Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:45

General

  • Target

    2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe

  • Size

    192KB

  • MD5

    41a3bfd84351468cb374b10e6bc69476

  • SHA1

    251255420d7c9a4f63a904db85c1df31f5464c11

  • SHA256

    a263cf6a0dcd6ead2d64b8d0e8bbb36e23ab47bd532c14a5a9eb948521f26e2e

  • SHA512

    d9da1e919e6c09cee37c34ad6c19232790d46651bc9b92f79514718dd7eee04c7ab2f945ebdb20b4fdeb0da13575addc8d942ed9c18fa9bae017227e93823d5b

  • SSDEEP

    1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oxl1OPOe2MUVg3Ve+rXfMUa

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (11 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
      C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
        C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe
          C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
            C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
              C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2412
              • C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
                C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:828
                • C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
                  C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1340
                  • C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
                    C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1656
                    • C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
                      C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:660
                      • C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
                        C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2472
                        • C:\Windows\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe
                          C:\Windows\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2708
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CBC65~1.EXE > nul
                          12⤵
                            PID:2056
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{328C2~1.EXE > nul
                          11⤵
                            PID:2740
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E91E1~1.EXE > nul
                          10⤵
                            PID:684
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E83EE~1.EXE > nul
                          9⤵
                            PID:1708
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{810C7~1.EXE > nul
                          8⤵
                            PID:1876
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8F7AE~1.EXE > nul
                          7⤵
                            PID:1888
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C6356~1.EXE > nul
                          6⤵
                            PID:2504
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{78179~1.EXE > nul
                          5⤵
                            PID:2520
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{09FC1~1.EXE > nul
                          4⤵
                            PID:2028
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E60~1.EXE > nul
                          3⤵
                            PID:2488
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{09FC1AD1-7E6F-40c1-95A9-48D83D55408D}.exe
    Filesize: 192KB
    MD5: c24450c3cbe3dcdff588f34388295f42
    SHA1: 5614c01e2fab10f52b0a79654c33f595468234a2
    SHA256: f72c415acac63a4463108008560a171d231def02994ceb37f0d535320416ee90
    SHA512: 5795634cea623c68567076c6c25b4d69ce0608bda18e2dda9f656d923f12b5b4b0981c82bbde0765d2739353d151c0e123b7696e5b8e3079d0f02d4acca41dcb

  • C:\Windows\{328C2C9F-5671-4a8a-9DBE-6911D6D84A49}.exe
    Filesize: 192KB
    MD5: 7e12a616238cb8367b5e35a1dcfa90c7
    SHA1: 369421451944bd67f3eec5f8a67bba1c7614cc30
    SHA256: 4b53bf0c1f73dc6628cbe3dc09a48d6572b15fc5972718861961461846ab93ce
    SHA512: 9ca46155913eecf3d39099934f6fe8c331b7e1bed6d31b748a7369fb9b9f8c7b94882571bd56ddbc889039a874be083ff32cfdd3c5e505aac89bfd3b8158e878

  • C:\Windows\{499AEFA4-EE94-42fd-B8C8-D0892D6F3037}.exe
    Filesize: 192KB
    MD5: 6fc6b7f217a919982e5a37099e28aeb7
    SHA1: bac97f57bfa1bf19b1c2fed4e469a4255db53624
    SHA256: 74610157bfc034535da76f72140bbe7df255a2dbf03395f129cfaad3990e3a99
    SHA512: 5c88828e49b1fcf191af056168b27a6193ddb39cc0042964843c87c18b78141acc71e8daa676a8e413b932f71d9213abbcad5297b40cfe91900ffb788eab1975

  • C:\Windows\{78179858-76B0-4561-B5D9-EE443E5194FC}.exe
    Filesize: 192KB
    MD5: 9fb341ddcbf48db9e37f5d63c2084705
    SHA1: 9f4e7485c81d41ddcc31548f98d9267e538d21dc
    SHA256: 6a41faca498c812cd0831ccd7e378257de28ac5d5cb25e9e86e769bfd28353ce
    SHA512: 9d8861a88d8e757cfa68681d06c28386c17997d18fc1707ab48f9ad9506561e313da38d31a5cfc290a4348bac494cfc5d5aed83b027f2aef2687bb52dd8f1a49

  • C:\Windows\{810C727B-A546-4c18-A4B5-EC623A04E23B}.exe
    Filesize: 192KB
    MD5: 09d4c2912afea1e0a3dcfdae9cd7b868
    SHA1: 1bcb2ad4992c6c3075b03082c50a70a46b3db7de
    SHA256: a59861623c732b41d00c8e8b54487c9e039640a805bf26c63ffc9a640916804b
    SHA512: 143ac9b238efb498d81e316b6218ce46cb92828b10139ff09bfc35e868f41d970c67e9ddfb026d802c9bb08afce6eda7a7d9b336990903811c47063a0dbf12f3

  • C:\Windows\{8F7AEBFE-8AC9-4985-B3FE-52247AF428C8}.exe
    Filesize: 192KB
    MD5: 5b90109b4ab119b9a6b25816f3bdc064
    SHA1: 5502751862aa4166fe7dfef1b286950e322a9233
    SHA256: 5d2c0927c15835ae346e3eb7731a898101853fad40cce77014d2c5c2b76677b1
    SHA512: 9921de11a102f0f555b348426a5622716650aa63ff5b97a06247e60d4bd3d3c501cd2b1f5460dadf48c0fc6e4e6f188182413e94d82a7d800ce349eb60446733

  • C:\Windows\{C635633D-5B06-4ee1-B0A3-A28290F5A9E8}.exe
    Filesize: 192KB
    MD5: f2c35d9944e0643dc0b588fa3a3380e6
    SHA1: b66fb0f757c1ec58908a8c6049c000adfccb517b
    SHA256: fb6dbdf50b91af1a8079cbcdb44af16dea0aa581eee4752c3c771ebe31f3d269
    SHA512: 3690ee889d5d08f92753e1a0b746389141603b371b022fb493b0de44dfbf70fbf88d335cdfd4b387771ddbb561141ee4a424dd0c13d75b2895a5d4178ed63fdb

  • C:\Windows\{C7E60B55-F5C5-4862-85FA-6DF4DA912E93}.exe
    Filesize: 192KB
    MD5: 40685e5a3a90c2911e4a99c7f638caec
    SHA1: 34474e02f0657ef7e29f59160ff08ecc1a2f0e9b
    SHA256: 1178f9eb98acdb79ac1f95c47a59593337d1a21f1c24fbeb30009df96fcd9a29
    SHA512: e7256555c902e4bd0627ab091c2c200c45314351fd90b7124d9a0788a934c8d4c7d08601d186023564eb2b4aee58d1a3d766e98fba3a77e7d553dd457c83833b

  • C:\Windows\{CBC65423-244C-4824-BE8D-F58C174D51E2}.exe
    Filesize: 192KB
    MD5: faeda5aa22db9084a7c12512c4669596
    SHA1: 3d63b84feedb1e22693c11ca2ff1de1435d21d11
    SHA256: 6ec3f8bf128b36e40e018ee4e908a3b650b7299446af6d30664e34d078fe8814
    SHA512: 7a2f83fc5b9a3d0177c9ca3347d7034fa93cfb4983186130772d4656096754321d8b95566812976fff3f082050e1be0fa3b3edee98e481f4d88778f777c67b40

  • C:\Windows\{E83EEBD5-18E6-4c2c-BF8C-FAB902CF01D2}.exe
    Filesize: 192KB
    MD5: 290f954bcf0f9b0167146ce3171b829f
    SHA1: 73574d377d512a6dd99228bf9449cb2605670429
    SHA256: 64600a71c67e74025063dd732e157e80bfec2c15ee141d70251cf2b248cd02ec
    SHA512: 6643c6c994060199b97b9f95c03059fcbf19c9984e9a492bcc86de1b90b2b9b29df74797516d22b49a797d3dfbaae64f52a9a305e9d20c7610366e53d2457631

  • C:\Windows\{E91E18E1-095A-467c-9F8A-046DB187A3D0}.exe
    Filesize: 192KB
    MD5: a9c7c1bcdfc14394fe703ba14883d28a
    SHA1: adeba02744da21681be854b68b6d1618dd43c2f6
    SHA256: 7874c96707f7c87f633ec0529c73b3fcce37dc1485bb345e7a79effe8be1b0fa
    SHA512: e08cb170f3754ae4824b6f4cf623e6161616a6961f17109a28083a3a9d9c52ca49df98dea4573ccd76a3ee52eb432bf5c7a284f1298dfe3c252d0426d03fe79d