Analysis

  • max time kernel
    144s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/04/2024, 17:49

General

  • Target

    2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe

  • Size

    380KB

  • MD5

    f036fbd260dca5a72a2b761714835ff7

  • SHA1

    fe5480d67ab5bba2aafecee3959c00bef49081ed

  • SHA256

    c5f7588ba2df97c916346dd82a407fa589dff4e935f3092eb6419f10527892da

  • SHA512

    d6bdbbc62a92136599d9d31defb0dcd369f91902ff2a48cad8cea1ad9e8adf3b436f43df659a68a0570f895547e7d6558bcd6598f78456cc0e4a77bfc7579aba

  • SSDEEP

    3072:mEGh0oblPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGhl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
      C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
        C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe
          C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
            C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2016
            • C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
              C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1480
              • C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
                C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2768
                • C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
                  C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:748
                  • C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
                    C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2468
                    • C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe
                      C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:872
                      • C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe
                        C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2096
                        • C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe
                          C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2072
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AF97A~1.EXE > nul
                          12⤵
                          PID:1848
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{25CDC~1.EXE > nul
                        11⤵
                        PID:2812
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3A856~1.EXE > nul
                      10⤵
                      PID:2496
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E7B4~1.EXE > nul
                    9⤵
                    PID:2684
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A4020~1.EXE > nul
                  8⤵
                  PID:2040
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{40F7D~1.EXE > nul
                7⤵
                PID:528
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{7B07F~1.EXE > nul
              6⤵
              PID:2660
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0246A~1.EXE > nul
            5⤵
            PID:580
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{21D7F~1.EXE > nul
          4⤵
          PID:2476
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67D77~1.EXE > nul
        3⤵
        PID:2712
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0246A2FB-6463-4b59-A604-E0385EECC415}.exe
    Filesize: 380KB
    MD5: db7aa5b7695086d9774eee3006e63e8b
    SHA1: ce387f701380657bd05dd3deec5b17f7df94d022
    SHA256: e87fbfe6163185ab64b517e82db03e844a8fa94a67a49d9fdddabc632da4befc
    SHA512: f4d4d650dd90f257b5ae3a73e424ea6f268a02e664c5ebbb8c633cdaf282d914270bf6baa63a6431f81e839389f8dcc2f3ba1d20af7250d6c67d2857601af27d

  • C:\Windows\{21D7F2B3-E7BE-4cd5-BAE4-2EC32CC090BA}.exe
    Filesize: 380KB
    MD5: cac5499d8d7f46de07a2698e4b1fca86
    SHA1: 19d9c4bd117e85ae37723d2a2afada8c31a1662b
    SHA256: 3e8305fd5178bbb5d310610a4eb810fc13056054b2fae005473a8899c4a1cfbe
    SHA512: 86cf60343b8a7876dae1390bea60043480a01a34238dd4309522f99edaca75bc6c4ad6812af5b16e9391c1ababff3d0a56742b0aa4d631ca87763700fa73d1e9

  • C:\Windows\{25CDC359-E355-4fa8-8DBA-CACE4A966B37}.exe
    Filesize: 380KB
    MD5: 51d6972bd13f374904d2425fa9260fd1
    SHA1: 5f8ec7f8a516dc33eca8c167d20241c21f14f38f
    SHA256: 446dcac08e7116c135c311ecd0ebc6f30b2790be5a3a4f653d424242f2632377
    SHA512: 4e837cf159a8f052bf5d8bfdddf191fd54522af62b15427c3be6417d3ef4cfb386e3c4a2bf80112effa0809bac5bbdae0353a89ed1a11b5d97fae41476d4a781

  • C:\Windows\{3A856EC4-AB78-4adf-80BF-3D1980AD4F3D}.exe
    Filesize: 380KB
    MD5: 7941e23059e3d610f8e728b148b38256
    SHA1: f5dc5bb7715e702689f887d8026e9aeeac01e42f
    SHA256: 51af5bbaa8e72224b856bc1927b6aa68c2cbea4426b59768ede6b37290c8f49c
    SHA512: 87186d913cad726b250614283ef56a48981f5eda04b1b3b2691b3e9333ef5775c4f824f78cce862076d50ffd2cb0b7d9dbb7494b8d64d5bf9b247ab4139afd55

  • C:\Windows\{40F7DDB3-A6A4-44fa-A2E3-B8CBC23ACF73}.exe
    Filesize: 380KB
    MD5: cea25b498077a23ed2c17343e6074acc
    SHA1: 16f24ac8ac75238895e9af936aa5f4d67281647b
    SHA256: 6089aaee336f57def4afadb9492892de7314c9bfede0ce38807b864c76e17bf4
    SHA512: 778c6dbe8fb6b3fdf0cd884f16d2caa22b4d06fc6d39e3b70bead7093f8a7e9302e84678fbd338c686846700c6ecd1890418a570a64138e6a8e39bd4cb2844d4

  • C:\Windows\{67D770EE-D16E-49d0-94E9-4687A2731F34}.exe
    Filesize: 380KB
    MD5: 798b37a5ec6d1894c64137cd814ce2ec
    SHA1: 0d2f774073bf7f6cfe5394c154b0c558ba3d16fe
    SHA256: 7abefc5775f08409d124fd389511d52109fadbc58582b6fc99f173dd337d8c9d
    SHA512: bacef93bc354bed6c545b136db76c8d97a4efbc92567488143028d7f45065e70a671373a379d7c7690c1790ffb9eb5617a2f9f44975d61642697110e9c48bfd8

  • C:\Windows\{6E7B4FE9-B387-494f-A943-D3C282BA57DC}.exe
    Filesize: 380KB
    MD5: 57f57a7eefcd2b10b298cb3901da8cfa
    SHA1: 6681442d56079990ead67be77ee8f41393c7e8c4
    SHA256: 792d25ec4b27b97e02a61059baf4dd82d2c988e03c97edfa8a57f6f8d95b3ca2
    SHA512: dbb0ac5fac4b6352dcefe072e2f115b06c328f4696290234968d0a3f04ec246347a820478b8263f3fb81ce798264ec91003a71599a7c323c25732b3514a6534b

  • C:\Windows\{7B07FA29-B8A2-460b-ACCB-961C905FF71A}.exe
    Filesize: 380KB
    MD5: d483b89cb4f6d4b8fd5a8335dcc7a0f3
    SHA1: 2075abe6509c5bcdd0aae7adbb1755df436edc49
    SHA256: c3721e7798fc5ca40f1dfc7d83f4276433b08ad40926fd0f16230b983130bac4
    SHA512: e5fb251d0a87628fbfd6ae27f9f0bf8535d441101795d9fa9d6e26c487a1a266a952ebc1562b8cce035a99f2e52a18c89ab54704f395bf6ded3815294e5845f0

  • C:\Windows\{A4020D6E-9BC1-4f6a-9283-202CF950C12A}.exe
    Filesize: 380KB
    MD5: 12bcccd9444bb6221de6441de11dad82
    SHA1: 20968c1cd024ba741aef164acb60d68314d400d6
    SHA256: 31e2dd275513bfe5ce39b43fe3e082710aaafa08a53c7178e538c0e85cf0ec01
    SHA512: 7d615609abeb3f298da6381004d9c6e421cc2419ff7265c282cbd91737d4b9438ec299ac8a83b36b4ef8418934ecd65fd921ea3c2538fe087b2b169d213c3aeb

  • C:\Windows\{AF97A730-98FA-47f4-8B6D-F6FE99FC424B}.exe
    Filesize: 380KB
    MD5: 9a613d3c95f31a3e480d351f8d8645e5
    SHA1: bbb9682bdecb70f4650c19c1b5890ba6467297d2
    SHA256: 15b55173db355edf7a58a1320c4aecd3e3e467b429b57efe82cd706ea8370d21
    SHA512: 1138bd7ab3fef6a77420ef1b3471bfd9f7eb33070796dabf9b0eeb73de6df5f8cd2f2898ea57a5b3febecfe8bd2b2a39a3972e06d26302d4cfe750bd9c19a009

  • C:\Windows\{DA228BF3-5263-4748-8ED5-FD16E842F2BB}.exe
    Filesize: 380KB
    MD5: a95d460006ccf8acfade824368945f59
    SHA1: 327c70eda9699e50aa41bab1368aa20909ea1dd8
    SHA256: 760679e993412bba2781ded187b6e91aaf8403ab1b5d84d51770e1b6419558a3
    SHA512: d22b0495550830a107cb1529bac2271a91e4a074fae9f2342af800559dd56ec874bfa5827f1e738a1c4389211037be737a9efe6893e478511770745261d2c154