Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 13:28

General

  • Target

    2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe

  • Size

    204KB

  • MD5

    14f5b92fdb38838cf5a78fa932e15e9e

  • SHA1

    c3337c6cdb30205cc2af4e2d63a50fba1ab65a80

  • SHA256

    9ae334582da93f547d84f738b8d96fdae5999d61459a2c8a1b7213aff0c7466a

  • SHA512

    ab99fbcaaa0e3966e0e1c6d2ef6c1fefad08ef18a330e1f815d0b3629f07ec097c53a29131e59f72ba6fc9e9ed0b94f57adf725f98bcef7754e6a4dfa062681a

  • SSDEEP

    1536:1EGh0osLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o4l1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Windows\{2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe
      C:\Windows\{2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\{0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe
        C:\Windows\{0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\{9DD1C78B-9C26-4228-97A7-16181126C540}.exe
          C:\Windows\{9DD1C78B-9C26-4228-97A7-16181126C540}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\{46A07A74-5686-4710-911D-FF1F65E315C2}.exe
            C:\Windows\{46A07A74-5686-4710-911D-FF1F65E315C2}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2524
            • C:\Windows\{C5283680-C069-4aa6-820B-083E4D49A75F}.exe
              C:\Windows\{C5283680-C069-4aa6-820B-083E4D49A75F}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2168
              • C:\Windows\{3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe
                C:\Windows\{3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1980
                • C:\Windows\{FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe
                  C:\Windows\{FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2776
                  • C:\Windows\{A06D913A-E5F3-463c-B330-539A520C6954}.exe
                    C:\Windows\{A06D913A-E5F3-463c-B330-539A520C6954}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1456
                    • C:\Windows\{F7F1EB66-49DC-41bb-BA92-754531032856}.exe
                      C:\Windows\{F7F1EB66-49DC-41bb-BA92-754531032856}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3028
                      • C:\Windows\{514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe
                        C:\Windows\{514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1864
                        • C:\Windows\{15763438-CB9B-4ca9-91AB-2A2BF718BEE3}.exe
                          C:\Windows\{15763438-CB9B-4ca9-91AB-2A2BF718BEE3}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2436
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{514AF~1.EXE > nul
                          12⤵
                            PID:1892
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F1E~1.EXE > nul
                          11⤵
                            PID:600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A06D9~1.EXE > nul
                          10⤵
                            PID:1124
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FA6FA~1.EXE > nul
                          9⤵
                            PID:1524
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3D5F0~1.EXE > nul
                          8⤵
                            PID:2864
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C5283~1.EXE > nul
                          7⤵
                            PID:2816
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{46A07~1.EXE > nul
                          6⤵
                            PID:2520
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9DD1C~1.EXE > nul
                          5⤵
                            PID:2824
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0B260~1.EXE > nul
                          4⤵
                            PID:2892
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2792A~1.EXE > nul
                          3⤵
                            PID:2660
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1956

Network

MITRE ATT&CK Enterprise v15

Downloads


                            • C:\Windows\{0B260884-9373-4cff-912A-0A4DB2E6FB12}.exe

                              Filesize

                              204KB

                              MD5

                              75555498e7462e5ca3903dcbdb77a712

                              SHA1

                              4ef6de9cc56d18d6254eef75ebd5885ddbdbafee

                              SHA256

                              d9879c6735e7064dbf4d444296e82b1e16d71006642345713eb3c4c82a2f7c17

                              SHA512

                              7e94a830053601c243ce2a22f7c84d27ecf08847797b8443b1b34db9c6648631496387b637e64a5d71fe9814408c911c1d14329457ca9248ddf8fc27b71aafd4

                            • C:\Windows\{15763438-CB9B-4ca9-91AB-2A2BF718BEE3}.exe

                              Filesize

                              204KB

                              MD5

                              eb4d316c1da32f144b864c3e23edd6c0

                              SHA1

                              bbdda0814d02e556c463d1ca2df6ccf4bf8db2f2

                              SHA256

                              8c73881ec6dbbe077455b3a74bf76162dfc7f7a70c8e7ed8000000b3266bd295

                              SHA512

                              0f589cc0345eb90885bbfd4dafaa8cc1264c3e2e4cf2367a98cb58c367333704ac313eea511d127226f1abccf2dfaba9a2a73318010c7d2539b92642fa550ea6

                            • C:\Windows\{2792A540-FCE4-4693-AE0F-03BBA61C58BD}.exe

                              Filesize

                              204KB

                              MD5

                              9f639dd1fd56592e8b95c38f672a5343

                              SHA1

                              1b3e45a0607bd373931ba5234070f24b6d7f7c90

                              SHA256

                              dab88d6ca41f08d9947c1d8a64fd693c8a9069c6bda26af9d761ff871bad8419

                              SHA512

                              1e83fa853f5e19ae92106f7f7c1016b827092b1f886dfb1b5a5372b065c8318c2a51e1ec4eb00e81f13af4020e875a7aa529820cb3f336bc87545460556ccffb

                            • C:\Windows\{3D5F003E-F27A-469b-BBD0-4AF4B779CFD8}.exe

                              Filesize

                              204KB

                              MD5

                              7fd75b2c398c47491a2721ffd8236150

                              SHA1

                              df3f136b1930ec02105f4a874eb1ee82e00dd50f

                              SHA256

                              da74124e85ea179d403b99b90732de38e5458b3e0f0c2ecbd4d8c2ff4ec2b6e7

                              SHA512

                              1bbcad5a5fca13c5c5cdc15c9b143cd0127a0d7bb6472f12d12d1c16708a3490dd3cf6b18d06232daa84121cff556c9d6b77bc007431c5a961ca1ebd0715b47e

                            • C:\Windows\{46A07A74-5686-4710-911D-FF1F65E315C2}.exe

                              Filesize

                              204KB

                              MD5

                              19ded82733648cb42402579c89721b90

                              SHA1

                              64e536ab1a82afe9afd16134e0cc2af185a77bf2

                              SHA256

                              fa62f5f5746943470d923d0876233a6af848465a0ca264fcdb66eb5b1f62672b

                              SHA512

                              6d88cc369a1e7b818686ba7ee5388ba6b394ad2e3ed761363d0ea7fb0314af0b4767ce4dbcd98c8c6ec582085fee9ed180258a487d454e6e5964b578d73e8bec

                            • C:\Windows\{514AF039-3A2F-489a-BD5F-25A5325A5A2B}.exe

                              Filesize

                              204KB

                              MD5

                              1ac6cab7b7d70ee75d48d0063f5c21f3

                              SHA1

                              3f9ee7799ad34b25e48e1705cd3761bdadb41c4b

                              SHA256

                              87d6e98a63b96722af65dcf57b077207617d4a28eaea909cf356e8255c883eb7

                              SHA512

                              dfd6407d10783dcda030db79d3ad5826631fe47b9302523ad7313b869c23d07b2cc4eeac802dd8524dce7fea9ee51225c3d0d04bab12297be3667f9a0b118f17

                            • C:\Windows\{9DD1C78B-9C26-4228-97A7-16181126C540}.exe

                              Filesize

                              204KB

                              MD5

                              6de2f55313bfc3c5c4bb32f50bdb9607

                              SHA1

                              bc4a7df290ca7376afe4916f1f97ba2f9d6a4549

                              SHA256

                              8ed6ba6112688800a2cbfae7edfbde1af827df7d2756fad7b5b67dfadb212c41

                              SHA512

                              2bc1d098ea32056a8812fd5073258bfef6d677502beb4266973f57eecb74a0d6e13731e8a7743e13cf694f0439022af3b88f919d9c2f0e8465d238e2015da952

                            • C:\Windows\{A06D913A-E5F3-463c-B330-539A520C6954}.exe

                              Filesize

                              204KB

                              MD5

                              4813f9470e30d6753085a33c795f4fef

                              SHA1

                              e5819371c36a5eb2570f8cef22ea57e0d37b8454

                              SHA256

                              73913842b95a683cae890be7916fef8ea8ddb0347210e79d515c2f4b6030f913

                              SHA512

                              1b8320a3bd83c030129e196020d520745f06f9768d93d813ea3017276b8a89e617bec7ca8b39f8e45c9c38f7dd284ca10ed87e39d5576ceef56a11941f25657d

                            • C:\Windows\{C5283680-C069-4aa6-820B-083E4D49A75F}.exe

                              Filesize

                              204KB

                              MD5

                              80fe89a3fc86d9a59f7d604370b80462

                              SHA1

                              76be8caa9b362d8f30c081912d94eeeb312cb3d2

                              SHA256

                              ddb5eae00174809be9e9e5f776d05efec2a725a720adc88cf5c40b8cd229faeb

                              SHA512

                              528e8184cd59286ab152eed2d5e553d1b0c50924d56f31d8b5ba6c81f00d5f43ff8f226be208973c44a331f6d02fd4abac2b05809d808ddc1d390b9170bad452

                            • C:\Windows\{F7F1EB66-49DC-41bb-BA92-754531032856}.exe

                              Filesize

                              204KB

                              MD5

                              e9c6a887c4c61c6bc87ae00c59113a7e

                              SHA1

                              8146ff60604b3ff4c2ff3f3f30fd63d4887cb540

                              SHA256

                              223d6ce922b6f126ddce077d7949c60d85896ccbb61e1f0f9e3cfd9fc66187e3

                              SHA512

                              a5075dbc102f73f274f184e6d80abd1976f391401dbc423535bc78fb310cf777843ff447afce8d7c004c85e1d253d641c3975b9fcda909aeb44e5a69abbd0ba8

                            • C:\Windows\{FA6FAD46-262F-48d2-A0C7-0C53551D3D54}.exe

                              Filesize

                              204KB

                              MD5

                              4000f6ec9f25a293c3232ac453e37f76

                              SHA1

                              dd68b0ffbe2a5d3f762d4d0f15dff2e3ef42b135

                              SHA256

                              a23f959ba9712d4eb55fa02f962ea43c02d5046212e7ef085a52aa85a98d0dec

                              SHA512

                              8ae94707520f4f60e2de9ad51928dad74608769ade6de19a1ed4cc5e4a72356379d4e41ee006118f51145911bc9d63a82783baa0f36c5fcb6811e304f07ca197