Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:27

General

  • Target

    2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe

  • Size

    168KB

  • MD5

    635a3c6b18af3c5dd32a436fb72efa92

  • SHA1

    08a6d06c96872312e9ca0002face7a846d47e040

  • SHA256

    e1770ead4434b67171cf14b48930772591b925b0fd06f781d53dde21a5047f8f

  • SHA512

    c6282bbfbf9b4681735aa2dea1652ea8daf81c9d4e9f06ca5805f04f4b88176d0740bf6575d38dce4518131266cf226f1c5f5494f8f656d257a1c116f435f8ff

  • SSDEEP

    1536:1EGh0otlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0otlqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
      C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe
        C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
          C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2824
          • C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
            C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
              C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2748
              • C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
                C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1368
                • C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
                  C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:744
                  • C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe
                    C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1180
                    • C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
                      C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2064
                      • C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
                        C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1728
                        • C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe
                          C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:3024
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5BB35~1.EXE > nul
                          12⤵
                          PID:1096
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{28066~1.EXE > nul
                        11⤵
                        PID:2992
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{519F3~1.EXE > nul
                      10⤵
                      PID:2260
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{DDDC3~1.EXE > nul
                    9⤵
                    PID:876
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{11DE0~1.EXE > nul
                  8⤵
                  PID:268
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D026D~1.EXE > nul
                7⤵
                PID:1028
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{59E02~1.EXE > nul
              6⤵
              PID:1592
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{48A62~1.EXE > nul
            5⤵
            PID:2380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{96201~1.EXE > nul
          4⤵
          PID:2960
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BDAD~1.EXE > nul
        3⤵
        PID:2552
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2568
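Every stage in the tree above repeats the same three steps: write a {GUID}.exe into C:\Windows, execute it, then remove the current stage with `cmd.exe /c del <8.3 short name> > nul`. The script below is an added detection example, not part of the sandbox report or of the sample itself. It runs over constructed Sysmon-style process-creation records whose PIDs and paths are copied from the first stages of the tree (PID 1500 as a hypothetical explorer.exe parent and one benign cmd.exe deletion are invented for contrast) and flags two things: a cmd.exe deletion whose 8.3 target resolves to the parent process's own image, and a GUID-named executable in C:\Windows launched by a Temp-resident or GUID-named parent. The record layout, the 8.3 prefix heuristic and the `\temp\` parent test are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 shape; field names are ours)."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line as logged


# Every dropped stage in the tree is C:\Windows\{GUID}.exe
GUID_EXE_RE = re.compile(
    r"^[A-Z]:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE,
)
# The self-delete idiom: cmd.exe /c del <file> > nul
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>[^\s>]+)\s*>\s*nul", re.IGNORECASE)


def short_name_matches(short: str, long: str) -> bool:
    """Does an 8.3 path such as C:\\Windows\\{5BB35~1.EXE plausibly name `long`?

    Heuristic (assumption of this example): same directory, same extension, and
    the text before '~' is a prefix of the long base name. Only the filesystem
    knows the real alias, so two siblings sharing their first six characters
    would both match.
    """
    sdir, _, sfile = short.rpartition("\\")
    ldir, _, lfile = long.rpartition("\\")
    if sdir.lower() != ldir.lower():
        return False
    if sfile.lower() == lfile.lower():          # plain long name, not an alias
        return True
    sbase, _, sext = sfile.rpartition(".")
    lbase, _, lext = lfile.rpartition(".")
    if "~" not in sbase or sext.lower() != lext.lower():
        return False
    prefix = sbase.split("~", 1)[0].lower()
    return 0 < len(prefix) <= 6 and lbase.lower().startswith(prefix)


def detect(events: List[ProcEvent]) -> Dict[str, object]:
    """Return the dropper-chain indicators found in a batch of process events."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    self_delete: List[int] = []   # PIDs whose own image was deleted by a child cmd.exe
    guid_stage: List[int] = []    # PIDs of {GUID}.exe stages launched by Temp or another stage

    for e in events:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if parent is None:
            continue
        m = DEL_RE.search(e.cmdline)
        if m and short_name_matches(m.group("target"), parent.image):
            self_delete.append(parent.pid)
        if GUID_EXE_RE.match(e.image) and (
            GUID_EXE_RE.match(parent.image) or "\\temp\\" in parent.image.lower()
        ):
            guid_stage.append(e.pid)

    def stage_depth(e: ProcEvent) -> int:
        # Length of the unbroken parent->child run of {GUID}.exe images ending at e
        depth, cur = 0, e
        while cur is not None and GUID_EXE_RE.match(cur.image):
            depth, cur = depth + 1, by_pid.get(cur.ppid)
        return depth

    return {
        "self_delete": self_delete,
        "guid_stage": guid_stage,
        "chain_depth": max((stage_depth(e) for e in events), default=0),
    }


def ev(pid: int, ppid: int, image: str, cmdline: Optional[str] = None) -> ProcEvent:
    return ProcEvent(pid, ppid, image, cmdline if cmdline is not None else image)


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
# Constructed from the first stages of the tree; PID 1500 and PID 3100 are invented.
SAMPLE_EVENTS = [
    ev(1500, 1, r"C:\Windows\explorer.exe"),
    ev(2940, 1500, TEMP + r"\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"),
    ev(2148, 2940, r"C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe"),
    ev(2704, 2148, r"C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe"),
    ev(2824, 2704, r"C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe"),
    ev(2028, 2824, r"C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe"),
    ev(2380, 2824, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{48A62~1.EXE > nul"),
    ev(2960, 2704, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{96201~1.EXE > nul"),
    ev(2552, 2148, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2BDAD~1.EXE > nul"),
    ev(2568, 2940, CMD, r"C:\Windows\system32\cmd.exe /c del " + TEMP + r"\2024-0~1.EXE > nul"),
    # benign: a user-launched cleanup that deletes something other than its parent's image
    ev(3100, 1500, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del " + TEMP + r"\scratch.tmp > nul"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

On the constructed batch the four cmd.exe deletions resolve to their parents (PIDs 2824, 2704, 2148 and 2940), the four GUID-named stages are flagged, and the longest stage run is 4; fed the complete tree above it would report eleven stages. The benign cleanup under explorer.exe is not flagged because its target is in a different directory from the parent's image. Matching on the parent's image rather than on the string `del` alone is what keeps this from firing on ordinary batch cleanup.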

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
    Filesize
    168KB
    MD5
    18fdba0988a5dd2de9eb98bbb572ea9c
    SHA1
    0887fdd173e6ae1f9b037162010d1cbf0200cc9d
    SHA256
    91f6dd0bd869389b0c9e229752f865fdee6c4e79cc43eff0f781bfb04f0308fb
    SHA512
    1a4441a9e1d3ae75e8a2ba0ca1a5dd0261879708024aba4ab2c21f1261c5645f69863247f9c078b34f3ddc30dbe3d015b2b1100f998d3d13a5f4a000179730c6
  • C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
    Filesize
    168KB
    MD5
    fe4a6d0c22c44068f7803dcab3a96568
    SHA1
    c9745466e18b269a0e38d2a576e71b52e13a6782
    SHA256
    07b9c3187a4b47caec0394a4df5204414e593ed9b58559c32f78286aa2a40410
    SHA512
    8005f1b56d9c0285f739fc3cfd6260746d9e67463eeb931ab375b5679135b633621023a3d4520168c417c69a682c5fab930e399b0f9f07cc780f61b2da6ba459
  • C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
    Filesize
    168KB
    MD5
    5963a98cba84b3ffaa652656e7ff3b36
    SHA1
    02a1ec5356b4be995a0bede0e080893a95a4ae2a
    SHA256
    6535d2cc4e2ffff6195fd1caffd6787f590543ab24fe3519ffba2d2702028ae0
    SHA512
    ff8299317111eed0f268e9db02e3cea6d2f6aa0fca5f156268e086544c522e4cea79f7078906226c4257780286f1ea406a3db71f732a9fea8b6f3470aa0f0417
  • C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
    Filesize
    168KB
    MD5
    78bcb17a5b8d448dad01d472c3a1b316
    SHA1
    8b05e812bf6d767040b260f523056274c445cd0e
    SHA256
    93b9e37516556b52907555ba4ce660ec1aaa9fecade5c7b05878537eeb601923
    SHA512
    1e0cbe90c6cf156958af8c732503dd9c2437f452806930df56388ce1f3f3768e3554ffd8d6bc0ad0016c32d60a101c794e50ccc01bd8e95eeabfd39ad2f53d4d
  • C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
    Filesize
    2KB
    MD5
    ce885b255b68d43e4d2f5b4bff54092a
    SHA1
    b70d044e341957b9ca2b8a2d2c24632bd17e10f8
    SHA256
    9d63eb3d1f85ce76a31eb296acefb3e83c03e18f2eab97ca4cebf86ed7d930e6
    SHA512
    19eed145dd3a240dab5dc48df7ccd201c6e0945e602ffaff9c4f1fa5049746b31e3f825fa967cf73c67f4e2ff3ea04c7b3f5425b2e303c8e6a1ba1aee5f01d0b
  • C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe
    Filesize
    168KB
    MD5
    d8ce69150ce05a24cccf6e64cf5c44c4
    SHA1
    448330ebd731b9beb328328417c475b5fcd45dd3
    SHA256
    ead9fad789778163a2f94efc4cc3cc09ff8763cf91db5742fc9a617c75ce01c5
    SHA512
    6e76fa4cd38c26fa1fce8ea2252ae97cb77fe6e0ea9e808350a6197cc6b6c36c206eb8ff9e01756610630fcc8d1a0f5d7ffe483ab35fae9a5015b70fd59f25d7
  • C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
    Filesize
    168KB
    MD5
    d73b9ff44106e9fa946359d23322770c
    SHA1
    fc411966f148a5afdbdedde6c3ba8d72d7d836f6
    SHA256
    e3b13eaae672131948ead3a84715a80263810bcae8cf222aab0381a930af07fd
    SHA512
    ded1dec3babb863513517800b4a0d79993c1b0dd5e00e73d8bac631f511e06e908da36732b7f4d853c07c74007ea059994f71f28e6389d16c9aa4667ce98c22a
  • C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
    Filesize
    168KB
    MD5
    4da6c58211f1f4d34d3e99dc9a650eb3
    SHA1
    f1f9ad71c6b263608ced44271217b16e08089c64
    SHA256
    f88542cdca85621d4d532ce478913f76b712933b5475da4af0c5e70b89c4a50e
    SHA512
    59c31466891fb6e9cf37855108b7ec3b2f34454652d3f449493794d5ca83a3e80b4cbe2581bea889cc793c78fd8e8f7922008dedeb87ae309eee2c4dcc9482e7
  • C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe
    Filesize
    168KB
    MD5
    04063d1dad94043fa83f9badfea491e0
    SHA1
    ec644ab0cb485cb0d236b43ba21f8b7edd7e5a70
    SHA256
    cb39be57be9a042d9430c4575d3a5be58d5e9a2b1f330bfc86fd7f2aae7c6302
    SHA512
    c1c04956c4bc06db7cdd4b26b0f9a64995b9490cae6db72a4f50013b45d584d27cdc588f7e407c711cce2759547432414e6fb93f617795948009da019a2f384a
  • C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe
    Filesize
    168KB
    MD5
    2d3d34d59943f301cbaf0929bf7a33ff
    SHA1
    197d3dde2a59a3285f9886d408e53bbb279b70c8
    SHA256
    b8f0f89d4bbb1f440caff44ce1458408cf831b969e80e9ea54bd2a16fda7b1c0
    SHA512
    f06fad1ba31a0ba1448cd799459e2a6f7feaa68fdcdbcabe4dcd82b27eee481cd35c742917e569828986d3da6c2e28e71cb5bd936d8ebac38a95c0e2bf84fdbe
  • C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
    Filesize
    168KB
    MD5
    56772c9b8a787db82e43c44a52342ef1
    SHA1
    743f3f1cace888e90b782b423341ef71648e9920
    SHA256
    c69d49b8cfb5922f7be62b51931122f0f22c10d7f71bf5311bbf6c65c6a72541
    SHA512
    e126a765f64d47d769aaf77a4d102a31845d0074b2ab0b318d49f2756acca73a0efdc073d8ca8958bd19575f0194580399ec2b680d767d0f2100fe02494f99c1
  • C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
    Filesize
    168KB
    MD5
    07bb153b34b0a38a304cb57f69080589
    SHA1
    9652b4d8d70634df20aa843455dfa24e0d8a80a4
    SHA256
    934f6f27bff80d8fa16df5fa1168ac0c8fec2e910fc9f5126ab2fbbde394257e
    SHA512
    98a160c1f374446d50fe11f59a8dff15ba41ceb6ea4067bd9073b355da756a418f178cb3e224311a994bee6cb1901127811d104aa06ef160c96f771ad3156b77