Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
02-05-2024 19:55
General
-
Target
2024-05-02_9d48b85ba24e21c2043b38a2c8e6b03c_goldeneye.exe
-
Size
180KB
-
MD5
9d48b85ba24e21c2043b38a2c8e6b03c
-
SHA1
f746d7414adc3189cb7415e9c4b246e34ca022e4
-
SHA256
9b51f4d68fbd1578e08837cdcf4bf84b1c61fdb75fad82ba1e1ebf6df905742d
-
SHA512
9b485ace8c7937747a25a695c74cd1e78dead2de57e603c431538be8ac9bb0adab27e20e40df2422bd96c246531117c0f87436c6096da311f1ef9c96fbf663ee
-
SSDEEP
3072:jEGh0o5lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGnl5eKcAEc
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-02_9d48b85ba24e21c2043b38a2c8e6b03c_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-02_9d48b85ba24e21c2043b38a2c8e6b03c_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7E39C429-A5DC-4658-80A5-73FBBE3D198A}.exeC:\Windows\{7E39C429-A5DC-4658-80A5-73FBBE3D198A}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{578B65E2-CD04-4162-AEFE-EE35D2905E5E}.exeC:\Windows\{578B65E2-CD04-4162-AEFE-EE35D2905E5E}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F78F59FB-4BCE-4a60-9EED-B3839A779FE4}.exeC:\Windows\{F78F59FB-4BCE-4a60-9EED-B3839A779FE4}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7FB8CF3A-66B1-41e0-9D3C-81A36A5BFB47}.exeC:\Windows\{7FB8CF3A-66B1-41e0-9D3C-81A36A5BFB47}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7D36662F-9BD5-4be0-8DAB-FA3B7DAE9160}.exeC:\Windows\{7D36662F-9BD5-4be0-8DAB-FA3B7DAE9160}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DA4B430B-D753-4aaf-B28D-F96D53A71B4F}.exeC:\Windows\{DA4B430B-D753-4aaf-B28D-F96D53A71B4F}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{68F73E29-EFC2-4613-BB85-916F3A57AE0C}.exeC:\Windows\{68F73E29-EFC2-4613-BB85-916F3A57AE0C}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{421CE38F-DD63-4c9c-98D9-7BB08E5B73A1}.exeC:\Windows\{421CE38F-DD63-4c9c-98D9-7BB08E5B73A1}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{FB457770-E532-4f1c-8791-AF0FDFA4ADEB}.exeC:\Windows\{FB457770-E532-4f1c-8791-AF0FDFA4ADEB}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{97574B86-9321-4e54-973B-8748B1232599}.exeC:\Windows\{97574B86-9321-4e54-973B-8748B1232599}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3FF00FF0-1093-4a14-A539-6C47BC83A7CC}.exeC:\Windows\{3FF00FF0-1093-4a14-A539-6C47BC83A7CC}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{45CBE0B5-11C6-43c3-BF01-064CDCF18CD3}.exeC:\Windows\{45CBE0B5-11C6-43c3-BF01-064CDCF18CD3}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3FF00~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{97574~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FB457~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{421CE~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{68F73~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DA4B4~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7D366~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7FB8C~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F78F5~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{578B6~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7E39C~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD511e0b65952220797be71e1cefe789a33
SHA1724ad79c8ef3a5028821a0db01d537656dea7cd5
SHA256c884472d1ab5eb5d1f27226e0b47d0a27ebef54010bc7c27cdaf9b6e25471e95
SHA5129212c47e2ddffe4d0ca741a7866c9f74e07124d5f5d3063ea3f8c174d7a6d1121a725b8e84ce98cf1645337f46a0b33bc6517236a43a1fd789369be19174b98c
-
Filesize
180KB
MD5a4d6f68819b5e6248d96019a6fb3fb9e
SHA15f33fefd4daacc442939deccf725a0ecb2f4ed93
SHA256411e94b42635cfc28de0077c33005d90b003b8b8c33f70046a98692a98217174
SHA512e428e44c6c2eb5b33f44e2d8e762591e3fd785817066e014a2b01a83924b0df20236d892764dfa8d56cb95815037bafc3fb7e22f0d55b5c09b564ae93db5d2a2
-
Filesize
180KB
MD501942b9bd4af905349bb2ec2b0f3c563
SHA1c352bc74762dcc66125dd6ee62994cf54cdd5184
SHA2562391e96e7566c5715559d9371550d4339aaf3f1591c66d787482dd02f612c966
SHA5128e4783de52828d4e39d0cfbde779d281d0fc6c406d66d90a01632163634857a1748d6541194aa7641963d54d37a9aa8d8c4b82e3915623bea61d0a49b1c4521b
-
Filesize
180KB
MD5d1c6e84a18d20f8bfc2542751d4b18fc
SHA1dec9602cd045e5708735686a787e79a027bfb3ee
SHA2569828216f366c1a91ab9fde52c53b48a0eb27e1ddcf85970980970e41a33630de
SHA512de10559cdd1d923a691860b963761566a3e11fa8ef1b582dbfc619f2a6245c236d4144f047fcb687021948b34bb045b631c8e5ba703210652a5847ffcdad1855
-
Filesize
180KB
MD5e78c653369985637cfeb08e759af5bb5
SHA1bf4dc2cbc055c06be2e423b3c11a8e96d0769411
SHA2562b48f733800ff66917cffb3384ba5c225f887110bee89901e0413738c0be63f5
SHA5126533b35c5454ec08bb41eae02505b383e0282b7d3c3cd12db3bd07563d9be2ae9c67fcae7c366d1f06d86cdecc5ffad63ca3f37461e1e8ce0efbaae426393801
-
Filesize
180KB
MD503f7e0dae17c4977da100dd3055b66bd
SHA19ad6e82cbae99e6823e67e53793a59f46b8f8f8d
SHA256c3dab3d32a3c4a1c64524ac65fda64b0f7a72e4f306730a4e2e79b09b0ebf13e
SHA512d7fd87207278bcfe3d0d7e783b1d4ac973426163e0704237c20ebb31aeb671ab3b2f0ad87a518d26b32f0a588f231ccfdc28dc57f73ace9cae236e510632794d
-
Filesize
180KB
MD5375cfb27279ea59e8768f7c58f63b4c5
SHA14c85129a838069538445482da4183414d7aed441
SHA256073260c9bf2eb407f30eacbc25da4ba6ec17a90a823d02136b668ea1094841d6
SHA51269570760361e8499f7dcf53d02309240439dc9b45db353a3c119c326fd1fe4bcdcbaa001052910696dcf4cb94a5fd71ec6e9016141eabcb11156e2a3e8f2bf5c
-
Filesize
180KB
MD5f7e82fdb2e57bd37115bb37c98e6880d
SHA105cbaf06ee860a081cf80cdc1c609b08c1c3ebce
SHA256a54573c06a96754f4ed3be1d4a02e156d0603ced7b9ba60f2a94abb176a66daf
SHA51249befa23f555cb61809f260a174367853cf8277b1b9264bd57842620cc1fd3c0135b9cd79a9d5091470f3640607d4bcd2ffb244ad020a2d68d8e4f0f9735d1fa
-
Filesize
180KB
MD52a497baebff6db1d9b918c4143c5f026
SHA1c2aff31d032c40e8c289a6c32b2e602e07042324
SHA25617620cbc1730be2841d9e8a9553e32a31eacb47ce19fa66ba1d84d16b49dfb6a
SHA51256c7a4a19a36364d02b41cb1247fbddb7df30a7406ec1df8783bcf143ab08fa01a05f8bee9e76a2df35cc30086c2d9fe31cb0def3d40fcdac3529419d4337379
-
Filesize
180KB
MD5009acb5bbc8e15e1dc047844e96cecca
SHA1e1bcc9a11d1fc8777bb21906d442dd4289100196
SHA25651fe2bdcfb011eff77bf072d5685145b1062d774dae8ca44507f227092d5bf29
SHA5129ad35d5173d72028528920a71c19595e182368165ec8f0a15576495c5346cb307fa60c83638997d099aca65d1a9c1e7c035f72a2486eeddb0af0348939d90560
-
Filesize
180KB
MD5fb004c4d1ba010d23dd27977f53592c5
SHA157793e470064f533f460d74ec752df179d23778b
SHA256ed9a1dfd1ebbc53d1886682fd442cb889de82d6933bca29927e8b70a6c4aa629
SHA512b74015e38008beac2a3950d6c8addef6cdb3ed433f047f6213b03972db5a8b5fb7b5154f017337e1672045c1ee826f3815a97ff2a5d51fd863750f47d86075f5
-
Filesize
180KB
MD5234091b1d4b8e996f1653cb01ec729fc
SHA1a6c8e41be279ad1d753842a4a4a746f8529fc5c4
SHA2561d55c41919acc25d4aa644601de7609a0d5ac172aaceba39fa25344bb7eb3ced
SHA51234ce9c3ca894afbd289d9e3adb5f4774732dcabac29db9b707c6b596e62a5c20412d99b84c7d85cd2dda12f097dfab73d468d8577c3dba368ecd2a377b130689