Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 13:35

General

  • Target

    2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe

  • Size

    408KB

  • MD5

    47ed00611fc28276ac7279e5a85a003d

  • SHA1

    675b6f8ff31f6b6324a58637c101869979de4217

  • SHA256

    fc23cd1c6f90f1a907c08e4fff0cf46e7d6552264201caccd9423bafde233e33

  • SHA512

    adee5df07e61e158d70f43fc4faf4115a22d1a231f91101d7a77f56e1cc828d07aabbaab5988a469e41d1ad4ad12052c3dabb923c32748165658a0e8562bba83

  • SSDEEP

    3072:CEGh0oal3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe
      C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe
        C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe
          C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe
            C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe
              C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2296
              • C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe
                C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1576
                • C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe
                  C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1328
                  • C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe
                    C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:860
                    • C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe
                      C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:324
                      • C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe
                        C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2220
                        • C:\Windows\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe
                          C:\Windows\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1792
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{69FDD~1.EXE > nul
                          12⤵
                            PID:1712
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A8410~1.EXE > nul
                          11⤵
                            PID:996
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{631C7~1.EXE > nul
                          10⤵
                            PID:1852
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C91D9~1.EXE > nul
                          9⤵
                            PID:2044
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BC49E~1.EXE > nul
                          8⤵
                            PID:2656
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8AEB4~1.EXE > nul
                          7⤵
                            PID:1892
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D74B8~1.EXE > nul
                          6⤵
                            PID:2900
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F7E55~1.EXE > nul
                          5⤵
                            PID:2704
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5A18D~1.EXE > nul
                          4⤵
                            PID:2464
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{26252~1.EXE > nul
                          3⤵
                            PID:2568
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{26252A3B-DDF2-47e1-8C4B-1C3C4FDF3906}.exe

    Filesize

    408KB

  • C:\Windows\{5A18DFA8-0AB6-4302-9D4A-99865CC980EE}.exe

    Filesize

    408KB

  • C:\Windows\{631C7C8D-E93D-4b3d-9CDC-D3333B70A4CB}.exe

    Filesize

    408KB

  • C:\Windows\{69FDDBF3-F1DF-4e4c-9840-D0BFC99ABA19}.exe

    Filesize

    408KB

  • C:\Windows\{8AEB44D2-E1EB-4a95-9F0C-21FDDCC5EF9D}.exe

    Filesize

    408KB

  • C:\Windows\{A841007C-6540-422c-B8A4-F13088944423}.exe

    Filesize

    408KB

  • C:\Windows\{BC49E73F-5E0A-4269-8CE9-DA2F8B7EB5B1}.exe

    Filesize

    408KB

  • C:\Windows\{C91D99BC-1C4C-4666-A6A4-2B42001F4AC0}.exe

    Filesize

    408KB

  • C:\Windows\{D157068A-6C63-4c72-92F3-827474DEEE9E}.exe

    Filesize

    408KB

  • C:\Windows\{D74B840A-03EB-4d99-ACB9-FD508FC76035}.exe

    Filesize

    408KB

  • C:\Windows\{F7E552B3-4E42-4b60-BB3C-BBAE31BE7017}.exe

    Filesize

    408KB