Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:22

General

  • Target

    2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe

  • Size

    197KB

  • MD5

    0da03db861609ce5d2f7075059c41f71

  • SHA1

    11001db7b0c0a83612e91587aa621e17ab36b309

  • SHA256

    4825ad8c88f1fbb6a19c34a89ebd938b91f8341cb30cdb7cf216757b57c1001e

  • SHA512

    718cbda8488a15c19a4cb21b2c5666c639e662c88fac4a081c14b6cc95e64f6190aee42e70f273f6d38183fc90eb03c3897b887b5f35f0cbbea46b59182832ac

  • SSDEEP

    3072:jEGh0opl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGflEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 13 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe
      C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe
        C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe
          C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe
            C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2592
            • C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
              C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2412
              • C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe
                C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:920
                • C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe
                  C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1716
                  • C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe
                    C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2400
                    • C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe
                      C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2920
                      • C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe
                        C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:336
                        • C:\Windows\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe
                          C:\Windows\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:688
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DF668~1.EXE > nul
                          12⤵
                          PID:772
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{63EE5~1.EXE > nul
                        11⤵
                        PID:2824
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A4702~1.EXE > nul
                      10⤵
                      PID:1812
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4462F~1.EXE > nul
                    9⤵
                    PID:1972
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A9E4A~1.EXE > nul
                  8⤵
                  PID:2344
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{36F2B~1.EXE > nul
                7⤵
                PID:1860
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{366BB~1.EXE > nul
              6⤵
              PID:2700
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{08BD3~1.EXE > nul
            5⤵
            PID:2900
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA8A~1.EXE > nul
          4⤵
          PID:2684
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1310E~1.EXE > nul
        3⤵
        PID:2652
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{08BD3BBB-6CB2-4525-BC03-B43296437F33}.exe
    Filesize
    197KB
    MD5
    4dd52e8a894023e4c061c970561dc232
    SHA1
    5e0ba6ed2a726d38f733877c055c13c5157f4c75
    SHA256
    a5d4240b9817ca0fc143b40a8a435903598209675eccd53c855e2c2a2a496213
    SHA512
    4235d06b4f3655112d36dfb67520d4a7900b39a44a963a35d60f78c913dbc01c44682a8a79fb9a6be71d44062e48707b0a77e56645b9a445d1db91a20d433beb

  • C:\Windows\{1310ED04-CCF6-4f4d-A34B-CBA75225ABE1}.exe
    Filesize
    197KB
    MD5
    bf5893a05cac81266ebf0d6fb8b4c11c
    SHA1
    a766204b20e07f0bca823fadb7e38080db5efe00
    SHA256
    120c3c9085cff9bbd5db2bcbe7e357df6dba4718959d8cf484d4a4d6efce55dc
    SHA512
    3c12b41806b250e283598cdfb5d00823d619a1274e638c9f92b8d137fb41d8a51bd7086eb0e944dc1be13deb356c337db5257d50d35093b832760dd5e00384c6

  • C:\Windows\{366BBE7A-64C0-4b5c-82AE-883A8DECEC54}.exe
    Filesize
    197KB
    MD5
    9ac5901230132c027412b44f54a0e257
    SHA1
    9100d2d7fe2916ee1a722aac8bf89422e0e37815
    SHA256
    960837b6f5c71ed52d9d350f80beb307ea0e790c6494484c06f4db97f894dd2c
    SHA512
    8fc7d8bb42a2d8b28d562547a60ecaaba61e8c3f11f9d22ae5f39edbd2c3e5d7bc6a9c1ce13827ed0d017674224d4f21b91aa2b347c0cea6eed58ce1a3c69d91

  • C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
    Filesize
    197KB
    MD5
    9a4df72d514601a3dbdcd44f29c28708
    SHA1
    e8c9a7ce05eabedcb6466c421c129540f451279b
    SHA256
    879a60f6b27897dd1486e681b54d7635f1cbe9c56f69606511fc1573ccc5eb9d
    SHA512
    3a934e80ac23b6fe55032c05469a453c9171eaf7a3c7870f9707cbbe41671f55b03a563e52e6b440a3c29197b117c92b0fb1d66a38e613a9d020d5e43cc107c5

  • C:\Windows\{36F2B4B6-C4FE-4474-BA2D-4449F238ADD0}.exe
    Filesize
    58KB
    MD5
    45b305bdd37c97273ae1ec96d3db6899
    SHA1
    86cf38fb9c0fd9411cdec9f9552e12f0906e0a68
    SHA256
    0c80e797a7452198fab95feb1184ef11c18670c92b01be99e5f4bb7badb41436
    SHA512
    a1a7b9c3ef353bc0f7ee591a1cd30c49cd50159886b0da120302d5b97cbda90e4c9cdf9fac058f6dee3f257eb41c3e5ef0faea5b1a22a55cc57c602d5ae64a9c

  • C:\Windows\{4462F5B2-09EA-47b9-AAED-77F43A96F4B8}.exe
    Filesize
    197KB
    MD5
    97eca6bb2e82095fc1b4ad37aad34c4f
    SHA1
    bb652ce2b3e0770fa5cacd4da40a13dc72777b67
    SHA256
    e0b0bcded9355370bc65734decabcf97cf920026c1e5ac767daafeb077abda4b
    SHA512
    37c2b3b38966242eca4eab8931ac94beaee60ca1bdb6cb86719ba6d7ffaae0d53f3b086b76275cc856337a16e5fa1db24c73cbaf6003fed9fe522b4e875f5206

  • C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe
    Filesize
    197KB
    MD5
    355aafac59eae3c8d6028b44822bb8b2
    SHA1
    f05b6bf032d7dc2a5e56e2bca00eefa06bfd3d26
    SHA256
    19627490c00de9143b078c3f027e1b2d03e75ccf313613f57648ec69439a6dbe
    SHA512
    63bb502885765bf1d21618159f6943719030a9301a331c26452273b1cf91797b28487db8edb38b44f11706118d37f487be58aee527de19642064fb10c7ed0ac7

  • C:\Windows\{63EE528C-5C2A-4ea3-980C-2BA59B2FA086}.exe
    Filesize
    162KB
    MD5
    e1695743024df604140a61181bae51fc
    SHA1
    d5b203f56963314db28e7273de38548754e6dbf2
    SHA256
    9713ae2d0c7dc8f5b204144def75068e2faeb76d4db70212a1d2d300d1b78ca5
    SHA512
    79e7393f9e690a7fd2df4abc99abce127c204a5a74f8c3ded07dba0108ede7e9c1b630acf81a062618968fead1082db5b7bc9a0becf9b0a057d5e90263078968

  • C:\Windows\{8EA8AAC5-5A6B-4efb-B972-2BFF713E9CF4}.exe
    Filesize
    197KB
    MD5
    0a405ef5b6c6a85df73cda88b782d0b9
    SHA1
    2f484c4603d305af7bdf10cf1a3f2f1fa345bd9a
    SHA256
    605d45be6ac9a5c22bb20795ef002dfa24695b9b68d58ed45f8266db200d4457
    SHA512
    8089dc66df0c0553695ffd9634bcb2c727f992da007d9e845df1d1e86718e53c2a03c23903e78cc0fe844e52549e7a26501179b216b496b13ac6c624fe4049f4

  • C:\Windows\{A47029E8-60DC-41f1-886E-2679C02B46F3}.exe
    Filesize
    197KB
    MD5
    97be8a348ae2e835fefcba831b1c97bc
    SHA1
    9d4d3c6521041c269cd6118fd96066ddd14af7aa
    SHA256
    a060c9bf3d5c6acd45ecd0fa34724bc0b43d2835988adb47bf57e426dd7f992c
    SHA512
    f146a51b6cabfd2440d70b09a747ee2a02f415503ad16b60f07d9b0996ff2c064a2486786ed053fa114be08a64bdf9756fe7624f94c3b2e31eca70a5797b04e1

  • C:\Windows\{A9E4A478-96B4-40fc-8CDD-F89C6EEC22A7}.exe
    Filesize
    197KB
    MD5
    ac9ab5a456d663231ba2407492d2eddf
    SHA1
    7a6f6e4ca8c4bee1060555ddc2009bb564e74d96
    SHA256
    5ef8ae8de119e858043392dae9733b6fb1078afc4b836940d45458264eea0996
    SHA512
    8555bfd89866362c2e205a38b67ffcea67c3ffb29d0793de168936fb63c316dbf810ffee35bb520b7ada604144933fa247b123c8c13bdf4b4b50b057c43cf1cd

  • C:\Windows\{C022BA33-3522-42fc-A99E-80F6E8CA601B}.exe
    Filesize
    197KB
    MD5
    2fd17add3928887ea89e93f448867163
    SHA1
    1a89311d494a8309295d417f372febd9225a26d7
    SHA256
    77901ab2afecb8fcda8bd3a79d40983e75ded7562021b2265231a850d38b6a25
    SHA512
    b85421fe6cf71dcef830fb40087dc5baf96dea8160a71ce5022e9647a2324c16a65dc9a8e35d2916500548da1ba714df6b4871047dfb4e0e8048113d1771a298

  • C:\Windows\{DF668AF4-9D2D-4f77-A237-8ADC5111FC6F}.exe
    Filesize
    197KB
    MD5
    7a7ad37f6f336e30ddb3f37aa4300917
    SHA1
    99f79c54d61aada85fab3884fc241327e32af862
    SHA256
    2bd8a6e89bb3888ca900d151877c303873a9de11803ce797e392c87a52853b26
    SHA512
    5f8aeba4c490572333f4ece215422daf358ade01a3c30bb36778695a0b0de55b3fd8106afba6737bb60cec2a006cf2a009e247ba0ee69e1eb626a9b9a2854482