff272901f83be46ea44cd34ab79f74d4c62904b238821ca9b422ce42e3199a5d57f89
-
Filesize
372KB
MD5f2ae3388c070407636e077dd56ca818a
SHA1a8a3fb3f2181e0e0565389123e49a4b9b0c66d76
SHA2562352e5edab264a432342bd4cc3d48540bd6a305bc72ed5e796d5699669585999
SHA512a3d97fa811957e2010cc99206c7792676be2f5930a9ee23af5009afa3b6cde626cf064d8953a0f498803fdea465e1529322cbcf98da6ddceba6a705803e32d1d
-
Filesize
372KB
MD5cd2379eebc254ff46a9fe87b2f12c80b
SHA11e47de171c36f35abf6f0cee6fdbc134b20e39ad
SHA256ceef0f345e7e2241927a265b5a1b75ba20ab86278d2775a0e3d6d95250572c70
SHA512843ff5cd96a99c67188ded8994beffa719c5a67e2996a4500a59efa9393a4ef0615ee43fb9a93e5829b02b10c777298a548bd61c90b73a8222a16c378c3c30bf