Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:33

General

  • Target

    2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe

  • Size

    197KB

  • MD5

    1b79f7a7b43252a50deeee1b37920bc6

  • SHA1

    e5158a59de2e0641125a7dcf7583c63ce1ffca12

  • SHA256

    f50bfdcc2f255991febeeeccd6d84b7c1c09dd9c99f2c3d0b288fdfcb12840c5

  • SHA512

    a5de5791da9c8448776fe315199155221c358472bb0388d052c056b15f25c4c1eb8167ddc21671f85f70b35a218b0ba0d960401425765ffc1b9140f141ef2947

  • SSDEEP

    3072:jEGh0oYZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGWlEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 10 IoCs
  • Modifies Installed Components in the registry 2 TTPs 20 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Drops file in Windows directory 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe
      C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
        C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
          C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:592
          • C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
            C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1736
            • C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
              C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:696
              • C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
                C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2396
                • C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
                  C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2556
                  • C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
                    C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2708
                    • C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe
                      C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1836
                      • C:\Windows\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe
                        C:\Windows\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe
                        11⤵
                        • Executes dropped EXE
                        PID:3048
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{372C5~1.EXE > nul
                        11⤵
                          PID:3016
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA954~1.EXE > nul
                        10⤵
                          PID:2948
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA7DF~1.EXE > nul
                        9⤵
                          PID:1792
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEAC3~1.EXE > nul
                        8⤵
                          PID:2840
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F024A~1.EXE > nul
                        7⤵
                          PID:2884
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAED6~1.EXE > nul
                        6⤵
                          PID:2660
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5598~1.EXE > nul
                        5⤵
                          PID:564
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D40ED~1.EXE > nul
                        4⤵
                          PID:268
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{18766~1.EXE > nul
                        3⤵
                          PID:2032
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                        2⤵
                        • Deletes itself
                        PID:1636

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Windows\{1876614C-7669-4144-A331-81E143FB8CB7}.exe

                            Filesize

                            197KB

                            MD5

                            49dfb7e96385145f6e1e447582806c08

                            SHA1

                            219aab2ac1b5ca966f6b03ffe6a839dbb9fee0a0

                            SHA256

                            fb2946cd7fa9b8d72ed2c7a1431efbc185f9c71c544835a01392f778523b5ffd

                            SHA512

                            1c329ddb2c9dddde1ea6166cd830cee6ac5e660451f5753f7270604d72f3be14c020448d775d9353adb5951f605f70efeeadeaf4e12be29e2ed3a77a371476ea

                          • C:\Windows\{372C5E36-A21F-401d-ABC9-C9A3CB892D44}.exe

                            Filesize

                            197KB

                            MD5

                            0ebcd8c95897bb0e7ea042bcc69e0bb8

                            SHA1

                            8fbb3bd6f6f084130fec320c948d0366c2b83f2d

                            SHA256

                            fd6eb326f56d7f908e6eeb69d1965e135f293f828a7cdba87ee6c3c3ecf24d5c

                            SHA512

                            84821a26a2e7c9b5335cce05aabc171ca150b3017c84a6022902fb1cd599521a02e0c00dfd3400b709573719bc9933fcabde223fe04ffa36bea8420576d4299c

                          • C:\Windows\{AAED611D-5084-417d-8664-AFFFB6E502AF}.exe

                            Filesize

                            197KB

                            MD5

                            d3294ac02cb45d61b0302912bcc27ed8

                            SHA1

                            f7c1af37f4dd27ca2790a4c3758af518feca145f

                            SHA256

                            d080182dd80ad639a86ba945f545ad6a4ac52c234087a12ce0b92e1f659ab812

                            SHA512

                            db5f85c05785c6147016b71a51d6af8f0efe99dc372d0dbfb51a0ddcbd3075adee71feae7dec2fa582022c54a1a7393d95e48f5aa6f9c823791b3a7132139be1

                          • C:\Windows\{AEAC342A-6C1A-4a81-B2C8-B8E2B9F91911}.exe

                            Filesize

                            197KB

                            MD5

                            2bd31cb8e2006bd1fd6ad76cbd48bdd6

                            SHA1

                            778023fb0f2caac2273c2327233b685133675970

                            SHA256

                            ee53567553ccc2ea919a894866a4e782ef7191cfa3664fab8229f1f6111a97c4

                            SHA512

                            cd043116126c238e2e988b2afe89d99f50d21a6330c10fe287c705cd508be0cf6645412614d9cca9cd0ff68867ffaeca89ba91c4c2bcd4772712fa4c4bbd2951

                          • C:\Windows\{D40ED85B-99DF-418e-8F6E-FD1066F6A1FA}.exe

                            Filesize

                            197KB

                            MD5

                            f6f8d2511aee421c8685fbe3ce24359d

                            SHA1

                            7beb9417f11423f25d4f911ebe769c7efd3958c0

                            SHA256

                            58aaeeb46791d8bdf3688b8ac92fd0a5abed6c38ebe6336a023fedcee9f0ac8c

                            SHA512

                            fa67a703000f6c2dc89da4e9a9442a3e8fefd5e2079934ba15b5e781a71a0166112f5baf9f631592d71a8cdca1b5165e73df80baa495581189685fa18ce2e842

                          • C:\Windows\{D5598CEB-C6DF-433a-937E-4E31CB358AD8}.exe

                            Filesize

                            197KB

                            MD5

                            fe002134e4747e06d5ab3e884154fc39

                            SHA1

                            d560c23c7c45a3e4f9821ae96ebad1f1ce9a352a

                            SHA256

                            0c322116fd015e5c3573d7ee054557b7533dcd91d610f406b4af310eace8e2f0

                            SHA512

                            e3482f5e0557a729222bca5e8b57668267afa28d6e2a596cedbd33e9aea9c2ac187b3111f65ec60629cd8f26e6f1fa66bf06a8d8a5f1b8bc39b9fb56e859c603

                          • C:\Windows\{DA954FBD-7CD3-42e0-B684-26CA2184E798}.exe

                            Filesize

                            197KB

                            MD5

                            b753931bc1fa56bd061b91ec0a4aa2b2

                            SHA1

                            293efa10b26e52f7b3f452e7bf7c8d0f5449d4d8

                            SHA256

                            83fdbee2ead73a48588455a654dc618b237bb5e4f558bf06fe6b5c889cabdc56

                            SHA512

                            239c9a38cc6028555b6cb618394c5c53a0ce6b8900becce022e813017dd7b994da62d46e2b475be2c508ba731e5336581f53ca73b689ff82c45b9bbfc35d4c21

                          • C:\Windows\{E46435EA-2DE1-4bb2-AD2F-DA4570EDCE7A}.exe

                            Filesize

                            197KB

                            MD5

                            80c4a35fa6dd315ee65abe522bfe91ba

                            SHA1

                            01572e552da3a525d4a2a0347929a11bbcbd9ab8

                            SHA256

                            5e80d7bb4ee22a8a704337cbccc979dad30d757b05f2c047079c165ae8db5496

                            SHA512

                            4e1c08ecb69edad66729b4ddee583a52f72e522c238d8a561f4e6ed50039b0d7d2d5fcaf383796e7711c74840971a5d306844fd1de5339d0d3d4ebda54271dc2

                          • C:\Windows\{EA7DF3CB-63E6-47cf-887B-CD0B843E97BF}.exe

                            Filesize

                            197KB

                            MD5

                            80ed4bf39e39a2b91f8c29377637e079

                            SHA1

                            01e4fde850e2cb109ba1a3eb4ae4578041d89f89

                            SHA256

                            fc5b51a90731f9ec76a359cae3b518749332970482cb35d6fd09fd74c86d3777

                            SHA512

                            4bbd5834fde5280e29cc79f032ec0c0157172874cf4427c24f9b6c0b506172641f3ba3a2afc9e85ec0d4c0c2c01d07420d6e6d91cf3349e68e815e78be50c12d

                          • C:\Windows\{F024A393-9B71-4bf1-8E82-79D123AE1293}.exe

                            Filesize

                            197KB

                            MD5

                            079ac69f9705a4ef7f4c5ca220d1800a

                            SHA1

                            3f0530dbc6bcf86e1d517f41153cb0f3bc866bba

                            SHA256

                            478615967619e87c9f6981aa415a573d03376d62fad923c30cd3f59ce9b3d603

                            SHA512

                            a002c6863d534165080042b672e183fedd85c0798d93af7dacd59d7471e3ffb9f91431ab1393c066379f7f2e7e6515599f8527cae15e3f6745f416e30d1d6e78