Analysis

  • max time kernel
    144s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 13:40

General

  • Target

    2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe

  • Size

    197KB

  • MD5

    7ab09cf27c3f40c2dda8d177614af4df

  • SHA1

    c5641c003869f3c35b8c35158bd902d77481dcc6

  • SHA256

    9f5cb290f246ab711516464b106d16d714c9b940d450a6efe4d4ae3d170be7cd

  • SHA512

    989f7d057c91f946c0e4d195d04c4abf65487c2b509332ff1c8657df5df078bde4e952cb0e2697211887a29453c9d51d82d571df9025b06aa4ca95c5eb9a4964

  • SSDEEP

    3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGZlEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
      C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe
        C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
          C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2424
          • C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
            C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
              C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2792
              • C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
                C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2156
                • C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
                  C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1920
                  • C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe
                    C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:640
                    • C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe
                      C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2944
                      • C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe
                        C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1096
                        • C:\Windows\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe
                          C:\Windows\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1432
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E3DAB~1.EXE > nul
                          12⤵
                          PID:2920
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA932~1.EXE > nul
                        11⤵
                        PID:2036
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{03211~1.EXE > nul
                      10⤵
                      PID:1760
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{FE4C5~1.EXE > nul
                    9⤵
                    PID:2588
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{971A2~1.EXE > nul
                  8⤵
                  PID:672
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{BA6B6~1.EXE > nul
                7⤵
                PID:2020
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2B151~1.EXE > nul
              6⤵
              PID:2800
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{ACAB2~1.EXE > nul
            5⤵
            PID:2644
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8195C~1.EXE > nul
          4⤵
          PID:812
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07204~1.EXE > nul
        3⤵
        PID:2832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:856
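The tree above is a single repeated pattern: each stage drops the next {GUID}.exe into C:\Windows, starts it, and then spawns cmd.exe to delete its own image by 8.3 short name (the cmd.exe at level 12 deleting {E3DAB~1.EXE is the level-11 stage removing itself). The detection logic below is an added example and is not part of the sandbox report or of the sample: the process events are constructed from the PIDs and command lines in the tree, with each cmd.exe's parent taken as the stage one depth level above it, and short_name_matches is a hypothetical helper that implements a simplified 8.3 alias check rather than the full Windows algorithm.

```python
"""Detection logic for the drop / execute / self-delete chain in the report's
process tree.  Added example; events are constructed from the report."""
import re
from dataclasses import dataclass

# Dropped stages live directly in C:\Windows and are named after a GUID.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.I)
# Each stage removes its own image with "cmd.exe /c del <8.3 name> > nul".
SELF_DELETE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)


@dataclass
class ProcEvent:  # the fields a Sysmon event 1 / EDR process record provides
    pid: int
    ppid: int
    image: str
    cmdline: str


ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe"
CHAIN = [  # (pid, dropped image name) in execution order, from the report
    (2988, "{07204088-DD8A-4b39-9959-77ABA5B0EC3D}"), (2672, "{8195CC8F-512C-464f-A280-437245459717}"),
    (2424, "{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}"), (2028, "{2B151C70-8844-460c-A4F5-47EA5CC04EEC}"),
    (2792, "{BA6B6362-46DB-4512-A5A8-7D07E4C49501}"), (2156, "{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}"),
    (1920, "{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}"), (640, "{032110C9-AC34-422d-A53A-441348EEEA94}"),
    (2944, "{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}"), (1096, "{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}"),
    (1432, "{FF789B63-7607-476a-83CB-91E1DC5E07E9}"),
]
SELF_DEL = [  # (cmd.exe pid, parent pid, del target); parent = the stage one level up
    (2920, 1096, r"C:\Windows\{E3DAB~1.EXE"), (2036, 2944, r"C:\Windows\{EA932~1.EXE"),
    (1760, 640, r"C:\Windows\{03211~1.EXE"), (2588, 1920, r"C:\Windows\{FE4C5~1.EXE"),
    (672, 2156, r"C:\Windows\{971A2~1.EXE"), (2020, 2792, r"C:\Windows\{BA6B6~1.EXE"),
    (2800, 2028, r"C:\Windows\{2B151~1.EXE"), (2644, 2424, r"C:\Windows\{ACAB2~1.EXE"),
    (812, 2672, r"C:\Windows\{8195C~1.EXE"), (2832, 2988, r"C:\Windows\{07204~1.EXE"),
    (856, 2892, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]


def build_events():
    """Constructed process-creation events mirroring the report's tree."""
    events = [ProcEvent(2892, 0, ROOT, '"' + ROOT + '"')]
    ppid = 2892
    for pid, name in CHAIN:
        image = "C:\\Windows\\" + name + ".exe"
        events.append(ProcEvent(pid, ppid, image, image))
        ppid = pid
    for pid, ppid, target in SELF_DEL:
        # Image is SysWOW64\cmd.exe while the command line says system32: WOW64
        # file-system redirection for a 32-bit parent, so match the command line.
        events.append(ProcEvent(pid, ppid, r"C:\Windows\SysWOW64\cmd.exe",
                                "C:\\Windows\\system32\\cmd.exe /c del " + target + " > nul"))
    return events


def short_name_matches(short_path, long_path):
    """Simplified 8.3 check (hypothetical helper): ABCDEF~1.EXT aliases a long
    name whose first six characters (spaces removed) are ABCDEF and whose
    extension starts with EXT.  After repeated collisions Windows switches to a
    hash form (AB1234~1) that is not handled here: treat a miss as unknown."""
    s_stem, _, s_ext = short_path.rsplit("\\", 1)[-1].upper().rpartition(".")
    l_stem, _, l_ext = long_path.rsplit("\\", 1)[-1].upper().rpartition(".")
    if "~" not in s_stem:
        return s_stem == l_stem and s_ext == l_ext
    prefix = s_stem.split("~", 1)[0]
    return l_stem.replace(" ", "").startswith(prefix) and l_ext[:3] == s_ext


def _is_cmd(e):
    return e.image.lower().endswith("\\cmd.exe")


def analyze(events):
    """Return the indicators a rule for this chain keys on."""
    by_pid = {e.pid: e for e in events}
    guid_exes = [e.pid for e in events if GUID_EXE.match(e.image)]
    self_deletes = []
    for e in events:
        m = SELF_DELETE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(m.group("target"), parent.image):
            self_deletes.append((e.pid, parent.pid))  # child deletes its parent's image

    def ancestry(pid):  # non-cmd executables from pid up to the root
        n = 0
        while pid in by_pid and not _is_cmd(by_pid[pid]):
            n, pid = n + 1, by_pid[pid].ppid
        return n

    chain_depth = max((ancestry(e.pid) for e in events if not _is_cmd(e)), default=0)
    verdict = ("drop/execute/self-delete chain"
               if guid_exes and self_deletes and chain_depth >= 3 else "no chain")
    return {"guid_exes": guid_exes, "self_deletes": self_deletes,
            "chain_depth": chain_depth, "verdict": verdict}


if __name__ == "__main__":
    print(analyze(build_events()))
```

Two points from the report that the rule has to respect: the image path is C:\Windows\SysWOW64\cmd.exe although the command line names system32\cmd.exe (a 32-bit parent subject to WOW64 file-system redirection, consistent with the arch:x86 tag), so match on the command line rather than on the resolved image; and the last stage (PID 1432) has no cmd.exe child in the report, which is why there are 11 self-deletes across a chain of 12 executables.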

                        Network

                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Windows\{032110C9-AC34-422d-A53A-441348EEEA94}.exe

                                Filesize

                                197KB

                                MD5

                                03b73687c220828e2d0ae75311d0eeab

                                SHA1

                                caaeec20a473e1582fd358ad52c5c931ab11cb57

                                SHA256

                                3e980cf7e9b4ec71c6dc9bac75063b2d4533176dea4f7ea6a375874c678f6ce2

                                SHA512

                                394335769434865218d7c5e6f12fcac338cb0a41de34af19a63b3e0177109b7dc84fd83da46f4a6c40732afe88d171572d6fb7eaa55577f4eda23a47f1a32084

                              • C:\Windows\{07204088-DD8A-4b39-9959-77ABA5B0EC3D}.exe

                                Filesize

                                197KB

                                MD5

                                963b5dc76b1b4c16f68140a011aed4ab

                                SHA1

                                95540dba9559a75acaf966ed900d121d1b4c3cca

                                SHA256

                                ef7413a58bc735271a01bf015bd7666dd596204ff8c49e0bc971a5e70152e5a4

                                SHA512

                                c59e1dad07ab745a6cacb86c22b20a64126df4fd736649d39a26d4ea11d8635f1701d12b8f03dca83217c48ea89d403d22c28ece4460584638c0aa5e46818eb4

                              • C:\Windows\{2B151C70-8844-460c-A4F5-47EA5CC04EEC}.exe

                                Filesize

                                197KB

                                MD5

                                fad57d1e905fefe6ac0c37099b0e5035

                                SHA1

                                52f834e71236b90a1c98b503df70bd2295454d1b

                                SHA256

                                96714883ff0d6266e7fc89e8ffea671063925b6426a167e5b7ea449bda0587d4

                                SHA512

                                c00a5501f441090f2d86b41cdbb87ff73e1f30946f8a6d590694cfec70e3f016206ebd64a469e2b469470f5297f7a5dcca4b57673467306fe6d0235463e1d09b

                              • C:\Windows\{8195CC8F-512C-464f-A280-437245459717}.exe

                                Filesize

                                197KB

                                MD5

                                0aa94af94d012a22ae41312b6c2bcc69

                                SHA1

                                57ae17c93fa21de75635e4a45a0d01bbc443b8fa

                                SHA256

                                bfc9fdca8daf9c381adee8edfc80a4b2ccdadf279a8c06ad23b2e561d6c88e16

                                SHA512

                                7ea5875cbce0d599dd91cc8f95f4679d5b8aa955ac27981d3ba211a0d2d683d6bcc23a51994660578635550819423c4c92cf3c39536817d4840f80225db9d1f0

                              • C:\Windows\{971A2958-2AF4-4aa0-A8B7-3AFD30568A2A}.exe

                                Filesize

                                197KB

                                MD5

                                804ad540f377206941cc9105f3efec5a

                                SHA1

                                1c31b87f5709a448e6b815f32cbc4dbdcbf6da75

                                SHA256

                                532b252746365237e77f0d0ea6a81eee4c0dd3ce9bed72ab996e8e876e8058b6

                                SHA512

                                96cc5c04f0a9cc53bbae70d957b166fa170ed099cee07263415accfe50e5f4270d5a987f9d0b0bfbe2cf4ce90c9d1b25f6d62479eb7f6d3b3bc45d2607728941

                              • C:\Windows\{ACAB25F2-117E-4d2e-A5E4-72D0A08DD8E8}.exe

                                Filesize

                                197KB

                                MD5

                                03a12ae6282b1e6f80df6e4d7fcca052

                                SHA1

                                1cb71fb9d95c7ea6a5e5ba1cbdc4bbbad7473120

                                SHA256

                                e865dbdc781f578bfde9a348b97fff4682f95a078d9046fd1e9e1eefa894e344

                                SHA512

                                d81bc92cba5f1d2353f44d90e5950cbd1181db6da1df338e75207d741d81a001a2c4f4199e4efc744d66067dfb2ebc1adda7016df97f150d7e313049580c3173

                              • C:\Windows\{BA6B6362-46DB-4512-A5A8-7D07E4C49501}.exe

                                Filesize

                                197KB

                                MD5

                                307747ef145264a084aabce28e773320

                                SHA1

                                1ebe63d1aa17e81f2c2a5578a5d0c53601a6cfab

                                SHA256

                                24b0e9be63b304dc63235ee25ca908d1ed53cf485179d63b9f062262168c15d3

                                SHA512

                                7406d32df73fdfce25ecd8d84aee1f9f1e194f6bcaec9b1a32a39e06c82572ff362e3aaab1a28499967bdaf5e25844546100f1aa876f3d24570b078bc5d93551

                              • C:\Windows\{E3DAB201-DA90-4aac-8F9A-DE64E104D72A}.exe

                                Filesize

                                197KB

                                MD5

                                0a6aa30f9ba14b7adfe5bd6e9daa7897

                                SHA1

                                f6183d3ebba58a3715c266f0f9ca41f675839abc

                                SHA256

                                58a5ec88709001ed7b6eabc17e9c2432708cb35220fa3d081b0a75bd2c15005e

                                SHA512

                                e0a1ef8c6978da2b0a4c5fa9ae625d812ebfc188a05a01af527c2f3138b1d356c2616c74fc0adcfcee9aa8e18f616ec3e3664e6bb07d12e12172f03de29a6cfb

                              • C:\Windows\{EA9327B0-5A9B-41f9-BA25-00C1FEA138F0}.exe

                                Filesize

                                197KB

                                MD5

                                11cd1945fddc484ee65da0d2f0d375b3

                                SHA1

                                9f316915b5480e5223d2bf6fb53dd8f01140d390

                                SHA256

                                8ee9a81fbcd8012befcdf6fb50948bc6e84d7781ae3443fa34a8a58a8206179c

                                SHA512

                                81c7f408066d67d646e013026eef97b8ac88b8e2e22da2d6190ead13c0ec93dc53701041bad4a073b0def8e97689d1de1e2089ebd33c8f6eafa6a62c48a52012

                              • C:\Windows\{FE4C5BF4-74A4-44f1-9466-F7D8DFDF93C2}.exe

                                Filesize

                                197KB

                                MD5

                                78ad46e48ef853943d75be4b87bb1fe1

                                SHA1

                                679ce0f8263d96ea3937d0e012a591100cc6ee71

                                SHA256

                                74cf7eee28d84d01dbe11080b1c10e6b73b95080bd4c046b397f31b01bf8d77f

                                SHA512

                                94cae19aa382500f2a8d82d3f26370f1a8ee9f687f65d83a8775fcca38282d38846d991cd7c3cf57e9f25c5e950ba60056ecdc2909efd95dd59b0677604cfc55

                              • C:\Windows\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe

                                Filesize

                                197KB

                                MD5

                                04a1b0b472cc08050a8fe4ce5bd8ea0c

                                SHA1

                                bb77aa24d45d944bb2ceb3e9624997e0e599b005

                                SHA256

                                23a9f3e2467a3a5b4121809e4d7079f10c869331702f3d39d04abb5b95ef2b0e

                                SHA512

                                5ca62b9722bb56a808fd89a44a9d7251ff988e8ff5b5527e4a800d834e5452a4644befa75538524f0a49c4e308c2b919d7ecbe22a7eb9040fc12739e7eb65b61
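Every one of the eleven dropped copies above is 197KB, yet no two share an MD5, SHA1 or SHA256: the sample rewrites itself on each drop, so the file hashes identify only this run, while the drop location and the {GUID}.exe naming carry over to other runs. The script below is an added example, not part of the sandbox report: it parses the Downloads layout above into IOC records, reports that same-size/different-hash property, and sweeps a directory for files matching either an exact hash or the naming pattern. REPORT_EXCERPT is two entries copied from the list (blank lines, SHA1 and SHA512 removed for brevity) and the swept directory is constructed in a temporary folder.

```python
"""Parse the report's dropped-file list into IOCs and sweep a directory with them.
Added example; REPORT_EXCERPT is copied from the report, the directory is constructed."""
import hashlib
import os
import re
import tempfile

REPORT_EXCERPT = """
• C:\\Windows\\{032110C9-AC34-422d-A53A-441348EEEA94}.exe
  Filesize
  197KB
  MD5
  03b73687c220828e2d0ae75311d0eeab
  SHA256
  3e980cf7e9b4ec71c6dc9bac75063b2d4533176dea4f7ea6a375874c678f6ce2
• C:\\Windows\\{FF789B63-7607-476a-83CB-91E1DC5E07E9}.exe
  Filesize
  197KB
  MD5
  04a1b0b472cc08050a8fe4ce5bd8ea0c
  SHA256
  23a9f3e2467a3a5b4121809e4d7079f10c869331702f3d39d04abb5b95ef2b0e
"""
LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
GUID_EXE_NAME = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$", re.I)


def parse_downloads(text):
    """Turn the bullet / label / value layout into one dict per dropped file."""
    entries, cur, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):          # new file entry
            cur = {"path": line[2:].strip()}
            entries.append(cur)
            key = None
        elif line in LABELS:               # a label; the next line is its value
            key = line.lower()
        elif cur is not None and key is not None:
            cur[key] = line if key == "filesize" else line.lower()
            key = None
    return entries


def hash_diversity(entries):
    """(distinct SHA256 count, set of sizes): all drops share a size, none a hash."""
    return len({e["sha256"] for e in entries}), {e["filesize"] for e in entries}


def file_hashes(path):
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root, entries):
    """Flag files by exact hash (this run only) or by the {GUID}.exe name pattern
    (generalises to other runs); in practice restrict the walk to C:\\Windows."""
    known = {e.get("md5") for e in entries} | {e.get("sha256") for e in entries}
    known.discard(None)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            reasons = []
            if GUID_EXE_NAME.match(name):
                reasons.append("guid-named exe")
            if set(file_hashes(os.path.join(dirpath, name))) & known:
                reasons.append("hash match")
            if reasons:
                hits.append((name, sorted(reasons)))
    return sorted(hits)


def demo():
    """Constructed directory: one GUID-named drop plus one benign file."""
    iocs = parse_downloads(REPORT_EXCERPT)
    with tempfile.TemporaryDirectory() as d:
        drop = os.path.join(d, "{11111111-2222-3333-4444-555555555555}.exe")
        with open(drop, "wb") as f:
            f.write(b"constructed stand-in for a dropped stage")
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"harmless")
        # Constructed IOC whose hash equals the file above, so the exact-hash
        # path is exercised too; the report's real hashes cannot be reproduced.
        iocs.append({"path": "constructed", "md5": file_hashes(drop)[0]})
        return sweep(d, iocs)


if __name__ == "__main__":
    print(hash_diversity(parse_downloads(REPORT_EXCERPT)), demo())
```

When sweeping real hosts, treat a hash hit as a confirmed artefact of this exact run and a name-pattern hit as a lead to triage (size near 197KB and a sibling cmd.exe deletion in the process logs raise confidence), since a fresh execution will drop copies with new hashes that only the pattern catches.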