Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:31

General

  • Target

    2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe

  • Size

    408KB

  • MD5

    164de08d5920bce67bd0075809e6beb7

  • SHA1

    c840578699cf5038dc4093f890e17c19c8bad8a8

  • SHA256

    a201e4705b075bf42639fe006c80d8c6a1c97092cce9d540478a68a6605dc605

  • SHA512

    271a1af102f7877dfab8b99ce1295c4125b8743c092d7710b2b2b181a9023a286639b9a919998d4c5d2d0ea662860159f1fb7fb36ed8dfe3bc64a19f215b2c4b

  • SSDEEP

    3072:CEGh0ofl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGdldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
      C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
        C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
          C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
            C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1564
            • C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
              C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2316
              • C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
                C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1640
                • C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
                  C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2292
                  • C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe
                    C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1376
                    • C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe
                      C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2508
                      • C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe
                        C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:600
                        • C:\Windows\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe
                          C:\Windows\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1812
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FE43B~1.EXE > nul
                          12⤵
                          PID:1772
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC5D2~1.EXE > nul
                        11⤵
                        PID:816
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0D6AA~1.EXE > nul
                      10⤵
                      PID:2776
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{90692~1.EXE > nul
                    9⤵
                    PID:1708
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C41FE~1.EXE > nul
                  8⤵
                  PID:1676
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7A7BE~1.EXE > nul
                7⤵
                PID:1628
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C8F71~1.EXE > nul
              6⤵
              PID:2332
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F39A3~1.EXE > nul
            5⤵
            PID:1536
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F22EF~1.EXE > nul
          4⤵
          PID:2408
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E906~1.EXE > nul
        3⤵
        PID:2604
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2056
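What the tree above shows, as an added example rather than anything taken from the report or from the sample: every stage drops the next stage as a GUID-named executable directly in C:\Windows, executes it, and spawns `cmd.exe /c del ... > nul` against its own image using the 8.3 short name (`{FE43B~1.EXE` for `{FE43BF03-...}.exe`). The `Deletes itself` signature counts only the original sample, but the same pattern repeats at all 12 levels. The Python below transcribes the tree and the Downloads hashes from this page (parent PIDs are read off the N⤵ nesting markers, since the page lists none) and implements the three checks a hunter would want: tie each `del` target to its parent's image via the 8.3 name, list the GUID-named C:\Windows executables, and confirm that every dropped stage is the same 408KB but has a different MD5, so blocking one stage's hash does not cover the next. Two caveats are built in: the 8.3 helper assumes no name collision (hence `~1`, which is what every command line on the page shows), and the cmd.exe image is SysWOW64 while its command line says system32 because a 32-bit process on x64 is subject to WOW64 file-system redirection, so match on the recorded image path rather than the command-line text.

```python
"""Hunt logic for the drop-and-self-delete chain in the process tree above.
Added example, not part of the Triage report or of the sample: PROCESSES is
transcribed from the tree (parent PIDs follow the N⤵ nesting markers; the page
lists no PPIDs), DROPPED_MD5 from Downloads; the rules are this example's own."""
import re
from typing import NamedTuple

class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str

ROOT = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe")
# Image is SysWOW64 although the command line says system32: the dropper is a
# 32-bit process, so WOW64 file-system redirection resolves "system32" for it.
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"

def _drop(pid, ppid, guid):
    path = "C:\\Windows\\{" + guid + "}.exe"
    return Proc(pid, ppid, path, path)

def _delete(pid, ppid, target):
    return Proc(pid, ppid, CMD_IMAGE,
                r"C:\Windows\system32\cmd.exe /c del " + target + " > nul")

PROCESSES = [
    Proc(1644, 0, ROOT, f'"{ROOT}"'),
    _drop(2960, 1644, "1E906994-9BD7-4aa7-8A86-D14E1598567C"),
    _drop(2528, 2960, "F22EFBAC-3677-47a0-BB2D-2B557CE10031"),
    _drop(1588, 2528, "F39A3723-EFCF-43d2-BE6C-63C8AB327401"),
    _drop(1564, 1588, "C8F71E79-0AA5-472f-BA94-B4E662969B5D"),
    _drop(2316, 1564, "7A7BE827-BA83-4855-8117-6FA863AE8BA9"),
    _drop(1640, 2316, "C41FE860-1F41-4e02-982F-F300D9204BBE"),
    _drop(2292, 1640, "90692767-9AA5-44ba-ADF0-C1B781FA909B"),
    _drop(1376, 2292, "0D6AA90D-493B-4314-8541-88CD700166E2"),
    _drop(2508, 1376, "CC5D2798-414D-4e1b-9726-DF0A1C2B94FB"),
    _drop(600, 2508, "FE43BF03-DBBA-4e64-8192-BFB834EB00F2"),
    _drop(1812, 600, "6E99404B-06D2-48bc-AB6C-09C642A09FD7"),
    _delete(1772, 600, r"C:\Windows\{FE43B~1.EXE"),
    _delete(816, 2508, r"C:\Windows\{CC5D2~1.EXE"),
    _delete(2776, 1376, r"C:\Windows\{0D6AA~1.EXE"),
    _delete(1708, 2292, r"C:\Windows\{90692~1.EXE"),
    _delete(1676, 1640, r"C:\Windows\{C41FE~1.EXE"),
    _delete(1628, 2316, r"C:\Windows\{7A7BE~1.EXE"),
    _delete(2332, 1564, r"C:\Windows\{C8F71~1.EXE"),
    _delete(1536, 1588, r"C:\Windows\{F39A3~1.EXE"),
    _delete(2408, 2528, r"C:\Windows\{F22EF~1.EXE"),
    _delete(2604, 2960, r"C:\Windows\{1E906~1.EXE"),
    _delete(2056, 1644, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]

# MD5 of each dropped stage in drop order; every one is 408KB, like the parent.
DROPPED_MD5 = (
    "28cc4bee2a1bb57f74817b4ede0525f6", "9526767791aa1a7994e1b550353c340c",
    "e8e7596e171ef9cfaa34c3bd218dcab9", "0cf3d8bb15620e0884daf89c2acdd4ef",
    "7f142d279f6d769736b4637e779645f4", "69b8e53fd9afbf4d79ddcfab3eaad3df",
    "7a6a15e142979fd8b684a635786682d4", "19ea88ec3a9f3491dd6f19db450666b4",
    "a664c2de655404a12a34aebfe331bdff", "8edbeb5b7e476176b745fc6fb0f2a00f",
    "a15ec99267fafde4ae25bc0acc8a9347",
)

GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"/c\s+del\s+(\S+)\s*>\s*nul", re.I)
BAD_83 = re.compile(r"[ +,;=\[\]]")  # characters dropped when forming 8.3 names

def short_name(path):
    """Windows auto-generated 8.3 name, simplified: assumes no collision, so the
    numeric tail is always ~1 (which is what every del command above shows)."""
    name = path.rsplit("\\", 1)[-1]
    base, dot, ext = name.rpartition(".")
    if not dot:
        base, ext = name, ""
    base = BAD_83.sub("", base).replace(".", "")
    ext = BAD_83.sub("", ext)[:3]
    return (base[:6] + "~1" + ("." + ext if ext else "")).upper()

def self_delete_events(procs):
    """cmd.exe children whose 'del' target is their parent's image (by 8.3 name)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent, m = by_pid.get(p.ppid), DEL_CMD.search(p.cmdline)
        if parent is None or not m or not p.image.lower().endswith("\\cmd.exe"):
            continue
        if m.group(1).rsplit("\\", 1)[-1].upper() == short_name(parent.image):
            hits.append((p.pid, parent.pid, parent.image))
    return hits

def dropped_stages(procs):
    """Images of GUID-named executables run straight out of C:\\Windows."""
    return [p.image for p in procs if GUID_EXE.match(p.image)]

def dropped_are_polymorphic():
    # Same size, distinct hash per stage: blocking one stage's hash misses the rest.
    return len(set(DROPPED_MD5)) == len(DROPPED_MD5)
```

On a real host the same three functions take Sysmon event ID 1 records (Image, ParentProcessId, CommandLine) in place of the transcribed tuples. Matching by 8.3 name is deliberate: a search for the full `{GUID}.exe` string never finds the deletion command, because the command line on the page only ever carries the `~1` form.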

                      Network

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\Windows\{0D6AA90D-493B-4314-8541-88CD700166E2}.exe

                              Filesize

                              408KB

                              MD5

                              19ea88ec3a9f3491dd6f19db450666b4

                              SHA1

                              648b6030d7669524917130177b06b6dfee5735cc

                              SHA256

                              a43542185a91d908ee6c1fc33ad264913d9336eb011e3f5f55bb2a928e07e54b

                              SHA512

                              a84857d3ecdeabbc22386ec246d769a781391d91c3b5e502672018cbfd9c310dbd7058eb09feaa3d86a651814442b9d30e54beb54516d976cc0b38aba91c7897

                            • C:\Windows\{1E906994-9BD7-4aa7-8A86-D14E1598567C}.exe

                              Filesize

                              408KB

                              MD5

                              28cc4bee2a1bb57f74817b4ede0525f6

                              SHA1

                              3fe8f36b9fdf13dd2cadad6ab0ab876dd3a7b134

                              SHA256

                              5361d7536654046c9f8ff7f31cceedbb195a3e87f456f3a3e83ea3604a0127a1

                              SHA512

                              1a34649e86b4efc14cf92dc400da181d13417ec9487be6f11ba4e54ffadd94e3cd47751d30f7b65757c1f8c2ced7931aa22efd35a15197f5909779ed4446f40c

                            • C:\Windows\{6E99404B-06D2-48bc-AB6C-09C642A09FD7}.exe

                              Filesize

                              408KB

                              MD5

                              a15ec99267fafde4ae25bc0acc8a9347

                              SHA1

                              19ee8309788a9d97ac4db0325e71fe67c57944df

                              SHA256

                              f6bea61c1db195d4a84996bf48761760ddc7dbdc00a5171fc57f3f14f4f90767

                              SHA512

                              75704bf69d2031063cf8fbd8c69d9617d941343a3ab7b05d976bae6b917e183e874ca8c03d853592830b7c778636a2c1071a63e2121731f361ca416bb7cd3989

                            • C:\Windows\{7A7BE827-BA83-4855-8117-6FA863AE8BA9}.exe

                              Filesize

                              408KB

                              MD5

                              7f142d279f6d769736b4637e779645f4

                              SHA1

                              b719e52470b665f23c724a35c7be0de56cdb7726

                              SHA256

                              dee4ff6e58f4a737c7121974841ca59d9cd28cf07031b8af4aae24c57110251f

                              SHA512

                              a735091db4295ed55beb4b113554d690ce86fe6d6c7c60ba2c49ce569a648e082d2a9a874f99a794d0cdb786db204557483686ccee04e503653ac60c3438b5dd

                            • C:\Windows\{90692767-9AA5-44ba-ADF0-C1B781FA909B}.exe

                              Filesize

                              408KB

                              MD5

                              7a6a15e142979fd8b684a635786682d4

                              SHA1

                              f248eece4c4a98869139850f3635732dbb50ec36

                              SHA256

                              4a502d181500cbf021140f1f1bb7461486881f5ae4585f973c72b0477bbcf2b5

                              SHA512

                              1217beafa66581f6e8b5d0087f054475144c0817e052348ec9c04d569f47b724949e3b880fcb97804b86f87196ceda9060f3e2fa902eac54b0e02f969b39be28

                            • C:\Windows\{C41FE860-1F41-4e02-982F-F300D9204BBE}.exe

                              Filesize

                              408KB

                              MD5

                              69b8e53fd9afbf4d79ddcfab3eaad3df

                              SHA1

                              53418e9f7a56cc1b815eca0a4929d40b7a2660df

                              SHA256

                              e6c80ac166730aade6ac3a93c72e74f5fbf947ca916c71aa5eaef4c1dd3d9864

                              SHA512

                              b29406f8abbda9b17f19af3e20f06e6461c69bff4051575bdc39d6cafbc5a4982808b4cf86b280f14734890cba7a37893da4cd5c28bb5e331f6ceb8d7416d2b9

                            • C:\Windows\{C8F71E79-0AA5-472f-BA94-B4E662969B5D}.exe

                              Filesize

                              408KB

                              MD5

                              0cf3d8bb15620e0884daf89c2acdd4ef

                              SHA1

                              4b302208c9c9aa2b8f957d141866a53e2bb7d97d

                              SHA256

                              9cd98971906a2ade31a76d2c6704b543705c36aaeb8ddfc6cf5f24dc5d8c7f74

                              SHA512

                              60100985d02d80ede80ea6afc30bd99137374b61d97b7f0941f4ca6f3fd91f7e0070b688440fdccfa89dbb9d6293ff617242dafe5178e2cf5f5abddf61005920

                            • C:\Windows\{CC5D2798-414D-4e1b-9726-DF0A1C2B94FB}.exe

                              Filesize

                              408KB

                              MD5

                              a664c2de655404a12a34aebfe331bdff

                              SHA1

                              8f956574b8cf3a50dd538a67abbce9d3ee68d192

                              SHA256

                              aa70dd3a0fcda38efeea6e77493dc5625ee18b0f8e0c34e6310387ee32814dc2

                              SHA512

                              d87f73c19a8e417b8e60917fe3634a1926caa0441eb28631e1de2192d6350d8f520c1110db584db4d11f764c98bf947616c4418e70a3b5ece67910f9eb0f32cb

                            • C:\Windows\{F22EFBAC-3677-47a0-BB2D-2B557CE10031}.exe

                              Filesize

                              408KB

                              MD5

                              9526767791aa1a7994e1b550353c340c

                              SHA1

                              e63534cf0bfc88984732a4927fa8779e474e745a

                              SHA256

                              8a610c3ef02b6e91790a7cd0f840819bc00f36588cd465ba0f00e4c2f8f37752

                              SHA512

                              9fe1def048ec62256beb2addddcc9f97ab30ae6cc4c31e97f187025b77710dfef6674e272433088a17d98a662dd2285270f5f23269e6e15b30a6385373966909

                            • C:\Windows\{F39A3723-EFCF-43d2-BE6C-63C8AB327401}.exe

                              Filesize

                              408KB

                              MD5

                              e8e7596e171ef9cfaa34c3bd218dcab9

                              SHA1

                              88ab1aab3687e1412bb670e6057858a88cc47046

                              SHA256

                              c78af638d7fb0b0a59cf18924d9fa7210f91a1cc7cd2f0ea75d39288e4ecd23e

                              SHA512

                              c666a2e3f02782ee2bd26f18af841715f61437d1b6b4ff2cf1c8973c39ce2ca67c02c3a2bd635e154a2796dbb31986d99063a6ac096cf5e54e197bfe77ffa9b1

                            • C:\Windows\{FE43BF03-DBBA-4e64-8192-BFB834EB00F2}.exe

                              Filesize

                              408KB

                              MD5

                              8edbeb5b7e476176b745fc6fb0f2a00f

                              SHA1

                              3b5e7470c0616613115aeb924669ac0201997281

                              SHA256

                              b42f2a55fa9e6a64f36fc76220c5a244663432017083873e03aa9b4446832b8f

                              SHA512

                              d73e2f7796d5ebd6731e216c0d6952791589b6b849d81c229a53cd774b3d4bf22e6688765056090bf66585646ac5822dfdc1874114aaf9c8fea8f45daa469f68