Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:26

General

  • Target

    2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe

  • Size

    408KB

  • MD5

    5563717ece795b8d9bcdf32e23573d0e

  • SHA1

    64560ef9cb7b54b3c16a5cebbf8a79e68ddf4b32

  • SHA256

    07490cb10169d4341dce83e183cf3cb2daec726e0c991bcb2c9d959ba3b57615

  • SHA512

    51b34fd5a59962732707f669897a6c8ab3c15e8103b8f223caae38e568b439c19de8508e3d01928e82bf280fbbadf6334019faf593aa9201df29bcc251c62874

  • SSDEEP

    3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 20 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Drops file in Windows directory 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
      C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
        C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
          C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:576
          • C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
            C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1736
            • C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
              C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1772
              • C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
                C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2452
                • C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
                  C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2628
                  • C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe
                    C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2700
                    • C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe
                      C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1600
                      • C:\Windows\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe
                        C:\Windows\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe
                        11⤵
                        • Executes dropped EXE
                        PID:3024
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{73BE2~1.EXE > nul
                        11⤵
                        PID:3004
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{43366~1.EXE > nul
                      10⤵
                      PID:2940
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{ADC1D~1.EXE > nul
                    9⤵
                    PID:1868
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{467F6~1.EXE > nul
                  8⤵
                  PID:2856
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE6B~1.EXE > nul
                7⤵
                PID:2552
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4ADE3~1.EXE > nul
              6⤵
              PID:2616
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A845F~1.EXE > nul
            5⤵
            PID:564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D7D9C~1.EXE > nul
          4⤵
          PID:704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D442D~1.EXE > nul
        3⤵
        PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{433668F4-6242-4c2e-A412-0D1760A89D27}.exe
    Filesize: 408KB
    MD5: 6e8d91f8ec471520e97c8fca40c26afa
    SHA1: e0c94df57408cf42667c5f1c5814138de90f2386
    SHA256: d59ad072aab0e1bb5a539f540dbf2838b76086784dc5936859cdbec33cce83ea
    SHA512: 712fa21dbb9b5f4957b00fba12689fad495d5aba1a6bf93d20cb40405916eee27d8ccc74c30e27b9257043bf13ee5f4f121426b3cf1b1408b8454ab0c122960e

  • C:\Windows\{467F62E4-A9F6-4496-8D3A-12761792D9FE}.exe
    Filesize: 408KB
    MD5: 8b8e854f32b8d27f81972379dda156dc
    SHA1: 250a2d041b6ddf6e1716b96ed36f111a454fe028
    SHA256: b6903abd071477d67f89a97e7520cbdae6c5127a92863c3df1c0dd243c3d58e4
    SHA512: 165f3a87f2eef26837201f719d8585772f6e7151cbd59db5f3f6bfbac7a03efa1ce75c437bd98991a4b8eb1822bb1a707982fde8034eacd7b49d2ea399f873a4

  • C:\Windows\{4ADE3DED-D8B0-48f2-8DA3-1CEAFA088E3B}.exe
    Filesize: 408KB
    MD5: f0c49411699a6322532563223601d959
    SHA1: 1a2e2e57808141909bbe3157a4f48a7ab31d78c1
    SHA256: 4aad20ac973aad8128a05439926c7f446e6e5744594a349d47bb851daa472e28
    SHA512: f45d98e1fcd2ba4fffb16ad03a1f0a2ba7cce3c8a24b1920843d08a606c791cd80e4567ff94fd88a7348a3b18a94f26c8cef7ad9be4b388e72d9eadd5b44041d

  • C:\Windows\{4AE6B544-9626-4129-85B6-66F9CFA910A8}.exe
    Filesize: 408KB
    MD5: dd4645c9aeb2b0966587bdb8f27f5646
    SHA1: 4fc98d2eb8850f3707816927c8826275eaebe184
    SHA256: f95a4b55b4aa6eddceeb58b5efb9412ca223aa4b89105a46000d7f3192031302
    SHA512: 19d1815041ea4d2d98b8f30572c8ea7f3ba3c6deb300eaf34147a1a19336b2add464d11d06b5317ca687928b9a56a9a660d49d1d4d5db9ee1a94cb8f604bc3d4

  • C:\Windows\{73BE235A-C140-4c57-82F5-4A2B196B5C95}.exe
    Filesize: 408KB
    MD5: 8a8a9e54ab5f3e9ef5e571e3697d2450
    SHA1: b41ecbd632760f9a88cae67941c8718e4b5f06fb
    SHA256: 5d54f9f7df2225f2502013e11e5f6c99ea8471a6bec9938db8c8a691b39d19b1
    SHA512: 7af4510303f4f9b954ac27623e02968106769d004c98484612b122a35defb464b44bd03d81e8e5a0e36d01abce5dbeb8d12d571a4412b5bdf65d8bbd672b05a3

  • C:\Windows\{A081A041-FB51-4b83-A4F2-DB029A990789}.exe
    Filesize: 408KB
    MD5: 934822e66a124a591ef45fbc90a70da0
    SHA1: b0e6ed8f13f9eebb72b901566710eb463f35d3dc
    SHA256: 065e9a0767f62e53846da57f017aff07b4ed58b78755dc61c466c4c7550b3940
    SHA512: e5f8965202a65f3892e4872f480d08f136c16ec79f618fca5259ffcfe0a0533c5a34c4e1d96b415208b0fde7ae657754bfe51604816be4e34dbb366c158194d3

  • C:\Windows\{A845F28C-F7C1-44ed-9F8B-A8959B9D1D2C}.exe
    Filesize: 408KB
    MD5: 0f736fdecc7a78c09c5767e7dd375d4b
    SHA1: c0335e4fe82e3b82989af7ef7b1d0b03e121b472
    SHA256: 6c378c3cf2a88ddceb778fd1b645ebdfdb18775fc1429ba40e09c00ca54ae844
    SHA512: 9d463dc532374c629e954f84b1b76fb570046f966821fcd3ccacf48ec4bb6bc8acab2ef80d3b3e20451001002738a3b7ed6194c4db847d3840d3234bd81e82db

  • C:\Windows\{ADC1DFDD-0244-4506-97BB-3F84CE6D3318}.exe
    Filesize: 408KB
    MD5: 98063389c3f8bd8f2f95c1d313b0e7f3
    SHA1: fa28e9808d48b2b26d91ee2eac369d0d2aaeee6f
    SHA256: b0098d332c4c5bb6adae0b3bc8ead451bbf49035c417b1aced56e4299e6dd120
    SHA512: 20d3430e54a5138b1479f24ee9b82437b4493f6c0f85c1f552c36829f5d808e1abc53f64afda44da24b7828c0da8a95539808aa425a1f6a793c104cf36d02bca

  • C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
    Filesize: 64KB
    MD5: 2ce0b4053f2e21485822e3f3b2384418
    SHA1: e5eab5b79aa8aaca244b2ea18cdd2f0bfdf21780
    SHA256: 0f5630f8d3f48aa9a3edb9b2d8151e5717fd3a5337540ee7cac53098dba8acdf
    SHA512: 86163ad58b73ba8fbcf7183e87b7d5d02630049a7ee59f0397fa13dc7e418dd1b069aa37ed3ba99080dd1782673fd3b6b6bfd3422fbca92c5fbc28d5a1c08291

  • C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
    Filesize: 5KB
    MD5: dced0a3c1d041f2fcb706e6f962b402a
    SHA1: 6797bc1f4a8baed184c85735ddad0a23090eb837
    SHA256: e52366a6556982967a3c8aaf1ded9e8a542cd439cbea425956e1e99cfd6fa3d4
    SHA512: c20acdfff30caecf2b3f36c1b351e1ce1d07772c94c3f9007d6dfce7217d51054af3563cb1d8084456fafc3a47351ccc77fab4e1b697b12813f301ecfafb3544

  • C:\Windows\{D442DA56-6D21-4011-9C2A-9A090EDD21E7}.exe
    Filesize: 408KB
    MD5: 07f48b6695face04080bcf29eb53f18d
    SHA1: fa23341aa93bbf220603c133cb478ba5585bcffd
    SHA256: 14beea22ce46f1c5041f82e3a0f38e47722b2f4dcbcdb2c3a456621ac095c640
    SHA512: 42ffd741bb4f3b3fb944d48fff5ca9f1f805ca9e395dd3528c82c6faacf4f995b7ccc04ad7d6c5fc29aae5624f9a08c4b2ed5ff17d4297cb70a98846cfce0488

  • C:\Windows\{D7D9C351-A5C8-4e19-A87B-4D6D49A71BAD}.exe
    Filesize: 408KB
    MD5: 3857a898f9e9e2fc078f13e00414eb2d
    SHA1: 0ad990dff042eeb4846367c468036f10ad7e6d3e
    SHA256: d58f5cddac02ed231266560fe9b0c14138542184623c61c773be8285328de63a
    SHA512: 535f816deec5472cd49ec2da6d0d4bd57cf92d4a6298300af73a645399134f358cd7db1fb2f63193ce1465c041fab0bf2d3047cdc5572108033b37b4dffe7056