Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:23

General

  • Target

    2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe

  • Size

    204KB

  • MD5

    1f57b3b2e0426da9841dcf20c031e1cd

  • SHA1

    a98d6c1eaa825a4321d01c66ab5df496002effb5

  • SHA256

    73a7aea95d6e7f8a274bfed7b82ef7bd0c2faa8a042c8f59cdf44f7b73491df5

  • SHA512

    dee901fd35c0aaba529b039fd744e90068bc6111dd9f1fc6760572a4abce07a8a9a0b347ff38441248139acb41970813f2805cc21a45ac0db5c7846bec8adee8

  • SSDEEP

    1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
      C:\Windows\{F457DAC7-26F7-4c0c-A1CA-7B2D1C9169E9}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
        C:\Windows\{444EF7BA-BE70-4446-85C4-5A830E9ABDDD}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
          C:\Windows\{4160388C-A54B-48e5-AFD9-EA793FA0A672}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2388
          • C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
            C:\Windows\{BC102FD7-B054-4e21-BE16-B24A9E98ECB6}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1392
            • C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
              C:\Windows\{1BA58297-FFD3-44db-A01C-C17A5F501696}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1880
              • C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
                C:\Windows\{33ECD5B9-E5B1-466f-9941-09DE1C5F220D}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2908
                • C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
                  C:\Windows\{89494701-917B-4d69-8BED-1BB7753C5AF0}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1252
                  • C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
                    C:\Windows\{EC1B66EA-A08D-469a-8F58-3EFA8123E4A1}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2520
                    • C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe
                      C:\Windows\{DA80D9EC-FEC2-4e2e-ADEE-A555836E78C2}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1740
                      • C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe
                        C:\Windows\{A65D97F5-C01B-46e6-963A-B83CF1CEDD59}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1288
                        • C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe
                          C:\Windows\{C6ADCE41-3B0D-4494-B7B6-F2B7920A2C86}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:676
                          • C:\Windows\{9B6FA4E9-8460-4cbe-850F-098448677A80}.exe
                            C:\Windows\{9B6FA4E9-8460-4cbe-850F-098448677A80}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3068
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C6ADC~1.EXE > nul
                            13⤵
                            PID:1444
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A65D9~1.EXE > nul
                          12⤵
                          PID:2248
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA80D~1.EXE > nul
                        11⤵
                        PID:2868
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC1B6~1.EXE > nul
                      10⤵
                      PID:2312
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{89494~1.EXE > nul
                    9⤵
                    PID:2744
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{33ECD~1.EXE > nul
                  8⤵
                  PID:1324
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{1BA58~1.EXE > nul
                7⤵
                PID:1892
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BC102~1.EXE > nul
              6⤵
              PID:2780
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{41603~1.EXE > nul
            5⤵
            PID:580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{444EF~1.EXE > nul
          4⤵
          PID:2992
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F457D~1.EXE > nul
        3⤵
        PID:2588
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2572
