Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    02/03/2024, 16:25

General

  • Target

    2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe

  • Size

    344KB

  • MD5

    02df46e8c5329e63f5ec9bf636f35022

  • SHA1

    39c38efbaf16218991bc24267b70355f90731b9a

  • SHA256

    81a487f5327b4005b040996fbcdc64b9d9e70023f47d3bfcf57f93d762a55a47

  • SHA512

    6e1211682b49f5de51952eb5f0545b80a33210e32b0ad1dd09f88d2ad0c3d45d88fe9b5e287a09dedc9cf1e33f96a9c89e1d90f96344e83415b9e76e4ce45cb2

  • SSDEEP

    3072:mEGh0oDlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGZlqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\{BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe
      C:\Windows\{BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\{FA15A97A-1836-453e-9D75-FF0425E25087}.exe
        C:\Windows\{FA15A97A-1836-453e-9D75-FF0425E25087}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\{A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe
          C:\Windows\{A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\{E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe
            C:\Windows\{E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2480
            • C:\Windows\{69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe
              C:\Windows\{69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2988
              • C:\Windows\{B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe
                C:\Windows\{B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2424
                • C:\Windows\{A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe
                  C:\Windows\{A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2712
                  • C:\Windows\{FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe
                    C:\Windows\{FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2832
                    • C:\Windows\{FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe
                      C:\Windows\{FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2248
                      • C:\Windows\{F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe
                        C:\Windows\{F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2420
                        • C:\Windows\{F570F08C-9E71-4362-BCC1-A5B9761F6285}.exe
                          C:\Windows\{F570F08C-9E71-4362-BCC1-A5B9761F6285}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2864
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F8EB0~1.EXE > nul
                          12⤵
                          PID:1636
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FACC1~1.EXE > nul
                        11⤵
                        PID:1820
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{FFF02~1.EXE > nul
                      10⤵
                      PID:1276
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A3DB7~1.EXE > nul
                    9⤵
                    PID:1336
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{B027F~1.EXE > nul
                  8⤵
                  PID:2700
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{69A2C~1.EXE > nul
                7⤵
                PID:1556
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E7D81~1.EXE > nul
              6⤵
              PID:2984
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A15A0~1.EXE > nul
            5⤵
            PID:2316
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{FA15A~1.EXE > nul
          4⤵
          PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEDB4~1.EXE > nul
        3⤵
        PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2044
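The tree above shows the same three steps at every depth: the running stage writes a GUID-named copy of itself directly under C:\Windows, executes it, and then spawns cmd.exe /c del against its own image using the 8.3 short path (C:\Windows\{F8EB0~1.EXE for {F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe), redirecting output to nul. Eleven stages and eleven deletions line up with the "Executes dropped EXE 11 IoCs" and "Deletes itself" signatures. The following detection logic is an added example and is not part of the sandbox report or the sandbox vendor's tooling. Its process records are rebuilt from the PIDs, image paths and command lines in the tree; the parent PIDs are inferred from the depth markers, since the report prints depth rather than parent PIDs, and the parent of PID 2104 is unknown, so its ppid is a placeholder. One benign cmd.exe /c del under explorer.exe is constructed as a negative case.

```python
import re
from dataclasses import dataclass

WINDIR = r"C:\Windows"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Executable named like a GUID and placed directly under %WINDIR%.
GUID_EXE_IN_WINDIR = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# "cmd.exe /c del <path> > nul", the self-erase shape in the tree above.
# \S+ assumes the deleted path has no spaces, which holds for every path in the report.
SELF_DELETE = re.compile(r"cmd(?:\.exe)?\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)

# Dropped stages as (pid, ppid, GUID name) taken from the report; ppids are
# inferred from the depth markers because the report does not print parent PIDs.
STAGES = [
    (2308, 2104, "{BEDB4307-1DDE-45b2-9B8E-8311924F767B}"),
    (2664, 2308, "{FA15A97A-1836-453e-9D75-FF0425E25087}"),
    (2732, 2664, "{A15A0CBD-32FF-48e4-9D14-573F6171BE1D}"),
    (2480, 2732, "{E7D8197D-251E-40d7-AF3B-8F0782EF9870}"),
    (2988, 2480, "{69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}"),
    (2424, 2988, "{B027FFF6-2ACD-48cd-8A62-C295D915022E}"),
    (2712, 2424, "{A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}"),
    (2832, 2712, "{FFF02C56-7136-4c0c-917C-5D2983F7746D}"),
    (2248, 2832, "{FACC182A-310B-4d08-BBFA-690EDBAA01DA}"),
    (2420, 2248, "{F8EB0A63-238A-4f14-9C36-E062A27D36ED}"),
    (2864, 2420, "{F570F08C-9E71-4362-BCC1-A5B9761F6285}"),
]
# cmd.exe children as (pid, ppid, 8.3 path handed to del), taken from the report.
DELETES = [
    (1636, 2420, r"C:\Windows\{F8EB0~1.EXE"), (1820, 2248, r"C:\Windows\{FACC1~1.EXE"),
    (1276, 2832, r"C:\Windows\{FFF02~1.EXE"), (1336, 2712, r"C:\Windows\{A3DB7~1.EXE"),
    (2700, 2424, r"C:\Windows\{B027F~1.EXE"), (1556, 2988, r"C:\Windows\{69A2C~1.EXE"),
    (2984, 2480, r"C:\Windows\{E7D81~1.EXE"), (2316, 2732, r"C:\Windows\{A15A0~1.EXE"),
    (2616, 2664, r"C:\Windows\{FA15A~1.EXE"), (2596, 2308, r"C:\Windows\{BEDB4~1.EXE"),
    (2044, 2104, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]


def build_events():
    """Process-creation records rebuilt from the tree, plus one constructed benign
    cmd.exe /c del (a log clean-up under explorer.exe) that must not fire.
    The parent of PID 2104 is not in the report; ppid 0 is a placeholder."""
    cmd = r"C:\Windows\SysWOW64\cmd.exe"
    ev = [ProcEvent(2104, 0, SAMPLE, f'"{SAMPLE}"')]
    ev += [ProcEvent(p, pp, rf"{WINDIR}\{g}.exe", rf"{WINDIR}\{g}.exe") for p, pp, g in STAGES]
    ev += [ProcEvent(p, pp, cmd, rf"C:\Windows\system32\cmd.exe /c del {t} > nul") for p, pp, t in DELETES]
    ev += [ProcEvent(900, 0, r"C:\Windows\explorer.exe", "explorer.exe"),  # constructed
           ProcEvent(901, 900, cmd, r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul")]
    return ev


def _split_ext(name):
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")


def short_name_matches(short, long):
    """True when an 8.3 path such as C:\\Windows\\{F8EB0~1.EXE plausibly names the long
    path C:\\Windows\\{F8EB0A63-...}.exe: same directory, the 8.3 base before '~' is a
    prefix of the long base (spaces, dots and a few punctuation characters removed,
    as Windows does), and the extensions agree on their first three characters.
    The hashed short-name form Windows uses after collisions is not handled."""
    sdir, _, sname = short.rpartition("\\")
    ldir, _, lname = long.rpartition("\\")
    if sdir.lower() != ldir.lower():
        return False
    sbase, sext = _split_ext(sname)
    lbase, lext = _split_ext(lname)
    lbase = re.sub(r"[ .+,;=\[\]]", "", lbase)
    if "~" in sbase:
        prefix = sbase.split("~", 1)[0]
        if not lbase.lower().startswith(prefix.lower()):
            return False
    elif sbase.lower() != lbase.lower():
        return False
    return sext.lower()[:3] == lext.lower()[:3]


def find_self_deletes(events):
    """cmd.exe /c del whose target resolves to the parent process's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = SELF_DELETE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(m["target"], parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def drop_chain(events):
    """Longest parent-to-child chain of GUID-named %WINDIR% executables, starting at a
    process whose parent is absent from the records. The list begins with that root,
    so len(chain) - 1 is the number of dropped stages."""
    pids = {e.pid for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    def longest(e):
        best = []
        for c in children.get(e.pid, []):
            if GUID_EXE_IN_WINDIR.match(c.image):
                path = longest(c)
                if len(path) > len(best):
                    best = path
        return [e] + best

    roots = [e for e in events if e.ppid not in pids]
    return max((longest(r) for r in roots), key=len, default=[])


def report(events):
    chain = drop_chain(events)
    return {"stages": len(chain) - 1 if chain else 0,
            "self_deletes": len(find_self_deletes(events)),
            "last_stage_pid": chain[-1].pid if chain else None}


if __name__ == "__main__":
    print(report(build_events()))
```

Run against the rebuilt records, `report` returns 11 stages, 11 self-deletions and PID 2864 as the final stage; the constructed explorer.exe clean-up is not flagged because the deleted path does not resolve to its parent's image. Fed with real process-creation telemetry (Sysmon event 1 carries pid, ppid, image and command line), the same two checks catch this chain at its first link, before the tenth GUID copy lands in C:\Windows. The registry signature on the page ("Modifies Installed Components in the registry", 22 IoCs) is not covered here because the report does not list the keys or values involved.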

Network

MITRE ATT&CK Enterprise v15

Downloads

                            • C:\Windows\{69A2CA21-AF6B-4537-AE56-254EAA5BA0F4}.exe

                              Filesize

                              344KB

                              MD5

                              1a69e022b9262facd6dafe4b5a59ea43

                              SHA1

                              aef71ee94c763836499dba6d38e1c8c79d98e704

                              SHA256

                              50cd0eea2bbeaaa8cf61c48a7256002590e079f049c8200a163a4e694410c0bc

                              SHA512

                              620ba11f8bb74046395f2400774da5864acb5d3d04828e3e7f4515f76f665e98326ca3342a5e10f23759ae5e8d288105463c3b3541f50855805c7168c33db042

                            • C:\Windows\{A15A0CBD-32FF-48e4-9D14-573F6171BE1D}.exe

                              Filesize

                              344KB

                              MD5

                              fad26117e8c2d660d8fcc32be983e06a

                              SHA1

                              26f6128d7b6a0c840f8976dc5a066efc398b9622

                              SHA256

                              2407b9f4e4210da0755041e5a871a87f9f36940593d7880b208dc1162aa37d71

                              SHA512

                              298dd86c73247824b53a286d938d9c4319b36f28e43d589271902753ce78def663ea19d9357bd2fb6b91af361c78e75e30731ae5ddf40c2c4e887877893b0402

                            • C:\Windows\{A3DB71D6-9E5A-464f-9646-7F19EFCC57E8}.exe

                              Filesize

                              344KB

                              MD5

                              39582d3a589b7a6f80313232464b056b

                              SHA1

                              4c347d2f66f52a4876666010e4bddf86784ba8ed

                              SHA256

                              4b475286f2d7ffc3fe45a35d0ba009bb486bed88d39ac153857bb287afe41648

                              SHA512

                              3e2f56b9fa04af5edf44e1989eddabea83094cfffb0a26b45ae0f822d22e41f5fb81be735e5076d96908fb84bf5659f5b44535abe9312376e18f81f759dfdd0e

                            • C:\Windows\{B027FFF6-2ACD-48cd-8A62-C295D915022E}.exe

                              Filesize

                              344KB

                              MD5

                              370f1599a85d086ecbb3f6a28c469539

                              SHA1

                              1d186dec0c8a4f0c309d31ec5f7aec2b2393d4f1

                              SHA256

                              d473681c7da0a5585edc55651e309b8196b113e4c8b7612e0e10b8e6f002f062

                              SHA512

                              e9ca1ab0b882259e4bacbb724323f7a8bc971784c4f851897d1d61faa047c095c25404cf6f53962f23801201e49981ad670f61d5d4bc20eb30001c0c4acf008a

                            • C:\Windows\{BEDB4307-1DDE-45b2-9B8E-8311924F767B}.exe

                              Filesize

                              344KB

                              MD5

                              4edd5fff43c0a4e9e7f1bc9c63b90b11

                              SHA1

                              a1785f0eae2ff6e235b1af5750c4227e99fb8f9a

                              SHA256

                              0e44ce803dbb27202ecdc2414294b7bc7617a900b74f8274661f3d5c710d4988

                              SHA512

                              1a7cefc3f4d281c1359b26d3ea1e6caf9d9eff158d1323342af934299c227989a6ad265001f79910e84f37076d4609d1f4dee28024d4fc0443749be2e1d0a812

                            • C:\Windows\{E7D8197D-251E-40d7-AF3B-8F0782EF9870}.exe

                              Filesize

                              344KB

                              MD5

                              440f9ba14dce5b8614d6a05d25e9dda9

                              SHA1

                              e7ccb3c3cb394c25917ea61eb99361f3fabeb770

                              SHA256

                              c6bc88516f0aab5cbed7202ad57974574e4288cbaf829d5cc688eaa98e636b77

                              SHA512

                              047b39d462d67364dde819a3c3f4711e6157aa75a309e5b00dc50135e4305782f586d6735c0948da0cbbd9e99a4b94db33d200886236381477355e638cb10d4b

                            • C:\Windows\{F570F08C-9E71-4362-BCC1-A5B9761F6285}.exe

                              Filesize

                              344KB

                              MD5

                              b3167267f67232d331187aee53a2341a

                              SHA1

                              a9d4bca99451e1c382eb2f613fcbe6324edbc1fa

                              SHA256

                              f8479845705603c3213e9be3d843fd74c1aa9a2eaf82b42a91bcfd67da124402

                              SHA512

                              a73ad55c1b191e9393f8d0c2f1ee7c9217f50f04f9e68a15f625c48fa4ab7454c649bd6f915763456332c960db428239f411d2703b3cd09759ff80af4e11b3f8

                            • C:\Windows\{F8EB0A63-238A-4f14-9C36-E062A27D36ED}.exe

                              Filesize

                              344KB

                              MD5

                              25f43251e8d5ba4b18f7df77e460a18e

                              SHA1

                              9a6a2d0d4116298fe1a7b2854ecdaf9933d4ccc6

                              SHA256

                              c9bee3b88774b0c94283ac8fabfb87dff424354c2c000e318140e635a2011fc2

                              SHA512

                              10d9e147298424f9275b378b0194178cb9d83e8a4ae48f3bfdb48fc73ea47f4fb1e7c3b05c284122f3cc8350815fec073d2269223c05b2af64d26d13a2e6d882

                            • C:\Windows\{FA15A97A-1836-453e-9D75-FF0425E25087}.exe

                              Filesize

                              344KB

                              MD5

                              ff57b42fac1d06e59916c1f3977f203f

                              SHA1

                              ce19ab7b0a3fdc24e34b0dd66ab2bbabef864024

                              SHA256

                              b8a353b10df0f0475415220813d6ddfa0d436c9696a0909cdb0f90ff44686f41

                              SHA512

                              c08f3462c14578bbc8af75b7f70ff7330276e6bbb8589c63d9b81144add622c34a80c368ff17d6025c2d92de96c0a5609e024ffa77a4402ae7ffb1781577676c

                            • C:\Windows\{FACC182A-310B-4d08-BBFA-690EDBAA01DA}.exe

                              Filesize

                              344KB

                              MD5

                              ad8196d01fa438699d676000eeea256a

                              SHA1

                              7d30349d09b0cf4b11960656ecee05f56f7a5c25

                              SHA256

                              5811b9685336a68ee8cb984abc51e495a335a708b19877ea39b5ad9afc1420c9

                              SHA512

                              b0996dd0da7e0fe339f1c7437bc7ed5669f9d88691d341056f99df20fd706d5a44a4cbb01b383e3b65773ab028d4ccbcf70bb76e80a2651c03e1e5785d8edd2c

                            • C:\Windows\{FFF02C56-7136-4c0c-917C-5D2983F7746D}.exe

                              Filesize

                              344KB

                              MD5

                              268b585eead4b1aa6c702981baa8d048

                              SHA1

                              2822874260679c515eefa10b2a14fbaf1ca448d6

                              SHA256

                              33e28632d500bbd61132da6a49d73d44516950e7738eb7350ac361f77591dd67

                              SHA512

                              36597e702d7719e583fbce92d85746dcaeecbdb6304dfd2f139ba9a48874cbacd5975cb46297e60a7539bc4347359e9fe5c894083c16b9ecde0c458a1a3030b0