Resubmissions

02/03/2024, 23:37

240302-3l9thaah53 8

02/03/2024, 23:26

240302-3ev2rsag46 10

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:26

General

  • Target

    2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe

  • Size

    408KB

  • MD5

    5264be32e86275d2fbdda6a68bc09148

  • SHA1

    bd73f0431bae5e161f6c51b23d8ecb479e4105f1

  • SHA256

    83be2346e78cbcf6e06dc63789dcbfcfb87fecabc7b49f354fb6bcee7706c54e

  • SHA512

    deb386b08978fbe23c46b93b774440ffc767d6bd8a3f5faeaf696c812b7e94992cb13ef5a157457aa249c499b3e785968a4d53582759f097d51d2e60a5df0f16

  • SSDEEP

    3072:CEGh0oCl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGUldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe
      C:\Windows\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe
        C:\Windows\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe
          C:\Windows\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Windows\{754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe
            C:\Windows\{754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2364
            • C:\Windows\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe
              C:\Windows\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:564
              • C:\Windows\{D066109B-3839-4e70-AE65-57F51B4909EA}.exe
                C:\Windows\{D066109B-3839-4e70-AE65-57F51B4909EA}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2724
                • C:\Windows\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe
                  C:\Windows\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:916
                  • C:\Windows\{8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe
                    C:\Windows\{8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1540
                    • C:\Windows\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe
                      C:\Windows\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1460
                      • C:\Windows\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe
                        C:\Windows\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2776
                        • C:\Windows\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe
                          C:\Windows\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2076
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E3CA6~1.EXE > nul
                          12⤵
                          PID:1952
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1708~1.EXE > nul
                        11⤵
                        PID:1988
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D051~1.EXE > nul
                      10⤵
                      PID:820
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7C6F~1.EXE > nul
                    9⤵
                    PID:2352
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D0661~1.EXE > nul
                  8⤵
                  PID:2204
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7702B~1.EXE > nul
                7⤵
                PID:1408
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{754F4~1.EXE > nul
              6⤵
              PID:2596
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0EBBC~1.EXE > nul
            5⤵
            PID:556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1F1D5~1.EXE > nul
          4⤵
          PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45545~1.EXE > nul
        3⤵
        PID:2624
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1072
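The tree shows one repeating pattern, twelve stages deep: each process writes a GUID-named copy of itself into C:\Windows, starts it, registers under Installed Components (the sandbox's name for writes to the Active Setup key, HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components), and spawns cmd.exe /c del on its own binary using the 8.3 short name ({45545~1.EXE for {45545256-...}.exe), which succeeds once the parent has exited. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line says system32, i.e. the sample is 32-bit and file system redirection applies, consistent with the arch:x86 tag. The detection logic below is an added example written for this page, not code from the sandbox vendor or from the sample: EVENTS is constructed from the PIDs and command lines in the tree (plus one benign build-tool cleanup for contrast) in the shape any process-creation telemetry carries, and short_name_83() is an approximation of the Windows 8.3 alias that assumes the ~1 slot is free. A rule that compares the deleted path literally against the parent's image path would miss every one of these deletes; normalising through the short name is what makes the match.

```python
"""
Detect the self-replacing GUID-exe chain from the process tree above.
Added example for this page; EVENTS is constructed from the report's own
PIDs and command lines, and short_name_83() approximates 8.3 aliases.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# GUID-named executable directly under C:\Windows (case-insensitive).
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I)
# "cmd.exe /c del <path> > nul" with the deleted path captured.
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul\s*$", re.I)

# Constructed process-creation records taken from the tree above.
EVENTS: List[Event] = [
    {"pid": 2184, "ppid": 1700,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe"'},
    {"pid": 2908, "ppid": 2184,
     "image": r"C:\Windows\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe",
     "cmdline": r"C:\Windows\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe"},
    {"pid": 1072, "ppid": 2184, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
    {"pid": 2748, "ppid": 2908,
     "image": r"C:\Windows\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe",
     "cmdline": r"C:\Windows\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe"},
    {"pid": 2624, "ppid": 2908, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{45545~1.EXE > nul"},
    {"pid": 2444, "ppid": 2748,
     "image": r"C:\Windows\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe",
     "cmdline": r"C:\Windows\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe"},
    {"pid": 2820, "ppid": 2748, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1F1D5~1.EXE > nul"},
    # Benign contrast (constructed, not from the report): a tool deleting its log.
    {"pid": 3100, "ppid": 3000, "image": r"C:\Tools\build.exe", "cmdline": r"C:\Tools\build.exe"},
    {"pid": 3101, "ppid": 3100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Tools\build.log > nul"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def short_name_83(name: str) -> str:
    """Approximate 8.3 alias: names that already fit are uppercased; longer
    ones become the first six characters + "~1" + a 3-char extension."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = ext, ""
    stem = stem.replace(" ", "").replace(".", "").upper()
    ext = ext.upper()
    if len(stem) <= 8 and len(ext) <= 3:
        return f"{stem}.{ext}" if ext else stem
    return f"{stem[:6]}~1.{ext[:3]}" if ext else f"{stem[:6]}~1"


def find_self_deletes(events: List[Event]) -> List[Tuple[int, str]]:
    """(pid, image) of every process whose child cmd.exe deletes that
    parent's own executable, matched by long or 8.3 short name."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        if basename(str(e["image"])).lower() != "cmd.exe":
            continue
        m = DEL_CMD.search(str(e["cmdline"]))
        parent = by_pid.get(e["ppid"])
        if not m or parent is None:
            continue
        target, pimage = m.group(1), str(parent["image"])
        same_dir = dirname(target).lower() == dirname(pimage).lower()
        same_name = basename(target).upper() in (
            basename(pimage).upper(), short_name_83(basename(pimage)))
        if same_dir and same_name:
            hits.append((int(parent["pid"]), pimage))
    return hits


def guid_chain_depth(events: List[Event]) -> int:
    """Longest parent-to-child run of GUID-named C:\Windows executables."""
    by_pid = {e["pid"]: e for e in events}
    memo: Dict[int, int] = {}

    def depth(pid: int) -> int:
        if pid in memo:
            return memo[pid]
        memo[pid] = 0                       # guards against ppid cycles
        e = by_pid.get(pid)
        if e is not None and GUID_EXE.match(str(e["image"])):
            memo[pid] = 1 + depth(int(e["ppid"]))
        return memo[pid]

    return max((depth(int(e["pid"])) for e in events), default=0)


def assess(events: List[Event]) -> Dict[str, object]:
    """Two or more GUID stages plus at least one self-delete is the pattern."""
    deletes = find_self_deletes(events)
    chain = guid_chain_depth(events)
    return {"guid_chain_depth": chain, "self_deletes": deletes,
            "suspicious": chain >= 2 and len(deletes) >= 1}
```

Run on the constructed events this flags three self-deletes (PIDs 2184, 2908 and 2748) and a GUID chain of depth 3, while the benign build.exe cleanup is not matched because the deleted name differs from the parent image. The short-name helper is deliberately simple; on a host where several names share the same six-character prefix the alias may be ~2 or higher, so production logic should resolve the real short name from the file system where it can.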

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe
    Filesize: 408KB
    MD5: 0cb7faf44fd1e224eecfa72981397be6
    SHA1: c60124666fe6dc7ab51b926b72fc5adc2d3c9b50
    SHA256: 28857e1c689c77b07bb49ab0365fe4b6916c31d9db047405c93b87c7f3a8a409
    SHA512: db6e85571ba9564f2454ef7b2dc6236ff35e5cef45851fe9b489f53ba72090a3d49966bed8737fec747ecbea26dda98d06e3d721fa35f92b59335dc1dcafce48

  • C:\Windows\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe
    Filesize: 408KB
    MD5: 05f98110f48164aeeff06f3477efc596
    SHA1: 77c32c85d6fa432dd46cdc4e0373d4cc52a5112f
    SHA256: 4e2b108fe4815dd357d50e04803fdacaf1724739fd3d0139ab4b89484694b9b0
    SHA512: 172f8bb8e0ff250f0cd05a117559ee767f277034126ecc54de6d6b3365e19782136bdbd09785ff2d7cddbffbb0cde29a759852c9677a950e5c142946820d049c

  • C:\Windows\{45545256-78E1-4cec-8C7F-EE66914D6709}.exe
    Filesize: 408KB
    MD5: d7ccccc35a9d71e61b8399f11bcd901e
    SHA1: a7ae1225c316ae772fed6e92aaff5e795295c22d
    SHA256: 9c3010aef39f5e8e5176c7bdf383d2ac0461f9a70287c72d3dd6aad5f2d89333
    SHA512: 08468f65e8262e9becd29f35b62995fbca36f80790919acf933c201d341e0ee07fbcf12b041eb3d397ee3b01185c5dc48633c70cea03cb54ba944db5ec15dccc

  • C:\Windows\{754F45FB-7D04-4bf9-A437-2C5387617E6A}.exe
    Filesize: 408KB
    MD5: d3be2b51f2ab92d124926aad488c168c
    SHA1: 89c8f66de553e7631a0315d41b7327b955154b2b
    SHA256: 002a30cc81b0a763da791a114e3dd3f893c825c2aed2e98188b7900c7b9c902a
    SHA512: b0586ad1e3876d93cfd8b3ffe522794d63bf619bbc1c8afa9d6af3daf4a5af0631057d53162b6e35e2fc4cb19aa29b6b6a9b2ea3aa0586ef8801338b674aa50e

  • C:\Windows\{7702B487-E2AF-4aa1-8B17-1B2C4FFCE159}.exe
    Filesize: 408KB
    MD5: 907f40b6a894bd0106532fa6c96bbbe0
    SHA1: 6f59c01e62c5516fd0a0640f4b3cbf19ee020c91
    SHA256: 54bf8e767fe59a50fbd41abc35dbc2afb6f39e9ccaaaaa0697e005aa935dd6e6
    SHA512: 7488bfa26c4dc073f4cc594b65efab747555f186355950e041bd0fbfd5c3001206cc6f462df647067aa528847ea2d87db79cbd3e96234bb319533bf61da8eab0

  • C:\Windows\{8D0518C9-C498-4069-AEB3-707DE9566E4C}.exe
    Filesize: 408KB
    MD5: be08561e998ca9fe6f9a4cf777c905e9
    SHA1: 7ba05a9d361bc986f4bd4198aec008a9ea3ee333
    SHA256: 7d5738259ed07aa77514d029b4b82050446c39dff5528df738d81a9c238ccc43
    SHA512: 8554393f5ed41db56335a90c64b26e8c6836423826224e4bb64369c7dcadd14e445657027304a49fc15621994b274dcfab3929dbc0a7811b3468b2532e0cab61

  • C:\Windows\{A7C6F47F-0590-47d1-AF5E-40FB21CACD2B}.exe
    Filesize: 408KB
    MD5: 7fbf8053c02d832980fc65f9ccf5e6d7
    SHA1: da223729b4e777b10ca5141e7f887f5580bd5d48
    SHA256: 658677cb75b3e90b658e056d9becd7d47f2c2faca7914c38935592731b11235b
    SHA512: 309467f994d3360ad3bce3c5d0b9ac84b3a108bfb09ee2d3c9f1f7f17744f89a40b3100ea67e4b91291e0317378d344b4c4502fe28a54092d98e8b4fb86310f2

  • C:\Windows\{B1708D3D-B8A9-497e-82E3-32E7414F1FCA}.exe
    Filesize: 408KB
    MD5: c2498f5f2a9e7734fdf0e74c7ef25079
    SHA1: 4b45c5e97ee9630241eb465d06392c01d8a2a156
    SHA256: 0738f91bf24b56dd57246b755fb52b7e71f06e4017737dd3d0e20ebf71029428
    SHA512: e187a3d9acd3e65ba275265f558b6ddf9180c7a6858322affc7b166c42af0bc8c1986cdb92ead6be2a3a570075b5e45af2d09febc9ce045d5df7d060feabee8c

  • C:\Windows\{D066109B-3839-4e70-AE65-57F51B4909EA}.exe
    Filesize: 408KB
    MD5: 255d063443e28979bbf79e15df2cd98f
    SHA1: f8fd35f0c65d910820868996cd228fe7d058a1ab
    SHA256: 4c1925f4bb9f7d226d745c84b7de464a2c25add9fe23366443ae6f40234f67e4
    SHA512: 066b290dd3ca1ae8cb3e7d40094051321aa1d6decf43b174e9c792c0032169d31fddf844841de3e4214d0f56166987adf7e711bb7e41895e4fa827d34bc63609

  • C:\Windows\{E3CA65F8-37FF-4e7e-9994-D58927B5DF54}.exe
    Filesize: 408KB
    MD5: eac2eff686ba1c7a41db696aa6de0376
    SHA1: 2a3027690e2cb1b18222785e4a64070f69789ae8
    SHA256: 21267c7a674f891aa5815051e6278b5999a3ee3b163b6bfd66855446105e17cd
    SHA512: f7ea42a90ddd0f343d161209ac1e5be9d7dbc1c0bf98a4393d2c326d16ca2cc2b51bbc3f76c31c8e0e4d82f050f83620f911b38b4bb1ae87cb129f3653974ea0

  • C:\Windows\{FA1EFDAA-C6B8-4cb2-B94D-8B2E0DB482E2}.exe
    Filesize: 408KB
    MD5: 72d2073bf625dbcbfa5d11aedbcf3c5f
    SHA1: 9d4744b2adb1fad1601b496625fc689a9cde356b
    SHA256: 0bb310248486906a90d1d51815d3dbb9dae7458c59ea4532c03b6d71e7b48ea2
    SHA512: 9de8ae962a11412f38f66e7449b734208cab0132aa1c71f44c9305a78cc1c9ce3513cbbeb00dbcab798bc9c6330549a1852b29a977cb8e0a1bbd307ea9e67192
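All eleven dropped files are 408KB, the same size as the submitted sample, yet every MD5/SHA1/SHA256/SHA512 differs: each stage rewrites its copy before running it, so a hash blocklist built from this report matches this run only. The hashes are still useful as retro-hunt IOCs, and the parser below is an added example for turning the listing into structured records with a sanity check on hash widths; it is not code from the sandbox vendor. SAMPLE is a constructed excerpt that reproduces two of the eleven entries in the report's label-on-one-line, value-on-the-next layout (blank lines removed), and the parser also accepts the one-line "Label: value" form.

```python
"""
Parse the dropped-file (Downloads) listing into records, validate the hash
fields and summarise. Added example for this page; SAMPLE is a constructed
excerpt of two entries copied from the listing above.
"""
import re
from typing import Dict, List, Set

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ENTRY_RE = re.compile(r"^[•*-]\s*(\S.*)$")                   # bullet = new file
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*:?\s*(.*)$")

SAMPLE = r"""
• C:\Windows\{0EBBCC06-31D6-4575-B558-D4C8DC62A4B6}.exe
  Filesize
  408KB
  MD5
  0cb7faf44fd1e224eecfa72981397be6
  SHA1
  c60124666fe6dc7ab51b926b72fc5adc2d3c9b50
  SHA256
  28857e1c689c77b07bb49ab0365fe4b6916c31d9db047405c93b87c7f3a8a409
  SHA512
  db6e85571ba9564f2454ef7b2dc6236ff35e5cef45851fe9b489f53ba72090a3d49966bed8737fec747ecbea26dda98d06e3d721fa35f92b59335dc1dcafce48
• C:\Windows\{1F1D5380-4249-4d9b-84B3-099DE7E080CD}.exe
  Filesize
  408KB
  MD5
  05f98110f48164aeeff06f3477efc596
  SHA1
  77c32c85d6fa432dd46cdc4e0373d4cc52a5112f
  SHA256
  4e2b108fe4815dd357d50e04803fdacaf1724739fd3d0139ab4b89484694b9b0
  SHA512
  172f8bb8e0ff250f0cd05a117559ee767f277034126ecc54de6d6b3365e19782136bdbd09785ff2d7cddbffbb0cde29a759852c9677a950e5c142946820d049c
"""


def parse_dropped_files(text: str) -> List[Dict[str, str]]:
    """One dict per dropped file: path plus Filesize/MD5/SHA1/SHA256/SHA512."""
    entries: List[Dict[str, str]] = []
    pending = None                      # label whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"path": m.group(1).strip()})
            pending = None
            continue
        if not entries:
            continue                    # text before the first bullet
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2).strip()
            if value:                   # "MD5: <hex>" on one line
                entries[-1][label] = value
            else:                       # bare label; value follows
                pending = label
        elif pending:
            entries[-1][pending] = line
            pending = None
    return entries


def validate(entry: Dict[str, str]) -> List[str]:
    """Fields that are missing or not the expected lowercase-hex width."""
    problems = []
    if "Filesize" not in entry:
        problems.append("Filesize missing")
    for label, width in HASH_LEN.items():
        if not re.fullmatch(rf"[0-9a-f]{{{width}}}", entry.get(label, "")):
            problems.append(f"{label}: expected {width} lowercase hex chars")
    return problems


def sha256_set(entries: List[Dict[str, str]]) -> Set[str]:
    """Blocklist-ready SHA256 values from entries that pass validation."""
    return {e["SHA256"] for e in entries if not validate(e)}


def summarize(entries: List[Dict[str, str]]) -> Dict[str, object]:
    """Files, distinct hashes and distinct sizes: equal sizes with all-distinct
    hashes is the signature of a stage that rewrites its copy each time."""
    return {"files": len(entries),
            "distinct_sha256": len(sha256_set(entries)),
            "sizes": sorted({e.get("Filesize", "?") for e in entries})}
```

Fed the full listing, summarize() reports eleven files, eleven distinct SHA256 values and a single size, which is the reason to pair these hashes with the process-tree behaviour rather than rely on them alone.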