Analysis
-
max time kernel
144s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
26-04-2024 05:42
General
-
Target
2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe
-
Size
372KB
-
MD5
0a7f1b0f2256b78d135263d93fb02202
-
SHA1
5586236647458a93f77143f9da33c2b25727030e
-
SHA256
c874ffc8f0d844ac7620e00f10649cc6c8575234779343603c91a6b7f1361116
-
SHA512
bd51621a5aaf5901077c91e2a89fe637c8ae6607944a0db78edbf29fb096a84f80cb559172d9c9b4c81d18eab98b303980a3a0bd226be8395399b3ab429b471e
-
SSDEEP
3072:CEGh0oKlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG4lkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0a7f1b0f2256b78d135263d93fb02202_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{206E750E-C0DE-46e3-8BF4-8D28DDB90FE4}.exeC:\Windows\{206E750E-C0DE-46e3-8BF4-8D28DDB90FE4}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{04BFE05C-2A09-4b59-958D-E22AD7159F5D}.exeC:\Windows\{04BFE05C-2A09-4b59-958D-E22AD7159F5D}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A8998BEF-94C9-45fb-A739-A351D2EE8CBA}.exeC:\Windows\{A8998BEF-94C9-45fb-A739-A351D2EE8CBA}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AA4AE005-2BDC-44a0-9A05-409B916AF82A}.exeC:\Windows\{AA4AE005-2BDC-44a0-9A05-409B916AF82A}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4F7A39E3-B2AA-4058-A49C-57C630E243D4}.exeC:\Windows\{4F7A39E3-B2AA-4058-A49C-57C630E243D4}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{66F5E79C-AAEB-4b2d-B0EB-9B1AFEFD9DF8}.exeC:\Windows\{66F5E79C-AAEB-4b2d-B0EB-9B1AFEFD9DF8}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{592E1B0F-6F83-4369-B7E4-655BC0707FF6}.exeC:\Windows\{592E1B0F-6F83-4369-B7E4-655BC0707FF6}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5F5672EA-622C-4fec-829B-784F34FBB1C2}.exeC:\Windows\{5F5672EA-622C-4fec-829B-784F34FBB1C2}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{0004811E-C40C-427e-8604-AC4FDBAF00A4}.exeC:\Windows\{0004811E-C40C-427e-8604-AC4FDBAF00A4}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{70AB047A-77ED-4c9a-B6B8-150F47AFA84D}.exeC:\Windows\{70AB047A-77ED-4c9a-B6B8-150F47AFA84D}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{6601D069-81D8-449f-8AB3-A0231C21E818}.exeC:\Windows\{6601D069-81D8-449f-8AB3-A0231C21E818}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{70AB0~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{00048~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5F567~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{592E1~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{66F5E~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4F7A3~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AA4AE~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A8998~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{04BFE~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{206E7~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD5ab2bb6ba1c059d518963e6484df8ad0c
SHA11674dfe7676f608c9ef71200ab1124bb11242d09
SHA25661708e54e2aeaaa671b618ad4ff4e35ecc861e970f1f3734adf0ae1a658c11cc
SHA512b83eb295dcf0a63fc18ee375b7172eff0158af8a7cc9e7ecd92a34e0a73cce7b2e41f136977f71ed0e4df66ab4db1bc23cf693383e57e33423545a5a8d9b8de3
-
Filesize
372KB
MD5359776c205e91d003391cf98d5937d43
SHA198820e04704d37170817fbcd2f352bc9582153fa
SHA25646da071d890a408096c953ef2932108d7e5a14f81c2a285c77e1241f9166c222
SHA5129acd8fe8cc7a778450462efa683db772b2aaf81780609e7575be4cd747d67843d45500860c36444bdf9cab157180193e5ecc28f434b8647a163978235de6764c
-
Filesize
372KB
MD54a8d5ba0a98f6313d0fb0abed97bd57e
SHA1de7dd7b444cea8dd1e4c31b453c6e179118dcc0d
SHA256edf06546b9865cb9c79dec2a53e2c9ef733ac3305f290a1e0f04e3232ef82a85
SHA5124471d49de06e6b42490f91c836fe9d774d4c6e5e5890cedb285cbf2b61792fb0c4e939d419c9bc8f0a1ebd3f65e04b70c7ebb67807c1dfaba871472b3049548b
-
Filesize
372KB
MD5ba5b892c86e38e186ea718f4e75745ad
SHA13d251f19d416e3f32bb54ceb7e9cae7f3fc1efca
SHA2561a32ccacfebe7251b8bd4caad722e527c2cf257f8b2169908df4eb8f6e91745a
SHA5129ee1ddcd0457c21371a6fe56fdf56fec706a1902fa59aa6cee69992102afc8807f34dc9ea919a78f7527274bbec3411d06ccd8af2d83cbc338d298f3c8e268a9
-
Filesize
372KB
MD5225943b01f89cfc3653ce9c48182c5a9
SHA11bf8b432ceee3f50ad9537cbbe8aa48350afc3e6
SHA25665a5c21828bccb3d4546ddb68c22b264398382f0a89f1bae1d05094e4b3889d5
SHA5124a548d7b6c08dba579e8bb30cb5f44635f9ea0239f8b5835ff612307b66973f064e08106798ce8b4a940bc8b62061d3542a198e14a533835b5e1e0512825e639
-
Filesize
372KB
MD5a7f6d7f22d48991ebd62ce57e2e4c7ae
SHA1d1928ce48c95d83848f3625a3d6fba617290ae01
SHA2569941483d4f825afa5f6d7efd579e18a7d2dd9b2d483d5a0f83eb441718d0342f
SHA512c730a2807ef84dae22e039a508b95d67b9d6016163640e53964caf92d6a9f200ae47c02abfbc23ba6c025b95331dca9f107f1813e966211b0f89bb3c77f70086
-
Filesize
372KB
MD5078421decf856b534d2399a04a112325
SHA16d8e3ff317a37e0b4a99871c06a413834d79d001
SHA2565ed78f6ecabc71a83427f2fdf854025bffb62be50569996c24f013e4c01ad8b6
SHA5127449da1303933da5f6a42735db5ecb7c42ec640e9b9db498dafcb508bdc0fd2db2e07b74dd8a61fee007d977dcc0895cb0fbdbc8391930d0b9cbfbdbec27021e
-
Filesize
372KB
MD53ae966270f495c7184de24ce891cf3d8
SHA16892a3b187885262f593b4d0eca0adcaf8c6af31
SHA2561809680ab296f649761238f5ecb38204560cc452472d8465abfb978d7b55e653
SHA512d58fbb79871e71bd6500cea7f7e7dbcf504d07874854f1619c8bd6afe4a6515a74b5d29270d15b2723869c3422a600cf1bb402b4f00eadba0833f781a4960424
-
Filesize
372KB
MD51cad9b03e9f4acdeb138547e40d68f67
SHA198253fb17499adebe43225da705e5a32dec87193
SHA2563ea5fc8560c8bdcc3ccebb067412835353ca013fbfc594cac25768a2b9c03bd6
SHA512f20f7f93cb8dc22820328e10890d034f7058ed5a60aa7c5aac26a4c8b95cf3284381f90178161bd38afa9fdde23f57e624583844bdbf9eb02a7f7b5b0f94e4fa
-
Filesize
372KB
MD587c8c411e1db8c9b728056b52e7fd41a
SHA109b33cd0d7d5a726417cb2f40a8754deace59d00
SHA256783230a8507e2c40a754e3a2a7657f146e1ba26b39b1d88a23f758173de87293
SHA51206c380a7777e54e42ed50009812812c5d61539c72eed6d3eceeb34ae1762513670c3702edeac8863e1ae2a2b018f5fd7418c815d3f7d739bb93a3c377df94dc4
-
Filesize
372KB
MD5cc126119d5e5a44c3f429b059cd61b97
SHA118fe35883ddbca59ccf97c4502a5ae0c16c2c118
SHA256cb168ca9635ffda4a6c63e6b525c6f8537eee971f14829849d63beb14acc2ec2
SHA512dbf00a6690014f8882633ef0e2b08a8a72fcf5122fb0714f6ea455035fe5096bd1a8092c9f12f77998d84b95744f08fb00749dd0c966e2f0cbc2e8ddebb42789