Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
25/04/2024, 16:01
General
-
Target
2024-04-25_a93fe8be0b5607db0655e3337ce32927_goldeneye.exe
-
Size
372KB
-
MD5
a93fe8be0b5607db0655e3337ce32927
-
SHA1
7583e88a6f897fe6deaa19c0d4f5aeb906419d83
-
SHA256
989ba5861e8a1b123f77c89e7127e2cfbf3d29033e9ebc8c5f7a0c56470a9449
-
SHA512
6edc1888221623f8c268f51ddee7ea325101098375e379200dd1965d69a0bb3e6fd3a9465dccb65cd0d28975a8368bdb5f8c87231c539ba249b2a5dca2f63701
-
SSDEEP
3072:CEGh0oVlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGrlkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-25_a93fe8be0b5607db0655e3337ce32927_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-25_a93fe8be0b5607db0655e3337ce32927_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B8D36D50-8DCA-4000-9FF1-4D9F8203667D}.exeC:\Windows\{B8D36D50-8DCA-4000-9FF1-4D9F8203667D}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{46712BFF-6F06-42ee-9761-BEEF1D8256FD}.exeC:\Windows\{46712BFF-6F06-42ee-9761-BEEF1D8256FD}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{319CB7D7-7D3D-45bf-BBA6-ABFDCD90C34B}.exeC:\Windows\{319CB7D7-7D3D-45bf-BBA6-ABFDCD90C34B}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5589ACAA-6B40-4c93-9FFF-1FF14A7F1F6A}.exeC:\Windows\{5589ACAA-6B40-4c93-9FFF-1FF14A7F1F6A}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FC0DD25A-9F2D-4a79-BF50-51C8905C478B}.exeC:\Windows\{FC0DD25A-9F2D-4a79-BF50-51C8905C478B}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6AB11AF0-18F5-4389-B295-898F3533EDAD}.exeC:\Windows\{6AB11AF0-18F5-4389-B295-898F3533EDAD}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7411E9E6-672F-47d5-BA4E-7494B6E9236E}.exeC:\Windows\{7411E9E6-672F-47d5-BA4E-7494B6E9236E}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D091D8D9-D826-4d65-8A6C-761C4D595C52}.exeC:\Windows\{D091D8D9-D826-4d65-8A6C-761C4D595C52}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{F387FFCC-D3DA-4d58-B675-07E9DC0440CA}.exeC:\Windows\{F387FFCC-D3DA-4d58-B675-07E9DC0440CA}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{E87D2508-5EED-4630-B841-AC02BE82850F}.exeC:\Windows\{E87D2508-5EED-4630-B841-AC02BE82850F}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{FD72030F-3CB4-4429-A831-C932E8B0F7F5}.exeC:\Windows\{FD72030F-3CB4-4429-A831-C932E8B0F7F5}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{E7D02106-1E44-449b-A37E-B3C0D2FD614C}.exeC:\Windows\{E7D02106-1E44-449b-A37E-B3C0D2FD614C}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FD720~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E87D2~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F387F~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D091D~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7411E~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6AB11~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FC0DD~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5589A~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{319CB~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{46712~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B8D36~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD58ae4fcbad290f3b0853b03f9bd95d2fa
SHA1adcf47cadec65fe521e5d654c07ba58964160c2e
SHA2562f3774c22da2d2bfbd29bcfeb472c16cf64d47110b10d580cacfd16bf4fe5b6e
SHA5122db9b00785c9c657ee7a94b81f826638d478f2879aab2f7c372ed77256023da3f5947310a899527e99f823ba508ba6cd0c13f35b937196bcc407a6f45a98761a
-
Filesize
372KB
MD5dec46c45739d71deb2628165228a8538
SHA1e1e23de3521406b2a4baa5512e02b1e793339e8c
SHA2565e0e50f86f9e788a458a38607e7a91372dd0ed88522cc38e66b7aa95db9ad32c
SHA5121b992890038eae978a6ea14777c6f8bf1265267d006533987f4ba63945759abfbec00f669c22295efeab811ea80a33d63cd6d9217a5da5810faa04216c7dfee7
-
Filesize
372KB
MD588de015697add30c3558f86ac17d4188
SHA10be719224bd2cfec126545c51546550c256922c2
SHA2568c86cd2296209e6124b5c3a3c7ceb224f6c1f77cb0682ae35aed8faecdc312f5
SHA512a0082a3c8f64d61db74884f14486b82f2c61779fd0ac5289d8257141d4d8f87498b3f008cbfbef26e8241f7a9ebd27268953004b8c79e31f5457b79a9cb811ae
-
Filesize
372KB
MD52b0f60a0eb5babec83d4d5c7b95bb6f9
SHA17256e4063050506e9ab03bcd911ac71db7aa1e50
SHA2564f2a29007c841048fa46d2b2896b784b1ac6f69fad8f08a9c0434a5aa91afe0c
SHA5127d26ddd13d497dd6ab8088c29693493c259dfd73b589d89dfbd785b753c31cf573de01c873337f4513cf4e50b5c43fe5a6343b0ef852dd6aedff7738d7738854
-
Filesize
372KB
MD59566d79e2995e31e31dd7b538f313db8
SHA18c14197078702ed59431205acd057e4384988cb8
SHA256fffb9a04009a304dd871ef65f409fb844cae7a566dded6f6802b76e1bd6fa657
SHA512d4f5c20c6fa0c3c6fa62a9a3094e82fdca34a49c2b590b2cef5b8dc17b3410093cdd1d8e986ca770d45dd5f94c73126d1a2eed799bb009dd746d72e362a31d72
-
Filesize
372KB
MD5948d026767741f64ed7fb192baa4e10b
SHA1ca1d44b006fa1a6c954a1268803c6ae729583f4b
SHA25652ccb14fc9a61a1184bd7281b5a7d1493f295f5806665c5041d9eb52cfb2028d
SHA5128b489011f94069b60665ee96baad9462ff57186ba369106f76d9157000d5cae1f3748c9aaa85652bdd4d7c77558ce5a2ce736ffed0da640cb80102a187e1e152
-
Filesize
372KB
MD5b2de580e59eb171f606664ff63b81681
SHA157e4037b8dc9b7b4690cb457ab974d59868ec43a
SHA256f902e67fa528149a3bedec9a806e34bba2a0756ccec80aa09f5f3b6c0b9e556f
SHA5124f8a147caf2421afb16f6f86f7329922ff3d4cabd55d2e2b87f602aff3949546f964936379e074ed1398dafad49303fdc20bcacede34c214084e208bc23867b2
-
Filesize
372KB
MD5f29fceb7ab77c9613e5954f2b39708fd
SHA12475af944b5d9f3c79b24652066bffb0fc8ea745
SHA256914335a9ded9b715e63ebce7f72b916d3773af63d13407d4f93b43dc5c29b106
SHA512fea831e47299e548c153a0ad64dfbae6a62a6cee42989df94eb8a6d3e957b4ba8990f0bea6bb45f04c65b9cc49f0cfebe1c23ec575930ed4133e5a6d1c29783c
-
Filesize
372KB
MD5b2584c211a9c667fe491bf460b3e59b4
SHA16530a6ad8a34147c5d7fce4e058fcfdf520649f7
SHA2564b8307164e8835653a656bd406fbac3bc1d6f6334500892bdd9d8d244cbe9df8
SHA51258c33067697468fbfcc9275934e8bdce0b9b512c961519e00f5258b317daa2f0c1c7e442f3965498b3273e228bd3b3d07f9c204806b9dc5eeb74366ffdc7f343
-
Filesize
372KB
MD5bf4b1429857b1bf4feb62a6c48e84f4d
SHA1f77dcdfe1768d0897b2738f23aa3f4efee7dc820
SHA25604177283bfabde7701ceb4599e26c4358a8a71a73cb9008fc58e3bc4a4430240
SHA5125432b8f55006e2ce7805a0f9a52cca99cd868868c6216a259c5cad35c89722ad606a9d263070bfa4aabb2f50faae1e146350ba85743c3e35e77a0312aadc4213
-
Filesize
372KB
MD51f4e0d0979616d174138cb3eb08b2978
SHA15060a927593b12893d05ef517dddf240422fb220
SHA256f47a3f7a5c2885bb3e3fcacc63a1aafcf9c76b97f7f37e78b7bbabb02625b649
SHA51288041f230940e914255b4cee3ff0fc0c296875521b0645ae783b6d68143a17dc9ce005b722e6c838d6fa162e710cce587912626200f7ebb3ef0164b335a6d29b
-
Filesize
372KB
MD53013aafa98d1937cea120f6efbad4e2a
SHA1c2e9a1271a70a1b3c614df1379538d5dafe86dca
SHA25677f933daafbe7ce52eadcef61295aadfd73e268dfa96168a4cf5e5fde47e316a
SHA5126edf9be080fc503d33355b1e3f3eae08f67613b426e2046cb888534b7505f49c0e872732dc39c47beb778a7d9c8f1d18218f355563c40673d1943f8ecd8d7a90