Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 17:33

General

  • Target

    2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe

  • Size

    408KB

  • MD5

    7c79d857b718bf5a5838505d3dbb615d

  • SHA1

    2ac8774151e05d71183cd09b9435ca32a3d543f7

  • SHA256

    8bd06ed0f125f4b50da63906bfecb187873bd82cb3d6ed64c5190e17642a23a6

  • SHA512

    f00d505f2d255864a4332affc6d8c9fb83aa5501625ed0f2473d96c52cc121d37bcdb7b826299376f993d410c63df93f96d752ef54efaee6ac02b8165dbed84d

  • SSDEEP

    3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGvldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
      C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
        C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
          C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
            C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1580
            • C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
              C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1684
              • C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
                C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1016
                • C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
                  C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2288
                  • C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
                    C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:852
                    • C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe
                      C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2072
                      • C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe
                        C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:596
                        • C:\Windows\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe
                          C:\Windows\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1812
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{758F5~1.EXE > nul
                          12⤵
                          PID:1772
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBEDD~1.EXE > nul
                        11⤵
                        PID:524
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0519F~1.EXE > nul
                      10⤵
                      PID:1992
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4854~1.EXE > nul
                    9⤵
                    PID:1204
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1F7E2~1.EXE > nul
                  8⤵
                  PID:2200
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E8E0A~1.EXE > nul
                7⤵
                PID:1776
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E83D0~1.EXE > nul
              6⤵
              PID:2144
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{D3CBC~1.EXE > nul
            5⤵
            PID:1488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{64B80~1.EXE > nul
          4⤵
          PID:2408
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F6C4~1.EXE > nul
        3⤵
        PID:2604
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2616

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0519F1B9-D84D-4363-8E04-A3E6DB66A217}.exe
    Filesize: 408KB
    MD5: 55612e29a628c1191295c3b0a046ea87
    SHA1: fa4ac4b192d99fcb5122e6b3dfb704b920872c61
    SHA256: 7dc772877c3a07e24986850b21d8a9e9e55e17e2283fd84fb9e2abacca06805d
    SHA512: b687b3948eb96f345dae64b7183e306844bad5ac2b99ce8a7a4ed7a38ba80a7e008ab8979fc12b096f406a37e62018bdc57578eb34fc4aa347c0907e4622a88c

  • C:\Windows\{1F7E2A90-4EB4-4893-990E-F02213A61194}.exe
    Filesize: 408KB
    MD5: 663954763a906b6c594f6e371adca4e2
    SHA1: 015ca656705548d487960118b75ca2ca8c074663
    SHA256: 8d715a26a955946593d1a6d1d4654fa2c27816a29cfbaf26ed8ed6dd275d7483
    SHA512: 260b71e15811c2d2eabe237877594789ce88f7a011885f68d317ab1a6f1b98f019d51df494b1a3ed3ef6dfddea824a7a97b1bc9011e6732b2132a7f50910814e

  • C:\Windows\{64B80B20-68D9-4baf-BFA1-3094EBC29D2D}.exe
    Filesize: 408KB
    MD5: 65f3c3b3fe7b806c668a3af05c1e3c44
    SHA1: be8a500768aa774a995291b75816292def1d8a79
    SHA256: 3db9a4496db7506362261a7693158a6432975f490f969726ef2960181167d8e2
    SHA512: 1092facd80067f0471f65baefd81eb0eafc518e54b7cfe5654987810b4b9bfa129c4e12eabf6d42d806efbcb6099224e2e9d23aee3516524ebd2442531551694

  • C:\Windows\{6F0C872A-FD4D-496f-B7BA-76FE6335A9A3}.exe
    Filesize: 408KB
    MD5: ef667aa1ca198307a663f8607179f9f1
    SHA1: 925c4473fa65e1ca5bc352644a9ba150d2580bbf
    SHA256: 39ae2142c5e2676c7f0e55c8a38fb2a3f0be14a5fc94c63b26f806e1283f4177
    SHA512: 10de51d608544da2de08b6d6614efcc024f12009a22d96bc642a7a2b9081322fe426e2b9a403e48c80904836e1ccdf7b609b0583697912a0671b5e664767e960

  • C:\Windows\{758F56F4-711C-4465-B5FE-A8771FB66D9A}.exe
    Filesize: 408KB
    MD5: 2d915cdf9398d6e3845d08de15a7a75a
    SHA1: e7dea7b0f2cda9d2a851eb4546c360c71ca4c72e
    SHA256: 1f1dab1527e1a192fc628dd692ab35d7677e12d275e3c0b79cba9715f70daaa2
    SHA512: d4d54dbf173b6f7b347c356abac0c3c4d933acf99362a6a80a0016aead3670046e60d7caac92021145f9858145aaedc7cbee5a0f07d6a6f0d214245c9c2c3ccb

  • C:\Windows\{7F6C4D75-DCF3-48af-9FE7-4BF63DBB592C}.exe
    Filesize: 408KB
    MD5: 3f01a96b6ebc755ad8b7644b760fc764
    SHA1: bc2b89e57d46362a5c2a49e1791de6bf6200b9df
    SHA256: 9b92706254858b8f7fc4f3f88daf15ba86853e998f082fa844ce38626a8f5169
    SHA512: 8b3a3e9b5432a4ff9162d50714540b5e419e772ffc45efdeca333622d53af9ad92e7d95b24c47c87ebaca844d40971492869980c9a7f079435c139ab085ef7af

  • C:\Windows\{D3CBC41E-A6C7-4827-91B7-FDC0EE81EC20}.exe
    Filesize: 408KB
    MD5: a60b04d447e00af3f92f38e078be0917
    SHA1: 41a4892a6bc8902d36cfe16039b6e9a8d7f513d3
    SHA256: fe698b8fe395bcdf7f03bf267114b6664cc5717d8faac2944d8c86c08c93cdac
    SHA512: 848dcfc190b6a4c723f7bb10ace0497c1cb4317de909307ed447414a4f2e16589c1a5bf2f241f624b9a670a83ecf253ca97c4f734c7f71469912f6b1e5c78b24

  • C:\Windows\{E48547A3-BA90-424e-BE10-1FEB3C1C1DC4}.exe
    Filesize: 408KB
    MD5: c8589c8f4b8a62ff9c64ef60de7ed761
    SHA1: b39d592fc3f95b09baa27dbeb4935e2e23bfc7bd
    SHA256: f1add54aa081fc67e36669e2387e40a62b490a87801a2211325bd3a84f5dd07e
    SHA512: 8a7d331784aa0d721a6c5c5ac89def1e0774284f900627af57f8c60f6306561034fdfdcf65e55c634f22286617e8f1453b7ee03eafdbd959429714c45ed503a9

  • C:\Windows\{E83D0614-1609-401c-A06E-0DA0917E7D45}.exe
    Filesize: 408KB
    MD5: 1cbe4a0e2ce6871092134ed317cb531b
    SHA1: 52adb2591c0a5e5a3598adfd50ad978f7e61c5c3
    SHA256: 2fc5d7dafd068fb676a6f3ad30d5cc6488e97a8457623e2fc30db06863ad0053
    SHA512: a6b2815f520b3b019e93f2c1a9033e348025b0fe75946c1171fd697438629ace38f9acd1df6f1b74d59c0879ce7cbaf794213d8a89a226101a530905f1b616de

  • C:\Windows\{E8E0A43C-986F-462e-B69A-CAA8537BA389}.exe
    Filesize: 408KB
    MD5: e8565404476a8525c1f31e0978ff77ef
    SHA1: 2fbb72315619ac27282d5c7f6d11317e1138098b
    SHA256: fdce23f2ec65c90162aded8948ebbac507946b7b1e399b59bfc7c27f9436cdee
    SHA512: c53ba42a5f50ffee06aadce6e3fce9a81509ce0e7dcee0cd00d28970f30094b6e2b98f1bea5a282841079439af1948e98fa291d21a2ca7ea75a58c94778de28d

  • C:\Windows\{FBEDDDD9-2739-4781-9F87-94AF1EE4804A}.exe
    Filesize: 408KB
    MD5: 56399d0f5d937db9505dfdd0b48e6462
    SHA1: 272823c72609121ebfefc4d1a39de8bfe30c5a69
    SHA256: c908df214df08465e8010b890e37a74e76560e4a54ff2bb1a1c48e6652580af4
    SHA512: ec98e2fd42af99b0fd4d9d30a6d4ab4ce4518a4405c57b2eb486760b011b513c7bf48f42bc3c949cbe19b53b93cc65b1fa19be5cfa4dd3aa1b4479c2cc299000