Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-04-2024 18:48
General
-
Target
2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe
-
Size
344KB
-
MD5
29e20b8b542e72ea5a61707def858260
-
SHA1
4d8aac46263a84d8899b79e459e460431c2391f9
-
SHA256
fe5bcb9f0906fd3fdc6eb4fe4647e4b174f2805c46b02ac0fce8c844f6b15b59
-
SHA512
f97f8d9ee6184bcdd250ccdc80d1092fb19befb2129ea5ef34087b81560913c986376ee6489eef5dadf934a727f831fb90c5029a707947360840fcdcca597dfe
-
SSDEEP
3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGulqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-24_29e20b8b542e72ea5a61707def858260_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{83855AA7-BD1E-4322-83BF-7DBD3D74C752}.exeC:\Windows\{83855AA7-BD1E-4322-83BF-7DBD3D74C752}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9F085190-90CD-4262-953D-C38D28044345}.exeC:\Windows\{9F085190-90CD-4262-953D-C38D28044345}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4E69D098-8C31-49b2-B151-0E41B656ED2B}.exeC:\Windows\{4E69D098-8C31-49b2-B151-0E41B656ED2B}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C6353DEA-89C6-4fa8-8BD7-825BE45B9094}.exeC:\Windows\{C6353DEA-89C6-4fa8-8BD7-825BE45B9094}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6858E426-88E7-4a3c-B1B6-51FFE0FB6B93}.exeC:\Windows\{6858E426-88E7-4a3c-B1B6-51FFE0FB6B93}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D65059ED-36CC-4e23-AF99-79457CF81385}.exeC:\Windows\{D65059ED-36CC-4e23-AF99-79457CF81385}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{59F250B3-9610-4f84-AAFB-4E81F9C21C28}.exeC:\Windows\{59F250B3-9610-4f84-AAFB-4E81F9C21C28}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C1DB8ACF-07BB-4a55-8F69-4B6CB805D020}.exeC:\Windows\{C1DB8ACF-07BB-4a55-8F69-4B6CB805D020}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{1D6897A2-FCF4-4c7f-B1F5-94FF6794B64B}.exeC:\Windows\{1D6897A2-FCF4-4c7f-B1F5-94FF6794B64B}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{5140FFB6-6BFD-4132-8907-3B241B8A2B82}.exeC:\Windows\{5140FFB6-6BFD-4132-8907-3B241B8A2B82}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{D6BBBFB0-991C-4b80-BB55-407CD340E13D}.exeC:\Windows\{D6BBBFB0-991C-4b80-BB55-407CD340E13D}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5140F~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1D689~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C1DB8~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{59F25~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D6505~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6858E~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C6353~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4E69D~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9F085~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{83855~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344KB
MD531d04d7fb75aa9e57a0b0cb03a178a13
SHA1f982bb496f3152eb7add99611f288810cc6a1bcd
SHA256803bcb166997dec776440570fda350e9e981b5f29ea051ce75d6abafab84372b
SHA512a049c8eff9c3b5c0e1adb43dbd23300910d7e0c57365531b1c6a2e601ff974d9b85a767d73ca857ee87a9882e8dd6c55cb964c25ee8a778343abd27ce2281e67
-
Filesize
344KB
MD5a15ecaab1d54a2aead20d34b362fb0ac
SHA139ff74539b61cda1e7d45ee0c2db8add439ec00e
SHA2568a1661ba138e3e27b9b4e5d5cbd03ee18f86b985f02bf02fed874ee0c349be33
SHA5126bf894124e51cbc36fc5dce2b2866baf9e8742f6ff138eb144c21887574cd4f0d5974dd171fca078131e65b7395a6bf262affcb9e7e4f33739f64e8d87c92775
-
Filesize
344KB
MD59e52f4d90e76256659da2ce7deb3e186
SHA1ef8e8e93bad6d96f605dbb4ff4370427d692bc2c
SHA25647fb04334308b3fb00af3febdd47b68b8762e6ce6b9e451ba2a8037c6a89e41e
SHA512829625524d3757336f862cf49f0a6074b73eccba59e943eff3f8fd6230b0e48c1d929880c5d61d40a10f955ea27e6eaf2ccca84ce17d2623161bb8e62f345f58
-
Filesize
344KB
MD53150e41ddc7b4e9fff5336430a23d3f4
SHA11619a3ada8ad576714215a84d41f64d61f5f917c
SHA256544ab4608d68b0e62b1373adaf374de04d8ff0fbee3317011b53592d9456a2c1
SHA512046be4f65b3e2cbc3473504fcd175c82682ae02cd74901d4debcefb20a0e380b095821060b1a8c4e0d8506216dc68e8a5313c2390aba29cbd4bfceb89a7c1eb0
-
Filesize
344KB
MD5c0a4702aa462947f4846ee6990ea2c58
SHA15781ffc9efe9ebe8444e4e6fa10824684e15f69f
SHA2564b9592af1d5f652b96334cd2bbab2e381538deab8b0b7f05669cef9d33b2f1a4
SHA5120ac4e01605d605b952a5439cd6d1cd288f66389d49cfb9fbe45338829a6e035d362e0498690b5184925113f7ce34045886d383ee0b4ea1634bfc828029ee83d6
-
Filesize
344KB
MD5ae140fce5a58664ed677082a09717ba2
SHA11ec8b769cc6fb03e01de335ca78e5121d4eadb77
SHA25653df26e3c55e8dfd29d24fbcff8f58668c98daa6f6b47e480404db5c5ac8f65f
SHA5128439931bccf51833119354f9f17205d4f94e7823d88a12357bbe6283038993598a1b2b37d9974d93683d187dbfa4ccd7fb706bcc91919e94a2c8e00c68a94a29
-
Filesize
344KB
MD5dc6528d56fd524632fc52339e488ea7f
SHA12cf1cf951fb527493f7e6d3beb97ee31a59e2c30
SHA25692f7eb8a3a80615cc91fb4adce623d85a2b24e15755bb0ac77a1d384cf162300
SHA5125dbdd4fe0e3b1b367c6072cdb8eaaa1adf21aacadb5636b8e528b2a39c93d535a84761cf2c2cb684f00f28264b2fac1bf1a7fdfab0c6fc92e83213c302b9c75a
-
Filesize
344KB
MD59914f411c463d740eab1b17729a65d90
SHA127cc3eb7fc67bb37f27c78c3d80277c1255bdb45
SHA2569c6b94f552d81a49152a522a5a21abc67adc82aa7f22a9ad3f5b9fe97832db0b
SHA512491f3d6b72ba3b3def3752cfc4156f399327a79917f82981ddefebba19e50f32fb4c5fb4b3491b5420b236fa9985ae0af6788de200e81c56f626118a3b14ad76
-
Filesize
344KB
MD537400e0a4ab235d7ae42f22bd2a1bbad
SHA1bb2ad9f599ac3fb6c6be86d6e49ebed5aee50128
SHA2563dc463f947d5a598f3942645e133e3f21800a494d17b450c182d4eeccb2e8685
SHA51203732dbfb790c6797e3155773f4fa4c2c3326e2759d6a824823c64de232fabc99c75f8f1e14848a812407f5298ae9c9c15a7e79fea1b4f0632b9dbed8f70e6c2
-
Filesize
344KB
MD50a1c6f8b817ae9cb064b0ebab2fea4f9
SHA15d636ef97c01255ee0236d7923f0be27a78f81e8
SHA256cc85a6a3104189dc140265d30c4c3b6c00529faedf4f1a1e795fc35cf6c2446d
SHA512b6f0dd11c2bbfa5b43d31a0b9517596940fb1481ffc3ae2b8397b867177bf8259648ce6a39f5b8ae43c5080dcb4d1b3aad5fde469d837d9b18b70da63b5b3560
-
Filesize
344KB
MD58476d474535ff152e1773d474618e78c
SHA1d280c1a22c75878d305e935f7084fe173466a8db
SHA256a25f53b0eff2e93a43e886883b1b8c34351db1cad1fac2fd908d6ab9de6377d9
SHA512ccec844c54d654279aecf9268522b0080db8ba0c0e78e1e836d444eb1268c91dc87d61ad727c250ece29217e5b7397cb3efa222cba0546f891cdcd5b703c89e0