Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    04/04/2024, 13:32

General

  • Target

    2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe

  • Size

    204KB

  • MD5

    221640e16ccbe316d47a545bce65c559

  • SHA1

    64c89a18baebfc0d26f7d03b3598ec9e14ab9ed1

  • SHA256

    c38bf4a6b3fe2b0cd7a429cc9ff76d52dab4b16d57a658e766b5084c90e935a4

  • SHA512

    afe12282d65791f3e2fdafcbe3d47758e1e38a82f7987e7bebbb649d554ec8971506b75a2d09ad2f9eda45304f51260867a75aeb40928384acc3462fd0c130ad

  • SSDEEP

    1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oNl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe
      C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe
        C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe
          C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe
            C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:440
            • C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe
              C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2856
              • C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe
                C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2652
                • C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe
                  C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2636
                  • C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe
                    C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2692
                    • C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe
                      C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1136
                      • C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe
                        C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1872
                        • C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe
                          C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2316
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{18803~1.EXE > nul
                          12⤵
                            PID:1884
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{79C0D~1.EXE > nul
                          11⤵
                            PID:2812
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{32EF9~1.EXE > nul
                          10⤵
                            PID:2136
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{08886~1.EXE > nul
                          9⤵
                            PID:2704
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{66BA1~1.EXE > nul
                          8⤵
                            PID:1928
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F9502~1.EXE > nul
                          7⤵
                            PID:844
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EECFA~1.EXE > nul
                          6⤵
                            PID:3040
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{98513~1.EXE > nul
                          5⤵
                            PID:1464
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A799C~1.EXE > nul
                          4⤵
                            PID:2880
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{162DB~1.EXE > nul
                          3⤵
                            PID:2080
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2568

Network

MITRE ATT&CK Enterprise v15

Downloads

                            • C:\Windows\{08886010-0683-4569-B5CA-86122B334181}.exe

                              Filesize

                              204KB

                              MD5

                              7164d3bfd369680ce71fcfa2667494af

                              SHA1

                              3c44900a5fbfcca5754676ffe6efcbc1f7588473

                              SHA256

                              d6f80b67d3bad7fcbdcba2752960e2dc7c47bf503bbbbf9c1541c7079d704d35

                              SHA512

                              f89f97a858fc09c8a9f7ee2214823d37ad4333520646fb1df5eb191c5d949866a0dc4325acb1003bf5d76df75d19a2605c4f361e6b729d0330624b86212f1f97

                            • C:\Windows\{162DBF6A-5FD1-451a-9F81-A271776D4B81}.exe

                              Filesize

                              204KB

                              MD5

                              0379cc575c9d18df25411fd0bbdb53af

                              SHA1

                              35ef3986100d2a29eb6fb9a9a92dc7ad89457eb5

                              SHA256

                              f0e9c96b07a7c88faa80a8a2fd4352b70e048b378326ec01a66d9fe0f3aca09e

                              SHA512

                              885bf86a7a634e706c6d39911d64f285d4afa2a075ad900eb22a50f1303bbb5b693d8f32af31f0770024f7d072e8c58493fa941f3dbd5e79a837b047c4f5a991

                            • C:\Windows\{188038A5-8A7E-4505-B9AF-0CCCE258D05B}.exe

                              Filesize

                              204KB

                              MD5

                              da88213bdf6bfab96c212d0dde0220d4

                              SHA1

                              494e7fd74e0d79af2670845caece4df32c91c76c

                              SHA256

                              9e8c074fe1f90c08abeb1ebff5cfb13f9635be3a1cd782c16bbbc6b393636240

                              SHA512

                              2baceb525f10a8a53e385b022373edb575222c8f6f3006c630adde6e31f9e2147f6e92e1ada19c97bc4efad7f14f0c312ad556e72515c6cf383c9616ec46bd6a

                            • C:\Windows\{32EF9236-F5A9-45e1-9F9C-61E3A0A68011}.exe

                              Filesize

                              204KB

                              MD5

                              9d47b527d37f302d29871556c95085a0

                              SHA1

                              9449a065d790e5b225bd428b28c52c435eb0bd1b

                              SHA256

                              d2b40a9c0bd658699b350a42b9697e3769f4d2a856444b979afe930ee109932f

                              SHA512

                              5c2d32bebac3c2c2c8245d979cb50f4d1938b19461c6013d9f77a139efc397652c5eb053529b9b7c816329026f3aace4d6f9b756d0ea606280e9f822ff19cdec

                            • C:\Windows\{66BA10C6-D5D9-4e10-BF22-43B9AC9AB714}.exe

                              Filesize

                              204KB

                              MD5

                              9b4b2f6661878e2990dbd378665ab7cd

                              SHA1

                              07d30ccb1db48165464167f3f1672e43de136792

                              SHA256

                              e3b48ae13c794dfa4b601b567c0dc98ef3861d82b976d98ece98308b96aa0de6

                              SHA512

                              c40afb6c6c7e774d761eb40d858549f053a3fa0a98f7cbaf4cdbd0aa443587bbb44104e5e80cd8d94ff50a10b6a746a812ea558373bd7dcf9c09783014271f3a

                            • C:\Windows\{79C0D496-1469-4659-B710-674F9255570E}.exe

                              Filesize

                              204KB

                              MD5

                              8032e7bd7e0921788b84667ef4282eba

                              SHA1

                              df913b95132e5c93057aa3d7ad6321589abd41e5

                              SHA256

                              e7d504c6d109e564b7b494cb03682cbff0b37382acf15bab669ee8579227ee4f

                              SHA512

                              dca6ad023296f9578e9683dbbee707b47c242deb6e14d3e46d33ec3147239c26cc3423e2babda7b43631586852849ac63be7a845049dbfba595e7456a23f3778

                            • C:\Windows\{98513519-C272-42e7-B62C-90F87F3C5FE8}.exe

                              Filesize

                              204KB

                              MD5

                              33ca14285601737b87f56358389ff2ea

                              SHA1

                              96ccebad416d04c473f79325b621d120e7f8bdab

                              SHA256

                              9fc823ec4aa3f0fe74b4f2f866d25e4a3e1529f0f43b6ce19ff956ac028b9c66

                              SHA512

                              2f01063fb315abcef304d233836568e31ea0613ec9f18578ce5eac45af7985586b3b9a40c2e81d948dffc43e521fa0af0c968ac029004e9d82358c0b3660144c

                            • C:\Windows\{A799C4C5-4489-4df5-93E1-39190D179CF6}.exe

                              Filesize

                              204KB

                              MD5

                              1a7b9435ae338bf44dd3934059041120

                              SHA1

                              d32b0fd91db062c98c99e8f7429dd67c0bbba15b

                              SHA256

                              ec2d846e8cf9519f79b085b09745566fed17f14e74238d957b7f728e403e7752

                              SHA512

                              7e20d66810d45630b61de340eec94c5837acbf0383eb29acbbf6d12f8e07acb67b71d73452e53d0623d99dad1c4701c09b4690ef4fe5a1d96205b46f6f59cb2f

                            • C:\Windows\{B26B4F89-0F00-4cd8-9A6A-2225105FC474}.exe

                              Filesize

                              204KB

                              MD5

                              b3c9f16d623251ae81e53d13a733a782

                              SHA1

                              84b65487ffed3df894c36db0d747a55b1fbb496d

                              SHA256

                              ebc490c2d9573e0727283320949061b455b0b10e350af692bd4710c80e55b6d3

                              SHA512

                              d01e5ba33f36d579d0983e0c51fe36b791e133a7869db998210cbef60423a39296ad503c418a166ba9349300dd9f4d8bde43cb9e9eb8b183c28942fa419d7350

                            • C:\Windows\{EECFA159-9BC3-48b6-AE7B-090837AAF9A0}.exe

                              Filesize

                              204KB

                              MD5

                              5514bbed30469ec70dda59bb309c1ca9

                              SHA1

                              50f1fea57c6df6e5094a9e3cfd1a0c297c60a560

                              SHA256

                              15829ca22af7d3551932b1f14c2dfa22aeba8c4ff42712219df7625a310025e8

                              SHA512

                              85d1ee11dc3d626b5d6effc7076ea10041788d8943ce6a25708ee6ca4908ea34b517f97ce916750940b24ec71645a9e22a35bc7c6831e9e2fb085551edc24653

                            • C:\Windows\{F95024C6-9E6B-4d77-82F0-DD8612330837}.exe

                              Filesize

                              204KB

                              MD5

                              64c6aafeed2506adfac0132131b556e3

                              SHA1

                              cc5ce62fbb530d52d68b9d76fa76feaf6bd7e093

                              SHA256

                              a5221aa31ced443f6794329dafcd95cfd945ef091c791f06fae667cb5f558ac0

                              SHA512

                              18286d0b517ab4b88a2671dfa26e58ca2a00aefb0e05152b492d5c697fdea49f3425117e247fa1fe3cd8dcd1c9775d9151f5a5b1e713962d5e88b0105f8ffe1a