Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:25

General

  • Target

    2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe

  • Size

    408KB

  • MD5

    011e13009db147c44f349d7df4be4eb4

  • SHA1

    f84399f6e29ddcbefc34d19c70a78b7fe4dd4dfa

  • SHA256

    e9bac8a8f3efbe8ea9484670da653e7f009ce10481497f61747df5db2c40db4a

  • SHA512

    8863b3d7391d1ef1550da7dcf666542cc4e239fd0d0bc623933658ea43f622ad706b87a3bffead1c7fb083870a260823c985e1c62f0e6a7117658054e8f2f679

  • SSDEEP

    3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGyldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe
      C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
        C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
          C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1992
          • C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
            C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:684
            • C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
              C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2860
              • C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe
                C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:840
                • C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
                  C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:872
                  • C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
                    C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2788
                    • C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
                      C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1240
                      • C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe
                        C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1464
                        • C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe
                          C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2112
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C20C4~1.EXE > nul
                          12⤵
                          PID:824
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B781B~1.EXE > nul
                        11⤵
                        PID:2628
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{FACE4~1.EXE > nul
                      10⤵
                      PID:1824
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9FA3E~1.EXE > nul
                    9⤵
                    PID:2800
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5968B~1.EXE > nul
                  8⤵
                  PID:2640
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{AFB23~1.EXE > nul
                7⤵
                PID:1620
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E2B1A~1.EXE > nul
              6⤵
              PID:2096
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF0D~1.EXE > nul
            5⤵
            PID:2812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E80E0~1.EXE > nul
          4⤵
          PID:2092
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D783~1.EXE > nul
        3⤵
        PID:2552
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2272

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{5968B87B-5080-44c2-888C-687D0CAA5029}.exe

    Filesize
    408KB

    MD5
    a5411af724a5e4be182f3149716ff5c5

    SHA1
    f24612c1eb97f1f0543c16ff4e48e53649a7c52e

    SHA256
    aeedeb19e293ee0f7c3ae62bc33950b47738de939590cd8f434090fc3f5104c9

    SHA512
    5c4fcd1eeee7cc6bfe04c3adfe69a0707f2a7376bec73ce766414a2a0176a39a3dc0acc96ac3ab53462f567b603219063abf457028a643bfdad152af965ae9a5

  • C:\Windows\{96605775-AC2A-4368-BB05-B38F1B6E9308}.exe

    Filesize
    408KB

    MD5
    24b2a49d3a4e8315791b85d5916a0a16

    SHA1
    b1630e2fe86002eb07952fce33add4334d1c8359

    SHA256
    e21798e1eca4a0df775ae5e68a9290ba6c45a63f62f3d547b84bd8a9b2a50638

    SHA512
    de87bc496a6f4596c70a1b2be686a29ded4a11582cc9acb166e4ea34189c98eabb87c68f599c4c1fa3b3f65058a43807d6b8f9b414701aa34669b2b26761b5fc

  • C:\Windows\{9BF0DFFD-E172-4fc7-8D02-1BD8DABFDAED}.exe

    Filesize
    408KB

    MD5
    d32fd6dbc830e6e551d8e65545e725fb

    SHA1
    a740bae30157a11d94da31870d099083cdeddd2e

    SHA256
    ff222733f14727a891d7547df8181af53e9c1b9a4af2419a8f869c46df7cb4d9

    SHA512
    fbacdfc30573276f24247a2d90e6c83e6c883f551e3a073d01eb5e0f82f763de0b26a995e8c86f1b428574438e24c1f45d2d7ee69acac749803bafbcb0d6683e

  • C:\Windows\{9D783760-B970-436c-83E5-2508D1D9E36B}.exe

    Filesize
    408KB

    MD5
    63393dc5f2d8462fed30e99a982145b9

    SHA1
    1ea90a41924e78400f9a812baf11c962d23abcad

    SHA256
    09018fcce6c99670d23f2dab37e7df97df099d1798194a748682ea21c95a8483

    SHA512
    1eb2bd904dd1666760a1402f5a999899981050cdc1be7ed38d75e6dabb803902a7d473f3cfb4a4d2d66b7c2ad8d17af355be4e7a9aa09be69d55ab26e737d836

  • C:\Windows\{9FA3E7ED-8B6F-41e0-BCBD-FC4C2DFD3058}.exe

    Filesize
    408KB

    MD5
    e4ad3f270657b214c7d89032e9f9852c

    SHA1
    049de04d0257b8fda57ed1ea2cf6de4032f7a6bb

    SHA256
    b9963407feb3f39fc92c26f05f866e6e12816ddedd3a214941a86ef96e0a24c6

    SHA512
    703cf6e511ea15cf7fafe8b194d08c9521b2217329fdd6ad436a39a7bb46279a4b7e0808aff270621956edf299b3ab602775f01a2d4f79809a1e6df26aa8fcec

  • C:\Windows\{AFB2356A-26CC-4208-8714-61B9D164F7E1}.exe

    Filesize
    408KB

    MD5
    c3fb4cc8cdcadd622ab6e94d2aebb776

    SHA1
    d4a240951216d46fa281b8c72ea91e4cbc2fb7a6

    SHA256
    3096852ed8cfd3cea8b076e534cc19c7297b81f8ee99d97d773e325c207f75ed

    SHA512
    502d8ead7a1212e4f51c168fd2fc61fee4b564a22fe538c3657fb8e955a6df8752fd2a4941bbfb0671df86eeaedf538015dd978f4a04a751fcd504ba3f979820

  • C:\Windows\{B781B76F-D67F-47e3-BF92-9EAEBD5ECB72}.exe

    Filesize
    408KB

    MD5
    4beca00462435f975d09579144fde3d5

    SHA1
    0bd96603aeb6448c5b07804d0edc59ac88adb9af

    SHA256
    ff6663be3a55473abcbe7e44a5f38fa8c9fa40be9538da4c8589580538df4e7f

    SHA512
    fdf8a68949a422aaaf0cb220ee956dc4eec8343a2fa0331b39e0d9b2e7d9c512bc548c67dff1ad1046202ee0edefa3ce1053f350418aa8aec99bf4de1314ba53

  • C:\Windows\{C20C4325-2996-4700-AEC3-821F53CEE382}.exe

    Filesize
    408KB

    MD5
    754d24c398a62e079e27eac9ee566eef

    SHA1
    06aebdea23c9b616cbbb86a0f11b83f100627867

    SHA256
    1610bc5cc5bb8b418e2a5542757cd870dce47c1e510d99ca69d9bd8654c8dadb

    SHA512
    38b0faf1d80f30e095b843ffde89b87f80b18f8fdbd17b51e84587f6c06f0d075495bf1aa8a0965252a17001fed78ada1921cf77c65ecf52d177b9cbbf8e11ad

  • C:\Windows\{E2B1ADC7-53A7-4efd-9486-B86EE677C27B}.exe

    Filesize
    408KB

    MD5
    8ac47d31ea4ff4fbf83d61e6880cdde0

    SHA1
    5b3640a7ee8b2dcda35de24cfc9c6b740abd5352

    SHA256
    be9262ec02966d881aa897a907fba6adc58a79a2bea5607cc7bc41dc6c3a3d4c

    SHA512
    1326fe53ecf98b8bba721906e9a80373e63ff23cececabd2b2dc0cc0b36093a8df645096f99e0f2d89007a99817ce97d93ff420d838bcb80e108ce0983a44825

  • C:\Windows\{E80E0958-075A-499c-89F5-6315C24AE0AF}.exe

    Filesize
    408KB

    MD5
    b795287c559170a3c78b914a78446eb8

    SHA1
    ba94c6b5a62083f661de4f9380d92cb7b2efc42a

    SHA256
    5ebbb616b06d61d3a53fe3a8af49322319a28967c9fd23a590dea006497c87cf

    SHA512
    e573355a58f4537eb7e54a09edf29d469ffe16093bc9f47b91d3a7e627d7c524f4e16ee35fc301033c4c35bb0f08eb6e4b775fa819ed3f178ac901dc7072a48c

  • C:\Windows\{FACE45D8-5F84-4db7-AD74-E32551C13331}.exe

    Filesize
    408KB

    MD5
    49f60d68550465e426559cb2c5393c65

    SHA1
    09fd34158dabfd6b1955c452184577a642f467e9

    SHA256
    d637e59a73b98735644a614b2d3033088c9d48760c97e6dd706af35b7b2ea57b

    SHA512
    8bcdeb055a37e1ebfabb1bdcc4422c7dc147d4d3d4d965f1412b29dda8e07ae974c37c47e2d0b8f77a31672e288f55086c0137b0fcf89520afe649f3ca8dca38