Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 17:36

General

  • Target

    2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe

  • Size

    216KB

  • MD5

    8ea0dd1a711c9c10168735d32e4aa174

  • SHA1

    25d038f82d14faf3c2911dd41ed978c86d838ae0

  • SHA256

    dd45da4ac9e71a521959ca58a588567054e9cdcb884a15dfb0699bf81045c02e

  • SHA512

    25b011767726f66f55f5e1238de4535958536fdef94ece48267afae0bc1ff0e5ccf9963e073dd30ed47a765b5cdf23c3341d1e85d195c4daec3699cb2a33533d

  • SSDEEP

    3072:jEGh0o0l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
      C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
        C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
          C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
            C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2384
            • C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe
              C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:528
              • C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe
                C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1532
                • C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
                  C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:308
                  • C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe
                    C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:640
                    • C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe
                      C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1328
                      • C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe
                        C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2240
                        • C:\Windows\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe
                          C:\Windows\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2992
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DEFF0~1.EXE > nul
                          12⤵
                          PID:1936
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{34944~1.EXE > nul
                        11⤵
                        PID:2592
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{75B26~1.EXE > nul
                      10⤵
                      PID:1228
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{73889~1.EXE > nul
                    9⤵
                    PID:1112
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8B302~1.EXE > nul
                  8⤵
                  PID:2000
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{02236~1.EXE > nul
                7⤵
                PID:616
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{46A6E~1.EXE > nul
              6⤵
              PID:2948
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC76~1.EXE > nul
            5⤵
            PID:2204
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4567C~1.EXE > nul
          4⤵
          PID:2476
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B095~1.EXE > nul
        3⤵
        PID:2412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2108
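The process tree above shows one pattern repeated twelve times: each stage writes the next GUID-named executable into C:\Windows, runs it, and spawns a cmd.exe child that deletes the stage's own image, addressed by its 8.3 short name ({DEFF0~1.EXE, 2024-0~1.EXE). The Python below is an added example and is not part of the sandbox report or the sample. It replays constructed process-creation events modelled on the first three stages of the tree and flags (a) GUID-named executables under C:\Windows and (b) cmd.exe children whose `del` target resolves to the parent process's own image. The 8.3 alias computation assumes the `~1` alias was free; explorer.exe (PIDs 900/1000) and the benign cmd.exe (PID 3001) are invented context for the negative case.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


ORIG = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe"
STAGE2 = r"C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe"
STAGE3 = r"C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events modelled on the first three stages of the report's tree.
# explorer.exe (pid 1000) and the benign cmd.exe (pid 3001) are invented context.
EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2144, 1000, ORIG, f'"{ORIG}"'),
    ProcEvent(2584, 2144, STAGE2, STAGE2),
    ProcEvent(2108, 2144, CMD,
              r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(2560, 2584, STAGE3, STAGE3),
    ProcEvent(2412, 2584, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{2B095~1.EXE > nul"),
    ProcEvent(3001, 1000, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\Downloads\notes.txt > nul"),
]

# A {GUID}.exe dropped directly into C:\Windows, as every stage in the report is.
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.IGNORECASE)
# First argument after "del" in a cmd.exe command line (quoted or bare).
DEL_RE = re.compile(r"\bdel\s+\"?([^\s\"]+)\"?", re.IGNORECASE)


def short_name(path: str) -> str:
    """Approximate the 8.3 alias of a path's last component.

    Assumption (not stated by the report): the '~1' alias was free, i.e. no
    earlier name in the directory shared the same six-character prefix.
    """
    name = path.rsplit("\\", 1)[-1]
    base, dot, raw_ext = name.rpartition(".")
    if not dot:
        base, raw_ext = name, ""
    clean = re.sub(r"[ .]", "", base).upper()
    clean = re.sub(r"[^A-Z0-9!#$%&'()@^_`{}~-]", "_", clean)
    ext = re.sub(r"[ .]", "", raw_ext).upper()[:3]
    if clean == base.upper() and len(clean) <= 8 and ext == raw_ext.upper():
        return f"{clean}.{ext}" if ext else clean
    return f"{clean[:6]}~1.{ext}" if ext else f"{clean[:6]}~1"


def del_target(cmdline: str):
    """Return the path passed to 'del', or None if the command line has none."""
    m = DEL_RE.search(cmdline)
    return m.group(1) if m else None


def refers_to(target: str, image: str) -> bool:
    """True if target (long or 8.3 form) names the same file as image."""
    t_dir, _, t_name = target.rpartition("\\")
    i_dir, _, i_name = image.rpartition("\\")
    if t_dir.lower() != i_dir.lower():
        return False
    return t_name.upper() in (i_name.upper(), short_name(image))


def find_self_deletions(events):
    """cmd.exe children whose 'del' argument is their parent's own image.
    Returns (cmd pid, parent pid, parent image) tuples in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        target, parent = del_target(e.cmdline), by_pid.get(e.ppid)
        if target and parent and refers_to(target, parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def dropped_stage_chain(events):
    """GUID-named stages under C:\\Windows, ordered by depth in the process tree."""
    by_pid = {e.pid: e for e in events}

    def depth(e):
        d = 0
        while e.ppid in by_pid:
            e, d = by_pid[e.ppid], d + 1
        return d

    stages = [e for e in events if GUID_EXE_RE.match(e.image)]
    return [s.image for s in sorted(stages, key=depth)]


if __name__ == "__main__":
    for cmd_pid, parent_pid, parent_image in find_self_deletions(EVENTS):
        print(f"self-delete: cmd pid {cmd_pid} removed image of pid {parent_pid}: {parent_image}")
    print("dropped stage chain:", dropped_stage_chain(EVENTS))
```

The short-name resolution is what lets a detection tie `del C:\Windows\{2B095~1.EXE` back to the long path recorded in the parent's image field; without it, the `del` command line and the parent image never string-match. Because every dropped stage in the report has a different hash at the same 216KB size, the chain is better caught by this behavioural pairing (GUID-named image in C:\Windows plus a child cmd.exe deleting the parent) than by file-hash blocklists.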

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{02236274-6E38-4e40-B216-244B4A5A7C62}.exe
    Filesize: 216KB
    MD5: 929399e0342830bf0710ebd803092f5c
    SHA1: 678181bdbcb31c21fd8ac38cf3c8ff470ad2ff96
    SHA256: 4324afa1c74105c6516de8e7a907d64a6af927dafa48e3cddbb3f74fa36ff7b2
    SHA512: 38d2def89e5039743545c6b09d35292bea29579fed26c04497b497e3d4ff5dc10bc1d1920fe2ff7141e1c9947111ee5dbb103e44174a9e1ce080ab937bbe6416

  • C:\Windows\{2B095A86-877A-41fe-9020-5B202D6BD5C2}.exe
    Filesize: 216KB
    MD5: b4052f6bca4d0d07a4dba0233a716079
    SHA1: 032806afae10b1b931c2f8aae1ab05fc22e8c498
    SHA256: d0a3aff2789173f2ede3e4c9692c15857f977002cc07baf8bb8d87105172a62f
    SHA512: 989f48f0680e3c51fdcc6fc46bdaf5b452ec91f8b24d5e85413f854622e6ef6217cd9c69901848d4dce22cdccaf263062465b1aad37a0b1963d0a97b8613b24e

  • C:\Windows\{34944F5B-185C-4f6e-9C70-054FC4FFF07A}.exe
    Filesize: 216KB
    MD5: 334a5ebc11ef198a66e6c55bdb215269
    SHA1: 009373c7c99f5e4e92e7725c93a95552207d0d91
    SHA256: 314a69a6fce784517c7c48b99e909eeeb321cdc3ae260e7744ecbbd689145908
    SHA512: cbf9381edb7e876810d7f29f87045aec180be6c31e43c3b0d58a300b1076fe5eace1133b6f19cfba8f967f6a7084c2348227228d56f48f22a2ba4e3750f55bac

  • C:\Windows\{4567CF87-DF3D-4d46-87D7-C3F6A5A7EF78}.exe
    Filesize: 216KB
    MD5: bccc7ded669aca828b12a44dba6be6b0
    SHA1: c140018ac283e6c5d850fe0e5c61c85866c856ff
    SHA256: 8779e9b180439baf0d60ac827902bbfcb05d2a774b34462680efe0d94af4d540
    SHA512: 10d8ee365b1cd14a0f40dd3bf642ed8d67b388d355dd957387efacfb8d38dbbf300fb07a3defd1dda1f20c98514290e11fce1437b0fdee00d69ddf6270abd824

  • C:\Windows\{46A6E562-BEA2-45f9-AA93-FBF38D8D1554}.exe
    Filesize: 216KB
    MD5: 7ff9394f03b533ee3db7378e06c54918
    SHA1: b7bc39151306c7aceef08ce93c4942d3f4dd8a31
    SHA256: cbb52e589977b0e5ec3188d4593e2551f854d520ed247d5496f19dc6c2889eff
    SHA512: 88482e4145953082545b0ca4ae66b5a963b9dcde782ceebc0fbd7344677e88352aa421318eecced653c1be22381155a016e96a3684cb4f406f2a7be69c31f14c

  • C:\Windows\{4A47EAC2-52C9-4dff-B166-CB9FD167CF17}.exe
    Filesize: 216KB
    MD5: 519c3ed5a34169bdd1832f7284044806
    SHA1: 46bd7a2c52e807c36570c92c573dce520c29aa42
    SHA256: f2bf7323239830e55984150592f66da362f31bbaaa52f55c9e7718817d80e798
    SHA512: 8feafa1e7ff9ff8bd3617019ffd06121b3c0934f55d49e0d3055028c522a4c4502846d37410cc0ff9e45c8efab1f4ec9c983254a075f77e276f52715384b7f54

  • C:\Windows\{738898C5-E120-4eb7-A4F5-6CAB93E402FA}.exe
    Filesize: 216KB
    MD5: 37c10b9ad027b9f642830a5927c8a327
    SHA1: 9cc7c72390c1d3bb69867a7dce963ca7e94d8ad0
    SHA256: 9ac04aa56ae35a387d6f9dd785c5df73e07d9699b7e67c9974a878f6630481ae
    SHA512: 9c0788cb226d31b25f071cebeacdd3af332387fc0373416f3fa8fed88df06efeb0779cd6db7b184c56f54dfb73f82b9a7d6428bd2abd6705e9a064d9f84aa21b

  • C:\Windows\{75B262A6-8634-4111-B6C1-706529378260}.exe
    Filesize: 216KB
    MD5: 4e161548adfffc7bef81913932eea4e2
    SHA1: bfdd5db3fbd9e99f34bccd20acb26ee8f23cb5e1
    SHA256: 0581234d311cf46ee829722a5d52605a67cbeb70a088680941e2367cc46670c6
    SHA512: 743b582e88e29b1669d44237a4ba8de1a2646e35a6106aa0f5ca08f90ecd26c137f87c5624605a2716874ca8f1aad4936cd4095a81077e8defc7ad756eb1e9f5

  • C:\Windows\{8B30212D-1F06-44a4-A49A-983A53730C27}.exe
    Filesize: 216KB
    MD5: 30a2f91ad1d532477b22a47d54d69be0
    SHA1: edc6b3eb02a27af5dddc1148ba9992aa08a7a15c
    SHA256: 910e3bc9a16b96236718ce3c35af19974042cc602cd0d01b67837b9d0741bbb2
    SHA512: 9056ba4c6e242caa2265aa3064a2ef16e6c2d4e84e3d5d362640ff5bbe440d7c60b5860c6c7ea4206f252724996c1921d3bf1a266086ce4c397ee965dec9c304

  • C:\Windows\{8DC76868-8834-43c2-8005-D056C7D53FD0}.exe
    Filesize: 216KB
    MD5: 027a2afe743b8e7f302d9e17a6dc64ff
    SHA1: 150bdb9c4637fe6bca00199a0a893f1ade95d5eb
    SHA256: d93fb31739b96b22b7fadb11922f663a8490c8ad1c78e16f676ba716c70b61a8
    SHA512: b69603b28b363edb66687ea4a755fa9ceb9bfdb8ffccb36c2fe6f22554222fbc7c3257c556c3b67fb11f48ea24139293e7e880e4422ade1d55c94cc911ba61bc

  • C:\Windows\{DEFF01D9-908D-4d74-929B-1ED6243A5585}.exe
    Filesize: 216KB
    MD5: 441dcab9ac8c081f081e4258f8ab256d
    SHA1: 98664e10bea5f76c5ae9fdd849854c37d8082750
    SHA256: a3d1ae74990868fb93970728253c097ad65707c9ebcdaba999139bacc5a11fde
    SHA512: 015cec3befd29c27c05097c1790b87037b28666cc85636bf46dfccb69d09cdbe0a5ee1dfaf4cefa9ae60c01f20d7b6f5630d14dd846a365bbabbb09b05b4a7af