Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22/04/2024, 12:52
General
-
Target
2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe
-
Size
408KB
-
MD5
70b675a73947d231543c0c872fdf1d41
-
SHA1
c5f3b3d868c91d519af8fddf3f25d2a11f9e2a3f
-
SHA256
b2dd5d6f21b74e2086a67341b11bf6c6b12e7e5b32727ba1f6e28cc9dae536ed
-
SHA512
63afc55ce42202d4c3713139d9d4c889737ed19040dd331c109585d7675c479372eeb262791062921db5b3f96b6b2e75d5585ece79e18c957bca05ff7a53a28e
-
SSDEEP
3072:CEGh0ogl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGmldOe2MUVg3vTeKcAEciTBqr3jy9
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-22_70b675a73947d231543c0c872fdf1d41_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{94A689B1-8A02-4403-8CC7-D18424422E80}.exeC:\Windows\{94A689B1-8A02-4403-8CC7-D18424422E80}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E27E0BB4-7AC1-42ae-BFEE-74EBE26DF3ED}.exeC:\Windows\{E27E0BB4-7AC1-42ae-BFEE-74EBE26DF3ED}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2B3D4AA5-FFC2-4a84-A068-8DB162A8019F}.exeC:\Windows\{2B3D4AA5-FFC2-4a84-A068-8DB162A8019F}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{884A11AB-B9B4-4452-839D-381E38C688FF}.exeC:\Windows\{884A11AB-B9B4-4452-839D-381E38C688FF}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{865406C4-AF29-4c4a-9582-B1031A94DAA9}.exeC:\Windows\{865406C4-AF29-4c4a-9582-B1031A94DAA9}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{ABE638B3-650B-477f-80CE-2C66D35337F2}.exeC:\Windows\{ABE638B3-650B-477f-80CE-2C66D35337F2}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E9ADDDCD-A8DF-4931-9B85-AF9099E3844D}.exeC:\Windows\{E9ADDDCD-A8DF-4931-9B85-AF9099E3844D}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D9FD5BF5-E6BA-48d6-A0EF-32DFB854A2AD}.exeC:\Windows\{D9FD5BF5-E6BA-48d6-A0EF-32DFB854A2AD}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{C8D1AD9E-C08D-4a07-B575-4F5D1EFF4A5A}.exeC:\Windows\{C8D1AD9E-C08D-4a07-B575-4F5D1EFF4A5A}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{212D1457-F864-4ea4-B81F-A6CB0451E0E9}.exeC:\Windows\{212D1457-F864-4ea4-B81F-A6CB0451E0E9}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{A8A6DA94-87F0-4abc-9F4D-006CF6D5AFBD}.exeC:\Windows\{A8A6DA94-87F0-4abc-9F4D-006CF6D5AFBD}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{212D1~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C8D1A~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D9FD5~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E9ADD~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{ABE63~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{86540~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{884A1~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2B3D4~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E27E0~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{94A68~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD59c7fc03140854798130f39e6edbd3e9c
SHA12ab2314b9ff7740eb42776e27319bed58457df4f
SHA256cdda03d9d2e7c8679bb30a41ca7bab4dfb41b17a9062b44c02dda76e6f58781d
SHA512d3f8efdaf4326c10cb0b00cca34bb35f5b02f06e6ee4d79317b14edaf3b1dff9f56e2495a805cbaf6b7bfec95060d96a6a87864ceed60d5f66819d80022b28db
-
Filesize
408KB
MD56c9be40eaf2a4229d93d64a781350463
SHA136602f5db4bfafe19af41f79037b66860fa6bb78
SHA256b02a00e14c6449eb90444532f9198ce72b8f08ac5ec65a0476f837e3e27fab2f
SHA5120b18e8306328286e96db5f8c910e95295bf23f29658bf2b7dab8e2c4106aba3f47005488183e118a38a060f03a544892bb0a875295515830963966358c3888c8
-
Filesize
408KB
MD5821f60a56d49ada470c625de61cc0913
SHA179748dc7f3afe664288c9d9355734f663d0434cd
SHA25652968c4a608b23a91765738db77f196745f75fa85451918d7bf9585bd784abff
SHA51249c848b5c43a746223f93e2a139b1e884d5d932929009bee97af3850b6ce765c2a26a6c770960249914162b397da20de42e325a5931efba3f9cae4b01fe64493
-
Filesize
408KB
MD531c58cdc5882f46eadc6d576545203d0
SHA1a5522cd444808e8a5767950ac2bf43233505c5d7
SHA2560451b4e172b519d34f1b13e8bfff57b454f6f7010a2560c6faab2f382c94fe09
SHA51208c878cd1f0a51cdd9e7be1df7091983a654a0f021bf2d39cda26a9af862b8bbe24a5a557b9bc2d704e4795446f1e9b5fcd355baa4b6df14948f5215dd2598a6
-
Filesize
408KB
MD50e5ad4eacf5df609b9cba8df4c539585
SHA1eb052793c9b6680240e2b799d8ed920b0adf904b
SHA2561353dd54c38d6912bd899c25e1e58ce2e92090f743c7596fdb878d4a91b67876
SHA5124cf27c196842182b99852d7630c5e7d0ce3c17f6c6c816cf7861a0fb81605405d4369e65981a172a6ab0f9e085da61de6cddfa94166802b9d92125010e0c1071
-
Filesize
408KB
MD53856dd57ffd92b1b2bc8466e28657897
SHA1592ec39031d0673bec4146f354ccbacef2db6d64
SHA2560b4bc6e2307a388214703845853867744ba6b7f0fbb66bd6ca2a47aef3c5e4a1
SHA5129a322420a1a5600b37c33dcbfbed24e94a5bf2b65bae0127ce52bcbbff13d17d2ea060db9709e161f3de064568c25a2e7d74b0e28af7d4996668417a77635261
-
Filesize
408KB
MD532bebc20d874c8acb9fac08e3c6a5ab1
SHA18008b27da6fcfafc00c897a1612e562298b08cbb
SHA25626c716b8f5195f76268c2dccdfaaad277669e02a763074388e3327acb60c5fbf
SHA512ebd4f306726a9e64ff8784b08a6f0d20a53a74b5ea44b2e83c5c1fa662a77e7f8ff0ce867c5db0ee0bb83abb0e0c65ba8b94cbe70115b8f53f7c6328bbf98aaf
-
Filesize
408KB
MD5ed7196b942d75d736462293e11a21592
SHA135c717e39b3e17ea9d79a18779f8e6e8cd4bba41
SHA256c3fb9b82438fb4bddefce0675ee955710685a390812d2fdd9764c209c0a7edc9
SHA512d0dfed5ac17be608fb8c82a374bbc1ba587f6abd22930e5d5c263c70174d29aa56fad1fcce4c4d4770e0237531142cc66d2f5ee726b8e4477d289cdab571e423
-
Filesize
408KB
MD5a8efde0403b462750e336b29c14d6578
SHA149154d6995266a93f024b00cc507216c771f6bb8
SHA25624dcd3ce1d0fb882278a045608bcf2ecd0a1b8e2458d2d247de1170f8a7b58ed
SHA512f75f4f42cda4972845c37da84ebb57acdb46a9710455ce3109c5d4382c26a1a3394a00305d21b8039364d05711ef9388a9a155d97b90564162130b0fd92516ef
-
Filesize
408KB
MD51664d9eb9ed86b9dd0633c56a2199655
SHA14a838f15114511d3fa98251bde005850a2b99093
SHA256d7b8cd1b4c0bef35c8530dc28697004f8320275644ee7841d945cc6207dfc144
SHA512052cec64643f491a7df2da98d7b5cdd3317718a097f90ae8860453790e1b03a7ccd6e85f83f897bffc0f1af1420e65c9a0640090d592f1738f178b6800956427
-
Filesize
408KB
MD5ab0a6479a73060de339f4840d0133d4d
SHA16c74f356b1c9e99dd261880c85ea37e3609401d5
SHA256193e67695522b12a0a2b2ab19cc09d1277df09d0c92cb20a866671d3e747e4d2
SHA5120ab4c52c9ad5604aa27dfc1339020c220285027a15eb4850491fbe72d3d6a615462fc5d82cee6437c2894644c6bd12da6e7776ec67263fb2ca9676b3e1309ad6