Overview

overview

10

Static

static

10

2024-02-20...ye.exe

windows7-x64

9

2024-02-20...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20-02-2024 06:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-20_93e0c1d832fea2fb903ddd630164c459_goldeneye.exe

  • Size

    372KB

  • MD5

    93e0c1d832fea2fb903ddd630164c459

  • SHA1

    386054b00e63833efd992ab1dda83b4a698d5080

  • SHA256

    be6df662535773e6f3cff293eb2c7b824bfb086830b4af47ec11550c6896349d

  • SHA512

    950fb97148c2b7114f0f261e37aa9963ee38f819b5477a1403fe8b7b553c8023e5ee030713c0b3b8af1c0833fa5793c27909272ff7cda8e266b304c0a7e6e7f7

  • SSDEEP

    3072:CEGh0oqlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGMlkOe2MUVg3vTeKcAEciTBqr3

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-20_93e0c1d832fea2fb903ddd630164c459_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-20_93e0c1d832fea2fb903ddd630164c459_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\{0D044338-2DD9-441f-A9FF-82930709349F}.exe
      C:\Windows\{0D044338-2DD9-441f-A9FF-82930709349F}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D044~1.EXE > nul
        3⤵
          PID:2724
        • C:\Windows\{BE15AF2F-E84A-487f-81AE-E42DF401F28C}.exe
          C:\Windows\{BE15AF2F-E84A-487f-81AE-E42DF401F28C}.exe
          3⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{BE15A~1.EXE > nul
            4⤵
              PID:2876
            • C:\Windows\{3598A515-21A0-4f58-AC3E-2604AE713ECD}.exe
              C:\Windows\{3598A515-21A0-4f58-AC3E-2604AE713ECD}.exe
              4⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2612
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3598A~1.EXE > nul
                5⤵
                  PID:2592
                • C:\Windows\{67DF9F01-2530-4892-A05B-5A0D53FAECB0}.exe
                  C:\Windows\{67DF9F01-2530-4892-A05B-5A0D53FAECB0}.exe
                  5⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2644
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{67DF9~1.EXE > nul
                    6⤵
                      PID:1624
                    • C:\Windows\{5A5689BA-0894-4858-B245-F4AA5C88BF84}.exe
                      C:\Windows\{5A5689BA-0894-4858-B245-F4AA5C88BF84}.exe
                      6⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:320
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A568~1.EXE > nul
                        7⤵
                          PID:2532
                        • C:\Windows\{C2A779DE-AA47-4940-9C99-C966B4D60B9D}.exe
                          C:\Windows\{C2A779DE-AA47-4940-9C99-C966B4D60B9D}.exe
                          7⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:1488
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A77~1.EXE > nul
                            8⤵
                              PID:2848
                            • C:\Windows\{EBE823E5-9E0B-4c54-AFAD-C540C1430775}.exe
                              C:\Windows\{EBE823E5-9E0B-4c54-AFAD-C540C1430775}.exe
                              8⤵
                              • Modifies Installed Components in the registry
                              • Executes dropped EXE
                              • Drops file in Windows directory
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2468
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c del C:\Windows\{EBE82~1.EXE > nul
                                9⤵
                                  PID:1368
                                • C:\Windows\{FF1126BA-4C29-4d37-BC71-BD76EEBBF261}.exe
                                  C:\Windows\{FF1126BA-4C29-4d37-BC71-BD76EEBBF261}.exe
                                  9⤵
                                  • Modifies Installed Components in the registry
                                  • Executes dropped EXE
                                  • Drops file in Windows directory
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1056
                                  • C:\Windows\{8B87F211-729B-4923-AA87-D4489E66E91B}.exe
                                    C:\Windows\{8B87F211-729B-4923-AA87-D4489E66E91B}.exe
                                    10⤵
                                    • Modifies Installed Components in the registry
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3004
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8B87F~1.EXE > nul
                                      11⤵
                                        PID:392
                                      • C:\Windows\{63219BE4-3E2A-4c27-ADFD-85C95D99318E}.exe
                                        C:\Windows\{63219BE4-3E2A-4c27-ADFD-85C95D99318E}.exe
                                        11⤵
                                        • Modifies Installed Components in the registry
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2332
                                        • C:\Windows\{A2E3512B-3B66-4b75-9E38-76586BCA9E2B}.exe
                                          C:\Windows\{A2E3512B-3B66-4b75-9E38-76586BCA9E2B}.exe
                                          12⤵
                                          • Executes dropped EXE
                                          PID:1440
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c del C:\Windows\{63219~1.EXE > nul
                                          12⤵
                                            PID:1100
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF112~1.EXE > nul
                                        10⤵
                                          PID:2144
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1992

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{0D044338-2DD9-441f-A9FF-82930709349F}.exe
                        Filesize

                        372KB

                        MD5

                        c7356d3133fd5434bddc7349714b6b3b

                        SHA1

                        7b66b9af4db1b743b85c70e1ba997630283b0afc

                        SHA256

                        0870ce6c710aab322574fc3d17da25cc93e8f3ccafd942b2e0725f7119adb2e3

                        SHA512

                        9759e24a44896b34c9275dbd8cc2f4550ecafcea3538440d3788114255d5d3fe9037300e8b64a27195f6518d66114ec232d7166ee31a0700b246ceac3d4ad32a

                        Download Submit

                      • C:\Windows\{3598A515-21A0-4f58-AC3E-2604AE713ECD}.exe
                        Filesize

                        372KB

                        MD5

                        52a75662a7647041fdb28a42ec38994f

                        SHA1

                        60703a2fdafb25ec66ba326873bd152c50a0a87b

                        SHA256

                        d01a24d36a22fcaa46ad329477aa1c4368a8149ebc58edf9686d83e67235f9df

                        SHA512

                        36004cce7d833b038019d17732fc4fa1fdddddfedc631a959c34ad9402c943db5925752886b7fd4e2b6c2dcb5af1ef118aff83256f3fea7083a90f083d30e28b

                        Download Submit

                      • C:\Windows\{5A5689BA-0894-4858-B245-F4AA5C88BF84}.exe
                        Filesize

                        372KB

                        MD5

                        2d15d909c986695a836a9f71c8219ab8

                        SHA1

                        852ec66dcff9bca31eb31661a04308aac3e3889f

                        SHA256

                        0e453b221ac43ff22e41f71579cbd1a94b434705898e9ccdffa6195d2c8d0df3

                        SHA512

                        642b78935043cf36ea3b576cae82a73b405b7095df6c02a1a1ec0c214943f4160835a06c2e1b180e60460221febd9d5ee5315bc3eaeece9fd92c36c64d83e638

                        Download Submit

                      • C:\Windows\{63219BE4-3E2A-4c27-ADFD-85C95D99318E}.exe
                        Filesize

                        372KB

                        MD5

                        79acf326b4e60208d1c570741f4806b0

                        SHA1

                        5653d9dc356fa13775c0188be36efb79d9806bd9

                        SHA256

                        43548dd80de608f769055384a658f9254f2474b8b701050338b1644a4dd071d7

                        SHA512

                        9ad91b8612f98c2c37e9c14bb95f44e10cb608978e40f57e05e8ddc9d8254aff9b66456f4df66f612a7d4828f3543cbcd185534854dda4e277518ed33d5d2a29

                        Download Submit

                      • C:\Windows\{67DF9F01-2530-4892-A05B-5A0D53FAECB0}.exe
                        Filesize

                        372KB

                        MD5

                        12b901d801da46e170d86e84bdcb22ee

                        SHA1

                        eee8a657d11d694ae4eb5f629440bff87de085a9

                        SHA256

                        c078babe9a4d5118cca3a1a7e67d2746ac7e6d33bd7387d67e4cf18f7cc5230b

                        SHA512

                        63ce716057bb6f4968ccc8d0e404cf32b20163330814f9b463d5cc1f4ebbf29bd45296c0907881c1c17595dfc1290275ad6c8db085582790ed02ad6eb5f8d018

                        Download Submit

                      • C:\Windows\{8B87F211-729B-4923-AA87-D4489E66E91B}.exe
                        Filesize

                        372KB

                        MD5

                        55eba0d67983a4bc4ab1ead6a986b18e

                        SHA1

                        24d57b0bc73c1e227d52fa57ee1dedd5f1b2e5a0

                        SHA256

                        415c78022affe449a69830c6edde8c6ed4cba5911f563cc212c0aca48d638b06

                        SHA512

                        d6296b93760f3e248dc0793f7280c1b768d25f5667630d1b55f6781be1418ef65536a9492593c367c506ca10eec68a87dbd1b8fb1099524ad634db7efa16b9d4

                        Download Submit

                      • C:\Windows\{A2E3512B-3B66-4b75-9E38-76586BCA9E2B}.exe
                        Filesize

                        372KB

                        MD5

                        f62f527746e595c42b5f41dac08c63f9

                        SHA1

                        d2ed38f40defdd2e27d227252ece5df37543a985

                        SHA256

                        df263d4559d5feec1ecd339c9302afd04842d4c3da2ec1c827e1d042b6036d25

                        SHA512

                        a9057f838c4fa037d094775445c6a2c935a458010110354322feb28f46e8324635933c525cde56d46ff67d40cac4923d684f4ab3e3bb9d60a376d4389d57e900

                        Download Submit

                      • C:\Windows\{BE15AF2F-E84A-487f-81AE-E42DF401F28C}.exe
                        Filesize

                        372KB

                        MD5

                        054a00b2cadc891f3e5eec44664683cd

                        SHA1

                        04a01fd3c3c59be1271be68c217ce555c18061e7

                        SHA256

                        fbe790494a5140b743076127380574f6b302292fe8b21b5c8b01016d9289bd00

                        SHA512

                        f53ff3b0d176c031fb279043eaab40904781642abff60067acedcab7d1db2113bc599ecf304b83334632dccc8ba40cd43fa3914a774b5edafcf007c142f065b8

                        Download Submit

                      • C:\Windows\{C2A779DE-AA47-4940-9C99-C966B4D60B9D}.exe
                        Filesize

                        372KB

                        MD5

                        178d5f1b59ec7a0c5dffdd42c6e03ba7

                        SHA1

                        d575e1baf099b3fb1e388824faec59712805b094

                        SHA256

                        9fd7e52369e3a7ea7fb7137342e6fe4c0bc6c595d4347e05f3fbc859586fc4bd

                        SHA512

                        0aadfb25d0558407ee98f374b3989e01d7e2689d2776efe3ac10cb616bb605c195a5acecadd826fe3196af7187298cfe3a72f29e0ef54c30f39c1ea2715b17b5

                        Download Submit

                      • C:\Windows\{EBE823E5-9E0B-4c54-AFAD-C540C1430775}.exe
                        Filesize

                        372KB

                        MD5

                        3d6779a77a43c1e08a86df626715a165

                        SHA1

                        02b91118c9c398a1d37f85d0ca21cb7c30e3e9b7

                        SHA256

                        cd7ffd5f8012540d54116896801f11345fa4357575f2cc7ac346f19ee2e209a3

                        SHA512

                        b4e0fc8c0674fe6d97cc79d319d530b5bcd4746dc014797226bf5e7b4111f000b931041f4256de49827a41eafe7dc2c9b298caef6ebea181a7fb7b9a4ccd4e9c

                        Download Submit

                      • C:\Windows\{FF1126BA-4C29-4d37-BC71-BD76EEBBF261}.exe
                        Filesize

                        372KB

                        MD5

                        dccbc1d3455e27484de582fd6d7c26da

                        SHA1

                        e357f4213863ff33942bbd1fb64dac97ef1c5b50

                        SHA256

                        9dc31b2127ab1a28422a2e864dcde0b901289e286181868eb9daf673d73ccc2c

                        SHA512

                        9189b055057e40cfcbb8138418b5afe01d5b7a824d7ad1bbe5bcd1d3c2e182fe2a39e55728c86032b54e40fdbcf736607e1a9931d7f8883c1b81fb9131c742da

                        Download Submit