Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 20:48

General

  • Target

    2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe

  • Size

    168KB

  • MD5

    ce080d7ec34664896f059c69063afd74

  • SHA1

    eeb93257d28374130d94b3898d0036dbab979c3f

  • SHA256

    5563384b2a376a8d2599c41848198f4c7847fbc37711f65b0f9bf16de4d87f79

  • SHA512

    3921eaf84bd8235c739b8aba6e743716b72e606f0b8538ec00987c398f062e870ee0fd19e57219000eb7a4797b298cfc8540d8ee4915dbb23df405ca182b4b91

  • SSDEEP

    1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\{F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe
      C:\Windows\{F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe
        C:\Windows\{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe
          C:\Windows\{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\{08E488D1-669E-4939-A937-9670D4076D10}.exe
            C:\Windows\{08E488D1-669E-4939-A937-9670D4076D10}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2368
            • C:\Windows\{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe
              C:\Windows\{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Windows\{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe
                C:\Windows\{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1776
                • C:\Windows\{DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe
                  C:\Windows\{DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2124
                  • C:\Windows\{1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe
                    C:\Windows\{1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1452
                    • C:\Windows\{717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe
                      C:\Windows\{717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2924
                      • C:\Windows\{FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe
                        C:\Windows\{FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2232
                        • C:\Windows\{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}.exe
                          C:\Windows\{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1564
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FCD27~1.EXE > nul
                          12⤵
                          PID:640
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{717BD~1.EXE > nul
                        11⤵
                        PID:380
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1C767~1.EXE > nul
                      10⤵
                      PID:2428
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{DA544~1.EXE > nul
                    9⤵
                    PID:1428
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{CC4EC~1.EXE > nul
                  8⤵
                  PID:760
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{AD4BF~1.EXE > nul
                7⤵
                PID:1800
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{08E48~1.EXE > nul
              6⤵
              PID:1952
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A4D53~1.EXE > nul
            5⤵
            PID:1604
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D3ACC~1.EXE > nul
          4⤵
          PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2771~1.EXE > nul
        3⤵
        PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{08E488D1-669E-4939-A937-9670D4076D10}.exe

    Filesize

    168KB

    MD5

    487df655ce0f73fc635ca8488218a902

    SHA1

    504409b73472ddda3174823bd13187348d2f0222

    SHA256

    e16f97adab7e81c1b42a59e785a3ad4f63c3c0deb732b5a62a51c90279b85951

    SHA512

    fa10d06dac3717ee6b47a559ec697ee953a1d4e9cec0f910df2a2f9a10bba41b6359890a1db231677003191772cbe5a7225bb094f0257c2589218a0c5c953cc8

  • C:\Windows\{1C7678A8-CE71-4316-AC4F-D64BB2063786}.exe

    Filesize

    168KB

    MD5

    9237ed0c6b2becc073fa8ff9ebc0cb6e

    SHA1

    b5654d1e533c1ff0574c64b0c8eb7ed89fa591e1

    SHA256

    aababdbc54d9df34ecf708c4bfdb837951199a596a04b245fd219b3775219eec

    SHA512

    bf94b0f61c5c3e9d35ae7cdb04dafb524d92c9ceb643c4f9e4d59af23fedaa7dcfc1dcab7dec11712881b61278e707e2e5ef803d50c270ceaa4affe11d9cfca4

  • C:\Windows\{717BDEE8-02C1-44f3-AF35-64FE07C74DD5}.exe

    Filesize

    168KB

    MD5

    fc1249ca9624c0fad525432f9b35a32d

    SHA1

    c2f504b38292972ece56301d8e93b8d2bf5ac41a

    SHA256

    9774538178380578c0d69732dcfa0f8dfa4d3691496570ff01cab0268ce67895

    SHA512

    cf49b9bee65ba87e86c11e7839b542bad4352ce189c7b7c29ed3264297ae772d7c77b024d732768a35ea3a14954be93412e7446bb5fac2d1a723bbd7bbfcd81c

  • C:\Windows\{9C5C70F1-6DF1-4461-9A51-AE56C416B1AC}.exe

    Filesize

    168KB

    MD5

    15695576fc6994f67f21ca6424d7ef94

    SHA1

    60798fe197dda23af9febe7aa894a6d5b205c481

    SHA256

    4dd0337c42240e6846250e461b0c265ec91f4701ad5809c0531c85e53a7baa4e

    SHA512

    62d1923ccf0665f7bf30ddef048d6cb7c14a1dc4665ec39ce758442bb42863fbbd19ed7221632ebdec54794a29c61fd012467c519e7f139e9feb01473de6ce5f

  • C:\Windows\{A4D537D6-F9CD-43e2-8D3D-7934CB69C4D2}.exe

    Filesize

    168KB

    MD5

    5b0f77c4ecdaa526f2af908b8f1280f8

    SHA1

    d3e042e58c85161b17a3544824691ef4443eeff3

    SHA256

    348da14ff185a84db75fae3ff2b04d7b85bd8b336b389ebe140e320ffab580bf

    SHA512

    e3a7f47a43ec4fc1a6521fe91aacaabed9dc4d4305df4ead9d46017cd4ce686a226d1f2831391fc88b5f67730deafb5482e6a239e07b2e257ca103721bf57723

  • C:\Windows\{AD4BF0F5-B43A-4d27-A971-6F7B8F85122A}.exe

    Filesize

    168KB

    MD5

    d8638e414b0c43b4111502af1a7f8fa7

    SHA1

    5ea82f5d91a5e5d6316cd510146d218a34538975

    SHA256

    f18db156c3398992693949b2b983e82395a64ea69dade6a653b2d701c2393f84

    SHA512

    d0d98d05da2e0d1285847ae8ee4c523c78d6fdc14d6afc459521b76e8c1376ae663351f4ad715f51073f185d6f9138edfb07ead839175cf5fb72e64eefe2a741

  • C:\Windows\{CC4EC977-AD3C-4218-AE81-C98B7E5EBE89}.exe

    Filesize

    168KB

    MD5

    47a5c5be7d32f7eed5d2279c2d197369

    SHA1

    6987a0bda8ae39e140e4458612a0097e39a12528

    SHA256

    26bf7ae91a73183b6db5e81c7eb55d0fa005de63f0ed1234a1ca8a4de159a46e

    SHA512

    c889c6ddfe234aca11e119ad9aee117809e0219132dff2a461729f4a047ab3e19a5467d2fb1404db1b3b997b25214a1cfdf05e9f0fabec506f024319fab83a1e

  • C:\Windows\{D3ACC84D-9ADE-49bf-92D9-20EACA1CE08B}.exe

    Filesize

    168KB

    MD5

    683626104f279c7763c8506442e3efd5

    SHA1

    44fd3ccd88444559d49ddcccc850296e69db9c33

    SHA256

    9183b5b92e911247ee603b861e124ccb6d9d7ea2ee5d852fe9ccb7f7eb61fecf

    SHA512

    98d5fcab407d20d675341f03c5ea5bdd5681b142fdd55947136879def9aba6f324934e04d2e7fe10a02aace80ee381fb45da55d8d0e8598bcf719cb59d14a1a6

  • C:\Windows\{DA5445D2-D314-4db0-9DFD-5678A04EC753}.exe

    Filesize

    168KB

    MD5

    42e1edcf641f2c4148397668ddf054a0

    SHA1

    c30b66933482ffdb1e637eb9f65ede800d660eb0

    SHA256

    64c1f8aaff998c33263a0bc2888cc6e3116c399b0ffb6efaca1d0f84d95e41f4

    SHA512

    10bb16bf531a7e2ff4d2c39a81264a000adcf63848a57e9c7cc39ce1294069d3b48590c473e6a526788de42053eeace73860216b1c7272e95b1a03a8a7e3b37f

  • C:\Windows\{F2771AFA-DC90-4edc-BDF7-83D932EB3762}.exe

    Filesize

    168KB

    MD5

    7d5e46d81942987883bb415178f9fdee

    SHA1

    9ba657323099428c0e48d6c2d3b09652d1cc9f32

    SHA256

    e1c0b937518775c6cb2b132ffac840a9daa7f6c3cfca2cbfb45aabb10814b2fe

    SHA512

    955baef29a6a02bae3798b26b5fcc285c1983166b76ea90b3a0d4dfdb548329cded3017d603fdc35b2e6daf190850cc56e1c4a434c2254810d1ee42f7527f6cb

  • C:\Windows\{FCD2756F-29A2-4d90-BD83-1A515D25B81E}.exe

    Filesize

    168KB

    MD5

    122f3f1525fd8c91c6bab469330127f1

    SHA1

    ed5c6b3261fd5da4cf2e6d84f2541aacf7210c6f

    SHA256

    ebd5b7510370b1036037ba42723922fc3660b1c0937cb8dddc133a38bb96d4b8

    SHA512

    c08eb1ad8d41216bce53bd75683341b313a42bb358540226c211faea03c9c54c799a9588d6a1d9b3ed5435456ef210d6b06915d57bbab1d6a819849e83a59287