Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    04/04/2024, 13:36

General

  • Target

    2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe

  • Size

    180KB

  • MD5

    566aa4cd67f4c3337a1d128c0ee66d87

  • SHA1

    82125716a0fd42b24ac14bf8543439bd02b3cc6c

  • SHA256

    a4d353a50d90c5ee5f645e50e11954d7e4dbee081d95e4fa3fa51e857b192168

  • SHA512

    97123beefeeadfb7a7e2c09fdcfcfeb98246313bf4e3853c683403eeb158f37d9ff0b0962a5cb9f57dfc5a56e3cd89c63755a366a8b369626e30581d2c22c98e

  • SSDEEP

    3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (11 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
      C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
        C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
          C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
            C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
              C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2492
              • C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
                C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1196
                • C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
                  C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1252
                  • C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
                    C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1632
                    • C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
                      C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2316
                      • C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
                        C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2824
                        • C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe
                          C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1060
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD60~1.EXE > nul
                          12⤵
                          PID:1488
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB3C8~1.EXE > nul
                        11⤵
                        PID:2080
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4B66E~1.EXE > nul
                      10⤵
                      PID:2312
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B8764~1.EXE > nul
                    9⤵
                    PID:876
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF3D~1.EXE > nul
                  8⤵
                  PID:304
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{35EE9~1.EXE > nul
                7⤵
                PID:1036
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A1665~1.EXE > nul
              6⤵
              PID:2648
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8E6~1.EXE > nul
            5⤵
            PID:2868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{604BF~1.EXE > nul
          4⤵
          PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCC4~1.EXE > nul
        3⤵
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2756

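The tree above is a chained dropper: each stage writes the next GUID-named executable into C:\Windows, runs it, and spawns `cmd.exe /c del` against its own image (referenced by its 8.3 short name, e.g. `{6AD60~1.EXE` for `{6AD6013F-...}.exe`) so the file disappears once the process exits. The following is an added example, not part of the sandbox report, showing the detection logic a SOC would run over process-creation events to catch this pattern: it resolves the short names in the `del` commands back to the parent process's image (the report's "Deletes itself" behaviour) and walks the chain of GUID-named stages. The events are constructed from the first three stages of the tree; the explorer.exe parent (PID 1000) and the benign `del` it spawns are assumptions, not data from the report.

```python
"""Detect GUID-named stage chaining and cmd.exe-based self-deletion in process events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Every stage binary in the report is dropped into C:\Windows under a GUID name.
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# Every cleanup process in the tree is "cmd.exe /c del <file> > nul".
DEL_CMD_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation record (Sysmon EID 1 / Security 4688 style, fields trimmed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _split(path: str) -> Tuple[str, str]:
    """Split a Windows path into (directory, file name); no directory -> ''."""
    head, sep, tail = path.rpartition("\\")
    return (head, tail) if sep else ("", path)


def matches_short_name(target: str, long_path: str) -> bool:
    """True if `target` names `long_path`, either exactly or as its 8.3 short name.

    Windows builds the short name from the first six characters of the base name,
    a ~N counter and the first three characters of the extension ({6AD60~1.EXE for
    {6AD6013F-...}.exe). The counter depends on what else is in the directory, so
    only the six-character prefix and the extension are compared. Simplification:
    characters 8.3 generation strips (spaces, extra dots) are not handled.
    """
    t_dir, t_name = _split(target)
    l_dir, l_name = _split(long_path)
    if t_dir.lower() != l_dir.lower():
        return False
    if t_name.lower() == l_name.lower():
        return True
    m = re.match(r"^(?P<stem>[^~.]{1,6})~\d+\.(?P<ext>[^.]{0,3})$", t_name)
    if not m:
        return False
    l_stem, _, l_ext = l_name.rpartition(".")
    return (l_stem.lower().startswith(m.group("stem").lower())
            and l_ext[:3].lower() == m.group("ext").lower())


def self_delete_events(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """(cmd_pid, parent_pid, parent_image) for each cmd.exe child whose `del` target
    is the image of the process that spawned it: the report's "Deletes itself"."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, int, str]] = []
    for e in events:
        m = DEL_CMD_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and matches_short_name(m.group("target"), parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def stage_chain(events: List[ProcEvent], root_pid: int) -> List[str]:
    """Walk parent->child links from root_pid through GUID-named C:\\Windows
    executables and return their images in execution order (the dropper chain)."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chain: List[str] = []
    cur = root_pid
    while True:
        nxt = [c for c in children.get(cur, []) if GUID_EXE_RE.match(c.image)]
        if not nxt:
            return chain
        chain.append(nxt[0].image)
        cur = nxt[0].pid


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP + r"\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"
STAGE1 = r"C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe"
STAGE2 = r"C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe"
STAGE3 = r"C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events: PIDs, images and command lines come from the first three stages
# of the report's tree, parent PIDs follow its nesting. PID 1000 (explorer.exe) and the
# benign delete it spawns (PID 999) are assumed, not taken from the report.
SAMPLE_EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2268, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(3068, 2268, STAGE1, STAGE1),
    ProcEvent(2632, 3068, STAGE2, STAGE2),
    ProcEvent(2792, 2632, STAGE3, STAGE3),
    ProcEvent(2188, 2632, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{604BF~1.EXE > nul"),
    ProcEvent(2804, 3068, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCC4~1.EXE > nul"),
    ProcEvent(2756, 2268, CMD, r"C:\Windows\system32\cmd.exe /c del " + TEMP + r"\2024-0~1.EXE > nul"),
    ProcEvent(999, 1000, CMD, r"C:\Windows\system32\cmd.exe /c del " + TEMP + r"\notes.txt > nul"),
]


def analyse(events: List[ProcEvent], root_pid: int) -> Dict[str, object]:
    """Both detections over one event set, keyed for a SIEM-style alert payload."""
    return {"chain": stage_chain(events, root_pid),
            "self_deletes": self_delete_events(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS, 2268)
    print("dropper chain:", *result["chain"], sep="\n  ")
    for cmd_pid, parent_pid, image in result["self_deletes"]:
        print(f"cmd.exe {cmd_pid} deleted the image of its parent {parent_pid}: {image}")
```

Matching on the 8.3 prefix rather than the exact `~1` counter matters in production: the counter changes when another file with the same six-character prefix already exists in the directory, and the sandbox's clean image is the best case. The benign `del notes.txt` from explorer.exe is deliberately in the sample so the self-delete rule shows it keys on "target equals parent's image", not on `cmd /c del` alone.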
Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Windows\{35EE9D55-F650-41ff-AD11-A4D29C60F8B3}.exe
    Filesize: 180KB
    MD5: a157d7c774553e1b30311f41f7dd1bbf
    SHA1: 41602061ff4327959b777d13d62cf4cd76095512
    SHA256: b572aa5c03475fc2578f78aa153e4b9e4ff8d16aecefc70f97b0170d868e9f13
    SHA512: b26049a12117b54554b915b5ad6d3a6db8b6d6fe0870e667e903752164e20d2416033b3f1feaa790ae36ed1a86951378cc3fd0693aec52a78bb9059b40b69f50

  • C:\Windows\{3BF3D1FB-E973-44e6-BDBA-24970F7435D4}.exe
    Filesize: 180KB
    MD5: b092c683792194635b29a52de32a0f98
    SHA1: b7c3550c33114e3a61c12a898e162dc93c2658d5
    SHA256: 59cb80853b8ebabcb9bff0d701c353e76850d1870b132d90e9183ae330135bd7
    SHA512: 89653b9f4c69149eaadaff8b17d8c53a93e586bff7df7d0e92e416082b204cf8cf98615e0cf8ffd96458dfd36174ad65fa089252f98cb194e4fc73ae0690a2f3

  • C:\Windows\{4B66E4F2-50E4-422c-A65B-9C42C70562CD}.exe
    Filesize: 180KB
    MD5: c27e58a7d6aaadb450283217e9b8b3e7
    SHA1: 3ece90233252ded4b564826b037db395b9c6a225
    SHA256: e7b1a6eb6b529df898adbcd8a90f18447a77b75452d72d418e7ad3e8aec9e879
    SHA512: 0e9f7511057f7b53f7a68c48bbdfaa396b413d9fabce58d5f4ccf4c612d26aaac8fedc147f17066675511e98958ca97859a713fb964ce734d8155a961b910176

  • C:\Windows\{604BFE7E-8D72-4868-8415-2BD7EE83987E}.exe
    Filesize: 180KB
    MD5: 56e50e2b967acbb0d24488c0bc2bbaa2
    SHA1: 1e31b5ebd9426aecb4896f1f69ef0ce1a1a71de9
    SHA256: 1e34c4176ab4509f9ebab70461b2b15686042126f10a9ff6eb484afc95c4afb3
    SHA512: 23e85f75881ad209cd167641ffced90a1fb6c8bb916295d13450c4f0cc66efef21ecb5c743fbdc8e62ce5a5f3abaaa2533535cb48a03e81c1c411c5ced91faca

  • C:\Windows\{6AD6013F-E941-4aac-99A6-13E1F5BAC725}.exe
    Filesize: 180KB
    MD5: a1cd3f99cfb4b417d3c6b7754a1ff522
    SHA1: 4fb281ea818fcd5d1050043b95961a39110c679f
    SHA256: 9d5f1f544ff5756603f1f657c1e0602a72add7a469fc41999f4504b9c26a2239
    SHA512: 53412b9fd5810fd38a3c26a739a169fb60ddda251b4247b8af74add0fbe19075f7196f976123672777a764343e24d3a91e0be4576e222e817793cf3e99cb64c9

  • C:\Windows\{9B8E65DD-0180-41df-8903-910F8314783F}.exe
    Filesize: 180KB
    MD5: 34fb909ad609b13ee3daa35a99c873b2
    SHA1: de387611134d7e4725ff103ddf0992d393d95d37
    SHA256: c796f6da61c8579bdd5b6eac472b7a51589304ee9c94bcf801f22fb3601f40c2
    SHA512: bb1106c3a27dee637a2fb38104d83d863fda18984af1fa87e704b9406574b03efe13e2048d90b3babad3295b49309b5c92307f376825c63f56e61ff7d1322840

  • C:\Windows\{A1665C2C-634C-42d3-AB6C-6F7DD8D8E871}.exe
    Filesize: 180KB
    MD5: a1fc6ab812dfad7e48b4feac80539371
    SHA1: 32492210dc4ae2c77b4eb9d950f326bd116235a4
    SHA256: d2de389109edd5717ba1df530db1dfc338239a56f5ed7593c58ab4f6102b4ab0
    SHA512: 02451eb93e5bbbbb8de4371da589089370cbf2098529539d80a2ce8da05b4a2eeb167349dfa67c1208d96c166e0bf4ab7bb36ec3e876e4570f77858ac4328167

  • C:\Windows\{B87649AC-2E2E-4144-81F5-34E4C0198C86}.exe
    Filesize: 180KB
    MD5: a52714442065a2d688dc9f64a039b659
    SHA1: daaf60b3561163bc1593263ac8568ff319422163
    SHA256: 64f1244b34f6666f0e89c6ed7b8d64d28a518590bc4ba577827839ce7738a1e8
    SHA512: 4bec2ac3cb2a774cf057965929dc4ea1186d3140f9f66157006c73210224ff0b2079a54906e6716b7d2f35b42a6717f7b7bd0ac3b01cd3f3f6d660bd44d68d46

  • C:\Windows\{EB3C8E36-E0B0-40e2-89AC-171CFD078124}.exe
    Filesize: 180KB
    MD5: cba567da7c2781c136d6b41dd3bcfc5a
    SHA1: 4db1a940af3aefd68a6f77301480ea2ecdb5f28b
    SHA256: b145bb067e58fdb9e16b0b64371b27601722183a31ec738e4d67b89c227fbb0b
    SHA512: 83eb9bce1647de624fa8487cb25f392810889373fa7c5c85e9eb169d3fc6270e2caec04b6c1f2371e17e8bf1f03a6fea7fc4e9141965581b46ff108fe7905955

  • C:\Windows\{F63FEFC2-79FF-4cf5-A4CC-A12052F15D86}.exe
    Filesize: 180KB
    MD5: 09641c994c8200aa5437f719f04eb09e
    SHA1: 9bde1f6fd87230b7db3674e60f74b4e1da2ae2d3
    SHA256: 39b2c06abb9b0bd18c7e231ef66816940e54e9e87b4330c7af42935dad7eb035
    SHA512: 16f5e937e298558720f46ffcab51b33b54dad8f96c58c6fa593b947c4288c21a9b9870c067c1a8c746dcd008cf0f326ddcbc236b2d0baa37fce9add86a9a58bb

  • C:\Windows\{FCCC416B-2248-4984-8F67-B901D98E8F67}.exe
    Filesize: 180KB
    MD5: 0675366eb2db2b9fb6c571acc3d3cfff
    SHA1: 51220fd63562fed5f193cee5e5e15ea9bdb7dc7b
    SHA256: c1ac122ee6e70f72d69a735c0807b49eb8a0f7d4ccd75952668cb1918ca54c50
    SHA512: 84163e2025a22fb50bc7583bf522de5f05a8cf3ffd5e007b5f857fc9bb2bea9f0689761814c1690b0bfb6134b6ea1325a7caa2ea52532b2e5081ab313abf5977