Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64  arch:x86  image:win7-20240221-en  locale:en-us  os:windows7-x64  system
  • submitted
    04/04/2024, 13:37

General

  • Target

    2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe

  • Size

    168KB

  • MD5

    5f0dc811482238f0932c7529f94c2671

  • SHA1

    d6e5550a87d5851acc0a5ad0ea8e2e3944c2382f

  • SHA256

    dc4d3c6adc73b6019c3836caeb4fb9c9591b51cf03cffe6f1d1008572ca0e603

  • SHA512

    c4bb9f4d54df43d7ccdac3e7808e2a5c773c380d9b098f18cd1e59f783859075daa25d219d268dce983a7f6c565cd6f95ba4c6edbb9353cec0354b6caae0ce11

  • SSDEEP

    1536:1EGh0omlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0omlqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
      C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
        C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe
          C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
            C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe
              C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2452
              • C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
                C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:556
                • C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
                  C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2672
                  • C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
                    C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1060
                    • C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe
                      C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1340
                      • C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe
                        C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1920
                        • C:\Windows\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe
                          C:\Windows\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:588
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B16DE~1.EXE > nul
                          12⤵
                          PID:2984
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D83A9~1.EXE > nul
                        11⤵
                        PID:2864
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D1903~1.EXE > nul
                      10⤵
                      PID:1988
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{70600~1.EXE > nul
                    9⤵
                    PID:1428
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8134A~1.EXE > nul
                  8⤵
                  PID:2664
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{97FF8~1.EXE > nul
                7⤵
                PID:2680
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{26B8C~1.EXE > nul
              6⤵
              PID:1476
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE51~1.EXE > nul
            5⤵
            PID:2792
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{FC2DD~1.EXE > nul
          4⤵
          PID:304
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DEB2~1.EXE > nul
        3⤵
        PID:2696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2608
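The tree above is the whole story of this sample from a detection standpoint: each stage writes a GUID-named copy of itself into C:\Windows, launches it, then spawns `cmd.exe /c del <its own 8.3 short name> > nul` to remove itself, and touches the Installed Components registry key (the Active Setup persistence location). The Downloads list shows why hashes are a weak handle here: all eleven dropped stages are 168KB but every MD5/SHA differs, so blocking one stage's hash misses the rest. The script below is an added example, not part of the sandbox report, that runs the behavioural checks over Sysmon-style process-create and registry-set events. The event fields, the sample events (built to mirror the PIDs and paths in the tree), the `StubPath` value name and its data are constructed or assumed; the 8.3 short-name matching is a heuristic.

```python
r"""Triage of Sysmon-style telemetry for the self-deleting dropper chain in
this report. Added example, not part of the sandbox output. Event records and
sample events are constructed to mirror the report's process tree; the
"Modifies Installed Components" signature is read as writes under
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (StubPath assumed)."""
import re
from dataclasses import dataclass

GUID_EXE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"/c\s+del\s+(?P<target>[^\s>]+)\s*>\s*nul", re.I)
ACTIVE_SETUP = re.compile(r"\\Active Setup\\Installed Components\\", re.I)
WINDIR = "C:\\WINDOWS\\"  # assumption: system drive is C:

@dataclass(frozen=True)
class ProcEvent:  # Sysmon event 1 (process create), the fields we need
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass(frozen=True)
class RegEvent:  # Sysmon event 13 (registry value set), the fields we need
    pid: int
    target: str  # key\value path
    data: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0] + "\\"

def is_guid_exe_in_windir(image):
    # GUID-named .exe written directly into the Windows directory (a dropped stage)
    return bool(GUID_EXE.match(basename(image))) and dirname(image).upper() == WINDIR

def short_name_parts(long_name):
    """Approximate the 8.3 alias Windows generates for a long file name: first
    six characters of the stem (spaces and dots removed) plus '~', and a 3-char
    extension. The digit after '~' depends on collisions, so callers compare
    only the prefix. Heuristic, treated as an assumption."""
    stem, _, ext = long_name.rpartition(".")
    stem = re.sub(r"[ .]", "", stem)
    return (stem[:6] + "~").upper(), ext[:3].upper()

def del_targets_image(cmdline, image):
    """True when cmdline is `cmd /c del X > nul` and X is the 8.3 alias of
    image: the self-delete the report shows at every stage."""
    m = DEL_CMD.search(cmdline)
    if not m:
        return False
    target = basename(m.group("target")).upper()
    prefix, ext = short_name_parts(basename(image))
    return target.startswith(prefix) and target.endswith("." + ext)

def triage(proc_events, reg_events=()):
    by_pid = {e.pid: e for e in proc_events}
    findings = {"dropped_stage": [], "self_delete": [], "active_setup": []}
    for e in proc_events:
        parent = by_pid.get(e.ppid)
        if is_guid_exe_in_windir(e.image):
            findings["dropped_stage"].append(e.pid)
        if (basename(e.image).lower() == "cmd.exe" and parent
                and del_targets_image(e.cmdline, parent.image)):
            findings["self_delete"].append((e.pid, e.ppid))
    for r in reg_events:
        exe = (r.data.strip('"').split() or [""])[0]  # path before any arguments
        if ACTIVE_SETUP.search(r.target) and is_guid_exe_in_windir(exe):
            findings["active_setup"].append((r.pid, r.target))
    return findings

# Constructed sample telemetry mirroring the report's tree (not captured data).
ORIG = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe"
S1 = r"C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe"
S2 = r"C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_PROCS = [
    ProcEvent(1200, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(996, 1200, ORIG, f'"{ORIG}"'),
    ProcEvent(3060, 996, S1, S1),
    ProcEvent(3068, 3060, S2, S2),
    ProcEvent(2696, 3060, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6DEB2~1.EXE > nul"),
    ProcEvent(2608, 996, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    # ordinary cleanup of a log file by an unrelated parent: must not fire
    ProcEvent(4100, 1200, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul"),
]
SAMPLE_REGS = [
    RegEvent(3060, r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}\StubPath", S1),
    # constructed benign entry: a stock component path, not a dropped stage
    RegEvent(1200, r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath",
             r"C:\Windows\System32\ie4uinit.exe -UserConfig"),
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_PROCS, SAMPLE_REGS).items():
        print(key, hits)
```

Run against the sample events it reports PIDs 3060 and 3068 as dropped stages, the two `cmd.exe` children (2696 under 3060, 2608 under 996) as self-deletes, and the one Installed Components write whose StubPath points at a GUID-named exe in C:\Windows; the benign `del setup.log` and the stock Active Setup entry do not fire. The short-name check is deliberately prefix-only because Windows may assign `~2`, `~3` or a hash-based alias on collision, so an exact `~1` match would miss deletions on a busy volume.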

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{26B8CDAC-4E04-41fd-8AEF-5EFC84D97AC0}.exe
    Filesize  168KB
    MD5       4bf78308bd1e33c5e1c074a09b9fb11d
    SHA1      59ff47694d0af6e607f7034090ec3c3e7ffa62b1
    SHA256    9a08d6f358a51a009a70d50cc8c9938eb42146f7065872b814a315ad24274312
    SHA512    c3191121a07daa4b3db1cdec931368ec44eed154ad33b0689ace6774f75c5a17b3851e0dc2e940b97492d6ce5e882e4a51857360346f5a23e9194eb9e2df1cc5

  • C:\Windows\{2BE51290-E81F-4adc-8799-538FAC502141}.exe
    Filesize  168KB
    MD5       da725d5820d7701b85259420e2c5d1be
    SHA1      6c28b43d342ff99346c0cccde8cdcd6807dfdebf
    SHA256    9ee69bc3cd7f5eafda81114450e5dde78fa49a706fc3fd1f928abfe664183edb
    SHA512    fa2c2b2afd2368283f5e15390c0f69e4cc0ca26399def9e828c90a36b44c64ddddb56b9fd65660383bfface7de4bcd901273d0687470dc6525a127ccdbd80070

  • C:\Windows\{6DEB249F-A5D9-4912-BF86-BB5BD2B85BA5}.exe
    Filesize  168KB
    MD5       823c5e20a4681a5602878816daa59829
    SHA1      fde1443471e9fac0a3a981af0c2dd39efd733900
    SHA256    9ba7d10d24df1dfcf27116e3dccac88396de0220609593d0cc7f7414300aa4ba
    SHA512    57aea77323daa5ad9b966dc8d5725c4fc606cfd11384c33bf08a52fff9e07c83cf8deff937740c8bd92c35fe028219623e04cc0f4d48828e8b9eb58d6b7decde

  • C:\Windows\{70600684-3492-475c-ADDB-A0522AD3C3C6}.exe
    Filesize  168KB
    MD5       7ea02d42125db7ee910d83d79bf156cf
    SHA1      d7926357bb6504f6d4587fbcc8d22ea3326eb041
    SHA256    eb9b099fc3032894a4d11489514768319b17b926da7c7f498a193f929a024128
    SHA512    8cfbef2e511fa80cf392b630557cd57d095928908e32371c7c6b121579037186c8e2db507fceb42d62fcdce5170a5dd17ab6a90d458304681781d12ad1dc7376

  • C:\Windows\{8134AE22-F197-4a81-9DC4-3AFE6FC32B80}.exe
    Filesize  168KB
    MD5       588285051dc56f5a5ec984e9ba7d02a4
    SHA1      9cb312a748d24c64bdddd2c18c825d1f93a3ef6e
    SHA256    12a5f741a1208315534a47ea8f6ccf70d13b29731c20f5994b0be8ae104af8db
    SHA512    d99ad375277357efdfd1113ec62c570ca08ebe6fd62a63f3503a4b001a0f6d0a1a588605e559bcdc6e560ba78ff97a7d267c91c11e448f67816f6ac191d7a013

  • C:\Windows\{97FF8615-255C-49df-A76D-6F048669F28E}.exe
    Filesize  168KB
    MD5       286ab9b667d8074db6752d0c1355ab40
    SHA1      4d5fe0e2cb7665099223da5ea83ed9b4f5d20057
    SHA256    7ef0558fc551ce111f0199e5ac75f563f13a2989d1382f8fddb1a9434c683330
    SHA512    712915a6b311a6cd0a07bea844b5795e9095a305c16107a6acd91ea02673bb3e5b8d7c95c6e8ad5a3c3e117219d20565d57fe1067ae8075a1437a4546d4cd117

  • C:\Windows\{B16DEDCE-6FC7-411d-8EC8-37D92D5AD657}.exe
    Filesize  168KB
    MD5       b40d8516cce15d0b25ded870dfe9b5f3
    SHA1      55fc7ca87901de75369828bccda5d9f36aede7f1
    SHA256    53924cf3d25ecdd57c4173a708d8380cb0ccc0965e53e30041b3af591d6f712b
    SHA512    191e048d5833d84a57ebe977cfd655770a3099eabf83996d6464013261cb15e66cad742a956d4318f56ae37ac45b9543401e973eec84c8909c5ae993b6c3b125

  • C:\Windows\{B86FF227-920A-469d-91B6-5A0EEE0F28E6}.exe
    Filesize  168KB
    MD5       9d0c2979ff128d053dc04a36e72c10c9
    SHA1      85640199fd2e0f8760ff1f1c7fe0df40fe8af4db
    SHA256    34120f7fe0f3bdaa60f23d3e72e7b223c39f9e284053906eb5fed67c8bc6565e
    SHA512    bfba589570a736ffc40c6fd54deb7c52bc08d4d4d25b2c935c884685b9ba83f111d962b07552db3a4b1409d26d80c9944253d95fa1ff1b8fe4209f9f71d79492

  • C:\Windows\{D1903E0E-7333-4b4a-9988-E385F1ED3DBB}.exe
    Filesize  168KB
    MD5       7db792a83234830699c224538837fa11
    SHA1      4ed50f2469d62e783215e074e45aed5aea240309
    SHA256    63bb5463cf4cd5ff19007f62678207a3aa8d0616b817e32b41cffb8179e65a11
    SHA512    02eeee89253764be1c7fa86ee99dff149110a2f3c1ef5d06e02fef5af5a559064b6072e430eb3cc960abdd884fc37743dd3b5dbffe4f6814aceb5db0e76f851b

  • C:\Windows\{D83A901F-7C57-4dbf-B16F-7951A9BDDC53}.exe
    Filesize  168KB
    MD5       d3bc993d26367e8096229b164e19a83c
    SHA1      1cd59af8fb0fdb571c6c56f765398d1f8ee0990b
    SHA256    f695d946ffc8335645e8c3abf6fef47acfb0b07dacd54af93724be713b6861ab
    SHA512    bd0e24beb6adb71852d520ac570b7b0117ebc0c3951581e5f7ad299c287919fa86c65f15f33734329e4d2c7ad3bb470f9be0db745dfa628d63076ba01c90b4f0

  • C:\Windows\{FC2DD0E4-0A84-4d8d-BF7F-1F7AFB77A64B}.exe
    Filesize  168KB
    MD5       aeb2d598e5fd784dd5561cb2241cdd50
    SHA1      71a5b5cdde4382fc6bc681fba7845db5aa71d69d
    SHA256    d6fc2cd581787c92637bad8b0d96e02a4246a6c95fd60d8ae6371519728af390
    SHA512    02c1ca96f36012699169651b70a16651240dab315aa5f76505f7442fe49862b81a6dfbb5749107b4d75be07d44e986c58ac306f3731bc0e2b9a0a8ac7c3e7e9c