Analysis

  • max time kernel: 144s
  • max time network: 124s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 14-03-2024 13:44

General

  • Target: 2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe
  • Size: 197KB
  • MD5: 7e4c99c818180036023dab47835f27d5
  • SHA1: eb83e14dd03416dfbf2a9673c829a82db13b10ca
  • SHA256: f385068e29ea8c135ebf911095d024add3bd99ec7f8b1f08c3d2450d5fedce12
  • SHA512: a264ec7d8b216bf04651730e5dd1d724df0b6632f98ac63d66058a11ea104ca46087e7fd096b571ee652e4b80b592a4618a95cfab9836f2e59ba1d5b043d0373
  • SSDEEP: 3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGhlEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (11 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-14_7e4c99c818180036023dab47835f27d5_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\{C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe
      C:\Windows\{C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\{74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe
        C:\Windows\{74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\{E300877D-D93D-4e77-B156-5E49969C8E76}.exe
          C:\Windows\{E300877D-D93D-4e77-B156-5E49969C8E76}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2944
          • C:\Windows\{262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe
            C:\Windows\{262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:576
            • C:\Windows\{D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe
              C:\Windows\{D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2760
              • C:\Windows\{6B076488-F558-4997-8C1B-4144F2EFA30D}.exe
                C:\Windows\{6B076488-F558-4997-8C1B-4144F2EFA30D}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2144
                • C:\Windows\{C442D40B-7220-4553-A823-ED93437E1D41}.exe
                  C:\Windows\{C442D40B-7220-4553-A823-ED93437E1D41}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:812
                  • C:\Windows\{352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe
                    C:\Windows\{352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2752
                    • C:\Windows\{B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe
                      C:\Windows\{B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1656
                      • C:\Windows\{C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe
                        C:\Windows\{C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2860
                        • C:\Windows\{031CA2D6-BEF1-47d3-9E83-E3037945ED04}.exe
                          C:\Windows\{031CA2D6-BEF1-47d3-9E83-E3037945ED04}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2076
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C3D3F~1.EXE > nul
                          12⤵
                          PID:652
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7CFB~1.EXE > nul
                        11⤵
                        PID:2316
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{352FB~1.EXE > nul
                      10⤵
                      PID:1784
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C442D~1.EXE > nul
                    9⤵
                    PID:2600
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{6B076~1.EXE > nul
                  8⤵
                  PID:1988
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D4A62~1.EXE > nul
                7⤵
                PID:1048
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{262F8~1.EXE > nul
              6⤵
              PID:2800
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E3008~1.EXE > nul
            5⤵
            PID:1604
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{74FBE~1.EXE > nul
          4⤵
          PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C35ED~1.EXE > nul
        3⤵
        PID:2664
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{031CA2D6-BEF1-47d3-9E83-E3037945ED04}.exe
    Filesize: 197KB
    MD5: 0e801ee35f43e3c1a3aa005e57d376a8
    SHA1: 562e39b8557f7a0ef07f7c2ebba37e1ba663ad45
    SHA256: 6c26993d6eebfadb6febc1b5f1650f3eb6133df4a8355956bd772301cb7b167a
    SHA512: 41f365d3869a26c671b9e39f6b4bd21d0ee2e3ca72323c5d2a97da1dd745ec5d35f80a51faa3e869fa24867e7205fbf495d86b82089b57401a934c4a47fb20f4

  • C:\Windows\{262F8A0B-7128-4828-8DC7-5DF5567BBD41}.exe
    Filesize: 197KB
    MD5: b1d1a7730507128bda545689fc7e8c95
    SHA1: 9f0b61bdd9490062d6b926bece33588dce7a08ea
    SHA256: 133c5d322a8f674455b9e95a3b36d362d197d627b7c04197dab0619fb6bd2113
    SHA512: 9242a3610ec4cdbcf4a4830c3800249e6681138434bc30f426e943bcf38bd330da5744dfcf69f8a897fda4e927c3c767c6482673f7ff26cd579858d2619f87a6

  • C:\Windows\{352FBD9A-6B1D-418c-8B97-52A3C1DFAC6F}.exe
    Filesize: 197KB
    MD5: 2a722f074e0f13900a919fa90dc5db2f
    SHA1: 5ca837fda9b90abe40444d272dd6589d6e0e0da1
    SHA256: 71100067b3c36408e6fc28c14d30286a64429db7e5a5b0b534b0f8f3b9b05457
    SHA512: b540d9b6ec64e2171a742878544bb482733d01f04e46f28138e718bbfbae850cba75b7a539a246d01bb0836cf60304c38a1634e5c482d08c324cae5af1eca504

  • C:\Windows\{6B076488-F558-4997-8C1B-4144F2EFA30D}.exe
    Filesize: 197KB
    MD5: 9f2ee303d37a2299dce086d7e6235f72
    SHA1: d2ed44cbab6ffcac4ca41561740a15b36451d391
    SHA256: 353b6d7752f78fc27ebafa694d4fe86f4c4fd86b3ba83b732326a894f170cbe0
    SHA512: 88a9d15a8941de2ad9ef657722d1e2f2a97e231c7dbcb230fa3952fdc235356b5cba8fff313b35f476d11dbb3bee2111a49a319382187eba8d03243f04bc16f2

  • C:\Windows\{74FBE356-A744-444d-BCB1-6FEFE77A701B}.exe
    Filesize: 197KB
    MD5: 228bc63631384d99aa8d302414c41012
    SHA1: 85f4ad4d38afada553f17820387e2395311c5d20
    SHA256: 53ebb8e6bbab45d06466e2d26f005262884b501c2ef5a63e7ff138e6bda32b67
    SHA512: e50805b7b51aedf26125c479a05ca3576638069e4edcf0bf7bab10be472c20c8c3b720ac2d3b30ae5c4bacef0ac8bfc630e80def95231603297c880838f0b6a1

  • C:\Windows\{B7CFB945-8234-44ee-BA70-5EBC526040B8}.exe
    Filesize: 197KB
    MD5: 2139725ae4b080bf387565e939a95695
    SHA1: 218ca37d2d2262454cecb407bc836a052290ce32
    SHA256: 0fbf08cfa81d4287d4285da51ad90fcb3ddff8c699a48e631f09965ccb442ffd
    SHA512: f28b99968090c0024510a5e0d941b04184e6d02faee75e24c8e0674c9f2653cf2d6b5f95b9d20c413c2287db57069b7ba2fff99c8e05b40c49a82e7bf6ef9ec7

  • C:\Windows\{C35EDF54-5D37-460c-9B8F-58D319EA6F44}.exe
    Filesize: 197KB
    MD5: 6f03d225d96d5a346b12695056bca83a
    SHA1: cf829ab05dfb8f2c4c77dfde3f9c09babd88b5b4
    SHA256: 967a0aab2d16e3b1489bc4f9492e3607608427d44c55b3f1dffd05e4d2b13053
    SHA512: 8a4cd58c42f0621bb33d4b8fc1ced140407e0357125bfe074d515104eeb59f7a80359ebd4b63a1c6620ff4a7522299a1acecb8e0a033a2ba86418d504beddcc3

  • C:\Windows\{C3D3FD3C-111A-4b85-89DD-D67E134983F2}.exe
    Filesize: 197KB
    MD5: 94def956146c167c91dfadcf0d37ba8a
    SHA1: 0fc85d63edec11abfe7a91e9c3be56c40f483e32
    SHA256: 3cd78ebd7428e45be4fb130d9d360f40646e5b1832b5add20015ba540e2142c0
    SHA512: 918250db5fd87f982776a89fee09fd4e8b3af8f3660dde559f22e0235d7ce6a70461dec17917566474278886f4c89025000d50be6746aef569a8f91f0aca5db6

  • C:\Windows\{C442D40B-7220-4553-A823-ED93437E1D41}.exe
    Filesize: 197KB
    MD5: 9d23c15b9ba6ab8d0adaf9090b7318fe
    SHA1: 08d737f1d2315f2436e434c25d8d623e857c3e0d
    SHA256: d5b70d8f61c186e3f4705db5b3ec9ad40e9b6d68c06b5184de23f0809910f1ad
    SHA512: c2a22bbbe0f1a032b69ff39b5040464f1c42dff89e104e4c1a48fe0e620267753327ebed97d516a904b044b1f3b69eb358c31132a0fd9cef670eba8f3ea27a82

  • C:\Windows\{D4A62A17-FF0D-438b-9491-BA81613D2C39}.exe
    Filesize: 197KB
    MD5: ece55a82c1103b9195bd3d68bad18d4d
    SHA1: 1ff101b712f6ec5b949c0dab42703633f5f98076
    SHA256: 0a784b64f4469d344223598c600b11e2f649e67736480991e26530dff17a0d0e
    SHA512: 699e81f473322ed0c15efd89e836ef97a0a3301276f7dbf17c8359aafedbbdcb23d8fb3b88dc71d7d5f93e5f3d8f1d36049707c12edac90168fde119cddf70b0

  • C:\Windows\{E300877D-D93D-4e77-B156-5E49969C8E76}.exe
    Filesize: 197KB
    MD5: b03688013d5840f14d12059ed2205d8d
    SHA1: bedb1fc37bdf092b4765e7d62ae42146c45e9b46
    SHA256: 61c5d8f27ec429173ad9d875b72c85f0b9bab36471ccc5f6aafd5722439f18d6
    SHA512: 36b223c14d4fd67b8da783ee25ce9247cad3b3b0d8a25981106262faa565fc9d2346d66b3d18b902718ff326293fc900c28c44fcd8370fa4dcc69abaff05e78e