Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 13:39

General

  • Target

    2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe

  • Size

    180KB

  • MD5

    7797130fb4e98aab4021671402741353

  • SHA1

    4d73edec6762a49079032ecf3c4a1782aab754d8

  • SHA256

    8c74b39e1abe43c7e9774cdf80e1d441b320de635c37baa31c98f01586e57afc

  • SHA512

    8257b9fa76823847bdb0c7ac98ba5a9bcafd585a033d45982c4921df1b82e6e7f5cbe992e93de4fd1e7573e886d42989a66e971a6f9dd10e19187616cc8fb6ba

  • SSDEEP

    3072:jEGh0oalfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGcl5eKcAEc

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe
      C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe
        C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe
          C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
            C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
              C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2776
              • C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe
                C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1636
                • C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
                  C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:852
                  • C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
                    C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1180
                    • C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe
                      C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1764
                      • C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe
                        C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1108
                        • C:\Windows\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe
                          C:\Windows\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2080
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{17AAB~1.EXE > nul
                          12⤵
                            PID:672
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{70106~1.EXE > nul
                          11⤵
                            PID:2876
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{15D6E~1.EXE > nul
                          10⤵
                            PID:2112
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A404D~1.EXE > nul
                          9⤵
                            PID:876
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8BD19~1.EXE > nul
                          8⤵
                            PID:656
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DDACB~1.EXE > nul
                          7⤵
                            PID:2172
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{19C9C~1.EXE > nul
                          6⤵
                            PID:2904
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EF64B~1.EXE > nul
                          5⤵
                            PID:2380
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{479ED~1.EXE > nul
                          4⤵
                            PID:2164
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4B67B~1.EXE > nul
                          3⤵
                            PID:2440
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{15D6E019-9C27-43f2-A8E0-637AC6A88366}.exe

    Filesize

    180KB

    MD5

    631dcae8ee24c26f4d132915534ac58e

    SHA1

    c8b74c0492b64cbdf930352c2f981c028a50606e

    SHA256

    c0d7248458053162b770ad6288c9deba702c96a8db867e3b7191d3082f49bd21

    SHA512

    29a7f5b0e40ae93544ae4ebeedca314ee1270719c7957a07628cd54a9bb2a0ef12218abee6a6f6099c8d67ffbbbd33f1a4afa95a56c764c63d3dc707260af71a

  • C:\Windows\{17AABC3A-24D2-4e6f-8C23-C2C8CD6D22DC}.exe

    Filesize

    180KB

    MD5

    3cc8b0be906cbfec30eaedad70b9e906

    SHA1

    4684f270f371121426e3a69f1a2f1d6e0d0791ee

    SHA256

    b81a031479a692272ae90d96433cf8d5fa8a8c78942e41372e4ad6ea17c3170e

    SHA512

    6ba765a4e9d95ef129b46b3729de62ee837aa01c662903f6e26e466437f4b042ff282a6434c92f19b731b0f692a21025646930eec2b4e51c8beed6304a540761

  • C:\Windows\{19C9C6B0-F2F2-4c3c-BDD7-C2651072E9F1}.exe

    Filesize

    180KB

    MD5

    17dd7042325e488205f8d6ec8edc5b26

    SHA1

    076354257e30e86b87f8883f07fe09a0202b85a3

    SHA256

    babd8dfdc4393202af084096a368352aedae3f0bf70d56858c4c8a99d0550cd3

    SHA512

    30b44983057a547378ce4cc918afa64f7591bd3baac80ed72538c54e88a2eea2c9d65fe14acedcc0c9843956fbdcd8bcaf756df67760b39e693ad4a1ec5a9b38

  • C:\Windows\{479ED959-8E57-4209-A82B-678A006E7D34}.exe

    Filesize

    180KB

    MD5

    3226383af96f23ed6c15099615c53f2e

    SHA1

    19074d42fa06d5897a09f34790216041d85b7b48

    SHA256

    cc243bb910a30e569aa78090f17eeb091794f148676a2cc26f31c5a0b9661298

    SHA512

    a1167ad30577c1fcdf03520bf2c080d8668e194cefd25fb5a1a2ec629e40e6aab828cc8541a4e775921598377aa11cf63365d7c6b1f21adafa5faaf1126cf27b

  • C:\Windows\{4B67B273-5D11-480d-8A63-C998AAC84425}.exe

    Filesize

    180KB

    MD5

    e5be26c98ab05b627390bdf1c4dc7eee

    SHA1

    dc0a24f3c7cb0762551733d9d9a878fcc0c4fe95

    SHA256

    f9a3eaf85706ed531951d363e7293b9eb6d4d4b9678e7cd080da987464417737

    SHA512

    18be4041b48db30ee9d018186bd23e01a490c8bc43ddd04292cf8650be5996fe31450f3c84cdee94f0d6e647f1c8e046e87f518925c825d42264c899963e7722

  • C:\Windows\{701069A2-B2E9-4bd2-8190-740A89155C4A}.exe

    Filesize

    180KB

    MD5

    175762126b01ee2af13bc19992adca7f

    SHA1

    507283c6fcab8f2077d1b26edf172fbe85bbaa4d

    SHA256

    09ae4b444b5ef98429db90bb27ad97a431ef4054caf740d6db85aca19e2f3a24

    SHA512

    48ccd3609849cc828ef5d38209a284c377e99b8a226e94354c78da261cba467a751094751ecfed4aa1ba420f7533c488c822bf4671a233d9f36ca99ee9d51a00

  • C:\Windows\{8AB9396A-8D9A-4c86-9E64-00D4C2EACC65}.exe

    Filesize

    180KB

    MD5

    2b28276f4fa8f5ef87731c1297055929

    SHA1

    cbcd9b340ffd3eefaab22de1ea8166c32416f194

    SHA256

    60893155b1007113497698a212a05f9353fd395cf75549e040d3af852b14c88b

    SHA512

    32490c2ddc1969c21c758fa1bf5f0195201b95534274b0f0a11b9a1b14e88715365478b233ec68f4a5829795d34893de37867a2a2b51574b07345d49378c15bb

  • C:\Windows\{8BD19470-5747-4942-880A-EA1AC2780B88}.exe

    Filesize

    180KB

    MD5

    bff04c454bc7598a85700deb7d07aba9

    SHA1

    69b68dcdcf17228eb97c5f17d274e3a9e29f20a5

    SHA256

    1258eeb5244f97789ba8f421aa5abf9f2048140fbc462cc61023b572f11af7e3

    SHA512

    7601dcf95f0decb45ac7c1b4411873b1f9f4e8558ade62b5e63fd6eaa100cdba256c132d3fed31de9ebaf534bbc02ad303da86a85d36989e8c3821cd9560b57c

  • C:\Windows\{A404D399-FAD0-4ab6-9AD6-633443E263B2}.exe

    Filesize

    180KB

    MD5

    cb0dac43f5a603260c0b9174bba3e51b

    SHA1

    d466f9751c7d54a238f5bcb2c82ed70e68cc0472

    SHA256

    a3fdeedd035cd0fc19f11a9c749df3abdfa63a87d096300011417f18cc825ab4

    SHA512

    fd9ca3dabe46db69081ee4733fddad8c4997bc99231e826446c80c1f42955d6bbece14277acc9030ec4c9addc3779025fb2d14e89ee4b38fad607af011e771b1

  • C:\Windows\{DDACB699-91B4-4a00-8E27-5CA6D3255798}.exe

    Filesize

    180KB

    MD5

    68362305ab8d8f95f38f1ac17c440b4f

    SHA1

    f80c550ad1116dbc13609d71a563e9a2374e8688

    SHA256

    63c41319b2cdbfad7f48bd5052edeb6a955c44bd3b6a094b8acc18469e9d1556

    SHA512

    079b0ad27aedc5d1885c59c9758bab140f07a7b46604617d7a9f5fe8d4116f30bdf762d054f1d101770b075ecb9158fa5c77d91e27cb97d05a8fe856cca16e54

  • C:\Windows\{EF64B707-0AE1-41c4-B072-C6D308180806}.exe

    Filesize

    180KB

    MD5

    d67fce81cdf2e9c98df448455fb14693

    SHA1

    c486e1ae5862356bf2df13b7f49301fc47048482

    SHA256

    5d1376f9fa78cba076eeee18af7603f9a884bb9b56d2776e01effec66d961d27

    SHA512

    aefb677d5bad632f03cbf25ecc1971c5b47150ac3839a754ab3a149aa1c3efe1aea5e562ad78427af98b0fc3632f219d6243d0c90fbe374c4fc1fd16fa282ee4