Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    04/04/2024, 13:37

General

  • Target

    2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe

  • Size

    408KB

  • MD5

    63674177d321bd82d8149f48e69fd53a

  • SHA1

    d0a3b27b8a3d3a82241d7c13dfda65cbdcb8fb4a

  • SHA256

    9235dafa5d7eeef3a72e666e239a5c6951f1fe1815be71898d8e6e1aba87e15b

  • SHA512

    b8fd7f95eb163002cd765f4059122813ab7193a0c6cda577b9e6cb97e881c001767e71005c76f3251b68509304f762f7e04f63f679855ee39b33d2601194fada

  • SSDEEP

    3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGAldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe
      C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
        C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe
          C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
            C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2528
            • C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
              C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:320
              • C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
                C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2672
                • C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
                  C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2348
                  • C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
                    C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1996
                    • C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe
                      C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1716
                      • C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe
                        C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1752
                        • C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe
                          C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:112
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C77A1~1.EXE > nul
    12⤵
    PID:580
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{99C52~1.EXE > nul
    11⤵
    PID:1976
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC61~1.EXE > nul
    10⤵
    PID:2908
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EC546~1.EXE > nul
    9⤵
    PID:1628
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F682B~1.EXE > nul
    8⤵
    PID:2676
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF30~1.EXE > nul
    7⤵
    PID:2780
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CAF96~1.EXE > nul
    6⤵
    PID:2796
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{97BA9~1.EXE > nul
    5⤵
    PID:2924
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{931C1~1.EXE > nul
    4⤵
    PID:2940
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6958D~1.EXE > nul
    3⤵
    PID:2660
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    2⤵
    • Deletes itself
    PID:772
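The process tree above follows a fixed pattern: every stage is a 408KB executable written to C:\Windows under a GUID filename, it launches the next stage, and it spawns cmd.exe /c del <its own image as an 8.3 short name> > nul to remove itself. The cmd.exe image path C:\Windows\SysWOW64\cmd.exe against a command line naming system32 is WoW64 file-system redirection, consistent with the arch:x86 tag on a 64-bit image. Every dropped copy has a different hash (see Downloads below), so blocking the hash of one stage does not stop the next; the stable features are the path pattern and the self-delete command line. The detection logic below is an added example, not sandbox output and not code from the sample: it re-creates the process events from the PIDs and command lines in the report (each entry's parent PID is inferred from its depth marker, and the first stage's parent is an assumed placeholder), flags GUID-named executables running from the Windows directory, and flags a cmd.exe deletion whose 8.3 target resolves to the parent's own image.

```python
"""Detection logic for the dropper chain in this report (added example, not
sandbox output or code from the sample). Process events are constructed from
the PIDs and command lines shown above; each entry's parent PID is inferred
from its depth marker, and the first stage's parent is a placeholder."""
import re
from dataclasses import dataclass
from ntpath import basename, dirname, splitext

GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
GUID_EXE_IN_WINDIR = re.compile(r"^C:\\Windows\\" + GUID + r"\.exe$", re.I)
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>[^\s>]+)\s*>\s*nul\b", re.I)

# Constructed from the report: (pid, image) of each stage, in tree order.
STAGES = [
    (2360, r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe"),
    (3016, r"C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe"),
    (2584, r"C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe"),
    (2052, r"C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe"),
    (2528, r"C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe"),
    (320,  r"C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe"),
    (2672, r"C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe"),
    (2348, r"C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe"),
    (1996, r"C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe"),
    (1716, r"C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe"),
    (1752, r"C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe"),
    (112,  r"C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe"),
]
# (cmd pid, parent pid inferred from the depth marker, 8.3 target) per del helper.
DELETES = [
    (772, 2360, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
    (2660, 3016, r"C:\Windows\{6958D~1.EXE"), (2940, 2584, r"C:\Windows\{931C1~1.EXE"),
    (2924, 2052, r"C:\Windows\{97BA9~1.EXE"), (2796, 2528, r"C:\Windows\{CAF96~1.EXE"),
    (2780, 320, r"C:\Windows\{9DF30~1.EXE"), (2676, 2672, r"C:\Windows\{F682B~1.EXE"),
    (1628, 2348, r"C:\Windows\{EC546~1.EXE"), (2908, 1996, r"C:\Windows\{EEC61~1.EXE"),
    (1976, 1716, r"C:\Windows\{99C52~1.EXE"), (580, 1752, r"C:\Windows\{C77A1~1.EXE"),
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def short_name_matches(target: str, long_path: str) -> bool:
    """True if `target` names `long_path`, allowing an 8.3 short name: the short
    form keeps the first six characters of the long stem and appends ~N."""
    if dirname(target).lower() != dirname(long_path).lower():
        return False
    t_stem, t_ext = splitext(basename(target))
    l_stem, l_ext = splitext(basename(long_path))
    if t_ext.lower() != l_ext.lower():
        return False
    if t_stem.lower() == l_stem.lower():
        return True
    m = re.fullmatch(r"(.{1,6})~\d+", t_stem)
    return bool(m) and l_stem.lower().startswith(m.group(1).lower())


def flag_guid_exes(events):
    """Events whose image is C:\\Windows\\{GUID}.exe (stages 2..N here)."""
    return [e for e in events if GUID_EXE_IN_WINDIR.match(e.image)]


def flag_self_deletes(events):
    """(cmd pid, deleted image) for each cmd.exe del aimed at its parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = CMD_DEL.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(m.group("target"), parent.image):
            hits.append((e.pid, parent.image))
    return hits


def reconstruct_chain(events, root_pid):
    """PIDs of the stages in execution order, following links to GUID exes."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    order = [root_pid]
    while True:
        nxt = [c for c in children.get(order[-1], []) if GUID_EXE_IN_WINDIR.match(c.image)]
        if not nxt:
            return order
        order.append(nxt[0].pid)


def build_events(launcher_pid=1000):
    """Turn the constructed tables into process-creation events.
    launcher_pid is an assumed placeholder; the report does not show it."""
    events, ppid = [], launcher_pid
    for pid, image in STAGES:
        events.append(ProcEvent(pid, ppid, image, f'"{image}"'))
        ppid = pid
    for pid, parent, target in DELETES:
        events.append(ProcEvent(pid, parent, r"C:\Windows\SysWOW64\cmd.exe",
                                rf"C:\Windows\system32\cmd.exe /c del {target} > nul"))
    return events


if __name__ == "__main__":
    ev = build_events()
    print(len(flag_guid_exes(ev)), "GUID exes;", len(flag_self_deletes(ev)), "self-deletes")
    print("chain:", reconstruct_chain(ev, STAGES[0][0]))
```

The 8.3 comparison matters because the del command never names the long file: matching on the full image path alone would miss all eleven deletions, while matching on the six-character prefix plus ~N ties each cmd.exe back to the parent that spawned it.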

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{213237EF-16EA-4f8e-B83E-CDDF85EE4139}.exe
    Filesize 408KB
    MD5 077f99d63f0d55e0023f83dbb5d19fc7
    SHA1 28a7c1d934b78bd587f7fff48b93384b63c76519
    SHA256 5fd0624c7be6c38fbeadcdf4c4839f41d1c3771956d17eecb6f7a7c59541c222
    SHA512 a305189b72c63560cc96d085dd4af7af63803e97e004fd322123800fe90ca8d8f4c5809caeb363920be71ba26df5c6c70d1304c64892b2db43b9e62a2cafeb3b

  • C:\Windows\{6958DF70-2E70-47fb-B333-8654538B68C7}.exe
    Filesize 408KB
    MD5 ac1dbb4a6bc9fbf6357a9e9037d745bc
    SHA1 35b31836d22f9b7c9add2589594e08339bda5e31
    SHA256 10e77337af218aee20dbe7b9edf37850df85d975fa07df0d5a81dc263d415384
    SHA512 a0d4bd35f6f98590e78d546bca87c1bc2705d81c2fc6290bb1917e49cdad77b3473c484a380bb857f2e250de78ee5f25833db9649c5a605d3728695c7e3ab456

  • C:\Windows\{931C1CFE-D7D0-4efd-BAB5-3CB853A31BE5}.exe
    Filesize 408KB
    MD5 9c2f2f509f99f1c65ab5a6acb39577be
    SHA1 cc7b02403c6b64c5df1db5ec953d1f31ca2d92ac
    SHA256 df67aa8384d4a989519ad37a8db51bacfeb9c508bab62ab757606c68622ca043
    SHA512 3f538ecfce67675f4691a8bd6499927aff0e30e034d60fe6d9ac17192d5d59083c7f596babb32382ef610502b8d6cb44a2cbb5327359b4e14cbc5b2b9da77721

  • C:\Windows\{97BA95AD-07DD-4b72-8192-81D57F4EDD92}.exe
    Filesize 408KB
    MD5 48e9864c0274f38911f85897ece73dc7
    SHA1 dca3299dbc9b90d970bb643533728074ddd34adf
    SHA256 29995756ea34e4c7e95ca305a43e7ef7a657b0388b8a8accc5f85ced5305d2de
    SHA512 54f681b97f9d7c240f4c059ef23a0fcf5088e3b2e776cf2abf8443f6d238f195a6afe35aac1af81b5d76055024f2a235258ee290890e7776fade1ebd2de78b0e

  • C:\Windows\{99C5292B-5F47-44e4-BAB2-F196AD5BF7C2}.exe
    Filesize 408KB
    MD5 1a134122948bc0a143d270d9385b9991
    SHA1 86b3eb9eb7270719590583081f59e98df1c20270
    SHA256 78f71561a34333a3e5ffd68f081a240d2b372412f7bcac8c73d00596960a083a
    SHA512 cc7f9f3a6722ca178e0afea37d43d34dc9259502dea893651d499a5d42259b20cab07481c42313676f0bba1aa7a7fe5e007bbcd35021a788d8f0fd1f5c581896

  • C:\Windows\{9DF3038B-1E0F-4c18-AEB7-7271AA6F39C9}.exe
    Filesize 408KB
    MD5 46659071465ad25003ca428108e8a1aa
    SHA1 e72089fd87126428f42a5c35a20803d5c6878fd4
    SHA256 a9b88315fb44db2caf71a19558a307b6ef2a1fe7164a009b548c9bcdbddd0d9f
    SHA512 4728873cd520fcf475fae94162e229422e81ba99c7c759e7b81094d28a5469ada238db78bda44eba01d1fc3eecb9fd4159f294e1ac210cd0b9f9952a1e7aa129

  • C:\Windows\{C77A1454-F23A-4dc2-A284-7D800C7B708C}.exe
    Filesize 408KB
    MD5 3c5bc08e41d16bff58112fda5ac89c2a
    SHA1 b96a7f49223af9d81b94ffda515223deaa1bb6ae
    SHA256 42c7345af68ad97ecf77420032c835b954ce146c857bc81d5455701f004844d3
    SHA512 761002131c0be192c331c9ba49f336268e9ad12ff56a92f0cf236874387ee60ad19be6542be88f4f34b22d23384676fcff88327f595b82a0d9611f4275cbf1a1

  • C:\Windows\{CAF96995-C120-43da-9B5F-A1398B1DCF9E}.exe
    Filesize 408KB
    MD5 1a3463c86dc47b8e3b7a08415f17ba8f
    SHA1 cf522569ee19b9cbd01073c7f69b5eb401e68f7b
    SHA256 92ecb194a1b6b69cd33b9df3550d01893c537f44b5b98cdd1692ec5d991760b6
    SHA512 7df35cdf3e7f7f689825fb459bf6b5180658d7caed0fc1c6dea580910047a35c31c451dfcc41d21c7bcfcb7b55b2dbb5196a18e168d9d7f57bb1bff9656d173a

  • C:\Windows\{EC54689C-C80C-4a22-9ACE-AFCA466F3050}.exe
    Filesize 408KB
    MD5 b4a68855b2466caf6f589a8fd78fbe43
    SHA1 58dca2683abbfd5be7c85137af0ef95f35e83cdb
    SHA256 49e7fb2b3e71ec31b6ab8a717375ec5fe4b7a9ca42b21dabfd80e4fd9c9ea1c3
    SHA512 e8f1b33aec5c6fd9e16f14ee78bb899e6e4f8bbff207a8a6e412c474f202b3ac592070022239876b4b04ce8cd6e99db4320335a4bdc42c7ea123c4ccaa4c6c6b

  • C:\Windows\{EEC619BF-6069-4dfb-AFF9-703CB71AD46D}.exe
    Filesize 408KB
    MD5 ca0c0aaaa15bec83be9205e867c0dfd3
    SHA1 4f0545343a507f12c2427c0c67b0de4e04852b6a
    SHA256 35dc19832fef9ddde93b696d8fbc4376ca428d536270b2343e778766d17ceefd
    SHA512 cfa984fc847ffea01d2c79b96a3cb8540bd5ba7efb11af33adfbc3176da38c2ec5e1745af62109e11b26b9ca3f4037a82136474825b5e2552e8b6feb66f1d2a8

  • C:\Windows\{F682B477-5F40-4e5a-87DD-95E0AFCD0E28}.exe
    Filesize 408KB
    MD5 9d65985176fa7c7a73849b2dca00282a
    SHA1 73e6a7e78e518dfc462a532f19fc330587f922a8
    SHA256 c81c59e91a1a43222377f0c2d58df56574e60aef7358ab4f68d3f24be9ac840f
    SHA512 985aeb80a929b783f9cf9de9a0bf2cc64e92b828ae14dc692060f2666f0e34204748f80fadac860171dcb14b0b7cf475f9fbc86c54751c41aca40b2759a45b74