Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-02-2024 14:35

General

  • Target

    2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe

  • Size

    344KB

  • MD5

    7af93560dfe168c250f011a545317e9f

  • SHA1

    c96d46a02263c00dd052444d1fa0f47eab85fa1c

  • SHA256

    566a6f94c75b8bcb4432c6964fa94f373e7e9b059c9b49ef9cef6b4068537d7d

  • SHA512

    9982863b97db4fa25481724641cca1e0b93516cc3fc8c411df39bc2321542edc582d06ec7fe40360b7912172d530e504a2e11bb8085dea8fa955fe6b610022fb

  • SSDEEP

    3072:mEGh0oblEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-12_7af93560dfe168c250f011a545317e9f_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\{3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe
      C:\Windows\{3B693EB5-06AE-4d76-82A0-99AFF1408C4E}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\{F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe
        C:\Windows\{F0566F7D-40DA-4fc4-9332-EE20B50C18BC}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\{EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe
          C:\Windows\{EE3FDCDD-2188-46b8-BD3D-2DC505DF5138}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\{7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe
            C:\Windows\{7DF338F3-6F65-48b2-9B9D-0F04C6396414}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2244
            • C:\Windows\{6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe
              C:\Windows\{6C2DFE9E-C96D-4cbd-A0D3-80413255870C}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2528
              • C:\Windows\{28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe
                C:\Windows\{28C1E109-FB8D-4d4d-88BC-779BB0B8535B}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1592
                • C:\Windows\{90736CBB-0974-4217-9452-C043D7A83EAA}.exe
                  C:\Windows\{90736CBB-0974-4217-9452-C043D7A83EAA}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2208
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{90736~1.EXE > nul
                    9⤵
                      PID:1416
                    • C:\Windows\{80021C7D-2660-427a-B889-939F82C277F4}.exe
                      C:\Windows\{80021C7D-2660-427a-B889-939F82C277F4}.exe
                      9⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2944
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{80021~1.EXE > nul
                        10⤵
                          PID:2892
                        • C:\Windows\{34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe
                          C:\Windows\{34CE4996-A829-40e3-A3A0-742D4638C1AB}.exe
                          10⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:864
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{34CE4~1.EXE > nul
                            11⤵
                              PID:384
                            • C:\Windows\{A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe
                              C:\Windows\{A86081BB-AE97-44ef-A816-FF961EC2AC36}.exe
                              11⤵
                              • Modifies Installed Components in the registry
                              • Executes dropped EXE
                              • Drops file in Windows directory
                              • Suspicious use of AdjustPrivilegeToken
                              PID:612
                              • C:\Windows\{B9C71314-1DDA-46cc-8F32-B6547E2B5602}.exe
                                C:\Windows\{B9C71314-1DDA-46cc-8F32-B6547E2B5602}.exe
                                12⤵
                                • Executes dropped EXE
                                PID:1124
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c del C:\Windows\{A8608~1.EXE > nul
                                12⤵
                                  PID:1872
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{28C1E~1.EXE > nul
                    8⤵
                      PID:2720
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{6C2DF~1.EXE > nul
                  7⤵
                    PID:812
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7DF33~1.EXE > nul
                6⤵
                  PID:2576
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{EE3FD~1.EXE > nul
              5⤵
                PID:2172
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F0566~1.EXE > nul
            4⤵
              PID:2304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{3B693~1.EXE > nul
          3⤵
            PID:2660
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1628

Network

MITRE ATT&CK Enterprise v15

Downloads
