Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 13:42

General

  • Target

    2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe

  • Size

    180KB

  • MD5

    8b0d6362c5339021cf7bf8c3335b3656

  • SHA1

    5edcdcbc300c263a93bad82d0e3c9a58eaa1df6d

  • SHA256

    bd35f6bc5112f724f198ce37c376e172a7d8854e88e2919c8c26bf4fd3e12bdb

  • SHA512

    e9ae3dbcb28949cb6af1ec184d3b9b71086afa2ddc3762a8b9425fd8b0ba5eb44b7907304da312ac0600ef6ef4ade589fd21133d5f7d6d447e2b3b892a8e6177

  • SSDEEP

    3072:jEGh0oVlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGfl5eKcAEc

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8b0d6362c5339021cf7bf8c3335b3656_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
      C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
        C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
          C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2408
          • C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
            C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2368
            • C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
              C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1064
              • C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe
                C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2728
                • C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
                  C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1960
                  • C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
                    C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2276
                    • C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe
                      C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1604
                      • C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
                        C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1040
                        • C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe
                          C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:3012
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{94BE6~1.EXE > nul
                          12⤵
                          PID:2096
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{36797~1.EXE > nul
                        11⤵
                        PID:2224
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{F3963~1.EXE > nul
                      10⤵
                      PID:1528
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4BE61~1.EXE > nul
                    9⤵
                    PID:980
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F64B3~1.EXE > nul
                  8⤵
                  PID:2016
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{920BF~1.EXE > nul
                7⤵
                PID:2428
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A6D6B~1.EXE > nul
              6⤵
              PID:2376
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DF5CF~1.EXE > nul
            5⤵
            PID:380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6BA2E~1.EXE > nul
          4⤵
          PID:2512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C782A~1.EXE > nul
        3⤵
        PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:3004

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{36797B73-560C-4bc4-A281-D987E6B05C23}.exe

    Filesize: 180KB
    MD5: 86b33c8923947dc9ce00b919d01f68b2
    SHA1: 65d8eb6fbd9db745d9c5156760cea1f8f0f97a27
    SHA256: 5b666817cb57151c46a3922d85f10ad157adc4ee1745fd0b81b108c31bd5ccbe
    SHA512: d0652fb4f80729b02693085068fc0537a827e9cf5173f1dba38bc23d00d4bd856f0dafb8680b7f25e252200e0314a1fc4ff38f7f6f9eeba6eb4021cd8b45da44

  • C:\Windows\{4BE61102-DBEE-49f2-9D9A-F912E30E1728}.exe

    Filesize: 180KB
    MD5: 62c887fe00794f92f5bcae7ec9c2422d
    SHA1: 9dbf591e2d23bc7e59b7ab0457df0a72093575e7
    SHA256: be169592d960afb855d6cb836960554a7c5334d82f2cb8a5e674323402e4c715
    SHA512: 4694d52537b18fc34ceec19a709ef8f70869ee293453759b50f1d8bd6d32bec2359ac78c50960a6778d658af1da3826fd9540a1e452c4ab45bc1c8ed2d144dec

  • C:\Windows\{6BA2EA45-B2EE-477d-A87D-EC78653DCBA2}.exe

    Filesize: 180KB
    MD5: ff8acbd3543ce31c8313c1a7b6231d11
    SHA1: f82242e02f84fcd123aecacb59ea0dad4a9f39c6
    SHA256: 3c82f0326f2e69495f966f5784e5444e343283119e3f8495a5644d1de2cecb54
    SHA512: 65b935648925acf737a82f59016cc536a803277f434a71a4bb2b6651427e506b7f6a740dc7da2abbb36744336e2d7142849f05b0ef4ec9d185d150c2113a60d7

  • C:\Windows\{920BF310-5F68-4812-ADA8-FDD57959FC2E}.exe

    Filesize: 180KB
    MD5: 8b1aa8beecf7703712edf6e2d5b66bd3
    SHA1: aab2f887506290cb1f63df1cca47e8a54feb5e40
    SHA256: 8dc3ca1e11d75d96fe7fc1e91aaca15878cd9d056377af1f2d21e2e1872eb9d8
    SHA512: fc5b02bd10328428548a396a8257db450f7d54731abb5cf18d4c645b339ee942200f985773335b95cc6fad5af499f1f514fdcf525c7d8864961ab82cd9e9346c

  • C:\Windows\{94BE65DE-29E0-4928-9620-3F29E0D6783E}.exe

    Filesize: 180KB
    MD5: 95efe9b25e1208ac39de6cf2e267c25f
    SHA1: 5dec70913b652ad79b7c81b5f132348375ccc45a
    SHA256: 703652989ab0be398251fae833426a7b2016c2df7754adb38cba1a945e2558a5
    SHA512: c57b9e4f58812db482370408e8a46b94c4b426228ad1b43b24f3901f0964687a1316dc0e145dbfe83f16e182097a4bb861882c62f4d69a53e2d7cec1e938f8c9

  • C:\Windows\{A0FE919E-F6D7-492c-BB35-79E5F5AE88DF}.exe

    Filesize: 180KB
    MD5: ff1831da8a50d0376406aebfb439576a
    SHA1: b0f28269eb2459d5642ccc0668c9049329b305a4
    SHA256: c78a446b480452462f0589380493f805ac5a97e3d4c5fdeaf29b198c723327b9
    SHA512: 180be68952eec2fa75923479d438cbe6994139c9350e515b9f07d337531a2143f3fc3a4ab763c98fccdb5dda183c14d4dca12acb0347f7145719f2a360fc0c73

  • C:\Windows\{A6D6BB9C-4F4C-4e72-9B02-CE492BA83ADE}.exe

    Filesize: 180KB
    MD5: 96b150812c214e2448606befba0853bd
    SHA1: c7436e2cdcef3134e459a5e87af1422a98150c57
    SHA256: d4eaa4294474847f6c827e1ae5ea1e2c9872258a154e4515be8420935ece3b64
    SHA512: f71741abcf04f5fbbf10ca9ba5bee07f1995353e449cdcf6a5f71e58061de146011425c935e32c1df646364427b7f618e6f925945df6ef7746e89de7fc27d46a

  • C:\Windows\{C782ACB6-8C42-4bb8-88DF-271FDF1156C6}.exe

    Filesize: 180KB
    MD5: 4b42f57ee3e86d494c41cdf8e51d651f
    SHA1: b1af92ac51b60ebc391c3fb9c043cb280fd47a26
    SHA256: 96837a319c4f4b6b176c8cc133ed976ef17e237622de04a0d7937285291a2d86
    SHA512: 0b08d7333b48af4aadbb0ab72e22c63383472990a4f0bcdf7d61ca47dde9d0466fe81f41279f33558089a242a4fb1a780a4d91082ecb1382ae9d760f5412e99f

  • C:\Windows\{DF5CF52F-5EE3-4412-B393-534DEBE7B1CA}.exe

    Filesize: 180KB
    MD5: 9907c62fdef52d2b392b33b0b9e1621d
    SHA1: 0992aa321d81fa6a90c1da32c5cb055bb2860c7c
    SHA256: b22e7b832e0ff1fcad9e682b1ec6dd746e60798b75bc223233b2089f897e6811
    SHA512: 51b4190b5dea9dfc90fab358cc262064c0a67a726b1bed366b2eb00d14e70e3f519d08606d9445658045c1bd95e6c0cc061da7b6a528f4ace0255ef105775835

  • C:\Windows\{F3963956-BF9B-4e75-98BF-640EEA48CCFF}.exe

    Filesize: 180KB
    MD5: 23e44dae1b62aff2adfe009b407e09d2
    SHA1: ac558e257930cc6bea1fd1adea6827b5f8bb6cd9
    SHA256: d7ff4669cb798ae72b2b2527ca9a17fe1e69d987f35f28646128606904a288f3
    SHA512: 4b923e24c6be21fb2cfc373f16569ffc2becbe063e9bd0d06a818cb338009a43cb1e146c8a72fc841912ae3c9436cc92ed9e449922fb824473a21243456d1ff4

  • C:\Windows\{F64B3978-62CC-461e-8171-248679C9158C}.exe

    Filesize: 180KB
    MD5: 75363e3e3641dcaf387599fc85c10313
    SHA1: 5e32d925468cd29e5e03ac81651724d2cbc5713a
    SHA256: bf3f64aa28fdb34a44020fe627e2ec097c5a6d047085769bac063bc5943ebf24
    SHA512: ea6c04fe5d91ceec12f8f617df3500a1c07fa5362d67bdb3d720f91a1a25b2867a8adc0ed553e190f97a69fde2dca6c7ccbaa6bb34318b52f92e70e9afbd104b