Analysis
-
max time kernel
144s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
15-05-2024 15:44
General
-
Target
2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe
-
Size
344KB
-
MD5
3ecf06040e090df8f50709fb0bbb8e76
-
SHA1
d3a16a547a6ae28cbe1548a7f4f3727efbb6076a
-
SHA256
214650f284173ce5f7520fd8bd229771e11af6f7f955738279ee30a96a5de15b
-
SHA512
29d3d521c27d15c752ebb6b81e49496ac45297441aa82a310c987d90c882c857db63a2f48c328f201863408d678cb228c704f5fa9ad42314a0bffd0309e3f412
-
SSDEEP
3072:mEGh0oplEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGflqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-15_3ecf06040e090df8f50709fb0bbb8e76_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{65055F97-47C6-4e7c-ACD0-3A19342BA53A}.exeC:\Windows\{65055F97-47C6-4e7c-ACD0-3A19342BA53A}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9A178C70-BC4D-4ee0-85CE-DD76729CDFC8}.exeC:\Windows\{9A178C70-BC4D-4ee0-85CE-DD76729CDFC8}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{49B8F162-C222-4cc0-9EA2-0CE846EBEBC9}.exeC:\Windows\{49B8F162-C222-4cc0-9EA2-0CE846EBEBC9}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EEAEA010-BFFD-480a-8DE9-480DCBB9041C}.exeC:\Windows\{EEAEA010-BFFD-480a-8DE9-480DCBB9041C}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CD7067E0-35EA-4afe-9B4F-160293E03BDF}.exeC:\Windows\{CD7067E0-35EA-4afe-9B4F-160293E03BDF}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BB1271A1-87ED-4c64-A70C-A8BA656D1DF0}.exeC:\Windows\{BB1271A1-87ED-4c64-A70C-A8BA656D1DF0}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{05C05B07-957F-4184-8415-CFAA646E0313}.exeC:\Windows\{05C05B07-957F-4184-8415-CFAA646E0313}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B1CF996B-BF14-40e3-B40A-857F486EF256}.exeC:\Windows\{B1CF996B-BF14-40e3-B40A-857F486EF256}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{DB3FDCEE-8057-4f1f-89C9-D1C66513FAE7}.exeC:\Windows\{DB3FDCEE-8057-4f1f-89C9-D1C66513FAE7}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{382ED6AF-0030-4da2-830C-748C48113707}.exeC:\Windows\{382ED6AF-0030-4da2-830C-748C48113707}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{6A5B0088-490E-4030-8D67-C0EBBA08218A}.exeC:\Windows\{6A5B0088-490E-4030-8D67-C0EBBA08218A}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{382ED~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DB3FD~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B1CF9~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{05C05~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BB127~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CD706~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EEAEA~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{49B8F~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9A178~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{65055~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344KB
MD5bbeebe37a58778a270c169ee296d5e38
SHA1d5771c15bcf579015e7733177f365f88f1eaa7e4
SHA256ece61210a3138aa8c000688d2a7f021939e37d6c2204ae6978c9725c095e55bd
SHA512d2ca4852484271ba98a9fefbf0452eb9286cd6f383fba4b2e7737d4695bebac2275af87a441d9dc37c102f2fc24e9dd1b4f32dacdd3388e98017e7dc07e81eb9
-
Filesize
344KB
MD53c6029600d6bc968ad050562eac8bc38
SHA13ee3345042674b7243ef946dadb3c315cb307aa4
SHA256f650b4f60c387df9b60a2b583500e9b90a0cfc64b46cc78ae889a6ebda52e097
SHA512614c84d2c39d5b636cc5132e616e668a112dbe25d6ead6eef31047c0932bf7715a03e8ed886175c734f3f965e748c73d4c960692b2ce7a5eeb74ccbf1b7cf8b2
-
Filesize
344KB
MD55b5243179ad395dfb83409a393f9a051
SHA1eff48b00eaa6049df7854158d9476063042758ec
SHA2564a73020d52c27dc7f020406e52e5a737766fe2de41a47394e86b86d1587b8214
SHA512d27fd971e65fdb2d93aa0934cf65a3881d8899f40dad674e6f4e68a52558ae767e3aea8677d6287b791b93523c96b7b429cb39b560009d8167c2700ee9dcdbbd
-
Filesize
344KB
MD5ea994a0c5f5697b76791423f615fe4f9
SHA1ec9796802a31289241ace6b7f5f04ff7c6c1e407
SHA2562de77ae9a84befc7d85f9a150e890db928b00eda479177a32257229810ecc3ea
SHA512455c0a6d3ac4f377579e2e84e1f33a7e0168cf1bdafc486a3c19084d5506424adb8224dfa0cd30e1d992db37a17915e994a4f67d1f925174b73f571e6d5d6407
-
Filesize
344KB
MD5483c88787cc421199427328d4e605e68
SHA1f8c3c4e5fd41e782cb71f1623bfaf2f3d84e3b70
SHA256d2e784188eb2e29421623929f6112750e3348c4c6a698d2178e7234c21d51d0a
SHA512e86dc6a01c02b7d1716a7c9c6ab180c0bcb0255aad696d0dd4fc5e86110147c22b01aa5f5e6a5e5cbd421ac9dc743f97bdbb1343ec87d71c15799008c14219ba
-
Filesize
344KB
MD5b31f0a8e2486189cd4c4273cac046dbb
SHA1fe6c0d61f00bb8e208d6ed95d26de669efeb5d63
SHA25672cf31edc3181d67fb852f5b09a810d49876b96f32ab04c212342dc01c5b399b
SHA512453029978fb93cf81d84c582301e9561b9d9f62974cb6ff3a469ee9308689de83181f2fd0f7b814994abceb03c1a0f20502b21afbe806928267b7c028aca905e
-
Filesize
344KB
MD530e596b418818ea0236efddb2af2423a
SHA14537208228659f1af92a5a31ad250dc10b5343e1
SHA256bb88d7fafb896dbc4d9685770bcd7258f209f2ddc9679f0180f4b9653cba1145
SHA51285719a8091eaa8ee15c4deeab8ba943ce0d578f0c2e6dfef0fa673650470fa776cc4531227b30ca68362c14af6abb0e93c331d221191e866c7990517f6114614
-
Filesize
344KB
MD59260d55267b920459dfd0f71f40e9666
SHA19a58f07c57e1d8a9f56f5c72f94715e5bb6783fb
SHA256d24be5f3696d192515f73d0c024a3c89708c29fa07bb00b3060f724498672ede
SHA512b9578ad203132eea4f3b4ba3e1fdf84d2dded222cc9e9093d2d65ebf5a4c5d0c3c2b82ef91f2640fbc55d43f4e60efbcbf2396815915715efbba0d98059f1093
-
Filesize
344KB
MD50395f8d0352d05d02065196a3f436b99
SHA1b893abb43feb1a52d89fdc6cd652afd2433a1d83
SHA256bea8c75f04ef9a462b82966bda752a90dbbd01ab281b18cbb43d3e32e806ad9f
SHA512f847456fdfb3925bb5bc69a0872156eae8c42099401ce81063017ef8df2bece102fe270d38fa7a3467a74428aaaab21e918890ca710cc83c0c753fcaa30c31b5
-
Filesize
344KB
MD5d965c71ee7bc41e63dcfa40bc4439af4
SHA135fad50c6e5fe23ad545258dbdc0d036c8e360ff
SHA25697db07d7436df962f9ded68aa3ece5dae1c4b89a5c27771cf9f114a8dc9f60bc
SHA51205d04eceeb4565ee03cbdffa00a55df4e574a4eb0263df3392e065011104b5da3cb90609d7298678c8b1ee66f3c362235b43b55305f990875736cd4b2e73c646
-
Filesize
344KB
MD5d7a5b55089ba10a27309c205dc1d0efa
SHA16cefe7b3da4e1a91549c298f4c0b342d51389ff4
SHA25689707a8905506813f41bb3e2183eb8c4762691016616539303f57c4702714c9d
SHA512994a89915886b53e2e33f1d5dcf6d16fac539ffd07df2f7d1debfb6b1d80c0220889e69d79c14c34c397a867e1dd8a9450757e204d04d50961d4bc959350a181