Analysis

  • max time kernel
    151s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:40

General

  • Target

    2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe

  • Size

    408KB

  • MD5

    3165b9f7012dbb650ea326364bd4808a

  • SHA1

    e861b7427c92db1c83ad62ee631e7bea1bc4aad3

  • SHA256

    81553f1592a6e50fd6facb95710195f8a3d6b4e9e2269bcbec79678d17b0c182

  • SHA512

    d5cfcda780b82859f88541a43a35c1b6f636bbf87ce6d05994cac07077534aeee52604524608b161a849233c4651360baafe88d76111c04237efbb7e4ddab00c

  • SSDEEP

    3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGQldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe
      C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe
        C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe
          C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe
            C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2348
            • C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe
              C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1500
              • C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe
                C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:624
                • C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe
                  C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1220
                  • C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe
                    C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2640
                    • C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe
                      C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1272
                      • C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe
                        C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2032
                        • C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe
                          C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2216
                          • C:\Windows\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe
                            C:\Windows\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3044
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F559B~1.EXE > nul
                            13⤵
                            PID:1008
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8225F~1.EXE > nul
                          12⤵
                          PID:1896
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{452B0~1.EXE > nul
                        11⤵
                        PID:2000
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5A138~1.EXE > nul
                      10⤵
                      PID:3012
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D95E9~1.EXE > nul
                    9⤵
                    PID:1092
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA93~1.EXE > nul
                  8⤵
                  PID:1948
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{05BD4~1.EXE > nul
                7⤵
                PID:1536
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C238F~1.EXE > nul
              6⤵
              PID:924
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7F693~1.EXE > nul
            5⤵
            PID:524
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{CF5AF~1.EXE > nul
          4⤵
          PID:2436
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50585~1.EXE > nul
        3⤵
        PID:2600
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{05BD4040-845D-4213-8D25-50C5888F151B}.exe
    • Filesize
      408KB
    • MD5
      23a8a3d667aa1dec00f491cc9fed4d54
    • SHA1
      0febb1a2713d6268c7af98dea8623cb94ad420ee
    • SHA256
      379f6b8aa819726ded8f0efc283e3c120f90a7456c6600b7cfba865a6c37cdb2
    • SHA512
      58faaa2b7e13345ca296814249ca47bd4d8cffa6ce03fc3a7309880a33a9e017ef9b4585b73107fe4a138c94b883b23099f10c0be49cf41f23f66719b63139c3

  • C:\Windows\{452B0288-016E-4049-8C26-0C5DBC5CCBE9}.exe
    • Filesize
      408KB
    • MD5
      7250e2d39ffe7a7f35d1cd47687ef8bf
    • SHA1
      fffc3f4686a598c42cdb54affb7c68cf1a3b8b09
    • SHA256
      baf34db5cef61dc7c2d25a5e76fd25dbfed2f3d16fdb4a503248fc908875084c
    • SHA512
      3cc792abc7fe009249051da866765991b89cdb74a9e26f2de95d405db10c153aa1a90ca286e7ec44aa8c829b0df585e46b8e263a1c5b3aed736f622cb6ce5134

  • C:\Windows\{50585677-D0E6-4114-86CA-2766851ECBE8}.exe
    • Filesize
      408KB
    • MD5
      d0a6460ba0e4520aa7b99f60e19008b3
    • SHA1
      d43bf08f59662aaa2abef14c31e2d0d07b7a93b6
    • SHA256
      1ebfe46c066599ee000ce1493b424ece21b649778fbe122d6ec5443c0f2a9b0c
    • SHA512
      21ac324a6f0f12bc990a961af41e8dbaa12375cdc530da67614f66bb593f15dba03fb9e35facc4bde44705e688dc9866752c522e9a913a4f8537bf6e4c346526

  • C:\Windows\{58CF4DD8-E7B4-437f-9F7B-C607CFAEDF32}.exe
    • Filesize
      408KB
    • MD5
      131398e6443c3117035ec6c47d62474a
    • SHA1
      d2ae9c726b5751a5614816b48b297e81ef47d5b1
    • SHA256
      d0365f24749190725f9edc83793fd9a54f0dcf4acfb3f6d8af2a92f2d6777ea7
    • SHA512
      18535dbe62d0885ab701f9f39d9b68defe9d71bc8ea5324cdddcc7d86ca24835889f1ad36a005c9d2b9573ccee6211da8a0266b7f006b327919374f9dd599460

  • C:\Windows\{5A138DBA-EBD3-449d-8BFD-B8A759DEF15A}.exe
    • Filesize
      408KB
    • MD5
      dbeb31fcbd98185b6f29529e1b16dbf3
    • SHA1
      5a2ffce4a1858c399c0bf2f2dab46b6fa95188f3
    • SHA256
      adf49f9aee8e7c938b038b56b75f40ae7ab654bc0c064c2550cf931b6f4403dd
    • SHA512
      f97119f34ed5b20ef98f4d562b14551e8898400d0e7551c5cc262700d9c19fb85f966f016582b7fe91e0da00ed08234253a1bc31ac83d965bf6e510f4fed7134

  • C:\Windows\{7F69377D-A230-4f8b-BC36-50663C83845E}.exe
    • Filesize
      408KB
    • MD5
      a4020abd96505f3b0dffbd615e91ea35
    • SHA1
      a1ccd8f4e535ca033d440224ec33516b671e7624
    • SHA256
      703e6407c0deca5d6f82113fd90aaf28c8965cd8ad6fa71e50ca088a517d6a5e
    • SHA512
      5090ccff293fbe2410173b2bb2b644c538b38e69fb08a9a1b8c208390a0d193e1184a6c28d06fdc7e21d3ca04868f60c930fab1e50a859414aaab6ec43d3bb03

  • C:\Windows\{8225FA58-5299-4e72-96C4-A5A397A72C39}.exe
    • Filesize
      408KB
    • MD5
      c740497d7f086dcec681ba3b7b7cf5b2
    • SHA1
      0bc46e55f3c56a15cd916797b39291c5ff28fb26
    • SHA256
      1ac366c0afac3a08a78e77e7b0f74485bf48ea3b7b775c70d8de480a4c74339d
    • SHA512
      d81bd8dbcc34e19f0edcf06c199a59e1a4bc01369881c82e32bfbaa1f5a4a0706ad2ecfc153c72d5f35e8a56de051f84c37fc8dbf6309385f7de777df6ff87dd

  • C:\Windows\{8AA93C51-50A1-4c90-9311-953F4E6ADBF2}.exe
    • Filesize
      408KB
    • MD5
      5994c63cbb90584152e4744a1d59e260
    • SHA1
      f5751ddcc67ee87e00d1c88992e9685dc1a1d01f
    • SHA256
      bf75e180c63986076999d0174a11ef7648272438079775560445885ebf3f2574
    • SHA512
      da32d8a72d88fda795d2f7fe5d4cf54186dd5ca2963171b1209dead171f9b5c641ef46b280481b256409028bee0d477a0f0e0e0b658827228e41a72242c59c0c

  • C:\Windows\{C238F10B-946E-4885-92AC-3E7418C36887}.exe
    • Filesize
      408KB
    • MD5
      6f915ef3b9130be1621a3df1ec94fa4a
    • SHA1
      67b558465ac3b0cd1b37a1243b69c573f9b0bdb9
    • SHA256
      9a7456517b208a9a689dcedeb6f792dad207168ab1735db591b06b9d531e7dae
    • SHA512
      0c4acafb536d391a6b1d421b8562e934e251436beeb0ebacb4a4221252d97217ea6c3b9b6ac5940e55f11acd5f3a57ba4df1897af22ed0eecbc8b169ea05ac98

  • C:\Windows\{CF5AF656-4A08-4ae8-B8A3-2558E7BA602A}.exe
    • Filesize
      408KB
    • MD5
      e39e3163467045f97f592aa00cd4488c
    • SHA1
      21b104121c9c42fe6502c9ad14710725bfc91e65
    • SHA256
      7177d64893a675bfb19323e079676cdf7b454be4216ed74b801832544c6e6c27
    • SHA512
      eca21cda60237fcd552fb5b1ff6aca2ec2b722a9e8339f8fa72680f448443b3e7fb6437140b64541654eafb64f23dfdc901c8d514b118a96358eed4921be761d

  • C:\Windows\{D95E9586-EA22-4cb3-9567-47390ABB001D}.exe
    • Filesize
      408KB
    • MD5
      d01a6ac9ba3fc56d760e767181241f5d
    • SHA1
      f8b946fb6009326d68b83c8ff2da165f5ecdac4c
    • SHA256
      8002f315d532a8976d685cd67154e409422068553f690688b41ced2af4315efe
    • SHA512
      9b12305a1205208f5548fcb90f69c293a0bf429d8c5a9c724401a87730857b021546d9c78431625f16e7821e2cd87ca38931d1a561c850aed2262d239bf00e3e

  • C:\Windows\{F559BA1B-F487-4680-A8A3-8A2B89408B6B}.exe
    • Filesize
      408KB
    • MD5
      923e02862829fca540e83b38bce6f14b
    • SHA1
      aad0bb741539837421c747abb352035f3260b9df
    • SHA256
      b10590ee956c0b18bf04a27f245a81290ad456ce63f6dd27c019db819cba590f
    • SHA512
      51dae9360a8404df356872361f069c20937fd52287ac66534936fa2f8e1c1bcb948027b2d8879796375b721f4b2478019c6cd6e7ef3a5f2e61a022e09b9120cc