Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 17:41

General

  • Target

    2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe

  • Size

    192KB

  • MD5

    b74120f39986ebaf4507dd39d76c5a14

  • SHA1

    f5ea0ec84e6830c1044d993559b1b8a5f1935a55

  • SHA256

    21a531c3306520a16e04aa7a4f24c5aab801c790525e46256fbaaf7665da9291

  • SHA512

    906e42a51642a1a0c3cb94383ecaa6e5bea2761a61f7d547a4e4e806c8e138124867d103fb06383fbbb3740b3ef18811d3f374ca4dbd74773550b88b3d5e1607

  • SSDEEP

    1536:1EGh0ool15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ool1OPOe2MUVg3Ve+rXfMUa

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe
      C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe
        C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe
          C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2860
          • C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe
            C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe
              C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2964
              • C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe
                C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1664
                • C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe
                  C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2812
                  • C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe
                    C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1656
                    • C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe
                      C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1700
                      • C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe
                        C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2228
                        • C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe
                          C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1508
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{06D84~1.EXE > nul
                          12⤵
                          PID:1116
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{49760~1.EXE > nul
                        11⤵
                        PID:540
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{27C34~1.EXE > nul
                      10⤵
                      PID:2264
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{2DCF1~1.EXE > nul
                    9⤵
                    PID:1784
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{426B8~1.EXE > nul
                  8⤵
                  PID:2800
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{556B1~1.EXE > nul
                7⤵
                PID:1472
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{461A4~1.EXE > nul
              6⤵
              PID:2736
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A464C~1.EXE > nul
            5⤵
            PID:1136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4AAAD~1.EXE > nul
          4⤵
          PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{078E7~1.EXE > nul
        3⤵
        PID:2564
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2932
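The process tree above is the whole story of this run: every stage is a fresh 192KB copy written to C:\Windows under a random GUID name, each copy launches the next one and then a cmd.exe that deletes the copy's own image (addressed by its 8.3 short name, e.g. {06D84~1.EXE, with output sent to nul), and every cmd.exe image resolves to C:\Windows\SysWOW64\cmd.exe although the command line says system32, which is WOW64 file-system redirection and tells you the dropper is a 32-bit process. The script below, written for this page and not part of the sandbox or of the sample, reconstructs that behaviour from process-creation events and flags the three signals: GUID-named executables started from the C:\Windows root, a cmd.exe whose del target is its parent's own image (exact path or 8.3 short name), and the SysWOW64-vs-system32 mismatch. The event list is constructed here from the report's process tree (PIDs and image names as listed above); the 8.3 short-name generation is an approximation (first six characters, ~1, three-character extension) and the matcher ignores the digit after the tilde, since Windows picks it on collision.

```python
"""Hunt for the GoldenEye-style self-replacing dropper chain from the report.
Example code written for this page; not the sandbox's own logic.
Events are constructed from the report's process tree."""
import re
from collections import defaultdict

ORIGINAL = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe")

# (pid, image, pid of the cmd.exe it spawned to delete its own image; None if none seen)
CHAIN = [
    (2304, ORIGINAL, 2932),
    (2616, r"C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe", 2564),
    (2528, r"C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe", 2672),
    (2860, r"C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe", 1136),
    (2488, r"C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe", 2736),
    (2964, r"C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe", 1472),
    (1664, r"C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe", 2800),
    (2812, r"C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe", 1784),
    (1656, r"C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe", 2264),
    (1700, r"C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe", 540),
    (2228, r"C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe", 1116),
    (1508, r"C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe", None),
]

GUID_EXE = re.compile(r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)
SHORT = re.compile(r"^(?P<stem>.{6})~\d+\.(?P<ext>[^.]{0,3})$")


def short_name(path):
    """Approximate 8.3 short name (assumption: no collision, so '~1')."""
    name = path.rsplit("\\", 1)[-1]
    base, _, ext = name.rpartition(".")
    return f"{base[:6].upper()}~1.{ext[:3].upper()}"


def build_events(chain=CHAIN):
    """Process-creation events (pid, ppid, image, command_line), constructed from CHAIN."""
    events, ppid = [], 0  # the submitted sample's parent lies outside the tree
    for pid, image, cmd_pid in chain:
        events.append((pid, ppid, image, f'"{image}"'))
        if cmd_pid is not None:
            target = image.rsplit("\\", 1)[0] + "\\" + short_name(image)
            events.append((cmd_pid, pid, r"C:\Windows\SysWOW64\cmd.exe",
                           rf"C:\Windows\system32\cmd.exe /c del {target} > nul"))
        ppid = pid
    return events


def same_file(target, image):
    """True if target names image exactly or as its 8.3 short name (tilde digit ignored)."""
    if target.lower() == image.lower():
        return True
    tdir, _, tname = target.rpartition("\\")
    idir, _, iname = image.rpartition("\\")
    if tdir.lower() != idir.lower():
        return False
    m = SHORT.match(tname.upper())
    base, _, ext = iname.rpartition(".")
    return bool(m) and m.group("stem") == base[:6].upper() and m.group("ext") == ext[:3].upper()


def analyze(events):
    """Return the chain depth and the pids that trip each of the three signals."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, *_ in events:
        children[ppid].append(pid)
    f = {"guid_exec": [], "self_delete": [], "wow64_cmd": [], "chain_depth": 0}
    for pid, (ppid, image, cmd) in by_pid.items():
        if GUID_EXE.match(image):                      # random GUID name in C:\Windows
            f["guid_exec"].append(pid)
        m = DEL_CMD.search(cmd)
        if m and ppid in by_pid and same_file(m.group("target"), by_pid[ppid][1]):
            f["self_delete"].append((pid, ppid))       # cmd.exe deleting its parent's image
        if image.lower() == r"c:\windows\syswow64\cmd.exe" and r"\system32\cmd.exe" in cmd.lower():
            f["wow64_cmd"].append(pid)                 # 32-bit parent under WOW64 redirection

    def depth(pid):  # longest parent->child run of GUID-named executables
        kids = [c for c in children[pid] if GUID_EXE.match(by_pid[c][1])]
        return 1 + max((depth(c) for c in kids), default=0)

    roots = [pid for pid, (ppid, *_) in by_pid.items() if ppid not in by_pid]
    f["chain_depth"] = max(depth(r) for r in roots)
    return f


if __name__ == "__main__":
    result = analyze(build_events())
    print(f"chain depth {result['chain_depth']}, "
          f"{len(result['guid_exec'])} GUID-named executables, "
          f"{len(result['self_delete'])} self-deleting cmd.exe launches, "
          f"{len(result['wow64_cmd'])} cmd.exe under WOW64 redirection")
```

On real telemetry (Sysmon event 1 or Windows 4688 with command-line auditing on) feed the same four fields and keep the self-delete rule as the primary one: a process that spawns cmd.exe to delete its own image by short name is rare in legitimate software, whereas GUID-named files do occur in installers, so that signal alone is noisier.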

Network

MITRE ATT&CK Enterprise v15

Downloads

                            • C:\Windows\{06D84438-6AFF-4fc3-9B0B-3FBF5DB8DAB5}.exe

                              Filesize

                              192KB

                              MD5

                              0b5c2a17b230d2b014b1e156f1ee1835

                              SHA1

                              101b97d540dab9139789b506a9421d5e129b0e28

                              SHA256

                              e6b174135585b04bd19d2f5baf6224569fc960efbc51350c6984da9d60327b46

                              SHA512

                              ba367728f9698d355b348938b8623e5878822775fe51e251c034ce662baff2a47c20d55e299e6e325aa4b4957604dddb79d0ed6b3508f42b646880ac78a91092

                            • C:\Windows\{078E77AC-14C6-4977-AB96-835408A2F49B}.exe

                              Filesize

                              192KB

                              MD5

                              3e5cdf2b1be42d81596aeb4e91e154d9

                              SHA1

                              e4a3a3ee8bda4e5cd610dee18b31766abcb04bbd

                              SHA256

                              c8e23a7be403cc2a8d94385f5f4a325fa0f58dd4a7be617074f4e159f7498d4e

                              SHA512

                              4ee5eb36f2300f7705f5f07d24b3e476b94be3f2d7d5186520c927e2dc02a576f32a315f176bacc0be33c7cb18f14c20c6239573c5a3007b088658147c546b1a

                            • C:\Windows\{27C34729-1D2F-4bdf-A242-3CC3E23B0618}.exe

                              Filesize

                              192KB

                              MD5

                              5b95d81b0d47521462f516f22ec8f75a

                              SHA1

                              f9f7d614cc6232ff1b80891d5c139d07d1c4a547

                              SHA256

                              49eff79a1b566c7c6d1ea3de1117eb2a4f1acd794c817e34617b39ca792b8324

                              SHA512

                              8c688001c04239cf10491079ac01a3d6a3d74232bbe9fff6d6f8d7005d5faf9f2f11de167f7bfbea4a1ee7ae320fbe39d4a8d740e6c0bb3d275c5cf489c1d58d

                            • C:\Windows\{2DCF1DAA-E6D8-445e-8185-6F35CFF8695D}.exe

                              Filesize

                              192KB

                              MD5

                              3e0d718c6b48d70737bb51bb96a8ed3b

                              SHA1

                              0fe5a1f26cb13493d79da8151575dd9dd4bc5e81

                              SHA256

                              d496cbbace86f240d9c16a7b07022eb0da2b59a3915603acd8660abc8cad12d4

                              SHA512

                              dfcbe215c615f5f3c43ccf20da89527eb6c31856bea0f16d45a28f5a9f7ae3be810e3a94fc526511c4b5b42bf0c21d9219a8d897c755337c60bd94cfe454445d

                            • C:\Windows\{426B868C-88CF-4092-A3DF-94BE950B904C}.exe

                              Filesize

                              192KB

                              MD5

                              d5f150ad055a2d39a8cb84f745024991

                              SHA1

                              8c06abea5e76cf724b6b0ffd2f4df0e098f7b147

                              SHA256

                              70260cef0842348f30967cd833ba5f2b94f1e659877717bde18bf9faaebb2514

                              SHA512

                              ab68d25375136e193d54db9c573c2c26a715eb0d5dbd649bb33d98b32069c79241ef5c0b9c200968dbd53576ee39c21a233b747bf3748347022788bec80f8c4d

                            • C:\Windows\{461A4BCB-1FE3-4e37-8159-3E032AF404D3}.exe

                              Filesize

                              192KB

                              MD5

                              23af495fbbf57e341b05688705e8e7d9

                              SHA1

                              1ef0fb494ea902bf566265de3530b120e320bffe

                              SHA256

                              16352ebfb83f274195f05009d22a5dc0830e37899660c49a5bc62a631dc91144

                              SHA512

                              31762f04c5dbc6736f315dc2999a2b1206f571b3a41936630e7fde6161f6a10040b2de4d680e5730daef2eee9ea4049b68065c6f72972a0827f510a33df904bc

                            • C:\Windows\{497601ED-FB01-40e0-AC8D-053166A61BD0}.exe

                              Filesize

                              192KB

                              MD5

                              e74102eb2963cbd5c6715bf037901107

                              SHA1

                              616ce399ac8c200cb332dd7fcffa92f8b2f9249a

                              SHA256

                              b8b9a101ffde55e3fa403c3757c1af3c57e633f2f60609dc34b5b9488a47f108

                              SHA512

                              4c0aa40e6726cba5df7b1f68c564ba7e8c09f64af91ab7ec85b493597e5328c5d235e36b7af3acd8bc2eaa5b8fa0d03e3e84cbc00004c69f029b25b39b540cfe

                            • C:\Windows\{4AAAD155-C541-4c02-8E2A-90946FA4CDE8}.exe

                              Filesize

                              192KB

                              MD5

                              d2c1bbefcefadaa5f80bab8646873e7a

                              SHA1

                              5636f70dc73aa2532c0b5438d85061a0d3a2859c

                              SHA256

                              e1023be86c224af7f96e39fc1609e448c1ef5c619659daab1144054d66214dc0

                              SHA512

                              2217ec114c74bcc760b69d7b1997d1f88b62f8765b184d3db84588da80e9426bf8e751ae528bb51572b5a74ce9094120b5b49569816584c4e5de5237e71548a9

                            • C:\Windows\{556B17AF-DA13-406f-B180-5B1CE1EDF7F8}.exe

                              Filesize

                              192KB

                              MD5

                              b144b003083472a8b14fbdfc4fcf1472

                              SHA1

                              d03ebedb4fd39aac378d491619bb8a2862941301

                              SHA256

                              9f14ce9edbfdf9ab8a72fa001638c921fc42bee1005f78ac853789fc31091e9d

                              SHA512

                              04f3467509c025aff2a62226091d0615bb34b23d7e0c14d0d267cba242ad91c2681f1a15f878ef833962a67aef2190aa3765ea790d255573bfbecc2f9435e49b

                            • C:\Windows\{A464C467-8DB9-4705-88A7-DD0F667D776E}.exe

                              Filesize

                              192KB

                              MD5

                              a08864dc9265974a3d169a3d711a999a

                              SHA1

                              49fc19f76c8933ad3ac08f267a2539b8879a5fcc

                              SHA256

                              fb269aa32b7948763e28019218556940ed97af49c4659c7f7549502ee22c77f6

                              SHA512

                              5b5a1f5716284d38ec2924124503c2d76f5fea3000f4bfa25f951c426c92e7e94803c92914cdc7c26a16ca5ed0c174c148ea5c1157aa95e43c37c1ce395dcf5c

                            • C:\Windows\{BA52E9F0-3EB2-4534-B398-8B14364E48F6}.exe

                              Filesize

                              192KB

                              MD5

                              e40a5e92c1c54b56656c3051b17f4c86

                              SHA1

                              d5744f3bb346b5c75ffb2b2d85195c267c540d36

                              SHA256

                              b1233d05aa56c6e6f48b02498036009e8b66e16731730629430664badbcd78e2

                              SHA512

                              caadfceeb200631570712c10ac785a3a8707245dfb989fe319058d80b8c210a203ee9370c14babd2a46bc528d49c6ae374335fd40e4cdda9d168f2998cb095ca