Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:21

General

  • Target

    2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe

  • Size

    197KB

  • MD5

    07df5cc6838f279930c33904c850e1db

  • SHA1

    db9fad254bcead8c4c6d5c66633b4ed7ef9d46d4

  • SHA256

    20c1f5b05d5cb43caee71a2c91870af3415c008102ab0f54d480f1df4f615b1e

  • SHA512

    3c706f99aac39d42683dc38e62f9b9e251f5811d6c0fcdc5e50647a73c2bae1dc26e06bdaf973ebd9c4d108e5c531fd5a03728b43d9fa5387abadf998c45b9b1

  • SSDEEP

    3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG8lEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_07df5cc6838f279930c33904c850e1db_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
      C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
        C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
          C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
            C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2456
            • C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
              C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2660
              • C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
                C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2208
                • C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
                  C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1244
                  • C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe
                    C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2032
                    • C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe
                      C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1912
                      • C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe
                        C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:336
                        • C:\Windows\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe
                          C:\Windows\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:568
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F7093~1.EXE > nul
                          12⤵
                          PID:1124
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3C3D~1.EXE > nul
                        11⤵
                        PID:988
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{55759~1.EXE > nul
                      10⤵
                      PID:2356
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4ACB5~1.EXE > nul
                    9⤵
                    PID:1688
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C84A3~1.EXE > nul
                  8⤵
                  PID:2448
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D0067~1.EXE > nul
                7⤵
                PID:832
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4FF2C~1.EXE > nul
              6⤵
              PID:1276
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5F6A3~1.EXE > nul
            5⤵
            PID:2664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E0356~1.EXE > nul
          4⤵
          PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{349BF~1.EXE > nul
        3⤵
        PID:2508
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{349BF865-E6B3-476e-92E2-7DEFAB157E09}.exe

    Filesize
    197KB

    MD5
    cb25b0cfcbce8417a444a1818549e343

    SHA1
    3e15d11255b914c0f258733deb2608e44fbd6333

    SHA256
    a5a11e872ecc6f0c0e2a9956f7bdad13bb8cb475be309178ed671937bd37ac55

    SHA512
    1543034484d568b647b776e9969aac6dd3d0303255937d1719d8d1532feb20382761598c12a33f2501217437fbae1b4f7426f1620dcfebb4b71922e326d7945a

  • C:\Windows\{4ACB5DA2-CB29-4044-9E69-59ABF0FC34FD}.exe

    Filesize
    197KB

    MD5
    a403e45f00c7ee093696e1840e57f63c

    SHA1
    6bc43aabaa9c5caa9a00dd6fbd11000d05c70dbb

    SHA256
    cd8abe234389dfcb3f196b1a745065510e39c886f220ad3de941bcde527a5de8

    SHA512
    3dfba8762375a6bcfaaa247ce9ab623d8121e8168d04556b46371e71d852e949a14f7a76e31ea9817881740da5a0cfee0b48674bbadb19f5eaf1ad9112b0d8c4

  • C:\Windows\{4FF2C761-D2E2-4581-95D1-C2ABE94D4694}.exe

    Filesize
    197KB

    MD5
    a3f5b5235fc3b8118941866068d937a0

    SHA1
    afce5bac60e6a86368e39b28b9f2a5e3e458712b

    SHA256
    7b4de28c1827e8656f98b49c248acfcab3aea4b281de37e08a3c7054c9bc0abb

    SHA512
    fdff73845cceeecbf882d72d33786352297347a5dd318ca4325062c19a6044320550c3dcf197002a05ad5539c0de2542a0ad60996a1c00d3dbf2225bb2e38d92

  • C:\Windows\{55759448-FCFD-491b-8029-1400D52CA454}.exe

    Filesize
    197KB

    MD5
    cbfdf45502c266e02a7bd3d996d32a2e

    SHA1
    22db723ef20d8d55271f362036cc27782cd2314b

    SHA256
    4188e718c8054ce771cdee46c18697fa3fc7a55ace15a93a5abf793b84575474

    SHA512
    7425d850c173802db952584ff1623526a2cdb0ac5592a7cb0c732cc2821a7e47b05579dc0e4c14b5b9a2c9dce9d02dd3a4f596de277042603cf15dd694800ce2

  • C:\Windows\{5F6A3B75-5CCD-4a75-8079-B64854C42DB7}.exe

    Filesize
    197KB

    MD5
    5db3c689872e6469504b0f76a19e31ec

    SHA1
    6d98063c96b260568fe10aab43b65eb5351662e1

    SHA256
    51d54906e7415d21e278aaad08ac053ecc4a6ee2216fa614977f9a0e2be0bf3f

    SHA512
    84c98954a17a5d338086af1e5eb7575efe8249d497f625dec340c585633759f1f6e5fe9c2d813d550e41bb0bd1ace58a22dcdd45eaf4e5244ed7d49fb558753d

  • C:\Windows\{6F092E89-042A-4a07-A8EF-BE2C0E72E0A0}.exe

    Filesize
    197KB

    MD5
    5ba6854e805176daad8ec33cbbbb362f

    SHA1
    10249623952118c5b5ed62a77398da505a01a96f

    SHA256
    83f81b1e659a665d2aec11335c40e6be18cc30d40349e3613b88106bddadef93

    SHA512
    8792aa494af8959119ef04b6cc9644312a2abb885e763e75818e79df3d8f3e44c2050302ec5540ac5a36148757565ef6647f6f6e20d0f0e6df1abf4d7d8683f1

  • C:\Windows\{C3C3D896-65C9-4269-B2E0-68CF526001C5}.exe

    Filesize
    197KB

    MD5
    e434399788ed1d3a9f561850554d3882

    SHA1
    2ddb7b08107150f36b0479064f7d3ee3953b5cd1

    SHA256
    95ad3dfabbe06a664113a2e3f5a2f9905209e9b6a3d15d42479815afcd4d4e2c

    SHA512
    57f0628ef1319764cbaa3f0009067dbc94cc077269852fb8288e6e658afd2e9d71d62cbd8d55aa860a734d83f2dab4981114b3cde79e4391982ce62deacc3eed

  • C:\Windows\{C84A3C94-099A-4550-90D4-FEF732FE301E}.exe

    Filesize
    197KB

    MD5
    c53cada65f0aae9ddf758daaa5613eaf

    SHA1
    9329dc931db3e747bbb69b752d6059f12e207e2a

    SHA256
    5e5f086ebe80fb0b0483517f9cddd95737bcc4c60a246db2a8f880872085b81a

    SHA512
    544093018bb11f4246ee241f462320bae53c2403ecc598ac63abf879e5a479aeb7d5a4c9e973670abc128fa3a57f7b5ff51f987d7a4b5fd8bdccd3e8ea7ec517

  • C:\Windows\{D006795E-7BDD-4bef-84E0-C4DF2FD7AD37}.exe

    Filesize
    197KB

    MD5
    18151b9edfa5d4de05afdbfc2c7e7524

    SHA1
    7543c574375f583c7a04215fbfdcb20cffe6fc75

    SHA256
    2dd41b6f5f92528c6033d668d382b232c82e4b6835e6c142595788f8fd5c3714

    SHA512
    521dd13cd30ae08768fdf3b12f299a329030512e474b602afe3f73db532d2db7c101f8231ce2693a568a6b96ac50f1f46dbfe52b8c28455b9f0f0c12d7f11f44

  • C:\Windows\{E0356565-AC7A-46b8-B37E-B4E01826C914}.exe

    Filesize
    197KB

    MD5
    9972b236f565d23a0129d52161547462

    SHA1
    9808ba32a2c84e8f6734afa641236c7ce11af06f

    SHA256
    4a56bfec3eb1a099db22b3f1e2d48f0a3bbe368768fdb63812708d7e33646512

    SHA512
    f2dea232b02786d161ab1ef98a68a002632f36406bb41bb2765d730be54ff07a16f069eb386d8ca50ddb5f3c486776cc558c7a65d7844f7341d66bbab783b853

  • C:\Windows\{F7093274-1777-4ac4-B969-E6BE00326EBC}.exe

    Filesize
    197KB

    MD5
    1cf7581d5a88697cccc4e18e87cc7bb9

    SHA1
    b19a93894819855e59315924480436f518fcb46a

    SHA256
    751d7f581e8ac21da26b76f1ef096d196c72fe2d539b6b35ff3e556e9b295932

    SHA512
    307b2732ab4fa693b9a4c8c4638375930045e3c82bfb1f32787eb38bc090ec1079ece9561b4f1c9c29da19fc2b0cf80f536609a16c029ad1e9264b2e4f507ef0