Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:28

General

  • Target

    2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe

  • Size

    168KB

  • MD5

    6f7eefc4dcc19cf96d504a8d70f186ec

  • SHA1

    7f401dcbab81163ca78f4126cde960da282c3e34

  • SHA256

    2da291a4b4ede9f5a03b2c37df6a043eed126b6c3a488c3edf8e7f086dfc1ebb

  • SHA512

    271dee908d308300a63dd805bc6a74868552df15d176d9526ab20a4db67c07534c035b97bb168f0a4cbc8de8085cfbf2c582999f17a4ac4c20c484d0ee8a256c

  • SSDEEP

    1536:1EGh0ovlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovlqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe
      C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe
        C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
          C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe
            C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2020
            • C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
              C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2732
              • C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
                C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2248
                • C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
                  C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1732
                  • C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
                    C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1556
                    • C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe
                      C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2140
                      • C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe
                        C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2840
                        • C:\Windows\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe
                          C:\Windows\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1496
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{76E4D~1.EXE > nul
                          12⤵
                          PID:1388
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F729A~1.EXE > nul
                        11⤵
                        PID:1156
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3BAB2~1.EXE > nul
                      10⤵
                      PID:2412
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{72B34~1.EXE > nul
                    9⤵
                    PID:2296
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E7A~1.EXE > nul
                  8⤵
                  PID:2260
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C2776~1.EXE > nul
                7⤵
                PID:1656
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{23075~1.EXE > nul
              6⤵
              PID:2792
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{2DC5C~1.EXE > nul
            5⤵
            PID:1028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{47FFF~1.EXE > nul
          4⤵
          PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{096C2~1.EXE > nul
        3⤵
        PID:2576
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2148
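
The detection logic an analyst would derive from the Processes tree and the Signatures list, as an added example that is not part of the sandbox report. It runs over Sysmon-style process-creation records constructed from the tree (PIDs, image paths and command lines as shown; parent PIDs inferred from the nesting; the explorer.exe parent and the benign cmd.exe at the end are made up) and flags three things: a `{GUID}.exe` executing directly from C:\Windows, one such binary spawned by another (the chain), and the `cmd.exe /c del <8.3 path> > nul` idiom each stage uses to remove the binary of the stage that spawned it. The 8.3 short-name match is a triage heuristic, not a full emulation of how Windows generates short names. Note that the final stage `{D515D68B-...}.exe` has no cmd.exe child in the tree, so it is the one stage the rule never sees deleted. (The "Modifies Installed Components in the registry" signature is the sandbox's name for writes under the Active Setup `Installed Components` key, a logon-time persistence location; that reading is mine, the report lists no registry values.)

```python
"""Detection rules for the Processes tree above, run over constructed Sysmon-style
process-creation events (added example; parent PIDs are inferred from the tree)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# {GUID}.exe sitting directly in the Windows directory
GUID_EXE_IN_WINDOWS = re.compile(
    r"^[A-Z]:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.IGNORECASE)
# cmd.exe /c del <target> > nul
CMD_DEL = re.compile(r"^\S*cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$", re.IGNORECASE)
# 8.3 short name as it appears in the del commands: up to six characters, ~N, extension
SHORT_NAME = re.compile(r"^(?P<prefix>[^~\\]{1,6})~\d+\.(?P<ext>[^.\\]+)$")


@dataclass(frozen=True)
class ProcEvent:  # the Sysmon Event ID 1 fields the rules need
    pid: int
    ppid: int
    image: str
    cmdline: str


def _dir_and_name(path: str) -> tuple[str, str]:
    head, _, tail = path.rpartition("\\")
    return head.lower(), tail


def refers_to(short_path: str, long_path: str) -> bool:
    """Heuristic: does C:\\Windows\\{76E4D~1.EXE name C:\\Windows\\{76E4DC1C-...}.exe?
    Windows builds the short form from the first six characters plus ~1 (collisions
    give ~2, ~3, and a few characters are substituted), so only directory, prefix
    and extension are compared; good enough for triage, not a full 8.3 emulation."""
    sdir, sname = _dir_and_name(short_path)
    ldir, lname = _dir_and_name(long_path)
    m = SHORT_NAME.match(sname)
    if not m or sdir != ldir:
        return False
    return (lname.upper().startswith(m["prefix"].upper())
            and lname.upper().endswith("." + m["ext"].upper()))


def analyse(events: list[ProcEvent]) -> dict[str, list[int]]:
    """Return {rule: sorted PIDs}. For self-deletion the PID recorded is the process
    whose binary was deleted, i.e. the parent of the cmd.exe."""
    by_pid = {e.pid: e for e in events}
    hits: dict[str, set[int]] = defaultdict(set)
    for e in events:
        parent = by_pid.get(e.ppid)
        if GUID_EXE_IN_WINDOWS.match(e.image):
            chained = parent is not None and GUID_EXE_IN_WINDOWS.match(parent.image)
            hits["guid_exe_chain" if chained else "guid_exe_in_windows"].add(e.pid)
        m = CMD_DEL.match(e.cmdline)
        if m and parent is not None and refers_to(m["target"], parent.image):
            hits["self_delete_via_cmd"].add(e.ppid)
    return {rule: sorted(pids) for rule, pids in hits.items()}


# ---- constructed events modelled on the tree; PIDs and paths as on the page ----
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT_IMAGE = TEMP + r"\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe"
STAGES = [  # (pid, parent pid, GUID); 2876 is the submitted sample
    (2000, 2876, "096C2CE5-078E-4ab5-8108-63C14835295F"),
    (2640, 2000, "47FFF679-D305-4e81-921B-46B1BF473518"),
    (2168, 2640, "2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6"),
    (2020, 2168, "2307504F-A577-4294-991D-2D5167107C7D"),
    (2732, 2020, "C27768E8-A198-413d-9656-A6E89BDEFA6C"),
    (2248, 2732, "C9E7AEEF-E853-4415-9076-31F6E421E2E3"),
    (1732, 2248, "72B34DD3-3981-4fde-BF93-04F022FB8A36"),
    (1556, 1732, "3BAB292B-37D4-4a40-A991-BF1E66A2B64E"),
    (2140, 1556, "F729A74C-CE76-42bf-8133-64095F4D1408"),
    (2840, 2140, "76E4DC1C-58EB-4c44-A8A1-439F6519BBDA"),
    (1496, 2840, "D515D68B-A213-4574-8B90-6E8AC15AFA1F"),
]
DELETES = [  # (cmd.exe pid, parent pid, 8.3 path deleted)
    (2148, 2876, TEMP + r"\2024-0~1.EXE"),
    (2576, 2000, r"C:\Windows\{096C2~1.EXE"),
    (2932, 2640, r"C:\Windows\{47FFF~1.EXE"),
    (1028, 2168, r"C:\Windows\{2DC5C~1.EXE"),
    (2792, 2020, r"C:\Windows\{23075~1.EXE"),
    (1656, 2732, r"C:\Windows\{C2776~1.EXE"),
    (2260, 2248, r"C:\Windows\{C9E7A~1.EXE"),
    (2296, 1732, r"C:\Windows\{72B34~1.EXE"),
    (2412, 1556, r"C:\Windows\{3BAB2~1.EXE"),
    (1156, 2140, r"C:\Windows\{F729A~1.EXE"),
    (1388, 2840, r"C:\Windows\{76E4D~1.EXE"),
]


def build_events() -> list[ProcEvent]:
    ev = [ProcEvent(1234, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),  # made-up parent
          ProcEvent(2876, 1234, ROOT_IMAGE, f'"{ROOT_IMAGE}"')]
    for pid, ppid, guid in STAGES:
        img = rf"C:\Windows\{{{guid}}}.exe"
        ev.append(ProcEvent(pid, ppid, img, img))
    for pid, ppid, target in DELETES:
        ev.append(ProcEvent(pid, ppid, r"C:\Windows\SysWOW64\cmd.exe",
                            rf"C:\Windows\system32\cmd.exe /c del {target} > nul"))
    # made-up benign look-alike: same cmd idiom, but not aimed at the parent's binary
    ev.append(ProcEvent(3100, 1234, r"C:\Windows\SysWOW64\cmd.exe",
                        rf"C:\Windows\system32\cmd.exe /c del {TEMP}\build.log > nul"))
    return ev


if __name__ == "__main__":
    for rule, pids in analyse(build_events()).items():
        print(f"{rule}: {pids}")
```

Against the constructed events the first stage `{096C2CE5-...}.exe` (PID 2000) trips only the Windows-directory rule, because its parent is the sample in Temp, while the ten stages below it trip the chain rule; the self-deletion rule fires for eleven parents, everything from PID 2876 down to 2840, and not for 1496. The benign cmd.exe is ignored because its target is not an 8.3 form of its parent's image.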

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{096C2CE5-078E-4ab5-8108-63C14835295F}.exe
    Filesize
    168KB
    MD5
    390c55ee0511099e04793ae981379888
    SHA1
    75ed6d878afa9b03ef114b89b0ccc013d02651b5
    SHA256
    f9d2e5d639e990bd98e05d0a5497c20d067c21f64080877a381fa4c9a398a7c5
    SHA512
    96762b4d1f1239ee9b4780152fe4bfe0b45847c157ec98f0f84a9f916c430b3cdb6582b88e6e2d99126f6d077266c382b87545976203ee7195b8ca09033daeee

  • C:\Windows\{2307504F-A577-4294-991D-2D5167107C7D}.exe
    Filesize
    168KB
    MD5
    fb4ed78d30e1c05b6708f72ae907af2e
    SHA1
    f35d3c787dcaeceb7cd5d5f84eca33389f5b22cc
    SHA256
    6c6104a0805c3d1161e895ac00699e22823a6789f12934c23a3ff7777835e6a4
    SHA512
    eab8cb6fc4ee5fd1dac8a310a72474911e660f29054ceeecdfd1c572c184fcfac4c65d7d3c1d6225afa4f42c3d9f5ff7c2b6ad66fb9aca3bef027f14e68c1c81

  • C:\Windows\{2DC5C1B5-A4BC-4563-8E5F-11084B8A2AC6}.exe
    Filesize
    168KB
    MD5
    68e970621a0b1749cbfdb6a330f3a9ec
    SHA1
    b3c3c03f2da00206fe650311f1f9c0cbc7307701
    SHA256
    a86a207316b09004046001584543e036149d11c650e44bd4bf88b800aff21539
    SHA512
    33dc6301924ebbf5a7ad277a379cc70f16c59734e7240aa4681f3fc0ac4a481c7bc6a63bd91cdc3632ea75f0a2a3218838cc774a1ef9f2d1b54b80684f7d39bc

  • C:\Windows\{3BAB292B-37D4-4a40-A991-BF1E66A2B64E}.exe
    Filesize
    168KB
    MD5
    2a2f6f4f3f464d8d48c7530ff2b50793
    SHA1
    0cf16e6b9075f74b87f628fb2eb360de7ac6c63b
    SHA256
    37d2708b17c3472a1da270fce99fcddcc9b1013b91683ea415055ed6235d3c81
    SHA512
    15da7985db99aba74ba6a4e0c6bfafc061391d2c745c3ae248f6fe68cb6af128512e20bd02c59d18958c79415775069484ddc337a790aa7820dc30d0686308e5

  • C:\Windows\{47FFF679-D305-4e81-921B-46B1BF473518}.exe
    Filesize
    168KB
    MD5
    0b122aeba2289aa68765b8c086c26956
    SHA1
    4ae982a3844b145b5291c8fb89dc68b99ee75d17
    SHA256
    99e52d0c25c2e1f21cfa1cfb8c1c9a271a5ccc892a78c8378d91dd034c0c5e14
    SHA512
    f1295767a0b9905dd3079f26abe30d334c7f24edc99685cee0b539df6f2645328d1011dbf28d224cabc8ea02f6709bc3d98f8a3449ca405e2ea4d12f62d1aa8b

  • C:\Windows\{72B34DD3-3981-4fde-BF93-04F022FB8A36}.exe
    Filesize
    168KB
    MD5
    e28bbf67be1dda490cb2ba2ab2c98a1a
    SHA1
    44ba096787de53d56fee869b311537ced7a7d131
    SHA256
    710c96a2288a543dbb76332b796c16cf4af76d3a6779a95db4471808cc77a5c4
    SHA512
    ad3a249ce4f4557746f1f7a620c1a0876b8b14c705ca9c15fae2f7ebd1cfe1df96ad21dbc1637e1097244fc2107d3db0ae586c55d9840cb55ca9f4cd3338b38e

  • C:\Windows\{76E4DC1C-58EB-4c44-A8A1-439F6519BBDA}.exe
    Filesize
    168KB
    MD5
    d02898c4cd0cb0e4ea21e91cf478649f
    SHA1
    2d375d28672be069c5e271665ae21da9018c9a55
    SHA256
    c4520bd43438daa2de7df765d96476e00d16d38ad7e52dcf9c240490302f9aa1
    SHA512
    215a674ed280ae67036fd2bf43bd91f748ed99b76a4ec00d2b2f5b984a250ada3e2e42efbf28bdf9143a0a2ce8d7557b6e5aee1ec061969965e2dfb3deaaca8b

  • C:\Windows\{C27768E8-A198-413d-9656-A6E89BDEFA6C}.exe
    Filesize
    168KB
    MD5
    def19c364ba04e14c7adcf121ccee287
    SHA1
    ce072c658498784ddf8fc7f3147d02b6290bad44
    SHA256
    6554e12264aff64eaeeb35f18a520e2569b08befe01d620c13543ea79811ef1f
    SHA512
    fe4d11585e6a0b3271ee94ddfc230d6dd942022f7ec80d4559412836487190c413a5d460f6f7caf1113b12115b860b4e6d0fed483a42d704e7ddbf22932c53d3

  • C:\Windows\{C9E7AEEF-E853-4415-9076-31F6E421E2E3}.exe
    Filesize
    168KB
    MD5
    262a8824af97263fcfc4ecaddd5d196e
    SHA1
    75a8ad134b466bad9eaaa73f1cd83339a5f894e0
    SHA256
    dcb64cdce056e17c43af3aa9ead868175bad4f363b4b76e2813b2cc3ba7eff2d
    SHA512
    5a4b083abc98eeed509044730d16d0b33310a96b4792f1d2ebcfb40aefcc10bbe44757ec7994ab48539a6fa7193d7322e11e23bca48ade6f7de12492808a9904

  • C:\Windows\{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe
    Filesize
    168KB
    MD5
    612b6b96bcd5a76e7acee8288e5dc76d
    SHA1
    9a44636d7852d5c5cf2a1234b77f701640349542
    SHA256
    30b5641ae34c4063450513675a8e1422e26d1182dbcb42afef01e22d34f26304
    SHA512
    ca94e93d549b08e78589b692efc6716427cb19e3cea56dfb54403792b14a9a70c724f539bf8138586c77c0758975cdb3b91cab07954f88dcf30274837fcd6edb

  • C:\Windows\{F729A74C-CE76-42bf-8133-64095F4D1408}.exe
    Filesize
    168KB
    MD5
    4ff33fb26b61da49e83fe406d51a8982
    SHA1
    07604d582437ac09de6aeae0e1ecd156de5febfd
    SHA256
    614b933bd78930ae1d838fe41b6726ffc274d68cefd722f54013a3ea0670aaeb
    SHA512
    e1a68f50daee46f9db7ee7b8bfc14268f368229c542efdec965d0a42462a1793f1c57a617caec49c0242c6a8cff42066053bed54152221c2b163cff47600d83e
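
A disk-hunting script built from the Downloads list, as an added example that is not part of the sandbox report. Every stage here has the same 168KB size but a different hash, so an exact-hash IOC set covers only this run; the script therefore flags exact SHA256 matches for the submitted sample and the eleven stages, and separately flags the durable pattern behind them: a `{GUID}.exe` sitting directly in the Windows directory at roughly the stage size, which catches a rebuilt stage with a fresh hash. Because each stage deletes its predecessor, on a live host the pattern rule will usually find only the last stage. The demo tree it scans, the placeholder bytes in it and the size window around the report's rounded "168KB" are constructed assumptions.

```python
"""Hunt a file system for the artefacts under Downloads: exact SHA256 hits for the
twelve binaries on this page, plus the naming/placement pattern behind them.
Added example; the tree it scans is constructed here, not taken from the sandbox."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 of the submitted sample plus the eleven stages listed under Downloads.
REPORT_SHA256 = {
    "2da291a4b4ede9f5a03b2c37df6a043eed126b6c3a488c3edf8e7f086dfc1ebb",  # submitted goldeneye.exe
    "f9d2e5d639e990bd98e05d0a5497c20d067c21f64080877a381fa4c9a398a7c5",  # {096C2CE5-...}.exe
    "6c6104a0805c3d1161e895ac00699e22823a6789f12934c23a3ff7777835e6a4",  # {2307504F-...}.exe
    "a86a207316b09004046001584543e036149d11c650e44bd4bf88b800aff21539",  # {2DC5C1B5-...}.exe
    "37d2708b17c3472a1da270fce99fcddcc9b1013b91683ea415055ed6235d3c81",  # {3BAB292B-...}.exe
    "99e52d0c25c2e1f21cfa1cfb8c1c9a271a5ccc892a78c8378d91dd034c0c5e14",  # {47FFF679-...}.exe
    "710c96a2288a543dbb76332b796c16cf4af76d3a6779a95db4471808cc77a5c4",  # {72B34DD3-...}.exe
    "c4520bd43438daa2de7df765d96476e00d16d38ad7e52dcf9c240490302f9aa1",  # {76E4DC1C-...}.exe
    "6554e12264aff64eaeeb35f18a520e2569b08befe01d620c13543ea79811ef1f",  # {C27768E8-...}.exe
    "dcb64cdce056e17c43af3aa9ead868175bad4f363b4b76e2813b2cc3ba7eff2d",  # {C9E7AEEF-...}.exe
    "30b5641ae34c4063450513675a8e1422e26d1182dbcb42afef01e22d34f26304",  # {D515D68B-...}.exe
    "614b933bd78930ae1d838fe41b6726ffc274d68cefd722f54013a3ea0670aaeb",  # {F729A74C-...}.exe
}
GUID_EXE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.IGNORECASE)
# The report rounds every stage to "168KB"; exact byte counts are not on the page,
# so the size test is a window around that figure (assumption).
STAGE_SIZE_RANGE = (160 * 1024, 176 * 1024)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, known: set[str]) -> list[str]:
    """Reasons a file is interesting; an exact IOC hit and the pattern can both fire."""
    reasons = []
    if sha256_of_file(path) in known:
        reasons.append("sha256_ioc_match")
    if GUID_EXE.match(path.name) and path.parent.name.lower() == "windows":
        lo, hi = STAGE_SIZE_RANGE
        in_range = lo <= path.stat().st_size <= hi
        reasons.append("guid_exe_in_windows_dir" if in_range
                       else "guid_exe_in_windows_dir_size_mismatch")
    return reasons


def scan(root, known=REPORT_SHA256) -> dict[str, list[str]]:
    """Walk `root` (e.g. a mounted disk image) and return {relative path: reasons}."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify(path, known)
            if reasons:
                hits[path.relative_to(root).as_posix()] = reasons
    return hits


# ---- constructed demo tree standing in for a victim disk ----
DEMO_STAGE = b"MZ" + b"\x00" * (168 * 1024 - 2)  # 168 KiB placeholder, not a real stage
DEMO_KNOWN = b"constructed file standing in for a hash-listed sample\n"


def build_demo_tree() -> Path:
    root = Path(tempfile.mkdtemp(prefix="goldeneye_hunt_"))
    win = root / "Windows"
    win.mkdir()
    (win / "{D515D68B-A213-4574-8B90-6E8AC15AFA1F}.exe").write_bytes(DEMO_STAGE)  # last stage
    (win / "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}.exe").write_bytes(b"small")     # pattern, wrong size
    (win / "notepad.exe").write_bytes(DEMO_STAGE)                                   # benign name
    temp = root / "Users" / "Admin" / "AppData" / "Local" / "Temp"
    temp.mkdir(parents=True)
    (temp / "sample.bin").write_bytes(DEMO_KNOWN)                                    # hash-only hit
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    known = REPORT_SHA256 | {sha256_hex(DEMO_KNOWN)}
    for rel, why in scan(demo, known).items():
        print(f"{rel}: {', '.join(why)}")
```

With the default IOC set only the two pattern hits appear; adding the hash of the constructed `sample.bin` to `known` shows how a hash-only hit in an unrelated directory is reported alongside them, while `notepad.exe` with the same size is ignored.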