Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:27

General

  • Target

    2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe

  • Size

    408KB

  • MD5

    60519da15958b25e42df8453c8d8608d

  • SHA1

    bd54a40bdff07aef1ce2c870492368b064982458

  • SHA256

    620766325486b4b603153ed34ab08978e3da9627f47f0b56623d4ef551b23671

  • SHA512

    badebc03c40bb371ec5748115c4dfd8ebbaa639034d524fbc1a631e3bd756ebfb380873957281c6443d97ddefed8bf77a935ce07dee37f35d578b96c95359c06

  • SSDEEP

    3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGvldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
      C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
        C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe
          C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
            C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1732
            • C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
              C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2992
              • C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
                C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:868
                • C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe
                  C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:768
                  • C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
                    C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1968
                    • C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe
                      C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2192
                      • C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe
                        C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1724
                        • C:\Windows\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe
                          C:\Windows\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:308
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8249B~1.EXE > nul
                          12⤵
                          PID:1500
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C379~1.EXE > nul
                        11⤵
                        PID:2172
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4D189~1.EXE > nul
                      10⤵
                      PID:2132
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{BAA3A~1.EXE > nul
                    9⤵
                    PID:348
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{EA1E6~1.EXE > nul
                  8⤵
                  PID:2680
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EFCF6~1.EXE > nul
                7⤵
                PID:2664
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{75BB0~1.EXE > nul
              6⤵
              PID:2996
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0FE45~1.EXE > nul
            5⤵
            PID:2836
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{407A3~1.EXE > nul
          4⤵
          PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45B6E~1.EXE > nul
        3⤵
        PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2176

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0FE45463-3B10-498a-85C2-E94266581A59}.exe (408KB)
  • C:\Windows\{407A3AE2-0B21-43b7-9A61-B748D5619F08}.exe (408KB)
  • C:\Windows\{45B6E455-FAED-46ac-AC9F-0AEF0E2F09A6}.exe (408KB)
  • C:\Windows\{4D1890CF-B3E9-44fc-AAD7-7888E98BB161}.exe (408KB)
  • C:\Windows\{75BB0762-CCBC-4ae0-A605-FFDCD30C45A6}.exe (408KB)
  • C:\Windows\{7C3799C4-2489-4948-A95C-CF8AFB117F51}.exe (408KB)
  • C:\Windows\{8249BCF6-A546-4459-A6A5-CF77F0495C2B}.exe (408KB)
  • C:\Windows\{9E279C3D-B64F-498a-A24C-CD6F6F76EE16}.exe (408KB)
  • C:\Windows\{BAA3AC43-A49C-490d-8B96-E30880475306}.exe (408KB)
  • C:\Windows\{EA1E627F-18E7-4d4f-BD06-E197EC6804B2}.exe (408KB)
  • C:\Windows\{EFCF6994-F7B1-461b-9BFF-A3C4935932C5}.exe (408KB)