Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 13:27

General

  • Target

    2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe

  • Size

    204KB

  • MD5

    1116de28e782e197373277782dff7273

  • SHA1

    f31cbededbc7ad1476d0e3e7642708139e64cc53

  • SHA256

    361a5c5515731c012a1197cfa311b2d02c2ab9f8148727e129d4edfb7e4d890f

  • SHA512

    e5ea98079f6e1066c24e16fa0489e1a4a0ba9f960006170cbbb841499112c68f895eb6e54766d9e6c280ecdfc35b1bf18e88935cb38d3e9ab774fd16252603ce

  • SSDEEP

    1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oxl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
      C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
        C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
          C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
            C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1792
            • C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
              C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2700
              • C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
                C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1740
                • C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
                  C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2196
                  • C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
                    C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:976
                    • C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe
                      C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2732
                      • C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe
                        C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1944
                        • C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe
                          C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:832
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{80421~1.EXE > nul
                          12⤵
                          PID:1752
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADE0E~1.EXE > nul
                        11⤵
                        PID:2224
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A99B~1.EXE > nul
                      10⤵
                      PID:2412
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CC16B~1.EXE > nul
                    9⤵
                    PID:2120
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{20FB5~1.EXE > nul
                  8⤵
                  PID:2112
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D8410~1.EXE > nul
                7⤵
                PID:1712
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{501F3~1.EXE > nul
              6⤵
              PID:1544
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{D7310~1.EXE > nul
            5⤵
            PID:2436
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{DFA90~1.EXE > nul
          4⤵
          PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{862EB~1.EXE > nul
        3⤵
        PID:2492
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{20FB547E-8C37-48a7-957B-2AE6E1FE0117}.exe
    Filesize 204KB
    MD5 1d7119d991dbb7b23da22d4a5246f1fb
    SHA1 f43296ce17ffd1f0633e1292719bbfefecb988c2
    SHA256 ce992bc1baf4767bb163614d1d5a257582b0d7cff4146436fdf101f9ced91536
    SHA512 7cd3b31759e15254e11ed6234fa800ea648232502cb1718f9ae90928109fec2da03dd7c697aa9171fbbf311913c976fa382aa371b694e9edc3ebca5d25e3a007

  • C:\Windows\{501F3A6D-3066-4d6e-81A7-0E14241EA057}.exe
    Filesize 204KB
    MD5 df7aa31266fed34925ef2cc175cf6ff5
    SHA1 69a2700ce3b49adec1cbd399f3cc973fac7663b8
    SHA256 7ed3e15ea573840680f44dc82790ed08b916fd25db3531bd2024d32b836f681e
    SHA512 45a2f2dadcf0f1270f9e310300847b1b7bc8c369822ab5f2e5c30e3debd20fb0258bfae034032eb92d1bb542d4c00a8ebd6cceec0d7105c5a2a2596b214da675

  • C:\Windows\{7AD89BFE-0D0D-4833-B55B-CF56ABFB3ABA}.exe
    Filesize 204KB
    MD5 27a729d2a6ee85b190fa46d20eed2a10
    SHA1 5c71ae69a8d461d51427bd710acefc507b9da15e
    SHA256 13d278116ec744b7570bdfc0cf1738361d72858107d66e8ab703556649278dfa
    SHA512 1bac7c0f6768aa45b3cf9aa568fb8fbf96373155252e4da0ba26dbfda99a01b1f3e9c6e181b677901efd1d3634c4d4258ef3c977cc6f76649f7a67ce75235695

  • C:\Windows\{80421C56-0D9E-4d14-932F-88989A4ED863}.exe
    Filesize 204KB
    MD5 b28f934e806da810484d9744c2ed4b6b
    SHA1 dee68429624cad3061c78aa93afb78ee14369d41
    SHA256 fa2328837d705b03535e24107266fff500000d42c8d801d26bb5567f61a9e051
    SHA512 364cc7cfda304701ca6a681c20cfda3af3d6eb832968fdedf13e0f1e86295115113f18130b0b0f2098101390c8ef76f473fa0c1e4d6348443574443307448d81

  • C:\Windows\{862EBF15-8D0E-4761-B328-C9B1F4645300}.exe
    Filesize 204KB
    MD5 889e9ad93b2d919b168683e582829bc5
    SHA1 93758ae5196bb57d01687c405b0b3607fedd3c58
    SHA256 8332e7f3b109e8aae4e5c47d58f4fa17124e71539e8474b9831d3d4ea75957fe
    SHA512 0cb1e2df143f186b9e9c75de4af2fe5e5ca432e136898bc09cbd5efa08ce1b8346851e9a1337f8fa98f00297809219029d9df3909d5f901e950ee6b2c3c18f39

  • C:\Windows\{9A99B96B-8DDB-41f9-92A2-99EAD2FB90A6}.exe
    Filesize 204KB
    MD5 73568b4ef73379e82fb7dee5c19c6fd8
    SHA1 457f6b3886c9a29a47589e7ae4744b8ea7ca4271
    SHA256 331799bfcab39fba94442e6d7f28b649c1d4aad6efa0e607ffe29ff69cf54cda
    SHA512 b2d091c06713bb445e6ab3ea5d74b514a4c3ece3a50b85ca1a7d3c7ed8fee7bd3636409806f6fa7e59658334bebeea90935aee13fb73a36643b2cec72193c4a1

  • C:\Windows\{ADE0EC4D-424B-4754-AB8F-424D3B6CB850}.exe
    Filesize 204KB
    MD5 811b7c05a9979a820e391a5842b0c1db
    SHA1 7c0536b415317a5d972fe49baabce1fb8402d46d
    SHA256 99042bdcefb2b5148ac0c52cd5db8ddf5d8502d8ce5182230745cb276b7c28ab
    SHA512 9a393cbf4ca807fdf2b95d83e176f4495c1fd7571ec696aeec06ec754efb94ae1073ec6edfc3c0dddc6d9bf104300e3b1383f5355f3e2dad5dd86c1660a73773

  • C:\Windows\{CC16BA8D-E1B9-46f5-B3FC-A6BC34FB3771}.exe
    Filesize 204KB
    MD5 4cb5cb4c122368ab986902efee33130b
    SHA1 726a76f6398e300f6afd5725ec00d74584249e00
    SHA256 925674927431b5a27f46b8d931a17d13049a017d5ed92a09bcb5408989940fd6
    SHA512 682cd878ed92a9a9b5ab451c7d3d3ceb3b693e453028e5af022394c2a2e5ee7ac7d9c8f614fd8aa0d0cd2411fcae374f1b2bd076ebb6400f8618ac04dc412198

  • C:\Windows\{D7310CB3-54CB-4795-AEDC-D142AFFF35F9}.exe
    Filesize 204KB
    MD5 4273603e448c7b2028e9f101be08eab0
    SHA1 4d094e903c9519bd530fb1b6a40c5166514751d5
    SHA256 cd770e2929a25314938efd1eb79dff867efd46c84025d85352160e55105770fd
    SHA512 dde4620c1a1b0ba7c2c1b7262678531cbf551ddfb3025b1949ed46bea171e10e429abb26ee10569091599ec3ca4d9e02cc59ad46896b5ebde1518e42d81cceb2

  • C:\Windows\{D84101FE-CCAB-4c21-8332-6B0CCA31D71A}.exe
    Filesize 204KB
    MD5 c0a5cc39d316c7294f41abd03011f5f0
    SHA1 4abfa7261e402984464a52f0baffce06f0e001d1
    SHA256 d02fad6f622cb5f67c8ed3ad28d3b47fb538c7956d0514bd1957369809d7970f
    SHA512 ed00a9108a05578112e0a140d198cc3a9d7f4f5705ca191b12b9c7e09ade1788f55d2103ec885dd996fb4698a06282ba3e81db4bd8bfe3982ab1b0e928718a68

  • C:\Windows\{DFA902CC-6D5E-468c-82F9-2DDC746CC602}.exe
    Filesize 204KB
    MD5 4da78d24447d78737bd01da22ade50db
    SHA1 d4b66d26fa84427288b1501187284dfe49d3f515
    SHA256 922a641c5d9f28a614bc28d58b0ebc966236d915c48c98d0a2458c48e132dedb
    SHA512 2c1aa901b51476e88b2cb5659dafa328da4a55468509b51a1542066dee80676448dd2519e9d4cf55a33cb4b9f13eda33c64ff888bda74901432b1427c1288109