Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-01-2024 17:40

General

  • Target

    2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe

  • Size

    372KB

  • MD5

    e9ce5a1b440fb4114446d8dee06b7782

  • SHA1

    037c2635b615c2e552667074c4b6ca20a2c93801

  • SHA256

    c54d81d3a282103b95ab0bd828f1f44f4bdba84b31d12c6f78c08300485a18cb

  • SHA512

    b2c33d59289e9529b26c2145cc4b1466069b6b3608c7c95c7fa656674fddeb1f480c19df2f3256e1120dd6ff24c00ee98a0eec2f585c7fda228c4d46db8d9687

  • SSDEEP

    3072:CEGh0oKmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGdl/Oe2MUVg3vTeKcAEciTBqr3

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
      C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
        C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
          C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
            C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2808
            • C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
              C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2960
              • C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
                C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2864
                • C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
                  C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1772
                  • C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
                    C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2880
                    • C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe
                      C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2088
                      • C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe
                        C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2044
                        • C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe
                          C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:588
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DE465~1.EXE > nul
                          12⤵
                          PID:1476
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EDEA~1.EXE > nul
                        11⤵
                        PID:2072
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6DD33~1.EXE > nul
                      10⤵
                      PID:764
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE81~1.EXE > nul
                    9⤵
                    PID:2204
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{EFAC1~1.EXE > nul
                  8⤵
                  PID:1784
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D726E~1.EXE > nul
                7⤵
                PID:1544
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BD045~1.EXE > nul
              6⤵
              PID:2092
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{1E427~1.EXE > nul
            5⤵
            PID:2284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0C4E2~1.EXE > nul
          4⤵
          PID:2584
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E860~1.EXE > nul
        3⤵
        PID:2652
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0C4E2CE4-7D0C-4661-9DDD-C9F78247E588}.exe

    Filesize

    372KB

    MD5

    907cbd884bc873547063f340cbf7085b

    SHA1

    5681e6add60981ce458d7a0c53963e99871cde23

    SHA256

    5f3a871e94ffdf58f4bb26b8ada1c05ab1418fa3772ef879fd8c31d3bd820d20

    SHA512

    90ca3b205ec1bc6f4c9ac88c767f925ec2b37eaa1883038e96fcd7b3f52359a5e277232e417ee927dd177e4963637eb8b3ffbc12ee64f109bb89c85472720c1f

  • C:\Windows\{0CE8157B-DC36-4640-AA7F-10138D83644D}.exe

    Filesize

    372KB

    MD5

    b9738adc5d6ba50b1fd490a96c97dbce

    SHA1

    076578dc792b7aa995dff9ec0e181cfbdc095a2e

    SHA256

    12a44f9c0a4a8c80ab9c02c5ebbfe68f4d3d8499600ac50684931998f80da0ed

    SHA512

    172008ed79709f97669e5bd09a28e8b316d8bf008f3741a76c36020bea45883236969e293ac7d3bc7700e5d591226ef75cd4d7561338755ade1ee1d56e079bd9

  • C:\Windows\{1E4279B7-1778-44d9-9B4E-1B2CBFD46BD6}.exe

    Filesize

    372KB

    MD5

    895c9c4752089e4e752062c5b2a85306

    SHA1

    e018149c1e0bdaa676663c7d90a68d0f20be1ded

    SHA256

    505c2cd6059b38662ecac735ae80121c2deafd628719c1e8031bfd069b6c7d45

    SHA512

    521b0d2d9555bf45fda19e45153088bcdc388b851f0ce8fc17c33194a34fcb2004763833539b65e1ca712287f228cb38647ba441d0c764f5eb681d618e5dd893

  • C:\Windows\{4EDEAD96-2EEB-47ed-AB56-551FD047CA9A}.exe

    Filesize

    372KB

    MD5

    5e6180a158e5f5c4151abfc05d58fdca

    SHA1

    5a9be92a2116bf99e3f4ad5279bcc7e33a401d3c

    SHA256

    6c73d50b6556fb111be7e43d605461c817d9f017d81919f4fbbef4bd22856075

    SHA512

    e0947cb7c153fc041b768ab8f27c53991223334862e275d4d6ce22aa791e60323feee9c497e98b85c6a371ffc88b244a60dcd6d5c9d6dd5092bbeeae1ddce432

  • C:\Windows\{679C5439-0BBE-470e-98FA-C2E90739110C}.exe

    Filesize

    372KB

    MD5

    b14cbcdfe47025f626967e9509f194c6

    SHA1

    dd25222056ee90edb108cae942c7860f9e7aaa2c

    SHA256

    b58bdf24c5c0b74e39c60ef7d658da3c6f94510357ec31eb80736ce7214b83f6

    SHA512

    d1ddb4875678254370b02d333b0c46f08e1107c87594f3302bdcaabf135634538cc95f2f78b5ac5ae4f45cdacc82536503708d2e6af0ad6c2589b4ebef4ce1ba

  • C:\Windows\{6DD336B9-65DA-4367-A754-3D29E5E3F5A0}.exe

    Filesize

    372KB

    MD5

    466bd219fbf8077940dd6074fc49c7be

    SHA1

    83224ff0d483d1da73b306cbe2d843abbd7b3f06

    SHA256

    cab15fa1349fc97187b8c0ea6da18bd8b05867bf955eeaed079510cc69e4c011

    SHA512

    76594f3d59999ed6abf9172dfc561bc0cea39764c9ebb1abb2726c266aa7a9923b2964493fa12cfa7f5e0a5cc3051cbba273f326477e9164b3ccb0f21f436962

  • C:\Windows\{6E860016-3A1C-4bf7-89C7-847CCE1CDC3B}.exe

    Filesize

    372KB

    MD5

    b51aea40f7d4f7cfd9fb4a96e5f4a69f

    SHA1

    4c3711895d97638683dbdc244aa31b87543281a4

    SHA256

    2227ae2c69177d2d5a912e15ca1716be1f3a0bedb46f82b3c488a9d306c014c1

    SHA512

    8015105cb322c78d16d931077f1c34d7b145b97156dc67d33128cc19d93ecaff87b7b6f655221ab8683fdef65513c3fc83c53605e78cf9c21635d2db6def4478

  • C:\Windows\{BD045A06-0F31-4f80-846C-846174FAF3EA}.exe

    Filesize

    372KB

    MD5

    066ae44410e5c09af80d9a848a988bdc

    SHA1

    b6beac6885ebb1dbdccf641db30078621668f20d

    SHA256

    5dc772493c7d6a208c4e05b4cc2d5a793f3ad8a97f5123562d50ebd68e7aa8d4

    SHA512

    92a361cb240b6adf94eae3d70ebb5b9f29aba87fdfca5b7a73075b89b67a3d3538735c2675e6dd708d82f02484d2607eb44024565b077cd769d0688ed68e8960

  • C:\Windows\{D726E3DB-1DFC-404f-BF80-78C2F3232C47}.exe

    Filesize

    372KB

    MD5

    02f97f4aaaa777cd7477af57a3c034fd

    SHA1

    e5f49efebc0e3442c8a60dcd529baae22fc33a24

    SHA256

    309a3347a88cfedf87e3f393803d0c631edc82d962f29e6f7c398ed8d3741f8e

    SHA512

    5cada2e938cbad3e224aab08c8f44ae6a1788459e1bf60b42e2474fb2bb1049dd7ee3d184ccf154dfea5cfa4fcf53404755fbac57244e7f2928bb16aa106ee15

  • C:\Windows\{DE465E0C-A716-40da-A7C2-FF81D046B430}.exe

    Filesize

    372KB

    MD5

    efa1329c5eba06b2c094aa76c7bd84f9

    SHA1

    32a88fddc69939f42b39aeaaec86644bba8a7331

    SHA256

    21e29fa2596cfd4ae9d5d613d063d13c32e2b255964f63d50cfc81f82dce95ca

    SHA512

    121c0b9169f5d9800da7e21592412db08661005e67b50724b250a2a7b3d9275319823624dcb53bc94846794bf4daa14f351d74280fb5835b2f69ec44658b6027

  • C:\Windows\{EFAC13A7-BB65-4890-86A9-D75C8E2E5AA0}.exe

    Filesize

    372KB

    MD5

    fd7a602c9b2ea63448c3da3802bd0300

    SHA1

    307d9667fa231077a5f15557007633e2fa08d7c6

    SHA256

    02fd3eb4f49d42c6da7e632233349970e72e2c744c64bee0f2411a5d12b4d98d

    SHA512

    610521f6e39170849b8d80ce8b3e2f5d071409f7786ea22b9eea013a11a8839dbec07910faffc8222dde195efd2e5a1c0b9f72d09514ede066de44811da121a8