Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240220-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    02/03/2024, 16:37

General

  • Target

    2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe

  • Size

    168KB

  • MD5

    2680d6392f72a0c5db4e1d4eb20e3fb2

  • SHA1

    e0e6554478c119d14cd2ada53a16b71982b2d8ec

  • SHA256

    02229c757c01b07239d030159c39b38281b72687a8d3406f01043e42db7128b9

  • SHA512

    c4a0b8a112b714bfc60d373b8473bb5b96e1085fadb8ccce972f341354637aaf144d52111dffbaf5f0c277f9439c1875967420f1444e6148ab21ac61472a536e

  • SSDEEP

    1536:1EGh0o6lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o6lqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_2680d6392f72a0c5db4e1d4eb20e3fb2_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe
      C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
        C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
          C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
            C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe
              C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2824
              • C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
                C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2784
                • C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
                  C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1628
                  • C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
                    C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2616
                    • C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe
                      C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1904
                      • C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe
                        C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2876
                        • C:\Windows\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe
                          C:\Windows\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:576
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F6B16~1.EXE > nul
                          12⤵
                          PID:1104
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8117~1.EXE > nul
                        11⤵
                        PID:2108
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{ACA9D~1.EXE > nul
                      10⤵
                      PID:1248
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{FE95C~1.EXE > nul
                    9⤵
                    PID:2256
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{87879~1.EXE > nul
                  8⤵
                  PID:2492
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{07979~1.EXE > nul
                7⤵
                PID:1940
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{34794~1.EXE > nul
              6⤵
              PID:3040
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{93F81~1.EXE > nul
            5⤵
            PID:2960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A0DD7~1.EXE > nul
          4⤵
          PID:2460
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1108~1.EXE > nul
        3⤵
        PID:2624
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{07979479-C257-4cbe-9B30-235C54347859}.exe
    Filesize
    168KB
    MD5
    6f2c20e3b0a402c56ef0c761ca471503
    SHA1
    61a5f5031c233e5dd0538d88b6098168207fe27e
    SHA256
    3834d237bd69ca2568740a4eca0977d72c84843c5f6292f25494649ee41ba411
    SHA512
    ea27126a868506ea787269f8c513f0aefa8ce53970bb35c8a3e1f1f5bc5327bf5893db52c7561345a759f212832e3daa20100be8c5f66a78c32fddcdfbf1bb38

  • C:\Windows\{2A39C267-FC2B-4054-8343-584CC181B7A8}.exe
    Filesize
    168KB
    MD5
    f8caae330947a6bffbd32f7c40d8de22
    SHA1
    18067c6341c34bba89845e439d5b2b4791d90b32
    SHA256
    9338e17b77a9e1d30ae2a19cf2d470d996bdf9b8fa15dbca7a48e9ffe6980277
    SHA512
    3ba168257f382ef4094e11cd50bc9c0b091fcbaae2721a60badec249db8fdd53bb4d5c329dc8aa719a1ed9b521c9aaa98001b8977ddb846f4c276f3bcfae3086

  • C:\Windows\{34794B5F-6ADF-41ba-991B-BD29A125913E}.exe
    Filesize
    168KB
    MD5
    b9c783bd79f264b1284ee69e4e7b183e
    SHA1
    e54ba80e8a8fce94b1b37a299a6b408768dced68
    SHA256
    e6472563a8bee4ced468bf5a97a3b5b436d24005c0f90a01e711dac49093ef78
    SHA512
    2d546cff0d569dcb22eee484660a2397fbc762d02c4af53c5232b63e31fa3965bfc13a9e85d217d16638e569292e3377eec1e3d65b8f9252d2a0369339856edd

  • C:\Windows\{878795C7-C9ED-4655-B3A7-B2EFC13E9D70}.exe
    Filesize
    168KB
    MD5
    2b6b909821942d68a586460dfa1a06ef
    SHA1
    2f67467a3794d1de47e0364d2d9a63acb60ec7e4
    SHA256
    e39e91d0c45cd109f66f913f54d5d0246fa8ed69abcb3dca929a7f7489a4bdf7
    SHA512
    1b84e89445c7b945d32a369a008cfc7ba693821e8522abaa273a47677656618a00f46cd6728649cf1f8b231e3b2351b444567081f1202e4b57de825e9ac1abdc

  • C:\Windows\{93F810EF-4D2A-4724-BDAE-45589F53D6D4}.exe
    Filesize
    168KB
    MD5
    6d1e6f9b0d112d0b4026b93387080304
    SHA1
    b3d1fa8428f1fddaa76ee2f801dff69619d6bce1
    SHA256
    6bc2cb4cba952c47dd33f511f61177aabb49cf565b4d2b4ee6dd714c5bb644dd
    SHA512
    5495e4e7108601b583b61ab0a54e908fef54f386a88892b5a29e6a964e3f09ea5b1719c0a0be2616597c3e6e1435c2a0e4ae7c5fd4f834d01f72ece7d95e8b7f

  • C:\Windows\{A0DD74C5-72BF-495e-9739-FD9FBE692788}.exe
    Filesize
    168KB
    MD5
    17fa96149d2fffbe71bbe306482417ec
    SHA1
    b93f81ce37200debcd52ee1b21b3138b3eeda8fc
    SHA256
    8f9c18fabb72006c45134c814717896803b828d823c5301ed38a6fd19a22d309
    SHA512
    1f4a9bba23dc821ef5376fb7e1bdab5e1b51e9d065391e9f4053b4399b3bd4b05a2665182a276ae0620ad676755ede3b9331301368eb0c31e2336c62d91b2fdc

  • C:\Windows\{ACA9DC7D-35C0-44c0-B3D4-5CD400DC38EC}.exe
    Filesize
    168KB
    MD5
    1dd005d27374ab7866934557b258edec
    SHA1
    f4f1b6e5d807c001cb21eb06937ceae595a8c3dc
    SHA256
    9b13f709ba4e9b33a7a927680c668c52448fb1b2e4391d464031fe352a80ce36
    SHA512
    849a241fd56fb9c96008f2661ce0921bad29ea1dcdba1d9e171e934953d3e29dc90a347e57782db13e330c11826cf1060181a6ddb063c7ea0a5ebde5b9300588

  • C:\Windows\{B11088D9-15BA-4c5f-9020-580D11D28345}.exe
    Filesize
    168KB
    MD5
    243b6ece830e64446c5bf1a1b833375b
    SHA1
    a55c44dcf55875b18c8b50eb60d6653678ca3814
    SHA256
    e8972d906dcfc2fd0c0f1e8d3be138b161c4fd11a76f60ef026e59eeb3816b3b
    SHA512
    5cc767fbb24bb2c3d0cf06f69bb6093824dda0d1b893997e984f4c36d930f0a66a63bc6cf2a223bb4365ff00d0a4f121b69138881b02a884592ff7bf2a7717ee

  • C:\Windows\{D81173C5-D70A-4f74-8469-08D7C1B33BD6}.exe
    Filesize
    168KB
    MD5
    410d0bda6c6cdb26d71fb4c402cbb9cd
    SHA1
    92c3240ac607ab713f557b6bb095e8059db08e61
    SHA256
    8c8a62ce64affd4bce5edeb2b094d4ba5d0c0976037dce9915989748d065509f
    SHA512
    33d1258ba7c8d169d41ab5be9bfa64406d4c782e7f4b7053311f5794c683728759f6eeebc67ad1cfe59d942cb1a5160a620a305f8741e1f53f8bdd68ec13a64d

  • C:\Windows\{F6B16D40-80FF-4d0a-BAC6-B961264ED1BC}.exe
    Filesize
    168KB
    MD5
    93a690030a9578e17a4de8edee6cd383
    SHA1
    2f0fa931cc184b35377036c8bfc8f9f0871b8d76
    SHA256
    2f7206911447ef3d3cd92b112da991f36fbad26cf62329b92ad0d6c5c0466a1d
    SHA512
    3844f3a1137d12be6ab068ecc414292e3fd6604f56e85f68e3c6d5f789edb1cfb4707d589d03e049d20e0b6394437ee99c0f0e1ac301f13e729120feb91ea495

  • C:\Windows\{FE95C3CA-288F-489d-A3DD-D8B8997B65DF}.exe
    Filesize
    168KB
    MD5
    df56c7201eb6f98f49e61767f1b6f440
    SHA1
    3221bd87c2cc0013508ea9805c39ec054268b2c0
    SHA256
    ee1abe13ebf33f46ddf363c8ed7d8757f8ee2adb51aaf122553a76f64283389d
    SHA512
    191c6b22c05eb13b6b99b5691a1c5652ca8eb80760f3f8118afcc1c8aa5baeb9731819c9c497a4ae3fb65aa718cb09dccbb7011f8bfdf3a27cba83fbf9b3704c