Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:34

General

  • Target

    2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe

  • Size

    216KB

  • MD5

    1d83b5d5a996b10bd072a83df62b3ae2

  • SHA1

    ebf526a1a66ebc4bf0b65b312c817c31274c2614

  • SHA256

    ab47f60e736382aaea83ac449682a8908b0f8fbb644d20ff975d9e27f82025c8

  • SHA512

    d06fa8d130a29711cdce26c8ec8b9a29dcb93d489b6d9e51399c9d8ae70efc2dd151644390b794e1eecd65d4213ba2c275f97d91ef1f0778612c9070a862b682

  • SSDEEP

    3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGtlEeKcAEcGy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\{03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe
      C:\Windows\{03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\{3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe
        C:\Windows\{3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\{84219630-A311-49de-80BA-A2883CB8BD37}.exe
          C:\Windows\{84219630-A311-49de-80BA-A2883CB8BD37}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Windows\{CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe
            C:\Windows\{CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2540
            • C:\Windows\{585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe
              C:\Windows\{585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2480
              • C:\Windows\{86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe
                C:\Windows\{86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1776
                • C:\Windows\{24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe
                  C:\Windows\{24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2304
                  • C:\Windows\{8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe
                    C:\Windows\{8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2160
                    • C:\Windows\{1DB83913-5521-4194-8E69-C814617D12E3}.exe
                      C:\Windows\{1DB83913-5521-4194-8E69-C814617D12E3}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2928
                      • C:\Windows\{A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe
                        C:\Windows\{A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2400
                        • C:\Windows\{917EAE3E-966D-4dcb-B063-5EA3481E9237}.exe
                          C:\Windows\{917EAE3E-966D-4dcb-B063-5EA3481E9237}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1480
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A675B~1.EXE > nul
                          12⤵
                          PID:1640
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB83~1.EXE > nul
                        11⤵
                        PID:2104
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F5AF~1.EXE > nul
                      10⤵
                      PID:2904
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{24731~1.EXE > nul
                    9⤵
                    PID:2340
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{86067~1.EXE > nul
                  8⤵
                  PID:2148
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{585DE~1.EXE > nul
                7⤵
                PID:2308
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CA5D9~1.EXE > nul
              6⤵
              PID:2508
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{84219~1.EXE > nul
            5⤵
            PID:2896
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{3C6F6~1.EXE > nul
          4⤵
          PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03FD0~1.EXE > nul
        3⤵
        PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2172

Downloads

  • C:\Windows\{03FD0D1F-0B4D-42c9-B922-22F64EE0ED1D}.exe
    Filesize: 216KB
    MD5: 527c2ec66f152b1000345b6c5014840b
    SHA1: db58603eb6ff8fb4b192101b11ed56b997cb88b5
    SHA256: 26e42ad71514d781b0f9a176b3da284560403cd264cfe2843e7dff8782d5bbc9
    SHA512: 6bcd8b3cbd5bf16a79d92f5ad4931d0a8f53f675ec03a0936834439bf443fc040a242aefe4b208b1a163b65332c15111063393589231f0f473a63043cde0a87a

  • C:\Windows\{1DB83913-5521-4194-8E69-C814617D12E3}.exe
    Filesize: 216KB
    MD5: 5ed9cdfe9ed340b79d31c2108790c282
    SHA1: a27c1ce795350d6120efe605bd79ff7f5c42ec55
    SHA256: 2dd1fa49d9fb6a555cd067ad8031a209f0e0969d3ec81803d382156c914ffa6a
    SHA512: 12decf671123b205248b67d6ce7bebf91bd8075eea5a34afe58a97a7fbc63b893b422c7d49a3b36eb245e0acdd69e52727927ac09d02dac75956c6162a71b15a

  • C:\Windows\{24731FE3-7AAC-44b3-A7B4-3A18A89F78A2}.exe
    Filesize: 216KB
    MD5: d1085cb8d35cb97256ecfa340d11a979
    SHA1: 7851f687f550dfea2d6a868c85032098aaf32e65
    SHA256: 92d05bace4193ed5a3292172548047a269a9236d16b0078b27de8bad8a33ae34
    SHA512: 3dcac3312d457212e9ee27b39c73af92466c25c9d31819033851284b0d13077d8f98873c6a78ef72bf03967b04744fd8da0b7adedf14cf3ec43b26057b1cdcd8

  • C:\Windows\{3C6F648C-31CC-43e2-A324-8E1B825038A7}.exe
    Filesize: 216KB
    MD5: 079473632baee2085b0ac5d487d88b4a
    SHA1: 44ded19a1c03b45534862896d304b44dd4c4e1cf
    SHA256: 8d8ad3a2df65fbfef3214dbced47241b7f2da1a781bfd360fcabeafb517413e6
    SHA512: 14553b986aebe9c6197d71e6bea2fac3cb1a8857eb85f53288b2adb53ee0e1d261025bbb3004415c514033e8690750dcfd264ced7a60010d1e9de32b80b184e2

  • C:\Windows\{585DE9F4-48C7-4f5d-84FA-C1C69532B9DC}.exe
    Filesize: 216KB
    MD5: d2f4afde128d8f270c5ee3f24a51b654
    SHA1: 6eaa76137064359e5047c1eae2ca2189bc70669e
    SHA256: 50b2c415946b265e2ead7fa1bd8c50dd683e3609db2c928421a307cd5610efdb
    SHA512: 3a07f6205f5d18e3355dd5ce87338f3b2af1ce1a14f141d61f4bc1072f0bffdae4aa0f93c72096dcfa9e3ba7a449a7bb46459357efb212c130627161401ba545

  • C:\Windows\{84219630-A311-49de-80BA-A2883CB8BD37}.exe
    Filesize: 216KB
    MD5: c4c180291243cfc4112e8ef882356263
    SHA1: 9228114ff14843777c626f246642b6611b293450
    SHA256: e908fa7da17411de68094dd687f2f1627cd13a825a491f24a0f495701192b8bc
    SHA512: cef44f1536d1bf9e166f64c6b202e52e7f05a06e0b71c42fa9fdcd38f1375e5bcc164f16094874c6f9072d4c347b009a7eac5348dd5ae56e606bd4a40c2f617e

  • C:\Windows\{86067B87-74DD-473d-81AE-BF0AA1EC2608}.exe
    Filesize: 216KB
    MD5: d38e717b3f1893d25a9f06ad8ae778cf
    SHA1: e3668d3830a2a0b6b052fac09769fbf374b8fa43
    SHA256: a81e0bff29e2ef71e2dffbbb9b64b2ef895ade76fc5bb81e49b76decb581d45b
    SHA512: 1d8dee410456d398dbf8743f4b4512abf1ec6717438e43b7f1b78c7cc517a04e8858c8e0e883393003702ee2dfd63d0e7c92d0e97d037d26a8f26141d83c30c1

  • C:\Windows\{8F5AFE6E-C814-40e0-8B23-994A94C9C67A}.exe
    Filesize: 216KB
    MD5: d570c47b496f7239ec19c4f8ac812d3b
    SHA1: 0d575e9ac9ff711a1a64a2e941c9bdc1b9c0da97
    SHA256: defb26ccc9f138585180c11e77f311361cfc5dee07c4b2086f5dbd8507bbad8e
    SHA512: f4e33dc8f3648558c39863da7a16958d569933b80217083c46ac7d4ca89477d8001e733d452726c0102aa90af0469c672007da429bc78145c8fb011a2419b84b

  • C:\Windows\{917EAE3E-966D-4dcb-B063-5EA3481E9237}.exe
    Filesize: 216KB
    MD5: 36848ae2d61564b4c99f876128ed7b37
    SHA1: 29e5421c1f02689ad09f139d4dfb0dbe18179e76
    SHA256: f8cf520ec572ece46b73d11a605cacd64805e7d3ed6ec32bb2bd21da10ed5e6a
    SHA512: 965762f458496c6cc83ac2992e9a463dd5c7b765759e8028af10c69c0ff55e0066610001a98e5e8edfa7c6403f8c89ad30101d399ac5928e90f0668c8fecb8e1

  • C:\Windows\{A675B80C-A2DB-4008-960E-A92467EDC6F0}.exe
    Filesize: 216KB
    MD5: 5399846bcd4dccb5657459e9594598f6
    SHA1: 6f82a830991888afda8b240995d3319f0d0cd13e
    SHA256: 9dfb0a1d7f76fef716a05200d5cde97c7aaa6d5380c5addb254f9ab228fb4842
    SHA512: 4265daaf2a80f17378e0bec96a9fe7acddd44ff0ee37956b1cdc4653739f162131826b5cb996453c6132b0526e539df8da261c15d5ad0e8e1a49d12fa7eb0f63

  • C:\Windows\{CA5D9B95-F6DA-421d-AE69-A2EA98DCD469}.exe
    Filesize: 216KB
    MD5: 9279aad4a439505a537b9088f541e6d2
    SHA1: f7088df996d96263ba792e78ddc4e39b633da945
    SHA256: 79f450836900e5f6a78b3b2381f10a07f639250d0b2d9be23bf6b7408324998a
    SHA512: 2f2b054775b39ee256667a3766108b9302b7363039e588163235c92f0d33232058c8c2cf326611f1b91f1cc7f732c418c81e1d9b2da1c1501ff31a2ede8d1086