Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/06/2024, 04:26

General

  • Target

    2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe

  • Size

    380KB

  • MD5

    886c0ff26e3a5079f29bc8a6e2c25646

  • SHA1

    61538066cc38d86ffd79c935f8054fc33923ef3e

  • SHA256

    32dc77046d1eb839d21503392b7bd9f2f81f4c0cd25a4583a04dbc8c931a0abd

  • SHA512

    a5db5a8ea4985a1ead82537b16c1daaac00c315b1e7ed9a84743edec07c33a2515d794e9ba67b5f888c0db1c131dd02cf93d00c462c208a444ce7d050ac72061

  • SSDEEP

    3072:mEGh0oQlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGil7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
      C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
        C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
          C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
            C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3008
            • C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
              C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1516
              • C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
                C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1916
                • C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
                  C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:328
                  • C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
                    C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1572
                    • C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
                      C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2376
                      • C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
                        C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2860
                        • C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe
                          C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1260
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B88D0~1.EXE > nul
                          12⤵
                          PID:664
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFFFC~1.EXE > nul
                        11⤵
                        PID:2304
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0EE8B~1.EXE > nul
                      10⤵
                      PID:2124
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8441C~1.EXE > nul
                    9⤵
                    PID:2404
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{26D32~1.EXE > nul
                  8⤵
                  PID:1420
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{1C01C~1.EXE > nul
                7⤵
                PID:1672
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{80140~1.EXE > nul
              6⤵
              PID:1448
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{028D7~1.EXE > nul
            5⤵
            PID:2316
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B303C~1.EXE > nul
          4⤵
          PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10794~1.EXE > nul
        3⤵
        PID:2692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{028D70CB-E1ED-47c7-893C-B8A4913A54C9}.exe
    • Filesize
      380KB
    • MD5
      32abf136737b41587b273bf80e2eef3b
    • SHA1
      95ba1edec3b4c574f10ff360d816ec5bb5e15c06
    • SHA256
      4fb461a9b65778ccf66886b0d27676db8d917aea3a9c82d22fe620389571961f
    • SHA512
      11c8388a6406885ef401300ab43f795fcbdc114de916dd2faf409dccc0fab0f2096c94986667c53c4a07f0ffd6de5a72f5661d6a2fd6dd1cf428a212e7f3e447

  • C:\Windows\{0EE8B37E-545E-4269-9E9A-F1FC0A2311FA}.exe
    • Filesize
      380KB
    • MD5
      47ea89c92d8b695ed2bdbfb2188f2c5b
    • SHA1
      638dd1566751cdf32145535b63c351ac5f91aad2
    • SHA256
      c403c4cc26b6efbf43e76f7b3249d24b3d9c32aadb3bf75fdbf840e85f3878e9
    • SHA512
      3166b53375485a8ef40316d63363b194b5d30abe15dd43283071fd8ee1b14f4dee20fc5cf1adfe3f38745047d22d97f3c8a4d7c454b3501649b3b89700ead7bb

  • C:\Windows\{10794911-E79A-42ef-8CE2-19B63A14FC1D}.exe
    • Filesize
      380KB
    • MD5
      7c2c750a390c08138b28045ec14e5da9
    • SHA1
      628ac48125906a3cdb5f0d91c38330f24c66e58b
    • SHA256
      16a0cbbca6817b8f0523053b15f7bbbbf00deb764163eaa66c2cbc0ebb4d4633
    • SHA512
      ce0937c20e4133c6ed6ace6553ba037f2de0ff009a9f7c8544c9dcc555a2739a1271540e12668039bd781ea8cfd69aefa3ede44f3f77ef73c7d2639447e3bc94

  • C:\Windows\{1C01CA9A-5779-4f68-B407-D655FBBED702}.exe
    • Filesize
      380KB
    • MD5
      15ac04327674cb3c511eb80b37a8205c
    • SHA1
      0691e341ceac2b9e6383c36e81d371541b447e05
    • SHA256
      cc9d7087b8820552acd5a4fbc0113b21a17d25005908cc9fda698a6666b81eda
    • SHA512
      5860a33d58084d2cd0aeb5bc9b014cfcd1cd341e26366fd3f5376a9d11c8ad1591221b3e05c6f23971a590eaebfbe06d01e7359ad21d14b45d340a8483e4d5e4

  • C:\Windows\{26D32D72-2446-4a46-ACA3-87177BA46D3E}.exe
    • Filesize
      380KB
    • MD5
      eb0111f0f0e4cb4190064121613d0bd6
    • SHA1
      c67693986926a7099e1cd5f93482401eac5b7a97
    • SHA256
      ed1e4ccc7accb1ce67aa9ea75eee37c236eff009aecdf90171aeae3edc54fb11
    • SHA512
      226237c4d19ec6a3c179f4fa8216af5996c89076b6e5d527ce08ebf71dd38d81446e162988cc70809e36839b7e271f0faced508b2790eb72f209e9a31dace377

  • C:\Windows\{66C3D7B1-9977-40fc-9D04-1D9BF56A8EBA}.exe
    • Filesize
      380KB
    • MD5
      7ed226c3e2880cc71aaecdca5a4a5550
    • SHA1
      fe4345f38f059309fce810f17b3661040c5ec749
    • SHA256
      02bddfa355e3e2ca035c0e59681adbbc5d5e319197d6844027bae7c62856df65
    • SHA512
      668e81c5ce237fea5d940de424ff41805957351e477f4ec8e7d98f28bee06d1d427c40bb66f1da55e6d756f5e25eee0d94a1e75fa1f9f5d21a017a754e7cf8a2

  • C:\Windows\{801400A8-B30A-4b8a-A70E-288E0A37BC8F}.exe
    • Filesize
      380KB
    • MD5
      8f17fea1e1765e222a3ec6e30f75aeb2
    • SHA1
      9ed24768f56862f69b05d038f03b2fa737c708e6
    • SHA256
      8a58d79e41ccb0eca29ccc3d594577f49d645826a9ba26ea99a49a98c0f7bd26
    • SHA512
      e4b1ef49b3affbb378e21c04c66b1a058e6290afea83851440fd537384a00db970ae7f33aceb6d4dbd984461da6cbc818ecf25331831bed62fcf96766af3462f

  • C:\Windows\{8441CCA4-F1E4-4444-B360-F5CA94860F31}.exe
    • Filesize
      380KB
    • MD5
      8ad4e2ec5080bcbdbd9b6bff36c266c1
    • SHA1
      8f60e343c73665c6051e8d5726df713d825af971
    • SHA256
      885388e2da1da36fa00dbc3ac1cee1adadf7870027dceb6755cc748cf5abb3cb
    • SHA512
      38752f6a03a59e3415ff0f5489931a1b4e6f3dc4229768190e4243e3cb932200e5eb6dd48d668314b1b1b5fbf4bd1254b65d4a211441cea373e3dbe3188df5e1

  • C:\Windows\{B303CD1E-15F7-4764-8654-6F9FADFD4773}.exe
    • Filesize
      380KB
    • MD5
      1cbeafb668317a7722c6466f66085ec5
    • SHA1
      c81500d7ce44b2c736a0006d51fd250dc5bfded8
    • SHA256
      0241153823616050013a1c4b7f5d9e45ea38ab7b2c223b9c80f1c72397621e4d
    • SHA512
      b368b330c85104511a02710cf50f1a8c7c67f0e1ba45ee86d7c7d7fdd543c48e05394c18d154e63b6e4f80ce8080f7d8dc5e3b6424d417e43b216949aca201e9

  • C:\Windows\{B88D074E-D186-48a2-B0E1-77DC68488FB9}.exe
    • Filesize
      380KB
    • MD5
      863a852135fe62a52596bf704159d36a
    • SHA1
      2cac4b461da9d4a8b4df30da52f20f7f2ad7fa91
    • SHA256
      b52f3cda897fca2beead34e08e941f16c7b9f2c0b83ac05e63b6ef668e3c4dc3
    • SHA512
      4d85535617e262bdb79da9b6ad2c32bcf2b485d564a0dc7aeaeb91b0f6ae8b27da07fd779648353af06d3294a2e0751d6c0d161da23707bb541751d68a365105

  • C:\Windows\{DFFFC588-1004-4cd1-9806-A9220FAF676C}.exe
    • Filesize
      380KB
    • MD5
      e45e796a8ca92de1a58558505163dfeb
    • SHA1
      5dcd257259f1ebcc069481fd99b3e548c90497cd
    • SHA256
      e5ac24180ef8fe260b8b06b5d00c61475e5c4939893ae42c2a048487b3f56edf
    • SHA512
      77e1eb484d58329d4184d6b2b25d3c53db0dd28bcead0856cd26e0c019dc14f768afbea17650e075ef9ab541c3b2b24313ba9b7b76dd31cf40bf4ffd3e0e5ec3