Analysis

  • max time kernel
    151s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:27

General

  • Target

    2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe

  • Size

    168KB

  • MD5

    0a5b152cb8c16f9ca55148f4565cb954

  • SHA1

    28e8a9135e60e20862496f0007c9dc69c20a74ad

  • SHA256

    9aadba2e559c63d5f1fc87ed0e5afe68ba12a67a053aefef880d7ae9f80f5689

  • SHA512

    986751a468cd12a2a53bada435e623937e33c581f151621a89ed0aac7f2df300df9f7aefa48ee5952f770c21f1af64875ca071d092460f9db6c094b68930fe0d

  • SSDEEP

    1536:1EGh0oblq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oblqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
      C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
        C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
          C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2520
          • C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe
            C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2080
            • C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
              C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2996
              • C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
                C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1964
                • C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
                  C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1532
                  • C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
                    C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1168
                    • C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe
                      C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1212
                      • C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe
                        C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2156
                        • C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe
                          C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1972
                          • C:\Windows\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe
                            C:\Windows\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1676
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4E526~1.EXE > nul
                            13⤵
                              PID:3044
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E67BD~1.EXE > nul
                            12⤵
                              PID:2784
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9DB3F~1.EXE > nul
                            11⤵
                              PID:2928
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{82615~1.EXE > nul
                            10⤵
                              PID:564
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BA7~1.EXE > nul
                            9⤵
                              PID:588
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7C05F~1.EXE > nul
                            8⤵
                              PID:1892
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{50F05~1.EXE > nul
                            7⤵
                              PID:2040
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8B963~1.EXE > nul
                            6⤵
                              PID:580
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B8B~1.EXE > nul
                            5⤵
                              PID:2712
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EED6C~1.EXE > nul
                            4⤵
                              PID:2368
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BC275~1.EXE > nul
                            3⤵
                              PID:2756
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                            • Deletes itself
                            PID:2088

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{4E5261F3-E645-4037-AFAF-30BDCD25F287}.exe
    Filesize
    168KB
    MD5
    d9e53cff0c7416cf19881cd8af84aabe
    SHA1
    f1f960bec071cf452b9470ffb89a04f421927550
    SHA256
    6de67f9b4de05038ea3388a8eaed035dbc7c223dff4ae829b5216dc255f9b7a6
    SHA512
    c4e3317aae262493eed0b37b9f4da9ab37f664a7894b35714dda07a4fd204435248722eedd3d6fe8bed1df69c3869774aba759bfae509b0c6a9c9461c31c484f

  • C:\Windows\{50F057CC-AAB5-49ca-84AF-2D1DCAB5F844}.exe
    Filesize
    168KB
    MD5
    c8729f000c1d8d62690489f56cf8b22f
    SHA1
    1c93b668df19c2b213f88fa550150a424c015413
    SHA256
    2e5f1dc39563c33c729b3dd8d9985e865dcaa5da6a28b531d80988311055f8c2
    SHA512
    0913ee1c09005cf2beef5a7444438dbd814f2ae4e137b102198abfcc215390baacd9119f3dc402cfd562b8b259ebeba3f28960ece151aceb3ac0d1e96bfea833

  • C:\Windows\{7C05FD81-7F70-4742-8A1E-49F6AFD16DCE}.exe
    Filesize
    168KB
    MD5
    c68077a1f19cabc83bbc2c467d8d7031
    SHA1
    3b81248cd1b049940371c43b9927c580214d3a65
    SHA256
    9490ee55655f967407790556e332c69b15ecd388e36423560b551de7ed64e919
    SHA512
    7aeec26dcfbb3ae316a44897b39af5885895a80af94318b76c4a28c9ab425567a710e2395822e7c639f3c44021b61f1af958345ce970c7bce1c75194c750efab

  • C:\Windows\{80E6FFD0-2D78-4991-BB20-F669C5FF58D8}.exe
    Filesize
    168KB
    MD5
    52d97fd0c95607f5202d29b86c9f6c79
    SHA1
    aabd384a91c1a9c0477155e79a29aafa87a8dcc2
    SHA256
    e42312a0d9a337ac1afc2aa19eebffb2312a4a8381d4c105270f3940ea5144da
    SHA512
    e4da362deb83b491b96a1db3576fa7d7da1194994690ba8ea7fe4ebb4254bae3f895cb670fe89984a25cf1f6f876bd81e5f1a8d6d0b7106cb6717ebf5c60ee21

  • C:\Windows\{82615CFC-85E9-4b39-BE0B-C9035496F600}.exe
    Filesize
    168KB
    MD5
    aab357d4b3e0e14a8310095a2ce5af8c
    SHA1
    878f07764831d4a03824c37d326a26d8d6c48194
    SHA256
    0ddedbb24dd6be90bc0d79feaaab7e5aae11d9bb53ea2c7de9f1cac85e957c7a
    SHA512
    cdcefebf8c5b149dd641b2b39f864a1a0809aa0351a79912a4810dfa880b4e7abf01a56eafbc7f6d1d88d0ddc3953c1a0b1bda68cc2e487c0ae8a9ed78d26f2d

  • C:\Windows\{8B963F48-001B-4332-9BBA-5109266F44E2}.exe
    Filesize
    168KB
    MD5
    60190b6859946ecea172554c14c8e6f7
    SHA1
    d26cedc54d801157fa57999a389dc572eba2e400
    SHA256
    ec0af3cbb9a99d4355ec7b8c3f276343227a96977b95fbc0afc80e23773b87e3
    SHA512
    7d31805dc601826173b4148f6a94e5b15cf145bbc8ce57b6117ca211b784dfee36e4716df4eaaed4f7cdb440931e64a12d65552ad1eb33f045c7a2e5bfaaaa74

  • C:\Windows\{9DB3F306-B49F-42f0-A0BA-28185E3286CF}.exe
    Filesize
    168KB
    MD5
    3e6a89b74e8dea1f0c28a64f928d9c71
    SHA1
    1418acf7d9dbfebcfbcebda9a2b871cb3234bd9f
    SHA256
    ec0f322296eb3ee997ecf20378eea5d7b32854a10c608b6548c3658f5f3dd088
    SHA512
    487b2b0ec3a748c28fd463efe9b1d862997226ba5a63ca2f19fa4095a20fd43699c2e1fe7d711085a9807824ab3b15273b9260f84b2fe6eb978adc65c929c350

  • C:\Windows\{BC27545C-A2FF-4c8e-9C3D-E329AC8C6DEE}.exe
    Filesize
    168KB
    MD5
    9caa402c2ecda1b24807186a12ab26a1
    SHA1
    1624f79f1725cb0b1bc3efc2ca2c904d864b716f
    SHA256
    6c3a6d52570d7f63bc4e1baed9438af82af244df7378d506084e17838c937b9f
    SHA512
    1b26d852dc09c11df05263676127e6b6d68bc2c5056bc5165199151cb33cc456326be7e7d261eb14e70ca7b88c2a529e9572942b115481ea2ccf5b285c509c0a

  • C:\Windows\{C8BA7832-0C58-4ad6-8DA9-00A1BE7B0E54}.exe
    Filesize
    168KB
    MD5
    e038dfd3c23c80927f9a33972f38c8f4
    SHA1
    afad7a8c28803b575be2ef00abb07ab636be3471
    SHA256
    ee1a7e6ea1a9a22aebd48832f2f4e988e563280d493182be3440b9f506fbe67e
    SHA512
    f0b5a21c64be629e12be56dd9dbe85af364694cafb3387acc25a906c8bac5e95d353a18d1973fd7ac87c9e350d3eede57aeb6cb549385f9aa3727a73830a09f1

  • C:\Windows\{D8B8BCCB-5A05-41d0-B8A4-E5723EB31C4B}.exe
    Filesize
    168KB
    MD5
    3367e083a8d1329e3e9be49983d70384
    SHA1
    e79832f9f276a09c366baac202cee9209f42dc97
    SHA256
    fd896e8160e6297bd72e4608f53697b26b4811426125e0fe642b9570576cead1
    SHA512
    72c0cb9386cb5299abbefdb58124b460dcbabd42e84f8c73597bc75c634c15ac6537f8fb8febf33f45149fd4df829d18ab83c7e4140229a69e5a55ba407bc67a

  • C:\Windows\{E67BD1F5-6126-4fe1-93E5-ED6DA1CFE240}.exe
    Filesize
    168KB
    MD5
    06272e755c384de1a081d2395b7f7b2a
    SHA1
    8df14bca266be3ecfc3cc3fa2f4dc647634398ff
    SHA256
    51d55b87e028ea0be9136782bb3411ebdbd30ea344ef3c815e4123cfa253e921
    SHA512
    805ee201ed564e7693be3aecfc0c2d43baf18b753f95589f86eaa1d8d91ce5f52ade109679e3d4f8d90333dd076894886c472091bce526850dbc67c08c8eb072

  • C:\Windows\{EED6CDBF-3556-4a9a-96A5-2B5C927BD70D}.exe
    Filesize
    168KB
    MD5
    437f553309631815b83524f6b0a8015c
    SHA1
    c14b86e7fa9e0b3933f858a0bb64d3ef629763e2
    SHA256
    536a383bbe9fc71556efab8d786a79e4c8957fa0fad34ed96c800e8c1bc92497
    SHA512
    083a1564e00860d1ef96f4b93cc268fbeb6027633b7f41319f8d1901dfe81fab67b1740fc687439c747531ef394bc199a3e12124da74be3a4ebd82f0a53286e0