Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/06/2024, 04:41

General

  • Target

    2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe

  • Size

    204KB

  • MD5

    956e79eb73c9143bd4d4050b31e4b8fa

  • SHA1

    f793eccb9add50c4d1708dbfe061b12808c5c07e

  • SHA256

    dd304a280fa670f746cf662faa1075faba580015775820450a813f17a9e36735

  • SHA512

    74ef24b0ef1bb0b79b5c1410ec2471e3723c152236c65849c0251adafa4245f022fa741112a5503458cc0325fe7108233a8598fffce9d72a2581cbaa00742e11

  • SSDEEP

    1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oXl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe
      C:\Windows\{2F73098D-B9F7-479f-9FA2-2562DBCEC950}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe
        C:\Windows\{6A03EE75-F1B3-4ca8-B033-9A037C853C6F}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe
          C:\Windows\{DA10BD5E-2492-487d-A96F-8BB505535B22}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2832
          • C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe
            C:\Windows\{DD998FDE-4686-432b-A2F7-92D9F0CAD667}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2212
            • C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe
              C:\Windows\{AF19A7DE-D5B8-4937-A9B7-12BFBAAF7BF0}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1440
              • C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe
                C:\Windows\{26CEFD38-CACB-4149-8932-4763B5CA0A32}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1496
                • C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe
                  C:\Windows\{FD7CFDCB-C6B0-42ee-B472-E7C08A3521AF}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1608
                  • C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe
                    C:\Windows\{9A4F59A5-D42D-49d6-836B-C49A25129D58}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:636
                    • C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe
                      C:\Windows\{FE9933A5-BB0D-4db4-ADBA-708CEF62C078}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2844
                      • C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe
                        C:\Windows\{0F0BABA9-6EFF-4d3a-8214-30A5F1F80CB1}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1936
                        • C:\Windows\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe
                          C:\Windows\{A0F95182-EA2A-4579-B49E-EA318A32B022}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1412
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0F0BA~1.EXE > nul
                          12⤵
                          PID:524
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE993~1.EXE > nul
                        11⤵
                        PID:1964
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A4F5~1.EXE > nul
                      10⤵
                      PID:2824
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{FD7CF~1.EXE > nul
                    9⤵
                    PID:996
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{26CEF~1.EXE > nul
                  8⤵
                  PID:2028
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{AF19A~1.EXE > nul
                7⤵
                PID:1660
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{DD998~1.EXE > nul
              6⤵
              PID:1848
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DA10B~1.EXE > nul
            5⤵
            PID:2188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6A03E~1.EXE > nul
          4⤵
          PID:2136
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F730~1.EXE > nul
        3⤵
        PID:2508
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2608

Network

MITRE ATT&CK Enterprise v15


Downloads
