Analysis Overview
SHA256: 328cd97394fc1bdd4f7ff410d4617313fa86f7378fe8c31c9dc1b2ef7fa4ad75
Threat Level: Known bad
The file 2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
MetaSploit
Detects Reflective DLL injection artifacts
Auto-generated rule
Executes dropped EXE
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-06-01 00:34
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-01 00:34
Reported: 2024-06-01 00:37
Platform: win7-20240215-en
Max time kernel: 4s
Max time network: 1s
Command Line
Signatures
MetaSploit
Auto-generated rule
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2328 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe | C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe |
| PID 2328 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe | C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe |
| PID 2328 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe | C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe |
| PID 2328 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe | C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe"
C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe
"C:\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe"
Network
Files
memory/2328-1-0x0000000000250000-0x000000000026A000-memory.dmp
memory/2328-0-0x0000000000230000-0x0000000000246000-memory.dmp
\Users\Admin\AppData\Roaming\{3342960a-2a90-41e5-9922-7913fee46717}\netbtugc.exe
| Hash | Value |
| --- | --- |
| MD5 | 73a3209d8cbc944b590a6f8a214fffd4 |
| SHA1 | e58cd1d36cda61c366bfd05b09e0909e3d67d36d |
| SHA256 | dcf7cff709faf0b70220ac1790b3896d3a5db33e73c72b6af114542f5d651244 |
| SHA512 | bcf8fdb15e683adad9de447c4e2c27dd291a4e737a955c0de4dd6d7fb1b4aa1da2084ebdf1dc6425978b8541845c06472fbeef82a6708ec3d6e1c4f4a8bf91d5 |
memory/2328-12-0x0000000000250000-0x000000000026A000-memory.dmp
memory/1032-13-0x00000000002E0000-0x00000000002FA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-01 00:34
Reported: 2024-06-01 00:34
Platform: win10v2004-20240508-en
Max time kernel: 4s
Max time network: 7s
Command Line
Signatures
MetaSploit
Auto-generated rule
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4936 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe | C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe |
| PID 4936 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe | C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe |
| PID 4936 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe | C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_31264aee72db89daba8014e491e3e8c9_goldeneye_silence.exe"
C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe
"C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
Files
memory/4936-1-0x0000000000A30000-0x0000000000A4A000-memory.dmp
memory/4936-0-0x0000000000A10000-0x0000000000A26000-memory.dmp
C:\Users\Admin\AppData\Roaming\{ca358d1e-f165-4a4d-b740-6b58e7e24e02}\ReAgentc.exe
| Hash | Value |
| --- | --- |
| MD5 | 296dfd96df11ccece142a4ec5e4990db |
| SHA1 | 276d7041ddd61d86fa9129db880f9c850198519c |
| SHA256 | dcf957d521b3d845fa7df58d6109bcd6c262a13fad982712a423681cdba2320c |
| SHA512 | f90090e1571574398be2a32e72ae0bb421cb5428c6ae0264cf0ace721d4735b12a186e79d03f0e79c77091cf036794938fcff46e14d1b57eee2ca604933341d6 |
memory/2236-11-0x00000000004D0000-0x00000000004EA000-memory.dmp