Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-04-2024 19:52

General

  • Target

    2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe

  • Size

    408KB

  • MD5

    810074d7792fd317e3ca96f6eeebe3bc

  • SHA1

    aec915f1c3b177aeb021b3e4ebac9879534e75f8

  • SHA256

    6fe40ad407fa1a10ffd59ad3d5c546ab8981b00ad90e74b01f30e6fba26b2a1c

  • SHA512

    40ec2064878db8515ce0cc2a7e677ede8b3e26bdb545f6116b2c61a19c5d418ed2fd4e66a74b1431ba074042fca97c4b9c4ba800a86f2883c5151d43e5e289b0

  • SSDEEP

    3072:CEGh0ool3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGyldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-20_810074d7792fd317e3ca96f6eeebe3bc_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\{C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe
      C:\Windows\{C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\{2A62DD74-4C56-405a-9178-756A9D9025E0}.exe
        C:\Windows\{2A62DD74-4C56-405a-9178-756A9D9025E0}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\{F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe
          C:\Windows\{F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2304
          • C:\Windows\{AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe
            C:\Windows\{AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Windows\{C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe
              C:\Windows\{C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2716
              • C:\Windows\{19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe
                C:\Windows\{19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1960
                • C:\Windows\{70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe
                  C:\Windows\{70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2736
                  • C:\Windows\{3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe
                    C:\Windows\{3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1244
                    • C:\Windows\{ED7A8968-0632-43f5-8BED-34668FB124CD}.exe
                      C:\Windows\{ED7A8968-0632-43f5-8BED-34668FB124CD}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2200
                      • C:\Windows\{AF190C11-2964-4c13-80CA-4702B86347DC}.exe
                        C:\Windows\{AF190C11-2964-4c13-80CA-4702B86347DC}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:768
                        • C:\Windows\{FA23D76D-8ED1-450e-BF2A-E50FAA4111B9}.exe
                          C:\Windows\{FA23D76D-8ED1-450e-BF2A-E50FAA4111B9}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1820
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AF190~1.EXE > nul
                          12⤵
                          PID:1788
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED7A8~1.EXE > nul
                        11⤵
                        PID:584
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3AFA2~1.EXE > nul
                      10⤵
                      PID:1596
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{70A88~1.EXE > nul
                    9⤵
                    PID:2984
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{19DD2~1.EXE > nul
                  8⤵
                  PID:1348
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C8CA3~1.EXE > nul
                7⤵
                PID:2156
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{AA264~1.EXE > nul
              6⤵
              PID:1612
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F86A2~1.EXE > nul
            5⤵
            PID:1364
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{2A62D~1.EXE > nul
          4⤵
          PID:2424
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C47EC~1.EXE > nul
        3⤵
        PID:2540
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2484

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{19DD2C83-37ED-4ae6-87AD-22E1325478D2}.exe

    Filesize

    408KB

    MD5

    3451e0b5de5c3baf515230fbf11fd00f

    SHA1

    4460a7c30ee2352919c430116bb18ca3eba6d695

    SHA256

    65f2cf98a33907eb5ce6c6e052d77ed4f46a83a55668d188befd1f97a242f4f0

    SHA512

    1a94a51d26b162d0f10f5c88cb18aa11529dc4101cfc4f6fad7e7024723e93a8538930c3466366124f93aaf171c0f8bc5c4c66c83dbfd9e516106c86b129011e

  • C:\Windows\{2A62DD74-4C56-405a-9178-756A9D9025E0}.exe

    Filesize

    408KB

    MD5

    8ff2c0d7fc3ae17b5fe79f5d3c31eb8f

    SHA1

    4ebb1c4644af383adf3646346793f86326827f9c

    SHA256

    6bbad76f001e78598df2614f1fae6f4b42dd4dfc128e006ea16cbe5f62921a6a

    SHA512

    f572656cbc1234c05d874b67b1a08be2246296ced47d4bff92898b45f55171f952dcc6a91be51e613ee9b2d277946b80f093e1c7b8d0648c520eb85816d80e9f

  • C:\Windows\{3AFA2950-EFA3-46f5-82F6-837BA1FFFD1B}.exe

    Filesize

    408KB

    MD5

    245d7a7945bdffe2f96af6df0ada608e

    SHA1

    32d81b2b1e5228d791b339273c58dcdfd312534f

    SHA256

    89d33a4934cbcc96ef226026ae3c88dc800dc18b4cc1daf8e3a4e5c8d05dc805

    SHA512

    c86e111ce8190f1e53c08ccee2a873ec075c7988d0010bea89fff73b1dacf33fd0cbbfe1f8e93888e5f9082a003ec33305df36b1d9e00a4e09b2fe38bf557360

  • C:\Windows\{70A8842C-B048-47e6-9D8B-AE8728BA950A}.exe

    Filesize

    408KB

    MD5

    69c0bf7ce322a2d2b69d633f78547de3

    SHA1

    66fae684f3d14809f57c6d06f6db77f7625a25bb

    SHA256

    c928c05a8c4c63c0e1d18b031f0d300554522961c22b83736ff494f7aa0dd0fd

    SHA512

    912a59e724812f9caaeae09a8d3cff4bfb95620cd3bd1f1f9c81a1920b2c208ff581c25fad8f431d6cfcbf3c5e20191275d9528d32b64df1e83beb0e9c124619

  • C:\Windows\{AA2644D5-DF70-4b77-B2EE-FE86CC01F1A3}.exe

    Filesize

    408KB

    MD5

    8975e9efb42bda81eacc0af78f5ecdfc

    SHA1

    9547e1e7e066da7d67487f030da15c244a456809

    SHA256

    788049fdb35cbfb551b9c1d5bfeb1d705eb0dc3a99cf68aab4de23f0754232f3

    SHA512

    e78ab84d2cc19f2948978aede538c6b17d5527016f853b0f7b789141844dce553caf5b5259727250332de619c6d7f7b4593cd6ee8fafe5fbd28c90494f46ee98

  • C:\Windows\{AF190C11-2964-4c13-80CA-4702B86347DC}.exe

    Filesize

    408KB

    MD5

    bb9d161addc2880f1f3d3ced29302c06

    SHA1

    216e14733f5d6b6c46367892bc8d52b3425a18e4

    SHA256

    422610a7cb2061be5a9dd773b4328b776df56a90df259c1894c0283ae2aa76b1

    SHA512

    eb287390b88e34bcf9f1f8caf0ddf0639a10aa4b29e70cb41d9ce17697d6e7389d391ead43188e52930b74f54760180fa13b103bdd723fda20f4e4941e4cd1e7

  • C:\Windows\{C47ECC75-DC33-4184-A8EF-32FEB6CBF077}.exe

    Filesize

    408KB

    MD5

    23c324a3d34781e65050fec65f33eca3

    SHA1

    554cdce3e33ea0be85ca6383e79854210242ac4e

    SHA256

    157d3acf68408913573219267de7f3a11bec3add4b23cf30d9576a54927679a3

    SHA512

    6bf58061bc2604953d064c57a3d65849fa79764ba9e1248d0cb533eb64e289b93dc8f34ebb0a302a18971fbb02ba83aab89058a0b4c294a254444dcd6a6169db

  • C:\Windows\{C8CA33D3-A7D2-4bd2-AD99-4CE3803C03C4}.exe

    Filesize

    408KB

    MD5

    335a973ed426c1f5c378978c58e2ec8b

    SHA1

    4e55311cf565cf1b2abd322046c3633503b9100c

    SHA256

    d38b6dca50162694a78419ec02b36f35f8a4ac9926b104ddcedf4f1ee3fac546

    SHA512

    cd466c4cac401744c2508d84ef15e263ef9b2c99ea6ea2095fd8902da93e74301eae9c78ee46c1e7850be0166ac58952b55c5b14b5ab99daa85a386572e5dc5d

  • C:\Windows\{ED7A8968-0632-43f5-8BED-34668FB124CD}.exe

    Filesize

    408KB

    MD5

    c398ef7a8414dbc871efdab5d15caca8

    SHA1

    86d204cb308b664f343e94242ab06f789078e8b8

    SHA256

    ace4336cffe1078b228692e8dce984169e2d74c5865bcb58e730bd240e29d705

    SHA512

    a5a26d78a16bcb98e558e27252a38dab013adcc6c13bf076490ff6afdc427ac081cad7b7085f13b89e577fa409b2766dfac53e1751d4c02dc6582b5254af5ffa

  • C:\Windows\{F86A2A92-F6EE-4068-B27A-5B9E5675C7C2}.exe

    Filesize

    408KB

    MD5

    c1d3ac9f15d8c9abe3cbb0fdcf45354c

    SHA1

    cb73553f4c254b0869ad83b13748c0e61f137ef9

    SHA256

    7ffdf43ce7dd9ac12b44fa6b768b41ef3b9316a5abd489c5ed20b874dcd9d0e4

    SHA512

    7f69afa1db022e151aa3959e756b5eb26ee858aee4738b1c4012bb8eefc8a0e1a6f0f0917624b1414ccfaf04d6399dd2ce0b7bf810fadbcad7121d5ad914cd73

  • C:\Windows\{FA23D76D-8ED1-450e-BF2A-E50FAA4111B9}.exe

    Filesize

    408KB

    MD5

    0ef00a71e38175c6a067fc84c4bc68ee

    SHA1

    59ac470371a270635a9a0aa3691c2feacabb5856

    SHA256

    b1cef1b72cdc5b20520fd82b546eded8711291b6fe37e9f24e68344f7fb5ed6b

    SHA512

    2e96e2dcd8b0ca9bd564688845adabb0bf64b307033c52bc288d6b1b6881a76a84292471f9dccd81d84457fb65a72ebc1702d5cceb4cf14e8123b33133960544