Analysis
-
max time kernel
144s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
12/06/2024, 11:47
General
-
Target
2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe
-
Size
408KB
-
MD5
63491eda1deeecab79878ac00a7cdd2b
-
SHA1
b1c660e932b753248763d9a20d32cfa703c432e3
-
SHA256
acfc29b2d6b8d6d0d796db1fa0f07c46133aa670b0fa313f91708ee8e611125d
-
SHA512
6449c23e7307785f5ec6345616a112ee46203a30f97c82dabf1451990c4749a922df7d8575ae3d9ecb90b64666c1d43ba76ec1204f44cd8f313047c839286df7
-
SSDEEP
3072:CEGh0ofl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-12_63491eda1deeecab79878ac00a7cdd2b_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1CBBBE5A-0B1D-44a1-B87B-EA49CF82DF1B}.exeC:\Windows\{1CBBBE5A-0B1D-44a1-B87B-EA49CF82DF1B}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F208F434-82C3-40b1-A1DB-91C0708E3B60}.exeC:\Windows\{F208F434-82C3-40b1-A1DB-91C0708E3B60}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F63DF959-7556-42fd-AEFF-575C3F81289E}.exeC:\Windows\{F63DF959-7556-42fd-AEFF-575C3F81289E}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{293A2381-6937-4de4-8482-169436BE4EDA}.exeC:\Windows\{293A2381-6937-4de4-8482-169436BE4EDA}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9F108325-CC17-4f42-A9FE-467C2FACC478}.exeC:\Windows\{9F108325-CC17-4f42-A9FE-467C2FACC478}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{874873C2-0AB5-4ac6-A079-D81249EF28FC}.exeC:\Windows\{874873C2-0AB5-4ac6-A079-D81249EF28FC}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D876134F-C7AC-49c3-80AE-35117CA6D7F9}.exeC:\Windows\{D876134F-C7AC-49c3-80AE-35117CA6D7F9}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2977C455-EECC-4dbc-B4FD-4F30AFABD1FD}.exeC:\Windows\{2977C455-EECC-4dbc-B4FD-4F30AFABD1FD}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{BAB3D35E-E2BB-4372-B7E9-99AB517888BE}.exeC:\Windows\{BAB3D35E-E2BB-4372-B7E9-99AB517888BE}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{4ABCA75F-9467-4001-B776-F044403FEF1D}.exeC:\Windows\{4ABCA75F-9467-4001-B776-F044403FEF1D}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{61B7DE7B-5955-4076-A82A-E59F529C1F50}.exeC:\Windows\{61B7DE7B-5955-4076-A82A-E59F529C1F50}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4ABCA~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BAB3D~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2977C~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D8761~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{87487~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9F108~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{293A2~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F63DF~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F208F~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1CBBB~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD5ced9cf88ca2ca2eb13609b701362eab8
SHA14aa89d1dad93b086905c77c0ac13d595cc1bccf2
SHA256fac839c3842f258751e98819856f41c7cb273b2b05508b895942680dac390501
SHA51242c54abb0ac8a457b5b9aaa976f569f083546e813535eb23442c7ae27276550668a521f6048c56987ac4d8595f7e6fa65c84d5f163cbd267ee59244e3fe46034
-
Filesize
408KB
MD53005e5b4ee926204b1c5cc7c9da9b170
SHA1b8e71aa521c624b9b72a8c56c4e8b92ab53d05af
SHA256b81842dd14d6ee1b0e9df262fff35062f8f9c39872de81f677748a8cdcc64c95
SHA5123d993f25d9abd5a755fdd08902b20995c7bbbfa85590f941dd11ce1497721dbe2ef55b6696ee4184bd8e397d82eb012acbe4f386a20b5083da9878b5ca737d8b
-
Filesize
408KB
MD5761cab7997c70ee281d23241946a50ea
SHA1530679d63f397ad92941531e09515e6357475743
SHA2569202328c1faebd0c9ea802d1a914fc73a3ccfbd6e042dd23faca2393c5ec04aa
SHA512a2201f312e7bafed762cd868555474e40835969a41f8094a3983a609318565b978102b92bc77b4306dc0df05b6ef9e60d3efeaf19c028afee4489daadecda728
-
Filesize
408KB
MD507f52e06bb39176f6d2a747e16fed66c
SHA111f3f2f7b5d8189359b3f33c24e146acc5081091
SHA256bb18638b0dabe2dcf201bade8c4bd365f33d47fe675361a9bda908ad558fea90
SHA51294e1505aff85fca3adca648c3e0ea586c6884fa8728c4716d7c2cb0c70c5156ef718dd20aabb3c70f1d8ff864baf55434bcde73df159ce3a0ef80faf604e1f11
-
Filesize
408KB
MD58353256a441e8704bcb420747e64b46b
SHA108826da936e9245aaf75ec725d2ee1db379515cb
SHA25623e94ba831a882f5e0dacb8b79951d18634547313e044449459fc532760c755f
SHA512db0adf0fc098b240defa4778580fbe24672071a5f9b1fc4e079dc01e0b4db2ea959aebfb5debb5bd8b398b7003855bae761f2edaa61f3152e4206a9e94653413
-
Filesize
408KB
MD50f1943d4ef1405e6646b0db6954d5833
SHA17ba56c74d4124afcace663a0f4281b03a6026e1a
SHA256a801b8c0bf60988bc27591ff8787afc0a25221f91a50b371a53b2fbb591ae9fe
SHA5125810192c4d3b691a618eb675d072f0e1c104fcc2e2721871aa589dc168e71e0571cdceefc064821ebccaaac35dc08275e55755ad582f74fd2b3913801c1f8b3a
-
Filesize
408KB
MD5188f7aa6a628841a0c283c2c602aa480
SHA1f2b13463610e05bada68ef77c80f37fa9e075d79
SHA2567e823bc9dbe2b3b9d9af9934d9ee81f903ba5099a27e4cf1c1fe6a94b19899c1
SHA5125f3584a5b76f156d21f76bfdf210623e615b503b1e8fadf7a6fa3873e44d1c0692701be5631b8dcedf6b2ce76e9bdf61472a015e57bbe7f0f774087a1a97625e
-
Filesize
408KB
MD5401634dbe0930277ae8bebc439da7d0b
SHA1b12771efc6c9119b2100faeb95b52b78d4dfa14c
SHA256f370c96f81138868b82f7677bbd7509eb3c5be87bf683f744adfb1e02368b47c
SHA5128a0a0c568a504e3a4740dcfc60565561a3e8bef0a33d6aa03b76262184ed5d70d4f44da12a807987181dfab6500856a9cbf9bd870bf2d3ff8a2ef105d43658f7
-
Filesize
408KB
MD532da3da53e8f37a3090a7ed348caf00d
SHA1da50e24ddbd44385a6876c7dee00c30439b2a598
SHA25607ba68270a4c9892dc5ec92dc612f3d8d719cca287f4f4a387561be3de0058a1
SHA512b206606a5c0967b056716e59eeb327035cb0538831809de38d7a3574049889b9f839f5563c420ebb6978eebbbd153887f6a1d9b3c07fc19d5c6d956a58a90310
-
Filesize
408KB
MD5b915b0b7b1c2f772b034d78decf0a90f
SHA1e0326c695a2e29cdf07ac740d10b098e170c7f55
SHA256f65ad87fdf83c642292a0c626e93d76c6087a9c61869e969b55b542b6962cc63
SHA5126e2e76eae3a5346c4e241c7c3a1b6bba8c147953cd9e682f2580e8d98574dc37e50a093a27d4c9e1d26dffcc984a10a7d2a79f09c1625947880ad4a87aba460c
-
Filesize
408KB
MD5d0b09be3e7072b0955a9696158b9aef2
SHA19bd8db132a6b399331e6d757ba6befb106e8d3f3
SHA2560bed1219ac58ca7c9f0db202cc38ca93f60f3113e21e65e2a369d30eadd19ade
SHA5128bfd3d3a19c232b311d39588e70a88d2c2598db75e32f4c6aa83103d3fa1f2d026845f557cd3ba0eb576b86d3a079b9b46a444f708a2e5a2b8bb031b3944af4b