Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 17:48

General

  • Target

    2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe

  • Size

    197KB

  • MD5

    e4d2a0c0c33dc92bb5245ec3f744cdbf

  • SHA1

    3efb34fc084ec2a81d56a8253fe55a2245e969a3

  • SHA256

    2489e2760ad547f24841cca1879a74d5d47ca8083c53eb86fa73977edcfefd5e

  • SHA512

    ed6b4ebfc4e272740d4eb36f8ef6906bf29a6579a80fbad88414d9c3b4ac01839ee609a710d9df1a66708d0329c5df62fe74d9a930a1eb2017b4922618d75a17

  • SSDEEP

    3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGTlEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe
      C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe
        C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe
          C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe
            C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:944
            • C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe
              C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1836
              • C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe
                C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2076
                • C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe
                  C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:876
                  • C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe
                    C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1588
                    • C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe
                      C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1612
                      • C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe
                        C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2296
                        • C:\Windows\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe
                          C:\Windows\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2880
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2D944~1.EXE > nul
                          12⤵
                          PID:2292
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F17DA~1.EXE > nul
                        11⤵
                        PID:1112
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F86B~1.EXE > nul
                      10⤵
                      PID:1812
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{12D49~1.EXE > nul
                    9⤵
                    PID:2668
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D44FE~1.EXE > nul
                  8⤵
                  PID:2328
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{FC3A4~1.EXE > nul
                7⤵
                PID:2624
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{46FE6~1.EXE > nul
              6⤵
              PID:2612
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{49C00~1.EXE > nul
            5⤵
            PID:1352
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{06535~1.EXE > nul
          4⤵
          PID:2936
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57BD6~1.EXE > nul
        3⤵
        PID:2456
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2700
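The tree above is a fixed pattern repeated eleven times: each stage writes a GUID-named copy into C:\Windows, executes it, then spawns cmd.exe /c del on its own image (using the 8.3 short name, e.g. {57BD6~1.EXE) so that the file is gone once the process exits. Every dropped stage is 197KB but carries a different hash, so blocking one stage's hash does nothing for the next; a detection has to key on the behaviour. The script below is an added example written for this page, not part of the sandbox report or of the sample. It runs two rules over constructed process-creation events modelled on the first stages of the tree (PIDs, image paths and command lines for 1548, 2528, 2536, 2700, 2456 and 2936 are copied from the report; the explorer.exe parent at PID 1000 and the benign cleanup at PID 3000 are assumptions added for contrast): it links each cmd.exe "del" to the parent whose image it removes, and it measures how long the chain of GUID-named executables under C:\Windows is.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A GUID-named executable dropped directly into C:\Windows, as every stage in the tree above is.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.exe$",
    re.IGNORECASE,
)
# "cmd.exe /c del <path> > nul": the self-removal command each stage spawns.
SELF_DELETE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)
# 8.3 short name: up to six stem characters, ~N, optional 3-character extension.
SHORT_NAME = re.compile(r"^(?P<stem>[^~]{1,6})~\d+(?P<ext>\.[^.]{0,3})?$", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / 4688 style), reduced to the fields the rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's tree. PID 1000 (explorer.exe) and PID 3000 (a benign
# "del" of a text file) are assumptions added for contrast; everything else is taken from the report.
EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1548, 1000, r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"'),
    ProcEvent(2528, 1548, r"C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe",
              r"C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe"),
    ProcEvent(2536, 2528, r"C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe",
              r"C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe"),
    ProcEvent(2700, 1548, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(2456, 2528, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Windows\{57BD6~1.EXE > nul"),
    ProcEvent(2936, 2536, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Windows\{06535~1.EXE > nul"),
    ProcEvent(3000, 1000, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\scratch.txt > nul"),
]


def short_name_matches(short_path: str, full_path: str) -> bool:
    """True if an 8.3-style path (STEM~N.EXT) plausibly refers to full_path.

    Windows derives the short name from the first six valid characters of the long stem,
    a ~N collision counter and a 3-character extension. The counter depends on what else
    is in the directory, so only directory, stem prefix and extension are compared.
    Caveat: stems containing spaces or extra dots are squeezed before truncation, which this
    prefix comparison does not model.
    """
    s_dir, s_name = ntpath.split(short_path)
    f_dir, f_name = ntpath.split(full_path)
    if s_dir.lower() != f_dir.lower():
        return False
    m = SHORT_NAME.match(s_name)
    if m is None:
        return s_name.lower() == f_name.lower()
    f_stem, f_ext = ntpath.splitext(f_name)
    return (f_stem.lower().startswith(m.group("stem").lower())
            and f_ext.lower()[:4] == (m.group("ext") or "").lower())


def find_self_deletions(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """Return (cmd_pid, parent_pid, parent_image) for each cmd.exe whose 'del' target is its parent's own image."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, int, str]] = []
    for e in events:
        m = SELF_DELETE.search(e.cmdline)
        if m is None:
            continue
        # Caveat: PIDs are reused; a production pipeline should join on a process GUID instead.
        parent = by_pid.get(e.ppid)
        if parent is not None and short_name_matches(m.group("target"), parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def guid_chain(events: List[ProcEvent], pid: int) -> List[int]:
    """Walk from pid up through its ancestors while each image is a GUID-named exe under the Windows directory."""
    by_pid = {e.pid: e for e in events}
    chain: List[int] = []
    cur: Optional[ProcEvent] = by_pid.get(pid)
    while cur is not None and GUID_EXE.match(cur.image):
        chain.append(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def longest_guid_chain(events: List[ProcEvent]) -> List[int]:
    """The longest drop chain present in the events, innermost PID first."""
    best: List[int] = []
    for e in events:
        chain = guid_chain(events, e.pid)
        if len(chain) > len(best):
            best = chain
    return best


if __name__ == "__main__":
    for cmd_pid, parent_pid, image in find_self_deletions(EVENTS):
        print(f"self-delete: cmd.exe {cmd_pid} removed image of parent {parent_pid}: {image}")
    print("longest GUID-exe chain (innermost first):", longest_guid_chain(EVENTS))
```

On the sample data the benign "del" of a text file at PID 3000 is not reported because its target is not its parent's image, while all three stage cleanups are. The chain rule fires on the depth alone: on the full tree from the report it would reach eleven. Two details worth carrying into a real rule: the cmd.exe image is C:\Windows\SysWOW64\cmd.exe even though the command line names system32, which is WOW64 file-system redirection and tells you the sample is a 32-bit process on the x64 image (consistent with the arch:x86 tag); and each stage writes its successor into C:\Windows, a directory an unprivileged user cannot write to, which matches the AdjustPrivilegeToken signature rather than contradicting it only because the sandbox runs the sample as an administrator.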

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{065356A9-054A-438d-801D-7B8D233D20D9}.exe
    Filesize
    197KB
    MD5
    a5339f48a90273eafb444b82bed4b4bc
    SHA1
    c051789dc287364d02e5978d4f110930018e2f25
    SHA256
    484a85a06de61c7d0c1dd674bcd0963da813c3dc8619aabb1668c8d2657a0d3c
    SHA512
    777a3054326ce4f0d1c568c286f91741ebeb78dcc40e3b87b92f16c4aefa215a3b0e816896096bcbcc408a7775b564bf43e98d630cf99562e9671c0491fac8cc

  • C:\Windows\{12D49ADD-D329-401d-94D9-C0437798EB4E}.exe
    Filesize
    197KB
    MD5
    68f6c6db281151d8c97444c65046c35c
    SHA1
    2c02aa6c202e4d7444ee466836ea46d2aabf4f3b
    SHA256
    16c8a83d2ac18926f491f50ca7651321b7c8b818d1a317f7ac51027c8afce420
    SHA512
    d28b4251574cefebd077fe928de134b448479575b1726bd6da106682874c4cf70e4d11c3d5ae402697cda030a54245e0270f5c09dd19173b6ded192b0f244499

  • C:\Windows\{2D944D92-7366-45a6-B6D3-6D370FEBA9F4}.exe
    Filesize
    197KB
    MD5
    7abb1ff2c11aa70f8c132333541cc153
    SHA1
    149cc827b1cf9fe911dfc48f4081d89cc70c3ca7
    SHA256
    ec77a0cb0e0387072f48aaa202603aa4948ddcf64a290107537b61f9e453f347
    SHA512
    752f358c3566babb0743f7d68229aea5116e3ddd9ec8cbaafe1be4eef07aa1b6dd3526b503f2032bb8c445016c074ea65454f997b1c20374415520f5d35d7078

  • C:\Windows\{46FE61F9-BE5B-42ec-87C6-BC826C813E0D}.exe
    Filesize
    197KB
    MD5
    34d3af00ed115617adb3777f1a63c514
    SHA1
    6d14004255c37b1400695bfc403c855f0988084a
    SHA256
    72292e8c7af5947f40a1f7514a48eb16eb9f7d9efa85a1ee27c724c5d2ee5776
    SHA512
    cbcaf16e7ce90539de8c3b730ea9c8434570066f4c8f50bf8a4593076579096017ead1bd5307f7ebeece5a4a2cd133480fc0b7292d6a82ad453e8f80064771bf

  • C:\Windows\{49C002CB-84F6-43c4-8669-828973402A04}.exe
    Filesize
    197KB
    MD5
    dfb9fb38b971ea131e1274d545f81262
    SHA1
    7092e9d359ad9fbc75cb9cacf9ce35bbe7d4a607
    SHA256
    6537390b09f221c94c23d41a22dcc7ffc73fd988465162e2f8d6c44b51c13714
    SHA512
    42ac191ee6fa14ed25212dd3c483d5274ee88a651dcdb1e43ae2f0d15bbcf8bfb3232539c9e2403d17ab37bbb0468ba10467f79276daffc6c3446d6fe67e3048

  • C:\Windows\{57BD6B94-B07B-4e8a-A6A2-D410A87C538A}.exe
    Filesize
    197KB
    MD5
    6e852c4fa2ace9bebd4533daf3aadb57
    SHA1
    ffa391f5a432d09cc6836331e3db84b80a67c8b5
    SHA256
    cae9787dd5ba28e248110a3af03371647166559a2859efd0803719254b4e6e4b
    SHA512
    1d5578b886a4546dc769f41395681e1b09cdf94e4b838bbd76496636603b38993e8fa872c7ba1a294299ad60d83ce9cbf060768fc816e07fafc64166ab0816d7

  • C:\Windows\{8F86B980-6168-4005-A647-C532A5A89090}.exe
    Filesize
    197KB
    MD5
    c32086061c8a05518defb7adac317d09
    SHA1
    bb1024c9f4b57473454e62de0b46ff522c0a5236
    SHA256
    cb901e91ad47f0d8ccc3431a2d35221f71fa277f654a339163060cc3bb55da29
    SHA512
    0aafb626a1ccb96d47c51105228f13e66ec71926f2a62bb4b396f968a6598fa3689450000a2a100e8cc2ba6c01df45a2a68d3d00a6f6feebc0320c522339e78f

  • C:\Windows\{D44FE8BB-A758-4604-8038-D6BBB468095E}.exe
    Filesize
    197KB
    MD5
    79cbc8085ec66c145b86355054490749
    SHA1
    710b02a2d6eee9bfb729233b12248b9335b48bd9
    SHA256
    44f96db7262e448a514acc5c0d3119f8461111ee5874d428eeb15b4a4432eaa1
    SHA512
    df72261494c3573983f55094f8b64f7388d2d4605c6e4e23ac70e8f91f1e43197e999eb45c839efd99ce9911c91693f580e02d01808d607d3685cb9bfc00c345

  • C:\Windows\{E6B8E691-3B63-47e8-8344-4A35FE4BE585}.exe
    Filesize
    197KB
    MD5
    4ee820e0a1e61a5b0d333ee8296d1317
    SHA1
    599500b2b53aeaea8caf6608f014f7d710b8ab9d
    SHA256
    4710ddbc9c63759debd161feea8f51c4619bbb4dbabd514e1a8b8e23fb44f805
    SHA512
    cb3ec96a4951c03ec4746854cacdbfc0387985ad9dbe2a03666ad1fca58bd0fb4ee7ea2a04e0a08c7f70fa82d0d83188c4153f2422a46266f49adfc589b68119

  • C:\Windows\{F17DABB7-D65C-43bd-8AB2-02A0F3F3E1A5}.exe
    Filesize
    197KB
    MD5
    eebb8aea957d2cf29eb0e5b71e9bc100
    SHA1
    7a461b535364e4b7f93199901baebb744368378b
    SHA256
    1c1396952983bd2815370eafc23d389f2a16844b52749980761532b4ae027dc9
    SHA512
    08eaf6900eddc86836b5ebe8d0321157b28c9a3585163037d3c312df6d94e951c9f5dcee97573db5b888ee70c24fdf02cc1cecca7a6e7e6c0a95229683812a91

  • C:\Windows\{FC3A41B7-1E8A-4edb-A255-7E9BFEFAE188}.exe
    Filesize
    197KB
    MD5
    deb360054d213dd02c5a34c052be5b06
    SHA1
    056461744fb11379f1452f8806ae8181ecb4e6fb
    SHA256
    af1a7f4dcdba93586bfef6d92ff81143fdea2eb88b822a444837ef454e23deb0
    SHA512
    c6afe704a380320576002b2f5808c75710f126baadd7620aacfb349e570f36babcc1d77d6b1f07a753f91a86cc6872fed34bb9e61833b8b34c954f09ec27f94b