Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
09/06/2024, 06:47
General
-
Target
2024-06-09_287de4024681a217040de9387e6431ec_goldeneye.exe
-
Size
372KB
-
MD5
287de4024681a217040de9387e6431ec
-
SHA1
b54539b660169ae332920d1a64279dc6a13b94e8
-
SHA256
74a04d922b9ea02ac8deb5a75a98cbbac65cbe9d66e4b2a89ebaa0333373338c
-
SHA512
aedc5b5a01e6ddf20d57c3492dc59865e0ba43298f8b80c0b58e3bf460d3b7d15cb0ee27b76e634b46d5b68aae0e49a745d46eb132dfdca577e5f0ac32daa5d5
-
SSDEEP
3072:CEGh0oelMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGclkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-09_287de4024681a217040de9387e6431ec_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-09_287de4024681a217040de9387e6431ec_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0B275638-0ED9-4760-8944-F8122DC32368}.exeC:\Windows\{0B275638-0ED9-4760-8944-F8122DC32368}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AA5E99DE-BFC8-423e-B252-49B51DB755AB}.exeC:\Windows\{AA5E99DE-BFC8-423e-B252-49B51DB755AB}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9BA3B657-B54C-46d9-A7D3-EB0E2E97D676}.exeC:\Windows\{9BA3B657-B54C-46d9-A7D3-EB0E2E97D676}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AC870C92-8EA9-49e8-B49C-0E4BA24F34AF}.exeC:\Windows\{AC870C92-8EA9-49e8-B49C-0E4BA24F34AF}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{02EC91B1-1B93-4001-AB3C-39F257FD98CE}.exeC:\Windows\{02EC91B1-1B93-4001-AB3C-39F257FD98CE}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{53C5E2D1-1D99-48cc-BD0C-6587003D00C4}.exeC:\Windows\{53C5E2D1-1D99-48cc-BD0C-6587003D00C4}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E065D0D3-295B-4752-95C1-4606A9E52043}.exeC:\Windows\{E065D0D3-295B-4752-95C1-4606A9E52043}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C7DA7439-5196-451d-9492-12486CD952CF}.exeC:\Windows\{C7DA7439-5196-451d-9492-12486CD952CF}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{1C48E80C-0CE9-46a3-AEB8-BA8CFEA80CCF}.exeC:\Windows\{1C48E80C-0CE9-46a3-AEB8-BA8CFEA80CCF}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{7B5962E6-140B-467b-BA9A-26400477E628}.exeC:\Windows\{7B5962E6-140B-467b-BA9A-26400477E628}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{FAC50E93-5480-4d5c-A1CA-E4BB939F577E}.exeC:\Windows\{FAC50E93-5480-4d5c-A1CA-E4BB939F577E}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7B596~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1C48E~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C7DA7~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E065D~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{53C5E~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{02EC9~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AC870~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9BA3B~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AA5E9~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0B275~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD5acba9d8ed8c6731b23dc4565119e00c3
SHA1d2d94e2eec5001005c76cf7effe57d7016f16456
SHA256e415e32c1d39360cd93856be7cf21c4dfb3bd39e5191a8a8818bb1948bbdd1b3
SHA512a63fa7c15cd8e64efe07fd4e518df142f047173adc50e3ab85ac99937482bbf85ed5328a11ea18008cfe7349ffb49204d31099c77b480cd34cfbc658bfa2bd9c
-
Filesize
372KB
MD5349c0c8e685b8e176980e4d65857f259
SHA18d929ee6afdbf24653d124543296f9118c1514b7
SHA256cc45788f7f9605edb357dabdf5cf2b9a956972c4224a300aaec210fca4bb9211
SHA5121ce79386261002e7f740e5d2fe0dee148d010102e10f6c458e4ab4083eb154723812b545f784022d0522ffcadd66bf58717f66df8a20135b4b9f0d788784d3ab
-
Filesize
372KB
MD5cc2986dc0aee02c5aad1b32cae22fce2
SHA1544b6376ed0937811c0cc9cf4f4ae16d77036185
SHA25675e7e19a1dbc2113bc286c6ed005b53ccb514f14e27399fc80694061023c4767
SHA512745bf61dbfda70e94088af2b3ade8c66da2eec8d03f9fede2c9972e07931c84ac3d923eb8b6169acc14419b2ad2e81a0fe0dc73d1a7649e3f3bcc881ae98187f
-
Filesize
372KB
MD5d51a43b5e82ae27c91dd46673c75753b
SHA1919a3f5ceedf403b989607e968834c661341b551
SHA256d0900d3370a08aeab2ff1ad7fe537f591b87b15cd57768ca01a11f9438ae0dd5
SHA512ceefbbc7bc82c80bf19d90242a8676040bce95d4db339cd78cbb6d225fe5c416e9f7303a6e4a409e0440ae0316590fd911710338a2f70b777966304d80a5c7b0
-
Filesize
372KB
MD5a02a3cfd4d7d55b346ab607568143234
SHA1cdcedd5569f0be330010f8b348a213a7b46e5a50
SHA256ac98388384cf0a2e9d73508fd6f1cda6effd42f8822e30313ff2d0336a36169f
SHA5125fbcec59ce4dd3b46bed7c4640ec2b92a28462d864d18dd4ed53e549453090137c3e63acec76e336b2786857f9c170a50bf56a02d69097cd0216e02de7f91cad
-
Filesize
372KB
MD5efcd36ed4bd767dcb56edb4ab6ef0e2d
SHA199b97ed9d97e144f3e261fa84de0649c619bc501
SHA256dff6e17411c1c2e28e95ccafd3a6702265e4aff96856abaaccfe92fce54e484e
SHA5127f031c255e2eaae6ebf83dedc03a2a8249900be3ff68774e87dd8b3a61f371b3cf87f6d4e3b037d05d3985d0049defc40e6e7924c09db09b5e3294179152403a
-
Filesize
372KB
MD58617ad09c17a949f66a7a6e88e5d7a0e
SHA1477461c3706733fcc084babcd93af823d4e746e7
SHA2563f7eb7b304afa7062796a0f152d10058af6e0d5e0b1f75ce4a9e8d53b4140778
SHA512b819fa764537acef3dd4a6c0ea2d32650e03fb0dfe6cf3ff3dde4d7170273b9283ab45a7204e8d70c8baa4fd50d3d0cabfaa5635654bb4c9831fb199708868af
-
Filesize
372KB
MD5415d9303b03ca67b0a5325f6cb9f0d1d
SHA1f5e0d687491540130a9e723dd5c8aded331ec18c
SHA2569c0a740c8def30ca6c6809301f1a9fa3379692809cc4ba6d5cf820170a0b594a
SHA5126c8913915665de0a3c971b6d3edb2d42541fc6e45263515d8198ca4197199fdf341b0ac942e1c28be0538b63ae844873ab877ae025f9b50adf2952f988a8243f
-
Filesize
372KB
MD5f043ca4fa66b2dd520989312d91865ac
SHA1335ef0e34e35c5e906d8b204031f3c8727b59a34
SHA2563039ca3cf796da286331eb0adc7ac2bad18ccf7bd04d7dd6cf29ff2694602b71
SHA5120e1ba20e4e1572d75eb1a4b77e477450157bfc6ec1d0729174de5bee22352ae95aecb1c3b5c2e2e506818df309777058c8eaaea6ab7ffd381bf09f12e1297ddd
-
Filesize
372KB
MD58db966539329768d4f1c0dc23aa80551
SHA18ac36ec0e2c2071793ef7a3a83bac91cccbe3c17
SHA2569f1ded4b83f0e4f97e7b2b1bb2a893576a89bfc302dfafc941741dec2ce9c827
SHA512f55d04791030f115d01cda8f14408e3813da2dedb7d45956ca7b5c293c8facdff3f98a1100fc1f230161b99b0502ed394ab02129b381bd9761b3b0309933fb30
-
Filesize
372KB
MD56b1d9b6425d893bc428cd0486669e03a
SHA1563314ed28e4534274d19997fa477371fcc708a4
SHA256030148e683a9f0bd16ac615543d2c73cbcf52170ea3c13677a6a2f0f74110191
SHA512f3917f62b02b0157213cd6b3ff167b25d9e4d893c9280cf6b26bb8be6c302566df39ff9f3dd44eb65c8aab070c9a121566a7ba04a628d167b30edcc99d25971a