Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    02/03/2024, 16:45

General

  • Target

    2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe

  • Size

    197KB

  • MD5

    43198fa1c0eff6a701988f839ed3aea5

  • SHA1

    6e6f835d17aae182ac0e3e06d0177ec0193fc4d4

  • SHA256

    818b27ecafd62407479133bef34779c7f3c126e11351b413201ced809f20f8d8

  • SHA512

    e1b4c4473010928aafb3f8082e5259e218ad66b1178a528a15ef1c9e1fadf0a9e4805b44ee02a46347954fdae3f36f2519ef3c4de41e66d8d2f4d079d455803b

  • SSDEEP

    3072:jEGh0oal+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGslEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
      C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
        C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
          C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
            C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2664
            • C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
              C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:524
              • C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
                C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1652
                • C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe
                  C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:848
                  • C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
                    C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1100
                    • C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe
                      C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1832
                      • C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe
                        C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2288
                        • C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe
                          C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1724
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2E641~1.EXE > nul
                          12⤵
                            PID:1700
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{56E9F~1.EXE > nul
                          11⤵
                            PID:2284
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CFC6E~1.EXE > nul
                          10⤵
                            PID:1020
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{597C7~1.EXE > nul
                          9⤵
                            PID:2644
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3C120~1.EXE > nul
                          8⤵
                            PID:1976
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E9ACF~1.EXE > nul
                          7⤵
                            PID:2164
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EA995~1.EXE > nul
                          6⤵
                            PID:268
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B9621~1.EXE > nul
                          5⤵
                            PID:2600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DA269~1.EXE > nul
                          4⤵
                            PID:2980
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E78D6~1.EXE > nul
                          3⤵
                            PID:2532
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2676

Network

MITRE ATT&CK Enterprise v15

Downloads

                            • C:\Windows\{2E641844-7EC2-42a5-80C9-475335E5E7C4}.exe

                              Filesize

                              197KB

                              MD5

                              f993395b3f6da2a276d12e182a725929

                              SHA1

                              10e9ab5071f13928ecdc427380f4a966a4bd00bb

                              SHA256

                              d706667e5473358f7731b83c4c673a37717c7090e58cf379664fb581ebffedc6

                              SHA512

                              eea0ef975538c6cfefc542455d24f3c69b1c96350570b969693d11c3847f09bc1fcec9f8e5c24078c8d01971527937c9d6dce64a47b51b03b6f736b01494c2ed

                            • C:\Windows\{3C120091-6DF4-4fb4-BBB3-4F997E040ADC}.exe

                              Filesize

                              197KB

                              MD5

                              9ff40a19f749adeaa0869b382f22b9d2

                              SHA1

                              a28a07fa272e5a5122ddb66d39eed578a6765ffb

                              SHA256

                              c5b58708eafc12e6ab53032829f305367894d69ce635d76eb279f30ef41e1f5f

                              SHA512

                              12dd512d956f174ffe61ce10c77abffba51186470702d66976023b8b707852b163028f6b6dd9309029e4167cc2a5aebc0c3fff7afbd82bda423db62563d4ef68

                            • C:\Windows\{56E9F424-F572-41d6-A41B-302837EABF97}.exe

                              Filesize

                              197KB

                              MD5

                              ae08bfeae7d4432f95830bceb7b46f04

                              SHA1

                              d5543728bbb8802350b4e5f09a8a9f42a50d6d46

                              SHA256

                              4fe120ecd98afb6766f318b0b84d891e50e2a724f08b45561b6eaa4431fa35b0

                              SHA512

                              2fca97612c45e0c5da7af946cf561620007c3796d929bc278f9528d433b903e57d4a8f8c42d837b5402451fee3b3a64772d57cb726129689c2e271d278e37298

                            • C:\Windows\{597C775A-3953-4c21-B557-DAD3D246475E}.exe

                              Filesize

                              197KB

                              MD5

                              fe8a3f275834f30c70169b2d7349caad

                              SHA1

                              a109aecb01f7bbfcef8544753a494b1e0dbf2a3e

                              SHA256

                              de5a1df0423384976f6d811ab51a3158df5f71e65de77458a19d02ef6c19e394

                              SHA512

                              9079b98ae23ef15213b14cd14b0a134a76d10d6411024ca48c788e9dbe94016976a7f052a20e34c14f9890c3b33ac430fdbdb8cdfe698819e043c6ae4ccfcda3

                            • C:\Windows\{B9621C1B-3D96-49a8-B130-2D6397F503EE}.exe

                              Filesize

                              197KB

                              MD5

                              582820ac45214e67b85b03cc72b1515b

                              SHA1

                              28572f7cb3b9501a1318627a811bcd99ff8c24bb

                              SHA256

                              1b101072b7239803e5ce07428a156bd60b8ea1434e08207fd3e4536d8ad1c371

                              SHA512

                              e738fc39df7cf2a983682e03a066e01ef219e02cb4a6b0631c27e22171fd94651dc33e5b9ea3bdbbec2d170cd0101bbeca8a9bff44eee3e6b096132730f71aae

                            • C:\Windows\{CFC6E6B0-F2FC-4592-8563-97854B726809}.exe

                              Filesize

                              197KB

                              MD5

                              b98d232b25a8d58bf4c0474aad6ea9a0

                              SHA1

                              b75826c242f09288d333046b16b99297784c5191

                              SHA256

                              c5b93ce35edd7e881e3d4879cd208e96293c9ec6ea7b1e5f8716af7df342a0a1

                              SHA512

                              cc47769e14f80328a37fbcff6c5b76645c8e068b2ea969f68e4f398f624227fad031d617cd93032990057aa823638ccf50c0476ff6c889e273fa52fe0e2d38bf

                            • C:\Windows\{DA26966D-DE35-45da-B031-0C11CABC4C5F}.exe

                              Filesize

                              197KB

                              MD5

                              3eae0282abd018b2239c8c3e6449f4ce

                              SHA1

                              e38c6e196dd5819e0207abc64348741625090141

                              SHA256

                              163f6d475075cb930bf9b99bebcf0cc3bcaecd0fc5ead30dc09670945e0a3a49

                              SHA512

                              5ed537a35e45e5c6ab8b0091bb3a503c95ac5114fa6f07c22ea3b30507a6bdb65cb51b9c5bbcea686cf9f9d5f6e0a852b98bd12cb7487fa0bca27b848c2d8aa4

                            • C:\Windows\{DCFC316A-A67F-406e-BFFA-ABB34B1B164C}.exe

                              Filesize

                              197KB

                              MD5

                              d582459d75c8b00df3d9c0d1bfa39e44

                              SHA1

                              8c26f2969372212aacf92ab9159a50947cda8666

                              SHA256

                              c38b529a398651c99b561e5a106aef72e5473339751a5f72e1ae6ad362eb2d56

                              SHA512

                              f7990ed248c0ee694dfca2154c8db8e4df99f8aa1b2c9d6b72f3fba0a9b991c3bb843f2a076146da38f5d0c4431963a5b25c586a64a1692fc153ebe90f500bcf

                            • C:\Windows\{E78D6739-C881-4b15-B6B0-E31883FD204A}.exe

                              Filesize

                              197KB

                              MD5

                              1af8d243e85a1166fda3e18c475edbfe

                              SHA1

                              3eb3c2f47b5ab5339b324fe07bece1c6f87351bc

                              SHA256

                              1c69f1665f599ea7c84f5d3dfae7187d2a99b6be65e2443471548a72a747be31

                              SHA512

                              eadade69cfc62f2d7f979e39d51948f21256d92e39faba9b01ec00da40c95f55d86c6ec428d085358dec200a56f980ea4e636c28cd23d871b0a8611d58f78dfa

                            • C:\Windows\{E9ACF67B-1EB9-48f6-BD36-E14240E43D14}.exe

                              Filesize

                              197KB

                              MD5

                              f85ddaadabfcc79a6d51bdc5236e71d0

                              SHA1

                              8583d679b82b87161f3df2a907ab2998ecb2efd8

                              SHA256

                              1510edcff34d80fd3dc6ff45069fd825af3067ed9e463d1204d6e917ff375dbb

                              SHA512

                              d846b9e009efee7c3e555721572fb5d3623c974022a77ee1b78553cee202e6a4d5c04c990659ce362e8910fed9fc70243133773a140771e7a7f5b99bafd09014

                            • C:\Windows\{EA99551C-A1C3-41f2-971B-F825FA05A78E}.exe

                              Filesize

                              197KB

                              MD5

                              0125484002fd1cc31d79d1074092e92f

                              SHA1

                              ff9ba070583e9132d2116ac41f742e230db077ff

                              SHA256

                              178d4a984edf6bd5e87499b22863b2c11d4569783248746a3f4609f5367f62cd

                              SHA512

                              77bb2061a809879e8f8801fa08b83cbb0e275f294cf06ad5923f509330c421cbbb4f904790c2d02912bd294cc78d35aea9f43855383edc06928c005a711dcc7d