Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
04-05-2024 02:03
General
-
Target
2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe
-
Size
216KB
-
MD5
a161ab4f8de0391157483a332987ec09
-
SHA1
de7742f0f332cef0718fcd1daab32c7d40410403
-
SHA256
8c3d1cbad4a040ad37d5815b9ce29f993f1e9865916e4a5fbf11df5b73e782d9
-
SHA512
db1391de93f919b11bfdc8e16fba743865b25001d3dc84aaabb51e4f603e0855a922b826ddf4b40e1e0a95681a8cb3d1b8c0b81d4800017cfe80e6afd7354d2d
-
SSDEEP
3072:jEGh0otMl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG8lEeKcAEcGy
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-04_a161ab4f8de0391157483a332987ec09_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F7B8A393-FA72-4138-8A48-7B71D59C6CD7}.exeC:\Windows\{F7B8A393-FA72-4138-8A48-7B71D59C6CD7}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{30730575-FB09-49b3-8FCA-92AB751D6C8B}.exeC:\Windows\{30730575-FB09-49b3-8FCA-92AB751D6C8B}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BE9F80A6-EB43-47b3-AD82-6D3C7E3633F3}.exeC:\Windows\{BE9F80A6-EB43-47b3-AD82-6D3C7E3633F3}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{55E954D9-F52F-4138-BA32-081B7E304B21}.exeC:\Windows\{55E954D9-F52F-4138-BA32-081B7E304B21}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BE6EA39F-A539-4ad0-85C8-6E2ACBDF7751}.exeC:\Windows\{BE6EA39F-A539-4ad0-85C8-6E2ACBDF7751}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{68396ECD-E25B-45ea-AA0F-CF54CDFB512B}.exeC:\Windows\{68396ECD-E25B-45ea-AA0F-CF54CDFB512B}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A3F8CAEA-4AEA-4578-9A05-C6E7F18AF11A}.exeC:\Windows\{A3F8CAEA-4AEA-4578-9A05-C6E7F18AF11A}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{49988062-1410-44c1-8D3B-C0162737894F}.exeC:\Windows\{49988062-1410-44c1-8D3B-C0162737894F}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{90D02207-14A3-4461-B424-26A1FE8DFD83}.exeC:\Windows\{90D02207-14A3-4461-B424-26A1FE8DFD83}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{16CE7770-0C19-4803-AABD-943A36DE1EAF}.exeC:\Windows\{16CE7770-0C19-4803-AABD-943A36DE1EAF}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4D9A0507-8E66-4914-970F-C8333749AE20}.exeC:\Windows\{4D9A0507-8E66-4914-970F-C8333749AE20}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{9C31A56F-5B2F-4a47-B3A3-B773FD6E2768}.exeC:\Windows\{9C31A56F-5B2F-4a47-B3A3-B773FD6E2768}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4D9A0~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{16CE7~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{90D02~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{49988~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A3F8C~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{68396~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BE6EA~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{55E95~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BE9F8~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{30730~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F7B8A~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216KB
MD540cfd73be8f26358627ffb1e7cca3893
SHA17f81ae0425b489db181b14b6c1b91764e001428c
SHA256141f0747a994298af497ce923a63967d66b75d4e63aa4c386181eb492428373a
SHA512f843ee6eb3baf51cba7c24c696354035f1760ed2c4ab957d776b1fd6cabf06e8b7df83f9091f447c937a540e1ccb579c1968a63c92fb30efcab68ca5fb2d5145
-
Filesize
216KB
MD5238f4b4db12aba827d8f28b879ef211f
SHA104566bf3d924400d0a6f5c64a873702a3e62415c
SHA2563f546f94e0414b184fbb05eb1e6c5e9a7634000123b66f0249bf23e6fadff6da
SHA512c7d50057e11f55a50db35c4a911430bb3e12abc9eb3335b7a9baade286d4fa88f844aed219b00ec0ded8930b79ad9a35c36d50b8a50c3ef022b843afe511d3cc
-
Filesize
216KB
MD54847ea802767d55286d180b1606399bd
SHA1b49c9cd5bd540fac559782ee1fbc1d3ad4362edf
SHA25693d5a69c15cbf3eca609919126b886e92244fec0db072c52957401c161b29fdc
SHA512517036f7475389986f8ca9523a0534ad8ecd1e132f0ead19b30cc134d3a6b05c3b7d981bfec16b7f3cd6ea9e575533f69216d4ec586e1d2ee0a17acc726a0287
-
Filesize
216KB
MD5580aca238e2b489dfa3d5df391d9da01
SHA175a07133354ac1903ee8f3bc4902a81913074b5d
SHA25657e930307840626a29371107e961edd0b0f914c44a6a51406c8de36fb962b027
SHA512102c1e388f232d545806ec04007299158a141e659b70279b9ca08e2e004d322c8cca68cea694c50c2612d3bc7a787b1c19188b004f3192682ff1ca905d151824
-
Filesize
216KB
MD56958a88f8320481e2a38c3f0e5eb6965
SHA1be9a6e00fb1c4385a8edcba30d8fa0e17cf94575
SHA256d305117ca00366c88ebc353fc5e790661290c580a42987344a20717d045aaeab
SHA512c0d695e1ddd3074915bfedbbdeb13b9a7411d05ac97bf29ff59f8bf7691d36f792709e5b1902d2d334003d0cda7def0f34b84cd3af8685f71ec6c518408e3b36
-
Filesize
216KB
MD585743ba0755e699690e2357cfcdce4d2
SHA144a80fca1ef54bb3c6699297588d1ecb9a09c0b3
SHA256439b026793be4abc65f676f5859e27153d48c14afd4f3abcfadbef621b390c7a
SHA512264f736733453e5a57314ad6c999425d02721d7732af112f1ba14c6456f809fe8e259f976d684ddc4acb5154755fe715fc5ec20f4eaff74e6593c629d52b2302
-
Filesize
216KB
MD581ce6235a3c39485bdaf0306a37b7860
SHA1c665f2844f1b85cf61baa21818d862671014edec
SHA2569bf63b7db89e400e3b011078e12f5edc0e3c43eaf1627274c861fba0caabe8d4
SHA5124b9eed6b1cf2d1a3ace578bdcf5434a5899204595e3fefd77588aab1a10eadc94bee4c2a584e584c609f2e4ff945149cf89d20ce8a47b4533df8ccf77297e814
-
Filesize
216KB
MD593d23aed5320ddce57c3442d2037dfd0
SHA126d959e808c7bb32a4061a0bf345a684f0bee418
SHA25639e253bf9f709fdc8ec70a307b4320dbcf9813b16cb095919f2a9f8c30a162c7
SHA51298a1873f4f1b5034247d4f1c072155d7ddeebf4f0f27897cc29bcee34474402e1cfee3c01b2b0663f7590c8b29dcc2b7baaddf9a86ec97d48c0aeab01159c65a
-
Filesize
216KB
MD5a9ec7fe270c9ebe52c32dbcba06fd2f2
SHA1ac931fb84ff967c41f5fba462e4e801bfec153da
SHA2563dda03079217a3cdc00c1909bbe812706bd303a885e419ccf6c604e58132b949
SHA512760b6b61f9afdb3e29006a18e72781029a8fb17b9d11feac92d40b1c1e9f1b98237ef0ddd0359e1c594357433f5d953354f828805228ccbaf4e3ddb29c93c4d9
-
Filesize
216KB
MD5d677004a87674c557ad0e3baef5b4123
SHA12ab19b75dc0c2944152eb5d196cf570a39b5056e
SHA256f2eeb6ed56c8b01070d60c65471f3a79fcbfea83b4de36ff4bd0b6afae416bf5
SHA51236f5138984aa2a39421c78729efba2a62438a12ebdd9c23d0bed63711ff8340ff5ed5c77f3d6f8397e6b119e21ce8823c99506fda614753a09c01cfbcc5a6694
-
Filesize
216KB
MD5601cf29bfd27ee01c18931675cb7c76f
SHA1c19fa8049150befc6920937c5cfd7e19028c5774
SHA256156b8803172770f4bcdceb23fb4b441b5908139e076bf4092459d4a633cde32c
SHA512fb0d921dbf93c51f0cc4694a8310362a55c82a88f636a297867d9b2ca05f879f3d48e1d7706de342ea096b37ed97466ff0409567372afa3197486bb57d40d61c
-
Filesize
216KB
MD5cc721738909d4fcaea55a37ad663259c
SHA148939fe47d48a96de2b68045b6a8a97f58311ea8
SHA25629e83d1b7c781c793fd4f1a7e2e4400a18c9655370f9e3152d7515b13f3aab66
SHA51211d57ca8d29666ffc0087ac537e691ce7971f6a4b00c61bfc0b5b97df675f1fe7e9946ab295eead13360032b988ad5c82feb97542368289a5baabd23163d51e0