Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
28/04/2024, 11:56
General
-
Target
2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe
-
Size
344KB
-
MD5
54be686c600b9abace98e9850f72fa24
-
SHA1
8b2e3e0f0a8cca58ce7046d0018731ad1c028d83
-
SHA256
b61b64190517ae8492e87e191f76cf8fccc2770a6cda0266071f0cae2cdecd3d
-
SHA512
996b8ab55e29a3366ad9d9ecfda4cb0a123015ea4df1c968725abd3a16e127b5d3441e973da425183c81ab5aa5ed59f9533b094596f055051c9f42b9808bd8c3
-
SSDEEP
3072:mEGh0o7lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGRlqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_54be686c600b9abace98e9850f72fa24_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AAF72FA3-4760-4a1e-9BA2-7269CF390037}.exeC:\Windows\{AAF72FA3-4760-4a1e-9BA2-7269CF390037}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CC5A4F20-5FAB-4e8e-8F20-3C0700DECDD5}.exeC:\Windows\{CC5A4F20-5FAB-4e8e-8F20-3C0700DECDD5}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6AA2C6CE-2365-4954-8E45-F2CD3A964FCC}.exeC:\Windows\{6AA2C6CE-2365-4954-8E45-F2CD3A964FCC}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{00953721-60A3-49f2-9746-B65CB1B8E2FF}.exeC:\Windows\{00953721-60A3-49f2-9746-B65CB1B8E2FF}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7A3E863B-0F96-465e-945C-4CCF2B1FE436}.exeC:\Windows\{7A3E863B-0F96-465e-945C-4CCF2B1FE436}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2D8AFCD1-1DB2-443f-ACBC-BF263D7D3660}.exeC:\Windows\{2D8AFCD1-1DB2-443f-ACBC-BF263D7D3660}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{46423FCF-E791-490e-B577-A93035827A03}.exeC:\Windows\{46423FCF-E791-490e-B577-A93035827A03}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B3C028A1-788C-4cb8-9A58-16D4AD171FA5}.exeC:\Windows\{B3C028A1-788C-4cb8-9A58-16D4AD171FA5}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{409CE841-BD91-4219-8C5F-41D9CE618541}.exeC:\Windows\{409CE841-BD91-4219-8C5F-41D9CE618541}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{130820D8-83B7-4199-AFEB-8E439FF725DD}.exeC:\Windows\{130820D8-83B7-4199-AFEB-8E439FF725DD}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{8C121393-4E79-4a9a-BA51-334383148ADC}.exeC:\Windows\{8C121393-4E79-4a9a-BA51-334383148ADC}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{13082~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{409CE~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B3C02~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{46423~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2D8AF~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7A3E8~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{00953~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6AA2C~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CC5A4~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AAF72~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344KB
MD5c1eaf13ed10b2cf4e8eed848584f0903
SHA1462bdfe1f196a721145c152cd0408413fd71ab63
SHA256a59f9cc6ed4bd8f035564913d1ae3fede7e6570c9702b4fcf841ee73112aa89e
SHA512a9ee18c995997e41c575e61d434911c4cb2ffb2fab0dbade2453b0dbd9c87ad0403c3186f14c35310963c33acb9f87632fa3f57c798b5ebf420c91b2db174a91
-
Filesize
344KB
MD526f26179ea5330da937173b7adec35be
SHA1a420fdf291656fdd789e6a24d34e70049231f988
SHA25643ad0a059ab235389edc8b3b4dd2d6bc48f85cd3dbd9b606d098f6770ba3d499
SHA5124f19647d1c4e4887e0eebc35f865e22156caff798d55e015bb9a5085868b604174ce9bbfed23ef78c9d00ee1131c065adc41430917ed4f6a2e89828f2415b9d6
-
Filesize
344KB
MD59d047c72a467d7ae916d996583de9a0b
SHA1e71dc8d2b3fe528f244b7b0a24b158e06525f2e3
SHA2567df3ee9c43f90ec01724756b1451ff4f7ee53bd2471a1007a42b3397eb0af64b
SHA512bf1ddb964490a0f305fc03bfc3edec9113885ee5fadc4e02051ed91118491dbd810df5c094ce21fdaea2c22b89a8d31c87fbae283501f9bca037b5271b4d10ac
-
Filesize
344KB
MD548925654011b064a1cb9b0dae9668301
SHA1dab31b8aa360d6bbab546d1c275fe130d26ce07f
SHA2568d0527a8acbbe30fb4b224c80d9c47318d71ebb5fe8f030992840eb4f7505803
SHA51244f469e2dcdf8b270cceacf6bdceb6d616e8913b227977204d20b3c37c61fe59cb0b6699eac1a6248b1e10fc3fda9baae526aee8fd221681fc6330841cd8351d
-
Filesize
344KB
MD59a2ad5c0c716e02f28ba9fd4f43eab49
SHA1240a62b28837f69a43b93f84b94924b7a674771e
SHA25622256d0b41c20715a0761d81d9e2e6a973328f07e8d90f0dcadb18d3c4053aab
SHA5122a53092bf06fd7b921e137e047842cb9e73264e8d702368f0066d42ec157c7aca9aa5ae4998b45b0c275b5651b423a283a4e93e96d2b505eda64a3f174b99087
-
Filesize
344KB
MD5002cddeaa648aa31215dec02667cf2b0
SHA145079003c63505128338f49e188ef7b02e8eed81
SHA25682c51a5687e9db397727f95ff53591f073bff3723ce2c7c96036ca9877ff36e8
SHA51220a0eeca1492faca4832e4c8d6a39c0dd8efa7832d9397b407eeb2cfa62d6fbfb6183f21b9371a02b9e81cdd302fd6e1a903a2e29b4f0eae5c2d7413dcd24306
-
Filesize
344KB
MD51d0e25ca2b009af1bbe99bd393d6dd6d
SHA145197c4f11177b393d8db3618505ab3f61f06213
SHA25675dd6e6ef9e2ea1829be87328c2358c6fdb6e228aabe8d86d8feea6835e8b4d5
SHA51248e411646ba144f370e8d0a95b7b8155b6ab12382a48d48f3f0125e7336fb2d6e88563cedc1200081d1496c168b1ce61d3450eafafeebe73c150d44f3105e396
-
Filesize
344KB
MD56cd51b7b6177736da19941cbc8bc365f
SHA1f66ef67fcd2c42738072620e2425e3efdc39787c
SHA25681e1759ba2a0d4356d7922176e886b34848c48174a5b802d58d19e2dd07a071d
SHA512bf291944a481a92eef7e438ff890484070487a0bed43186875ceaf8e33ddf0cfbf6b9762bafb0393164ef3e38f08a90b2bf290965f4b5929acc87b8088afab45
-
Filesize
344KB
MD5f652c9796a49715b3db9d3c1160f4798
SHA154780e9ca7a0605b6b7a5d545dac5e4186ef6d26
SHA256e6b79a009c7d6d0f085a1eb966bc3681cf2371b0c6433ae87dfd7774feb3e66b
SHA51264547dcf8161258049fdf58b2b41717535be89046bfd3a8f8ba6a26a643b4f964fb679646d04aa9baaa52170e1110a9e79084e1db8e614bac6d42249c58bd04f
-
Filesize
344KB
MD5644f75882eb370d399c5b647184e3aa6
SHA1f1f33f43b1ef4f5bffe7df1c4e9768fbf292bb04
SHA25633d014886a4d1e9a92fcc25cdf4e66ef1d67cb9c8fc991341390f8e86f552f8c
SHA512ee31b14f57fe407ebf01b9326792dbdd6f64ea276f41e20e9da91da65fec153eb029428e95859020c5b49fdf22c9d7ae0641d0abee819bcee2d2c10dfc50554d
-
Filesize
344KB
MD59a94d9949ed5c9cbf57fe3aa29865515
SHA18c3a4e14a6d0108e1d02c9c847b6b8a51109d522
SHA2569edc4369beda366c249cf331d179a93e2df8b10e87ec2043cd58743afbafed0e
SHA512f5e4686d71379509522981c56db2be85f2661c8c612eeaf5a36fac6c503f3ad76e43a98b3e337cb332410ca766e079c276d9046dabc888cf2638d01811d066fa