Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-01-2024 05:51

General

  • Target

    2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe

  • Size

    380KB

  • MD5

    d79161d8be763949d02a1200640b507a

  • SHA1

    13d49858e50a26a76ee9783fa484a720656d553a

  • SHA256

    50360290803234c43c2cd6c009befa31c17d11a6ad7dfb4b26eae8880fbdb8ed

  • SHA512

    b73155e49cc9a4b3f945d7a2efd9adf099252cfe5da4b220b26fe71208b2cf61b45fb2fa003c73291d452097d2840a7974ce3bda2c0c1e84aec3b3346b6c84bf

  • SSDEEP

    3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2028
    • C:\Windows\{30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe
      C:\Windows\{30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30B19~1.EXE > nul
        3⤵
          PID:2812
        • C:\Windows\{5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe
          C:\Windows\{5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe
          3⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5C6D0~1.EXE > nul
            4⤵
              PID:1964
            • C:\Windows\{DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe
              C:\Windows\{DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe
              4⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2656
              • C:\Windows\{C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe
                C:\Windows\{C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe
                5⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1908
                • C:\Windows\{3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe
                  C:\Windows\{3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe
                  6⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2968
                  • C:\Windows\{B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe
                    C:\Windows\{B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe
                    7⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:276
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B93AF~1.EXE > nul
                      8⤵
                        PID:576
                      • C:\Windows\{2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe
                        C:\Windows\{2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe
                        8⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1520
                        • C:\Windows\{DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe
                          C:\Windows\{DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe
                          9⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2772
                          • C:\Windows\{CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe
                            C:\Windows\{CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe
                            10⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2372
                            • C:\Windows\{7E791280-0797-4270-B356-A0D7336359CD}.exe
                              C:\Windows\{7E791280-0797-4270-B356-A0D7336359CD}.exe
                              11⤵
                              • Modifies Installed Components in the registry
                              • Executes dropped EXE
                              • Drops file in Windows directory
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2252
                              • C:\Windows\{65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe
                                C:\Windows\{65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe
                                12⤵
                                • Modifies Installed Components in the registry
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2392
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c del C:\Windows\{65361~1.EXE > nul
                                  13⤵
                                    PID:2484
                                  • C:\Windows\{26E451EC-2EF1-4cb3-80AF-B4D74C9B3BC1}.exe
                                    C:\Windows\{26E451EC-2EF1-4cb3-80AF-B4D74C9B3BC1}.exe
                                    13⤵
                                    • Executes dropped EXE
                                    PID:2456
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7E791~1.EXE > nul
                                  12⤵
                                    PID:2368
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c del C:\Windows\{CFEEB~1.EXE > nul
                                  11⤵
                                    PID:1068
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c del C:\Windows\{DECD8~1.EXE > nul
                                  10⤵
                                    PID:2308
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB30~1.EXE > nul
                                  9⤵
                                    PID:1304
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c del C:\Windows\{3B224~1.EXE > nul
                                7⤵
                                  PID:1692
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c del C:\Windows\{C01CC~1.EXE > nul
                                6⤵
                                  PID:1356
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c del C:\Windows\{DF491~1.EXE > nul
                                5⤵
                                  PID:2920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{26E451EC-2EF1-4cb3-80AF-B4D74C9B3BC1}.exe
    Filesize: 380KB
    MD5: 4a8b60b4529f028d16f3feba0ffc57de
    SHA1: 66dcdb3ef4b88ffe503c8857561c65bf6e94bc43
    SHA256: d98528785a894012339e86ff0e73925e0b016ea8e48b8ef86d4c998126eab55f
    SHA512: 7c9634cc212e1bc3ee70724ff47248121a1afc9a6fdf5257072a10c4b2596b097006694cccaaa024a93507478304c0d88427a4093944d38701ee71872c7fa189

  • C:\Windows\{2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe
    Filesize: 346KB
    MD5: 2a7eddbb5b15af895c070f08138daea8
    SHA1: f16a4b6a130cde9c491e6f3585e99bf58040897a
    SHA256: 124cfdbec809c5a8a5e2357bdd417aa10fd2a366b5a7b934e14f75958fcf98e1
    SHA512: 423ee1d6a00de4bb91384b6a18261ce44dac9b0d0ba0cf052b1b4819a769d8293cf21aa6267b7b6a0c46951efed2d452c7fdfd8d20a4f380f4eb5361c05688e5

  • C:\Windows\{2DB30FB5-1C63-474c-96E4-5A60F42A7F95}.exe
    Filesize: 380KB
    MD5: e83b6b60fbda1895df7396261a401088
    SHA1: 48d3cae2f0de7f204e6793b0358fc5e0b499e713
    SHA256: ba9e59ed101620227d66385b48998f2080413e7f20a41282317def360d2086ec
    SHA512: 197bdcf9844bd399bc63ac97920ba9e087dd53f0d95429fdef3370fbd0fe0b4f9121dddd968fc476a4980cb83d42ec5a78337407d0f577f5e919463dca977be2

  • C:\Windows\{30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe
    Filesize: 3KB
    MD5: dffe52d098c09c52571ddd3f86c90bdf
    SHA1: 9fe7335ab3edb7d41b9a29b1dd5585eb168df630
    SHA256: a97f3f2be2f3f86bc4cc7dba43e2dc946f3c7fa320e3d4f1778ce455b00930a9
    SHA512: 0c6662c3d2d0e17a7bbfe0bc26b5f810c6cc965e528c110bf6182b716c01f9e4fe53757dc7309bf892c1caf5a96265db9d191bf2462b5c6d48f6abb11ba69ec4

  • C:\Windows\{30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe
    Filesize: 12KB
    MD5: 474487c5d82bd5abbd66d1edd34cd82b
    SHA1: c770dc6a35e62fd6ab95e0bfc38325e66b975e5c
    SHA256: 17a4113ca4dd52b2a00c0dece32a52a40c538bb66819dc746b4b3759c1743bfa
    SHA512: 0c6307d68f44172ad2d4ee96a471eac31dde98eac92bb1b46349a5af0e1060a6fbe45032cbca26deff5560a5cd4c343825373b019bb1dbd7c4d500951418d199

  • C:\Windows\{30B19D41-999D-4749-9B80-D39C90AA7AC8}.exe
    Filesize: 1KB
    MD5: 0469c37c06779c374b10516f746e54cd
    SHA1: a554cdfb5bfe2fdbef5626dff44175a0a14c9aa7
    SHA256: 42a50b9c0cdee18b6513ca0684fe36d5108fee23b4202466ba22f5312f2c43b5
    SHA512: 8116e597ca3fc7d7b801424a1b37533ade4fbe62b33f7045e6eaeb6b03275c7e981498b4e237230262e157aed9d257faadb6ba1586191f0ebb8d87f292cf4ce0

  • C:\Windows\{3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe
    Filesize: 380KB
    MD5: 3db569563a15b652212d494d5b29d59e
    SHA1: b303a714c55da14ed73954b712289e4a75c79f45
    SHA256: e827116202bcd555b2845cf07306669066e167e9deca6b3bc8f32798362d2d57
    SHA512: a16abc32d69eafd7f80cb4407da6286acf10be488dc5aef3e822db251dab53538d022f2bb6e03fc6f28dbf210fbdbcf5fcbf3a7d4db15ee3f9a7ada37ffd0030

  • C:\Windows\{3B224AA4-A413-4111-A7FF-137BB53F4E14}.exe
    Filesize: 295KB
    MD5: 705d4fc540f7f8bd37c86fe60db29ef6
    SHA1: d8aa426e9a4bbdb74e8f144487ab4f3f87dad0a9
    SHA256: 569a97100b3d19f0fd6deae1ffee7d591f4f0918de32348e550940903d19fa18
    SHA512: 6e6d761a3a64455af85016b59f1623da42a966e2d4b117deed0e80d2b3f5f10a439eec8fc90299fd64a64d8bbaf0ae7eafe28a1a09b6ee3da87a223aceecde0a

  • C:\Windows\{5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe
    Filesize: 33KB
    MD5: c7152e6dbcb8d0e0103fa0ab857026d9
    SHA1: d43f3f3db1c109d2b21ba5107bb6137807b9a057
    SHA256: c45631613d2ae4aa483b466e8c3044209f1567b0fb6e04b975942bebacfb689c
    SHA512: 940838d56321795761bfb7a4beddf655ab782fb8a340a54c1684c37ab2492589174669d78f51b43d7d0c43699b1c546516bcc1b0e7492b65485d188f3c12249f

  • C:\Windows\{5C6D0AC8-363D-454d-90AA-6724DD043C6E}.exe
    Filesize: 20KB
    MD5: bdfb9406da80a97474a5594d4acb03ca
    SHA1: 91ac779375347ce9cbfa2181e07ecf961bf87f23
    SHA256: e488d7d797697ead5fe1a0f58a9be859bcc2c4fa4a0fe6c0b9ff4b38118685f5
    SHA512: 938fc5e893850aaabd76dbeceb3b259d307908c5e525e8e8ad32d54d9df9574000e8852d31d4f727dd5529c0c2bbf762b3617f817b618f8613cbbf6b8349071e

  • C:\Windows\{65361CA3-18AA-40f6-B3F9-CBFCE93C77B9}.exe
    Filesize: 380KB
    MD5: 62640385c688e5bde68d1a29bffdf949
    SHA1: c2d810d46be72b9dc81d0eeaf68982b885ceaa7d
    SHA256: 3844b469e0fc772d0d3f4d8841b8d0fc223542a6594ef5b32ad5b7b3d664f48f
    SHA512: 4408fc3d29407ec7cb17b3385ddf4b1ff06478843ef7df370a33f55ef6bb60e1826534d7ecf91213cc2b69c5a97d51f02e8e172f85301777f6d45e39cc7994c3

  • C:\Windows\{7E791280-0797-4270-B356-A0D7336359CD}.exe
    Filesize: 380KB
    MD5: b9530276dba257e87bab0a949fadd3ed
    SHA1: 7b7520154492a40dd0fa7aa58b74a95aae99925d
    SHA256: 6b6b7bdd30451f15f4919044347e9f950b7e95a3ccc9ec7c731980d1ee1fe9bf
    SHA512: d7732f78e153fa0f98815220559619b5d9dc4b3ac36880291f735517fefb5779ef5e5b6d9d52359934e3389f5e5cfca1179c372b5bb27628b7b64122f0b284bf

  • C:\Windows\{B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe
    Filesize: 153KB
    MD5: 781a42e16cfa68b358d9562fe9ee943d
    SHA1: 7dfd50f9ed568a883ad477033ba95c7c7308db89
    SHA256: 086fca1de4421f4987e3893af945a9fe5434ed31304e3fa1edc3ac4e95fade0c
    SHA512: d5ac1757e54f9407d8b00b3962e762b691b58bccf164ee5c644e378735fbee13e03aead63967a5736748b256e985a1e5ed2fb993da3c6e64a8da1caca898edf7

  • C:\Windows\{B93AF61F-356F-461a-AF5E-AF5FFBD5C7E9}.exe
    Filesize: 380KB
    MD5: 661a86a3a840f5a17f8f3a24e58d3f5c
    SHA1: 5524a4ed16a7c17629885c5c3e4e749fcd8d94ee
    SHA256: 78624fdb1704b1a31fc98bb5ba4c00e1ee96e57857e8c1980b41ddb1858c3461
    SHA512: 7ca5e4f07178b3e3f435b22254844047a428f6f3d2188e385b07ebc13177da0d8bd296f5196086dcb87d9f76f159ca150166391a8cddb5f5f4cadd246cc9abc2

  • C:\Windows\{C01CCD14-B7AC-49b1-A438-BB3390E70E03}.exe
    Filesize: 380KB
    MD5: 4499b626976da77ee9121f55394ef63f
    SHA1: b71a69b31af0224ce4ca4303ec0f52a2dd3a03e4
    SHA256: 124e695d11a40e3089f58e29d09cfcecd611b6145279dd3e8353b44fb4897ecf
    SHA512: c1d515a226548043ad23b43672f98426e8c797eed8a5e193b4fda5950c58b0148e193ff0df82caeda73a26b7568be69052425f056de602e5c16d0aa719ba8732

  • C:\Windows\{CFEEBB71-FBED-4abf-B480-0151A6C27564}.exe
    Filesize: 380KB
    MD5: 98bcbd2e953c392e449cc39713cc57e7
    SHA1: 3c7520d6303cb8dd5710fdcbe5230cc0a38451fa
    SHA256: 028a54b83b5c253a64ece263c5f02e5fe1d310941fbac9125ca337f5a45488d8
    SHA512: d92c57da2cea6cd8bd26a158a08c313aac7b319f5b24d416ba5e2e0012c462ff0b10a551b7b1d6def59a2943649cadbe30bb19a4454488cc4ec7abbe706dda7d

  • C:\Windows\{DECD8D62-5C1A-43fc-ADC0-A567CA06F4AD}.exe
    Filesize: 380KB
    MD5: 33018838d2f0d4e08f81c4461aad750d
    SHA1: 25801bbe756f49e7938146a042fa40fb1a352bff
    SHA256: a00d0d22c2ba33570e79595099ee936978c56bec6894b2cefb9a6635ead6208f
    SHA512: 45c03d19f2b299cc60aa58fe5f1cd664afeb25f6346a8c3ff607e9abca534576603d188d29099b240633a6df12d513a6544ccb8591d78126d11b3977d8cf5c25

  • C:\Windows\{DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe
    Filesize: 43KB
    MD5: 2fc7285b9fa334107b454095bea93e09
    SHA1: bd201fef1f94f89a7df2574ff17ec912319c79c9
    SHA256: c81bea898fdbbfcec83bdea8d8e72aa086ef5d3926a7095378d9e073467f238e
    SHA512: f644c5abe2c64ea68320567559c8063c78709b3b0f9bba8e924da72fcd44a150724073135ef7a9e8b15eee543ab29335cb2d6d7b6dacd67e3d8782915b4eb16b

  • C:\Windows\{DF4914DF-AF08-4d7f-8270-72E128ED0B1D}.exe
    Filesize: 380KB
    MD5: 49c9a9e6115efe33fb8242a9e3490ea4
    SHA1: 67e6a986b262c3d926b8d70f3379b06b13a80f42
    SHA256: cc9a89783fcaad4d60916d13fafed30fcc83fbe78490738c53c67c28e2bc88e1
    SHA512: 4dd4f28bf1a8e9326dcc9ec2866c295dd455dd9f1b9f3f658faff6dcc529787976fa2e5f61ee8390bc89b84772d55cc9c27f76268afa6a118579c5026348269a