Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    04/04/2024, 13:34

General

  • Target

    2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe

  • Size

    408KB

  • MD5

    37f14fbc75ba06a427b0a6e6bbffa3d1

  • SHA1

    c99c0798797da7dcb3bc89e8d096b51b4c334912

  • SHA256

    0b0777db0ffd874117d99e8b6c058940f53a70c0368e7aa64219fc4ee584d285

  • SHA512

    012b98d01a2743d78daa3722e8aa8db7c6ddebf887f257e640e5c48c75c060d78bbf96b66ae88aca34a56daa27d0627f66cb4c4637026717ee915a9a4b5ac13f

  • SSDEEP

    3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGHldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (11 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe
      C:\Windows\{AF223F36-74C8-4321-A72A-FB418B2CFF13}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe
        C:\Windows\{58AE291D-10F4-4141-8D69-8CC6AD4C2921}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe
          C:\Windows\{E62871A3-4B41-4119-A387-D24A9268E602}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe
            C:\Windows\{B845A054-066B-49c9-8534-FA6692E64EC9}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1520
            • C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe
              C:\Windows\{CE7ACB97-9533-498a-AD12-C396408CD496}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1276
              • C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe
                C:\Windows\{B9D009BB-74B8-442a-AE0A-3EDD7EA930AD}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2112
                • C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe
                  C:\Windows\{5B1672D4-CB2D-45d5-9B5F-0F787B8DD8BB}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2656
                  • C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe
                    C:\Windows\{70A3E6DE-25D7-48ed-81F0-7E5D3DE3EDDF}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:824
                    • C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe
                      C:\Windows\{EDA75B77-B029-429f-AEDB-98353ADD729C}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1252
                      • C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe
                        C:\Windows\{E78CEBFC-3DA4-47b8-B43B-B411C04EBEB6}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2288
                        • C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe
                          C:\Windows\{2C205BB7-5DE7-4ddc-86D4-743B9A180B0E}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1784
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E78CE~1.EXE > nul
                          12⤵
                          PID:2116
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDA75~1.EXE > nul
                        11⤵
                        PID:1908
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{70A3E~1.EXE > nul
                      10⤵
                      PID:1128
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{5B167~1.EXE > nul
                    9⤵
                    PID:2812
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D00~1.EXE > nul
                  8⤵
                  PID:2756
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CE7AC~1.EXE > nul
                7⤵
                PID:2744
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B845A~1.EXE > nul
              6⤵
              PID:2848
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E6287~1.EXE > nul
            5⤵
            PID:568
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{58AE2~1.EXE > nul
          4⤵
          PID:2176
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF223~1.EXE > nul
        3⤵
        PID:2696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads
