Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 13:39

General

  • Target

    2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe

  • Size

    204KB

  • MD5

    75d172b074cfb2f8092b21b0cb1417b8

  • SHA1

    27016bc58f7ed03a6a012f653f84282547c89a03

  • SHA256

    a640cd5774250fc10b40ac663eb8f85bac0d6fc61c3241bec84b210afbf774fc

  • SHA512

    2561cacb93cb9dc2976b4d0f808fc957efc7df9f46acbcf5e7816b0e38e2fe124a5c57752c8b400508c4626d4ea2b69bd8fbc4cebfe60b39e11940311b6d0705

  • SSDEEP

    1536:1EGh0oel15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
      C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
        C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe
          C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2528
          • C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
            C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2472
            • C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe
              C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1940
              • C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
                C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1656
                • C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
                  C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2460
                  • C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
                    C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1464
                    • C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe
                      C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2876
                      • C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe
                        C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:336
                        • C:\Windows\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe
                          C:\Windows\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1456
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B6B~1.EXE > nul
                          12⤵
                          PID:2816
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C823~1.EXE > nul
                        11⤵
                        PID:984
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5AAEB~1.EXE > nul
                      10⤵
                      PID:2116
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F0DB8~1.EXE > nul
                    9⤵
                    PID:2588
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F027B~1.EXE > nul
                  8⤵
                  PID:1376
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{07902~1.EXE > nul
                7⤵
                PID:344
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{27A73~1.EXE > nul
              6⤵
              PID:1612
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{65782~1.EXE > nul
            5⤵
            PID:2452
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4CF25~1.EXE > nul
          4⤵
          PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23B4E~1.EXE > nul
        3⤵
        PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{07902000-F022-491c-B968-7A01A8B7FDC3}.exe
    Filesize: 204KB
    MD5: 9368918784f91ff17d6b67c6d4f1e256
    SHA1: 76d2e7554374fceb7c98e90835f48da3d0382ee4
    SHA256: e732887af2a1cf0474280aa0cc79638549685bc133c5bed6bdeedb916a433908
    SHA512: 0105010c8d6fecf22b5dfd99ba08bf8a73ff0c5218912941cfd9da573011f7154c6265580d5ec4995a77fb5ee85b6723ad6c099af96cf6a6169b8b144eebb398

  • C:\Windows\{23B4E215-D468-43e5-A7E8-EBD0D6A646E3}.exe
    Filesize: 204KB
    MD5: 36b79d330b1d71ada09236c47c67f8cf
    SHA1: d1939977766e962f336a21f61e5378cb9362f0cd
    SHA256: 73b2ba53274fcc5a5dd439e7789d4f5d9c0d153bd84d218d297da362cdb19b73
    SHA512: 31d09766e14c48d99d76aeac802b89c63f8ef4caea63147f31e3179bb65a3aea6ba182920d13215cc7c00b582906b866332dd7312d33e546cfa0ae41b9cbcfde

  • C:\Windows\{27A73443-9C5D-4728-9E0A-6A5116D8E9A2}.exe
    Filesize: 204KB
    MD5: c29e441448ba725cfe04f36dbe0270a0
    SHA1: 947fa7cb93afb1e03424db044647587ae75abfc2
    SHA256: f7b4d05b685fa0759a97cbd6180794da78c4e91d860e913e9ace5a7bef87b439
    SHA512: 5603eddbf0e4b10620d8ce80551e153bc609193e0bddde27c6292884b3351da1e673049fae047a2b4e30e19f13cda1e02758a64f18fd00e47262541fe4023237

  • C:\Windows\{4CF251A6-6B71-44d7-9C3C-0A31E7321906}.exe
    Filesize: 204KB
    MD5: 7ca9dbc2743ebf88d6a047e019c94550
    SHA1: 79f34246006be021ec01d7f087cb5a21b71c0c0a
    SHA256: d7a97f111875869d2e67811f7d19b7d9e5479fc47bd8f0988d29d5d19a8002a4
    SHA512: 5884303716b423376a6ccb8526d290e872b4886f1fb70f14b99a0858cd566d71d75052ad95b30896947a29772a66583141b7204ca2a9b3139e07e2f5d04138fb

  • C:\Windows\{5AAEBD8E-BBFA-4006-9F32-2913F96BCD02}.exe
    Filesize: 204KB
    MD5: cba1ec6d6f4347665cda465a237a6d80
    SHA1: e5177b45bce3c4ef78d51c4edfee766cf4739d0d
    SHA256: 77993e3659edc3a5e79fa66187d8c35b60a909241ebc8cfcf68141d62c29684e
    SHA512: bfdab196c942fd0a0847d98e39c03e5657d085d06599127ee589316e892e89059da455dac6eb4fc418f94aa0726def34991f8c5dac8630de775349b1df632127

  • C:\Windows\{65782627-3DC2-4ab2-9F09-78420C969855}.exe
    Filesize: 204KB
    MD5: d8082e1fb1ad8dfbad4444e90265c173
    SHA1: 3c9cd35a4bd6eeb9875d3097fbce64c8628abb7d
    SHA256: 2d12105fa4f585b2106f8e9cfb7bb5be3fcda084f367437e69815dfa40519be5
    SHA512: e681f70f6a6db6c7d9ad61a1ca606a674ee9cea75f3e9bf553b3e16da8549ecabbd42c421d6d75731e00aa2330ede1bd3376fbde75813be1c6819e2b5f2748d3

  • C:\Windows\{6AFCEA01-5C4C-4f1f-9184-B473D11E4683}.exe
    Filesize: 204KB
    MD5: 74b93cb2a248b6694f252db76176d62a
    SHA1: 97b5d3acaaaf7af3f7ba9fe73a34cb931257d579
    SHA256: 812c3fee92c96a0513677a64a0b123ac04ab8a9ee76623c32b5f66c6d300b682
    SHA512: f745f8e55a3d6792290fa506136524a8e6906604dec6a9b4a8eb4b75d0e9270761eb90b5d81e52071a5d8eabdeef27e9cff3fc3b16a39360dd302bb6da8cfbe9

  • C:\Windows\{6C823AB3-D565-4b9d-80D0-BBB9D4B54F90}.exe
    Filesize: 204KB
    MD5: cf131a7cfa7e3bebae4a9ba0ba54168a
    SHA1: 04d078bec5baff0b34825901f841821f009a26ed
    SHA256: dddb9316cb33e238711de14e2fd66ccce74936c4e101a18f1aa35a801c7fed45
    SHA512: a10ea3bfd703328e8fe3a07204fa641e9c795cf7eaa46db44ebe832f077c366bd53c18f93f740cf6708d1b4404176eac9afb99812a9f2a9ef4dc256358a043ea

  • C:\Windows\{B1B6B830-878E-461d-9A5D-979B7B9AFA72}.exe
    Filesize: 204KB
    MD5: e1658e689b8aaefaa4c0ce1b796b468d
    SHA1: 874a3058b8c2f83ef20fa91aee893538e64a652c
    SHA256: 6e31d80fb7bb8c07421895c3198379726c719e91143470bafc1c97cc3e749c1b
    SHA512: a171bb392ad7c4c3425f52821cfa9b70a5c71281eba26e9ddeefb1767a59c6d2b858480d1d4664b4bcede8591af1bddf36fafdddab0c3645c2bc5f7b04733cf5

  • C:\Windows\{F027BE9B-853C-47da-943B-B4E9B045E1C7}.exe
    Filesize: 204KB
    MD5: 1c9704de3a87a2fe157564ab75d5f8f6
    SHA1: 23efcbae6bd563aaa9724e1895de374db8de8cca
    SHA256: b0d406d986cc8dea963670ba30d921f7e6a94aed2b0c45207fa0ddfc365ab2f5
    SHA512: eb25996d6ccb1de29e238bdfbb484ca784afee15725394f9bc34b713726a51c7f75e9f0b866f81159737dd4e0e32cee02b4d04938eb5147f6d827baa5d5daed0

  • C:\Windows\{F0DB803E-0673-47ab-8BE2-A9EF78FE34BB}.exe
    Filesize: 204KB
    MD5: 9af7a6a0181cada47cda5572898e1f34
    SHA1: 4dbcd378953937a6a1aa7bcd29eb8a51eca8af79
    SHA256: 1f56cec93c7d22b67466bbb5931cf8045ab59410fff96d3f2134e5605354629d
    SHA512: ffce8cf660ac8476d5d2daa2bf3be7726174ae0fe314b5e8fbfac68b507b9eb2e919c7303ac4c71ac21c89ad802274f77ec4395a8e004a4bf344af299eea3d18