Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20231215-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    26/01/2024, 23:24

General

  • Target

    2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe

  • Size

    180KB

  • MD5

    96495a758464e06885b3d36dfe87f2ca

  • SHA1

    21726a5e2ea56c2ac1feb1ed7339ba988282ba9e

  • SHA256

    6135d8a2facd519630a607fad27002069d9dd398ee9aa975795f65a77b541097

  • SHA512

    8b3940203a02cdbcdad2a4f482c63f63b3ec3f0378334715f0d1645a0df073485e72addefbb2e2e56cfec76b493c4b20315b2fa5677913296ef9b8378511c79b

  • SSDEEP

    3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe
      C:\Windows\{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe
        C:\Windows\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe
          C:\Windows\{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe
            C:\Windows\{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:108
            • C:\Windows\{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe
              C:\Windows\{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1376
              • C:\Windows\{14290696-1A52-499e-8C91-97F81A3C22B8}.exe
                C:\Windows\{14290696-1A52-499e-8C91-97F81A3C22B8}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2476
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{14290~1.EXE > nul
                  8⤵
                  PID:268
                • C:\Windows\{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe
                  C:\Windows\{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1576
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CE9C9~1.EXE > nul
                    9⤵
                    PID:1252
                  • C:\Windows\{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe
                    C:\Windows\{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:664
                    • C:\Windows\{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe
                      C:\Windows\{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:572
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6119~1.EXE > nul
                        11⤵
                        PID:2960
                      • C:\Windows\{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe
                        C:\Windows\{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2444
                        • C:\Windows\{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}.exe
                          C:\Windows\{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1716
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C9F46~1.EXE > nul
                          12⤵
                          PID:2324
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E51DF~1.EXE > nul
                      10⤵
                      PID:1708
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{06EF3~1.EXE > nul
                7⤵
                PID:1008
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0B05F~1.EXE > nul
              6⤵
              PID:320
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3AED1~1.EXE > nul
            5⤵
            PID:2912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E30A3~1.EXE > nul
          4⤵
          PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BD08~1.EXE > nul
        3⤵
        PID:2740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2724
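The process tree above shows the behaviour worth detecting: every stage is a GUID-named EXE written directly under C:\Windows, each stage launches the next one, and each stage removes its own file with `cmd.exe /c del <8.3 short name> > nul`. The dropped files are all 180KB but every one carries a different hash, so hash-based IOCs from this run will not carry over to the next; the chain and the self-deletion pattern will. The following is an added example, not part of the sandbox report or of the sample: it runs that detection over Sysmon Event ID 1-style process-creation records. The field names (pid, ppid, image, cmdline, parent_image) follow Sysmon's EventData, the records are constructed from the first three levels of the tree (the root's parent process and the two benign control records are assumed, not taken from the report), and the 8.3 short-name comparison is a prefix test that a responder should confirm against the real path on the host.

```python
"""Behavioural detection for the dropper chain in this report: GUID-named EXEs written
to C:\\Windows, each one launching the next and then deleting itself through
`cmd.exe /c del <8.3 short name> > nul`. Input is Sysmon Event ID 1-style
process-creation records; the sample records below are constructed from the
report's PIDs and command lines (parent of the root process is assumed)."""
import re
from dataclasses import dataclass
from ntpath import basename  # ntpath parses backslash paths on any host OS

# C:\Windows\{8-4-4-4-12 hex}.exe, the naming used by every dropped stage
GUID_EXE_RE = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$",
    re.IGNORECASE,
)
# cmd.exe /c del <target> > nul, tolerating a quoted cmd.exe path and a quoted target
DEL_NUL_RE = re.compile(
    r'cmd\.exe"?\s+/c\s+del\s+(?P<target>"[^"]+"|\S+)\s*>\s*nul\b', re.IGNORECASE
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # Sysmon EventData.Image
    cmdline: str       # Sysmon EventData.CommandLine
    parent_image: str  # Sysmon EventData.ParentImage


def same_file_as(target: str, parent_image: str) -> bool:
    """True if `target` names `parent_image`, allowing an 8.3 alias like {14290~1.EXE."""
    t = basename(target.strip('"')).upper()
    p = basename(parent_image).upper()
    if t == p:
        return True
    if "~" in t:
        # Windows builds the alias from the leading characters of the long name
        # before "~N", so "{14290~1.EXE" comes from "{14290696-1A52-...}.exe".
        # This is a prefix test: confirm against the real path on the host before acting.
        return p.startswith(t.split("~", 1)[0])
    return False


def find_guid_exes(events):
    """PIDs of processes whose image is a GUID-named EXE directly under C:\\Windows."""
    return sorted(e.pid for e in events if GUID_EXE_RE.match(e.image))


def find_self_deletions(events):
    """(cmd pid, parent pid) for each cmd.exe that deletes its own parent's image.
    Matching on the image basename also covers the WOW64 case in the report, where a
    32-bit parent runs C:\\Windows\\SysWOW64\\cmd.exe while the command line says system32."""
    hits = []
    for e in events:
        if basename(e.image).lower() != "cmd.exe":
            continue
        m = DEL_NUL_RE.search(e.cmdline)
        if m and same_file_as(m.group("target"), e.parent_image):
            hits.append((e.pid, e.ppid))
    return sorted(hits)


def dropper_chain(events, root_pid):
    """Follow parent->child links from root_pid through GUID-named stages."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    chain = [root_pid]
    while True:
        stages = [c for c in by_parent.get(chain[-1], []) if GUID_EXE_RE.match(c.image)]
        if not stages:
            return chain
        chain.append(stages[0].pid)


ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe"
G1 = r"C:\Windows\{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe"
G2 = r"C:\Windows\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SYS_CMD = r"C:\Windows\system32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"  # assumed parent of the root process (not in the report)

EVENTS = [  # first three levels of the report's tree, plus two constructed benign controls
    ProcEvent(2128, 1000, ROOT, f'"{ROOT}"', EXPLORER),
    ProcEvent(2396, 2128, G1, G1, ROOT),
    ProcEvent(2724, 2128, CMD, SYS_CMD + r" /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul", ROOT),
    ProcEvent(2592, 2396, G2, G2, G1),
    ProcEvent(2740, 2396, CMD, SYS_CMD + r" /c del C:\Windows\{9BD08~1.EXE > nul", G1),
    ProcEvent(2776, 2592, CMD, SYS_CMD + r" /c del C:\Windows\{E30A3~1.EXE > nul", G2),
    ProcEvent(3001, 1000, CMD, SYS_CMD + r" /c del C:\Users\Admin\Desktop\old.log > nul", EXPLORER),  # benign
    ProcEvent(3002, 1000, CMD, SYS_CMD + r" /c dir C:\Windows", EXPLORER),  # benign
]

if __name__ == "__main__":
    print("GUID-named stages:", find_guid_exes(EVENTS))
    print("self-deletions (cmd pid, parent pid):", find_self_deletions(EVENTS))
    print("dropper chain from 2128:", dropper_chain(EVENTS, 2128))
```

The benign `del ... > nul` from explorer.exe is not flagged because the deleted file is not the parent's own image; the cmd.exe records from the tree are, because the 8.3 alias in the command line maps back to the parent's long name. Run against a full Sysmon export, `dropper_chain` returns the twelve-process chain the report shows.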

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{06EF3323-F2C9-46de-8156-CD98A39902A6}.exe
    Filesize: 180KB
    MD5: 2e32bb520520f4600e4eca29fd7bad21
    SHA1: ceaf19bc2814e368c254c6fdc9628c2a7e024be0
    SHA256: a241d5ecb6ef04fa57b83a9de69d6cda91f1f21f10cf0096160b3979eabb2f6b
    SHA512: c6965f87a64969cf9238390f03261e197ec3070d3830f891d6dc9f64a9bdb257cbe68046d8639a809042e75a82239f6338ef1176f48bce52a2d6cbc4e0d28721

  • C:\Windows\{0B05FACC-E657-455c-9EB4-2083BE9DCEC3}.exe
    Filesize: 180KB
    MD5: ba783672eed8cc370ae70b75b9c4cdda
    SHA1: f78713bc036344ce39371af72306023f41a813d3
    SHA256: 7c77f9a28e2ca141cf524528f7d18d18c5bfb2bdf94da492e338caa7e52a0770
    SHA512: 7da042e50ccc49621fd3f200c29b7c51254e54500dcea89121a16c21b2617ead8f8a6ca460f2cb8e1c30ee7a24a1fc40d7358cb7efa72c5917f47d5e74f6e027

  • C:\Windows\{14290696-1A52-499e-8C91-97F81A3C22B8}.exe
    Filesize: 180KB
    MD5: 0077c306b321681ee6903b8dc2d0c9ae
    SHA1: 4ab1e46fe2b16341e9316591d77a18d7f199b5c8
    SHA256: ec0862ec51828325203f0c6ba370985b66165b8fc1f977e2c2f23813cf094b4c
    SHA512: f99ac3d93ec3ada701c257504749e89e618183e0d2b59bf70eb1d87a051f733738d46a0a564efbdd3177d554d99bcc128b4d254d071f7e03748f221ede36262d

  • C:\Windows\{3AED1C53-0998-4a79-BBFC-6831230BF7CF}.exe
    Filesize: 180KB
    MD5: 5596d43596a5c581228786ce8156560f
    SHA1: 4d161257d073a0d6f0c090cb28dab1240d53d4ea
    SHA256: 20b1b9b3c428bda148c5b04c458e519253ff4f4e1a35903578f01f65e41249e4
    SHA512: 90990b1dbb9cfee51813b90d5ca5acc0402b04fbd8912b18c21f00e9db8e22f720330d39d0a02b434bea02117d19a3a638c64f07aa02d3a9e93fc8c7ec823642

  • C:\Windows\{9BD08258-7973-4c21-8672-71EC15AAF19A}.exe
    Filesize: 180KB
    MD5: 40d98e5d6b499030bccba25d6a43fc96
    SHA1: 1c76600674518e47726f06a052c5821ccf03f186
    SHA256: 9e1805cbffcd1ab8739a742abc48f18e532eb0fbf468a17540061374767cd13f
    SHA512: 63fc80c5af87c18bcee228b6f56a2b09abd673fb02e8f639fd5922cd363905b5c01bf7b73fef388852c936718850bb3f7658e0b7c3720b4f48c2aa81a080ee58

  • C:\Windows\{B6119849-F8E3-45e2-AB63-52C1386C5DD1}.exe
    Filesize: 180KB
    MD5: 4bc29995f451f438d33d208dcf13f363
    SHA1: 5661a1dc8893101e1218393f2cd7094935c79f2a
    SHA256: 1b531fe6886bd7c761af0945232ec9372422ba6f38c8850bb8bf347d703c5b5f
    SHA512: 98d5917d29dbaf28e6d31dac7727f00f44f1e5923149e86cabaaf36ba1969743d9567a8a023811ca36648dee8ba0cee6be2120267e2df2b6a79b7d0323505dca

  • C:\Windows\{C9F463A8-9F09-41a5-A9E5-752590882A21}.exe
    Filesize: 180KB
    MD5: 1f8b8dfdbd8acdb1e7dffdd7129aace0
    SHA1: eca4d23386fef8e040c68155bc86982e8b7c7f74
    SHA256: 8781e33b54f104dfbe69f20a4c38e4daa4766e2f5b03f05210720f8b79355cda
    SHA512: c6ab3cdb4b5a15794bf083bef0c8a4a96fe24033030838e1cda52790b2f78d426faca9a9af1989bfe2d1b2e7228aa7b792ee2598e49e458e261fc9be60793fe9

  • C:\Windows\{CE9C9B5F-F716-4576-930F-BD0D2F28805F}.exe
    Filesize: 180KB
    MD5: 715f2c0ad620cd3b93ae26c6b2092664
    SHA1: aa23eda537b1ee7e6d117ee88594f6121f621da1
    SHA256: 8addc6a3427500caee3d7470af69309ebfb3a0563b043e60d7892512af9c9043
    SHA512: 358d0cb97dd489e83faa5b6998c87838a7faefb0ac1693030d41826ba739fcdfe136957d16e9bc7d5ce6722960dcd4b598abfadf81ce7210f462e6bf2c5d55aa

  • C:\Windows\{D2ABE405-D29D-44e1-BE86-3DC7AED932E4}.exe
    Filesize: 180KB
    MD5: f68515a0efe911710f0a9055c35d8914
    SHA1: beb5b4a5bfb52cf593b29c8535be72a87faf6b54
    SHA256: 273a61b3ccd34049d6c2cd872a6974a6b1f5bd19d2544a6ec340ce45e3ac6b8e
    SHA512: a8aa1c94bd0132692e06534a2bd21e7825863ef3b4b2a83a0f84f49e3430adbcbf0f5d8c6e26603c497183f90cc4f89f7a18e83dd38d5af4e82d96ffd966ca4a

  • C:\Windows\{E30A34B0-1CB6-44a7-88D7-4F3FE8B87103}.exe
    Filesize: 180KB
    MD5: 23845faba6e2be38265d92542d65f03a
    SHA1: 04881796f151993cffad10c0ae5cfe966421e5b1
    SHA256: 13c0e733bfa5384769c84df119c1a6877c2fc6b003bc340735ab9b26a171d444
    SHA512: 80c64b90c48c5a8aff8922ced41c57de7811dd83e7d56336efb93467e160d242aef64f04d1f467b2b850f1a3af16ae8cd74cdc4333c2c9ca6c2d7aa559569a42

  • C:\Windows\{E51DF00D-878D-45cb-BB7C-086979D5E84E}.exe
    Filesize: 180KB
    MD5: 82561a27ca6960a9d3a576e992bb2714
    SHA1: 55994b84c6721ca6771facf31872390f4ec86e2b
    SHA256: 669fa29ed8df9c6d5bcfc706bccbce05d4a6d9392a41edb6a930be8b2343e02b
    SHA512: 834d9faa2ee32473bc962a32f43ad399e96bde5613712af3cf9d1328f5980213e1a39707066126ebe8dee6d8f578e15e3a387166d93124cbdf4fe91bada2ad4f