Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 07:43

General

  • Target

    2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe

  • Size

    216KB

  • MD5

    02cee40891f0ec895fee7ec2e24c90e3

  • SHA1

    7743bda3774f8af185c52a078fd12e46467ac500

  • SHA256

    ff12976a1169418732511afc0a1c16e08f5f3b51a008e8a752dba255770011d9

  • SHA512

    f479598a28cecbf455048d211dd1fac3d4e15180eba2d709f71f25f1e0c045ed5bd5e61d46a7989d2a956330bb0ae5273637aa1bca77bc3d5fd389a2124c0b26

  • SSDEEP

    3072:jEGh0oIl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGylEeKcAEcGy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\{C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe
      C:\Windows\{C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\{CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe
        C:\Windows\{CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\{DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe
          C:\Windows\{DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\Windows\{F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe
            C:\Windows\{F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2112
            • C:\Windows\{FDA88231-C4DB-44b7-9967-7B01D577896B}.exe
              C:\Windows\{FDA88231-C4DB-44b7-9967-7B01D577896B}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2728
              • C:\Windows\{1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe
                C:\Windows\{1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1704
                • C:\Windows\{D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe
                  C:\Windows\{D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1936
                  • C:\Windows\{0A350C63-BE94-4dcc-9C57-981B688BE607}.exe
                    C:\Windows\{0A350C63-BE94-4dcc-9C57-981B688BE607}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2220
                    • C:\Windows\{CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe
                      C:\Windows\{CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2332
                      • C:\Windows\{74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe
                        C:\Windows\{74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2808
                        • C:\Windows\{A140964C-65B3-416a-B9F8-58E2C3E27349}.exe
                          C:\Windows\{A140964C-65B3-416a-B9F8-58E2C3E27349}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{74984~1.EXE > nul
                          12⤵
                          PID:348
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF8E0~1.EXE > nul
                        11⤵
                        PID:856
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0A350~1.EXE > nul
                      10⤵
                      PID:2420
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3FAB~1.EXE > nul
                    9⤵
                    PID:868
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1D887~1.EXE > nul
                  8⤵
                  PID:2248
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{FDA88~1.EXE > nul
                7⤵
                PID:1032
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F282A~1.EXE > nul
              6⤵
              PID:2768
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DA61A~1.EXE > nul
            5⤵
            PID:1700
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD15~1.EXE > nul
          4⤵
          PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1AF5~1.EXE > nul
        3⤵
        PID:2788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:2532
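What the tree shows is a fixed drop-execute-self-delete loop: every stage writes a 216KB C:\Windows\{GUID}.exe, starts it, and then spawns cmd.exe /c del on its own 8.3 short name (the cmd.exe image resolving to SysWOW64 means the stages run as 32-bit processes under WOW64), eleven dropped stages deep in this run. Each dropped copy has a different hash at the same size, so blocking the submitted sample's hash does not stop later stages; the parent-child relationship and the self-delete command line are the durable indicators. The Python below is an added example, not code from the sandbox or from the sample, that runs that detection over process-creation records: it reconstructs the GUID-exe chain from a root PID and flags a cmd.exe child whose del target is the 8.3 form of its parent's image. The records are constructed from the tree above: PIDs, images and command lines of the first three stages are copied from the report, parent PIDs are inferred from the nesting (the report prints depth, not PPIDs), and the explorer.exe entries are invented negative cases.

```python
"""Spot the drop-execute-self-delete chain from the process tree above.

Added example, not code from the sandbox or from the sample. EVENTS is a
constructed list of process-creation records: the PIDs, image paths and
command lines of the first three stages are copied from the report, the
parent PIDs are inferred from the tree's nesting (the root's PPID is
unknown and set to 0), and the explorer.exe records are invented
negative cases.
"""
import re
from dataclasses import dataclass

# Each stage is dropped as C:\Windows\{GUID}.exe.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I
)
# Each stage erases itself with: cmd.exe /c del <8.3 short name> > nul
SELF_DEL = re.compile(
    r"cmd\.exe\s+/c\s+del\s+(?P<target>[^\s>]+~\d+\.EXE)\s*>\s*nul", re.I
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def short_name_prefix(path: str) -> str:
    """First six characters of the NTFS 8.3 short name, approximately.

    Simplification: Windows strips spaces and embedded periods from the
    long name, upper-cases it, keeps six characters and appends ~N; names
    with many collisions get a hashed form instead. Every file name in the
    report fits the simple rule, which is all this check relies on.
    """
    base = path.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    return stem.replace(" ", "").replace(".", "")[:6].upper()


def find_self_deletes(events):
    """Return (parent_pid, cmd_pid) pairs where a cmd.exe child deletes the
    short-name form of its parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        m = SELF_DEL.search(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if not m or parent is None:
            continue
        target = m.group("target").rsplit("\\", 1)[-1].upper()
        if target.startswith(short_name_prefix(parent.image) + "~"):
            hits.append((parent.pid, ev.pid))
    return hits


def drop_chain(events, root_pid):
    """Follow GUID-named children down from root_pid and return the stage
    image paths in execution order."""
    children = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    chain, pid = [], root_pid
    while True:
        stages = [c for c in children.get(pid, []) if GUID_EXE.match(c.image)]
        if not stages:
            return chain
        chain.append(stages[0].image)
        pid = stages[0].pid


CMD = r"C:\Windows\SysWOW64\cmd.exe"
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-05-23_02cee40891f0ec895fee7ec2e24c90e3_goldeneye.exe"
S1 = r"C:\Windows\{C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe"
S2 = r"C:\Windows\{CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe"
S3 = r"C:\Windows\{DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe"

EVENTS = [  # constructed from the report's process tree (see docstring)
    ProcEvent(2276, 0, ROOT, f'"{ROOT}"'),
    ProcEvent(2060, 2276, S1, S1),
    ProcEvent(2532, 2276, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(2640, 2060, S2, S2),
    ProcEvent(2788, 2060, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C1AF5~1.EXE > nul"),
    ProcEvent(2468, 2640, S3, S3),
    ProcEvent(2632, 2640, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD15~1.EXE > nul"),
    # invented benign activity: ordinary deletes that are not self-deletes
    ProcEvent(2900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3000, 2900, CMD, r"cmd.exe /c del C:\Temp\REPORT~1.EXE > nul"),
    ProcEvent(3001, 2900, CMD, r"cmd.exe /c del C:\Users\Admin\Desktop\old.log"),
]

if __name__ == "__main__":
    for parent_pid, cmd_pid in find_self_deletes(EVENTS):
        print(f"pid {parent_pid} deleted itself via cmd.exe pid {cmd_pid}")
    print("drop chain:", *drop_chain(EVENTS, 2276), sep="\n  ")
```

On a live host the same three fields (Image, ParentProcessId, CommandLine) come from Sysmon event ID 1; the parent lookup is what keeps the rule quiet, since a cmd.exe deleting some other 8.3-named file is ordinary activity and only a child deleting its own parent's image is flagged.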

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0A350C63-BE94-4dcc-9C57-981B688BE607}.exe
    Filesize
    216KB
    MD5
    9ab26710c4e5da5eb1fcd4c78fe775f0
    SHA1
    403f3229450cfa2f780e08c505d27d5eecb59d9d
    SHA256
    82107413d6bc0f4077c810a71f4d121f173954dcec8cf337df9e8dca50ad2495
    SHA512
    cb01236b6ba48adc2aa3e73d72925cec0f865647361f928725394a55ab9a85a1618e6594cf1fa29658a3b4092b68e5e48426be668b395860eeb8a054e6f5ef22

  • C:\Windows\{1D88732B-E8ED-4ee1-8C7D-2C323F4FD190}.exe
    Filesize
    216KB
    MD5
    dc444cb88a53bc739f8892f2fd918d0f
    SHA1
    893a489580e54353f0bd69cb0313e64fb1aeef2b
    SHA256
    d2d008db628f800ae698ec81883b9890e59668ed4c01952f1b030a89d683669a
    SHA512
    9f3f867723750a6f3aac1af8a7dc1a986e00e8f8332263280c3d7e841849023253051c7f22a3e49a551f0928a1f30b1ce19722e47dd90c39336df3d499122f08

  • C:\Windows\{74984FC1-F4AC-4b60-87E4-89E899C069D3}.exe
    Filesize
    216KB
    MD5
    f3ffd0a47a18f31ed6e1ac958933e4b9
    SHA1
    71713ff0aba74d88b9a5164a347031119aadfcc1
    SHA256
    a52d4155444685f5c1d3bfff0a9ee4d8e0fae4c24313ea9460bb34d93e0c9e9e
    SHA512
    725f9416c2445fe2d03e079f771ec649e6e5801df3f73a1403a4f4943d2c68ce2a966a9113933502753f2645fa7d21609228a10bafcf74b093003c085fc0e3e6

  • C:\Windows\{A140964C-65B3-416a-B9F8-58E2C3E27349}.exe
    Filesize
    216KB
    MD5
    3ef07910dee09972ffaf4caaa37280f6
    SHA1
    bd94e81f615d24abcf75c04bb4bbdcb74700079e
    SHA256
    660919094f5940760857f1ce4a3c22b3a9f5e1b9e97a53f3e477ca4699d29d55
    SHA512
    0fb760d1f2a5eb79ea2007d1c6bc0602ff3fea1c5797e6d5d5c1d93bff7ac0af20793ee5c62f676b41f3ad44ae6ca3710583c68b0df076e88aac322d1da97d40

  • C:\Windows\{C1AF5211-C094-4eb3-816D-BDB03698DE2A}.exe
    Filesize
    216KB
    MD5
    246f5ffd1247427e252bb4e34f5efe1b
    SHA1
    a042733f0c09afa5aaaf6d4f6b650a7eebc7b461
    SHA256
    e5fa38bc468f363a600cb81ccc5a03debff8065715fe03125a856aa2d3394186
    SHA512
    a9663b4a700edcfdc9a8351e04a53c2e1b26c1f3d6ff52343bdfd016d472283d609c7bffa340cc8c1e3ffe8f8d866a388131911aa927fa666b7a9547b2594678

  • C:\Windows\{CCD159F7-D5CB-4008-A755-0ABC80C69BAE}.exe
    Filesize
    216KB
    MD5
    a34810583457ed31457a2acdea512f31
    SHA1
    7b722b51ce43522152af1b0733e345729da42b60
    SHA256
    4af62cbc8603003216e054943d87b9ea8d8de611894bf2d8274027c0e3a5a1fe
    SHA512
    05687ee0089ff5280ee5b64ad05bdfe9359ba4b92cc15676b25c5a74ff7cc9c606e64bb341566bb61e01b2c8582b462538c566c34ee79dcb65bb9a96fe90aefd

  • C:\Windows\{CF8E0266-7451-4412-B8EE-4EC6EAD9B009}.exe
    Filesize
    216KB
    MD5
    72a6cfdbdacc5ce0c332d1eb36a147b1
    SHA1
    f544c8c2b5b94661f104fbfed3c2df011b40e2f8
    SHA256
    01bb1ec65b5d78ea0b461710f99a820d430856e85601bd1b458267c0f28125e8
    SHA512
    5e74cd699df2a113f518e5ea43dfb1e8f049705f39d4071ff73bd2e1183e9682db2b012fc8d2ee84d19c9b51dae54de7a9be3ab83058c9f161f768639bc624d4

  • C:\Windows\{D3FAB376-66A3-40f3-A598-0B223E61B11D}.exe
    Filesize
    216KB
    MD5
    32d74ed21c058d8e69f6fa0ae5bf2254
    SHA1
    fc426d8e2dda48607d29e6c30ad6b3773320433d
    SHA256
    562a56144dd9886a3cd2eee5518eb0a537eb0424d62f4fc49ad119b7ec3dc69a
    SHA512
    a75f6cf306b21e6d532869a73195d734dc43a22a706c0ad6211521bc81e5a0874e79b800340b2cc028c4fff208be73e8733ea930ca5dd4e8c1513d32737adc83

  • C:\Windows\{DA61A470-6B12-4f5f-9657-5C2E147557BF}.exe
    Filesize
    216KB
    MD5
    0fa9e4c571ca6a16c1581d6402cfdb41
    SHA1
    d7a5edb0b8318eb5205f30578d8bec1de3391227
    SHA256
    5f88fabb8c5c43072d0d7b6379aa1daff12193209f1d05312fd99e9f2ee53e1c
    SHA512
    53ac368a7317ea591db9b811508ccd9474ed993eb290be6f1affc32ff1b54020035af2f5eb435b6ff4fb0c50982f308a2cafebed7364b85e1d470180ec21dcfe

  • C:\Windows\{F282ACF9-8BD7-4d5e-82F2-7856D3DDDFC0}.exe
    Filesize
    216KB
    MD5
    bac86534533c039b28883ca921edbb6c
    SHA1
    5d8b8b3cd6c93f0459aee824216a7a6983c3fd8e
    SHA256
    0631cdb0d943d5e6783581e2180f55a635c2b3a6d904bca0916e9f80922c9732
    SHA512
    6cfc8513a6fa64e1589cb9cea5b356e8db533ce277f0a4c95611fdf74e44406a9c6738f5c10d4e4b993eb790dead183daf495afe67204edd3af527ad807577a8

  • C:\Windows\{FDA88231-C4DB-44b7-9967-7B01D577896B}.exe
    Filesize
    216KB
    MD5
    8e99435cf5027ba70802cb7ef97283aa
    SHA1
    1c97d2278cda0336f38a4f6adfc3e44888c5df4d
    SHA256
    43c5d3cc1772639487e9dd97ef289378d57cb38b84295282a8d0daf84e8e6b17
    SHA512
    777e871d6b7cc5a4d4f0769758b4ac58f140546e5e6596c18d5049bef217ae2f589da9b0237d7f1d429c5a0e7f7a3f43f37f1349a3c79a9afcef2188f65063fb