Analysis

  • max time kernel: 144s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240220-en
  • resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted: 04/04/2024, 13:33

General

  • Target

    2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe

  • Size

    204KB

  • MD5

    375dbfc59e996eb9752cdbd68645f0a0

  • SHA1

    0ed548a9c92a86c6e89beaefeb934ba842afe498

  • SHA256

    28ed2df07c6fed10c0db88198033703b8d23b987bbb0ec0c83e087b5ac875840

  • SHA512

    30088a8564b7440e55653b2b15047fdfdabea143fe6aa1d696d2efc19f8729d88defef90124c764479b8013842cfaa69441a14a78c84ef5baaa7369eb5d49fc5

  • SSDEEP

    1536:1EGh0oMl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oMl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
      C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
        C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
          C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
            C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe
              C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2372
              • C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
                C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1948
                • C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
                  C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1908
                  • C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
                    C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1572
                    • C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe
                      C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1268
                      • C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe
                        C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1300
                        • C:\Windows\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe
                          C:\Windows\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:568
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4F910~1.EXE > nul
                          12⤵
                            PID:1492
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{ADB91~1.EXE > nul
                          11⤵
                            PID:2796
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BE19D~1.EXE > nul
                          10⤵
                            PID:1288
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{87BB5~1.EXE > nul
                          9⤵
                            PID:2296
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A0126~1.EXE > nul
                          8⤵
                            PID:2308
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{60F17~1.EXE > nul
                          7⤵
                            PID:2268
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{65FCD~1.EXE > nul
                          6⤵
                            PID:2644
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1A366~1.EXE > nul
                          5⤵
                            PID:2024
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D3048~1.EXE > nul
                          4⤵
                            PID:2732
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1E887~1.EXE > nul
                          3⤵
                            PID:2776
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1796

Downloads

                            • C:\Windows\{1A366651-1280-4e5d-A8B2-5CA00566D18C}.exe

                              Filesize

                              204KB

                              MD5

                              dd9b13d119704df675d88dbc14c984d1

                              SHA1

                              8fb4f5e69eccad3da479da3f939849a7e7440d02

                              SHA256

                              cf6d076e08e1de2a1875d9b6a77f057fab9c493a72c3f444f65e6ffa0f958080

                              SHA512

                              b43526fd739633dc4c179c78159d289305f93478ebbc283dae96d943ea5debbc2264798790af0efeee82a369a8214f4341f521f79c87a722aabb98bcbdf2e23d

                            • C:\Windows\{1E887CEA-0C2E-4a0a-81D9-EA857726F2BC}.exe

                              Filesize

                              204KB

                              MD5

                              5399c9798202f70a677ed821373fc51c

                              SHA1

                              df33b9f4610d0a532cf62daced1cbaeb12382e90

                              SHA256

                              83a474ddc1a9ba78ed554ecaf93493b6ff28e9cd4656ec8833f78ba3f2425f50

                              SHA512

                              6408c8b7846a3d5a0a410a839e0f1dca1dd3ad36d80ccac16c0a7b6e05d4735d21390dce54933f10650c1d96cf2fd6c0d13e0a2f0e0b7ca7832d601c06f2b9eb

                            • C:\Windows\{4F910C86-4864-4838-A08B-6974D02587EE}.exe

                              Filesize

                              204KB

                              MD5

                              c26bb1056be0b019c9eff58f47627b16

                              SHA1

                              30174555516dab67cee6729f51a8435ae1661bf4

                              SHA256

                              eecec752bff6a6e567edb26fc571a01576aa0b0e63551239c8c2217b2545dcb4

                              SHA512

                              4c625ccae26482efc38d35f295527de0186a48496cca285daaf68f6a7ddbe88362dd60455c56f80a0ea87c7bdbecb318eb4869c3d4466f727a423cb38bc10487

                            • C:\Windows\{60F17303-6864-42fe-8C50-2685E8C133E5}.exe

                              Filesize

                              204KB

                              MD5

                              10f8fe41fa6795d904a76dd525a1b14c

                              SHA1

                              465781678a8836bc1b9e8f2bc3479f6764d79338

                              SHA256

                              8b62598ea62c5190f554faec567a11f49b84b5a9050056ff72f1ff0a987ca4cb

                              SHA512

                              69469a27e8c37df18afe0f44eccf8f2cddf5a7bb09f171ecabe180791ef866646f9c91f1959cb812fa2e0c31e4a9e7f5f415aa7104d44e85c4f571f985f6d01b

                            • C:\Windows\{65FCDE4B-91EB-4198-9CB2-B606763AEDC1}.exe

                              Filesize

                              204KB

                              MD5

                              56b1c7ec78f95c4eef7ca5507a3c0005

                              SHA1

                              f47c3fabc38a53811f49a39007dbb2a257385d80

                              SHA256

                              202f1e8883e6598a33478c3bfcc88cc68523cfa4825e820e9b8696ff79389328

                              SHA512

                              ad20fa9607b97f171267e5dc297d964baa34296d3fc541de1d49a145e44bad3620afaad10ec596c74b8122c388c683d2d80a436a457e232cc1f2ca3889751b32

                            • C:\Windows\{87BB5C8A-652F-4bc9-882F-5DA348E5B89D}.exe

                              Filesize

                              204KB

                              MD5

                              224dff83407275da3b6a1d8a11bcd345

                              SHA1

                              1a39fcce5f7b94f780733d680a27acd5eaca559d

                              SHA256

                              a84cf7b4b99616b150de50cf9d9f7d507533daaa7a4ff03139e8b2a9b0b1aadd

                              SHA512

                              3fe175f07c0d97252f20ddcffe307fcbf2868b1ebe2e0d99e35c74dec83dce777d0c6750c230ed658db1bc39cce0eb560a52759517186e279c78cdd3eff19d86

                            • C:\Windows\{A01261DD-327E-4fa2-8449-5A52A8E69F38}.exe

                              Filesize

                              204KB

                              MD5

                              8d7a3f63fd15a12ddc3a21548dda960a

                              SHA1

                              721a3e18946836d4a2693025547f064c07c7c97b

                              SHA256

                              f2d67b64a2aba5ebf27a29f0641f00a615e24bfd25eb0675b586f96411f9d96e

                              SHA512

                              c946208bc5890f608df76c5aa420ba0a6d0f3b9c88ee2494a63875bbba7200c37d89340217e92e28ed3dc4ef910fd6181b5088ac6872171b7798b06605d21400

                            • C:\Windows\{ADB912C5-F98A-43bd-86A9-7A7BD1E0B389}.exe

                              Filesize

                              204KB

                              MD5

                              71aa768d0833da5568ef641d9bd64ec0

                              SHA1

                              94c390cd9318fae45b3be5a9abd7b375a3a64ad6

                              SHA256

                              0efdf28f900627b04006493e8b59b1996cd19d8d91594ad80e6e0e1343b725c1

                              SHA512

                              34a7d8a06bdbbc9e589196575efc06dfc384888c82d23017e02cc9e0bdd0b1dbd7a1b8221ade51d65309168244f6a4b3b7fbcfcd9b4d04d5c9747f04838716c2

                            • C:\Windows\{BE19D4A4-E0B5-4d44-BDA3-5C3CC52595A7}.exe

                              Filesize

                              204KB

                              MD5

                              57644328720eb97d9a7c52d30f056161

                              SHA1

                              aa7b2d59dac00255ecd01454f59402a2dbcb23f3

                              SHA256

                              1be1a8af8b67d29c6468d106aef4f74c1474d099c7341338bf8529b2396854b0

                              SHA512

                              9b337607ba1badeb9e5dd1f96d7e12199dae9a396a4dbfaad8ca7cd3402149dea5b6610d85d1e36f31eb287054fab995be2cfd61bcef21aa0fc8243a0fd46420

                            • C:\Windows\{D3048EB6-2C35-4daf-A628-8160CFCEE987}.exe

                              Filesize

                              204KB

                              MD5

                              0cfb6f50aaf97ef9e5ca01d8a36ebcc5

                              SHA1

                              95aa04d2572a11b1f978e0b0d3382060ce8e10f6

                              SHA256

                              0d211aaa744e65a547e3e0d830f0c41ddfe34dc7be94228466bc1b7f864e4cdc

                              SHA512

                              13959bb866378473c2955611e8731803e10c67642bf83c332d610698c253b3a4379284c502cd66742544d6cd0b65b2df550c1513cdd4ea170437c4a7de32174f

                            • C:\Windows\{D5C5264E-B694-41e7-B83B-639A0752B0DF}.exe

                              Filesize

                              204KB

                              MD5

                              ba720864efd67e14565ae7a03f4d4d5c

                              SHA1

                              b00dfd0c9df14af71d66697479e6739137769476

                              SHA256

                              a7151f2068ddf5cded8ca8f6187241942d9b791d5b1f593557fa48a5824ea48f

                              SHA512

                              a6273dfcfae49155bb4eee41b98ba12c31a1bee62466ae0d5cbacfd09056a2fc487fd2ab0da8228ddd669df1786f1387bb5135aa18c66dafa233a0cbf5600d34