Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
  • submitted
    10/06/2024, 04:41

General

  • Target

    2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe

  • Size

    204KB

  • MD5

    97860f63b56a11a2225fb7e0eae2928f

  • SHA1

    2869cb06f8fa1d11467034ee6d8ff34961169169

  • SHA256

    0793876b8f6eb4d121477510e83e4c88fdea6c79093fe95d4ee99c7396bf39a9

  • SHA512

    471d03f24bee300bc67bff010241872d5a2c7b33276bf764107d3ff377f110af5357f8b30f0cafd15d1b08c18d0c4c6de59656a71b2c9ab4528c1fc2ebc35ff4

  • SSDEEP

    1536:1EGh0oLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oLl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe
      C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe
        C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe
          C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe
            C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2256
            • C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe
              C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2988
              • C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe
                C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1748
                • C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe
                  C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2704
                  • C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe
                    C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2840
                    • C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe
                      C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2116
                      • C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe
                        C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2288
                        • C:\Windows\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe
                          C:\Windows\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:488
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E59~1.EXE > nul
                          12⤵
                            PID:704
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D8737~1.EXE > nul
                          11⤵
                            PID:1784
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA32~1.EXE > nul
                          10⤵
                            PID:1744
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8B787~1.EXE > nul
                          9⤵
                            PID:1792
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF88~1.EXE > nul
                          8⤵
                            PID:2536
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{53A9D~1.EXE > nul
                          7⤵
                            PID:1688
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{66572~1.EXE > nul
                          6⤵
                            PID:2104
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3BEF8~1.EXE > nul
                          5⤵
                            PID:2172
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2F167~1.EXE > nul
                          4⤵
                            PID:2832
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0744A~1.EXE > nul
                          3⤵
                            PID:2564
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2760

                      Network

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\Windows\{0744A0F4-3D3A-4751-B1CA-EB8D3A31ED29}.exe

                              Filesize

                              204KB

                              MD5

                              d6968f78757bdef61603001fa11b7e82

                              SHA1

                              877ea307bc94f1e3fdb17164cc636ae2bcdaafd3

                              SHA256

                              89c23028f1792a1205d543bab26fa602cd51c47da6649d790caa40e50553a57c

                              SHA512

                              e841fe3204a41e2ab2359bd301e692bce5696cb3c4a9c6762d90fa79080d23b014a79915db0c085864fe7403f05d70dc133b49f6212cd185b588281d3fb50e13

                            • C:\Windows\{2F16710F-609B-44eb-98AD-6781E8A5C6C0}.exe

                              Filesize

                              204KB

                              MD5

                              fbafb884ce838020496b5219ca93e091

                              SHA1

                              2cf1764ad58b1baf25f7dd194226a7417ff2eea7

                              SHA256

                              b50c4bc9acf8d0d8187415edea4126510ed688f321b62d1c3276cd8be7c59d67

                              SHA512

                              9d27a44facc5965ab41a3f21a52ba7284d8f659df50b15c27bd73985836e56f37301aa6bf448183d01dd80fe5f6f481d2723c21706c34b69faedc0902c37fc1a

                            • C:\Windows\{3BEF8E85-A5A8-40a6-9F0D-7FBF82C0DC2E}.exe

                              Filesize

                              204KB

                              MD5

                              c96e6c6112fed39a68fa4e468031661f

                              SHA1

                              3abf59abb1ef313328105ea74e0bf390eeb94b6d

                              SHA256

                              3e91ce757f4b31e999b0b80f44e8275aab6c4228a66cbf6a88f16850672c68e7

                              SHA512

                              145d0a520b0f8e680449dc87e7bc90d6333b8f1ea3aebc04855ce6b663e209bb788ec2bcde176d021b5589daf428db2a3a7bd0af5d7fa3c2d064a03d640a754d

                            • C:\Windows\{3BF8871E-1E01-45d7-ABEE-9A07E5A8C8D8}.exe

                              Filesize

                              204KB

                              MD5

                              4fc8e14cbdcbcfa952c045dadd154b1c

                              SHA1

                              a48f9b1a0ebf748266b81f504f6f533a1bb1a280

                              SHA256

                              02d32dd134c7927f2271c69e9e9518b5be28f4b5a42d0f9709ac5d33248bbde3

                              SHA512

                              61548e6c7555226ec2aa900b28e24c99e16e96831dec91942af859d1a36a6f9266116d564a15541686dca562f143107fc14cb38e7e748cc7a7982f455dee92b8

                            • C:\Windows\{53A9DA28-407B-4ff4-B9A3-D9AACC8BEF1E}.exe

                              Filesize

                              204KB

                              MD5

                              905a0604a2b3897c188c0bfed862bd9e

                              SHA1

                              1ebf684897d753abbb47f03f896659eb58758be9

                              SHA256

                              626a1f601772b93ee98a817ea6fa40371b119b8670cd5cec1aefaed1c20a703d

                              SHA512

                              644aa3c1e524e92af85fee0a30a94165ec09ab43e127d983a3d2d495b73afd807a195e29db1e91103f445538a2a86d9a2e5b2dbeb6507a4bf54df14639c92298

                            • C:\Windows\{66572100-77AE-48f3-B508-EC39010AE0BE}.exe

                              Filesize

                              204KB

                              MD5

                              4a9aca397b58bcf4cb45649f98f3c21f

                              SHA1

                              94ab4e67633bdb71288c5e644b0f37917f463336

                              SHA256

                              70da9d99425796be7a67ea9a433b8af7220bd92be9e7892fa0e247a151f69be2

                              SHA512

                              f6aed6e8740439ddc14139ac5fd48261b4becc27c52d852e6af859a6224dd6d214adbff9571a5bbd08e9376140e96caac84bc32df70d61e3a7bf818d47a0daa2

                            • C:\Windows\{8AA32B03-D4C4-4f61-9097-8A2E467D3AC6}.exe

                              Filesize

                              204KB

                              MD5

                              a8d035d2a3fc8aa88df6aae43b17dbd7

                              SHA1

                              edbb869fb2429c6e65143ae2629f580b3b073e05

                              SHA256

                              287f4998d86a600a7e295ec9dd9320fb62ee20d53192005d781e15ecb3508bd6

                              SHA512

                              f53230ce6d4143b35028bb69139ac01ea3fe519c445d5dce226b1ca74acbefff9ce70e30dca53ec706152d814abd2f41b935cbfc841675ae53ce63cff54c3d73

                            • C:\Windows\{8B787751-39D2-4e56-B66A-B9DCFB2A27DD}.exe

                              Filesize

                              204KB

                              MD5

                              aebb1e88604caa4f9d444fd31d47659f

                              SHA1

                              fd62fc281139afa9c1fdbcf5d2775fb397a58dc1

                              SHA256

                              8cc9c1a45c31b6963829661dd71b7ddbe60092071441a392976d71fe2b347616

                              SHA512

                              da0d34c7eefe0dfd6bdd30850d3473373f6cfa28cadf2cc7591584f82178475b56bd4dab4e558b7a9da16f5070b654999f05cad5e2505bf3c4df24961798f074

                            • C:\Windows\{9DEF195E-C9D6-40ca-9C4F-65CD477818A3}.exe

                              Filesize

                              204KB

                              MD5

                              e2255dd83854942a246cd6a729e37879

                              SHA1

                              9216149a758bbab7e921784cdd788c201ec76528

                              SHA256

                              8654e26c9a65a65dc532d2f37659661684f55f0d3dbc94e850236c052f6073d0

                              SHA512

                              3e9a4e88b8bcb6d6ed77a0688f128fe0070c6b3838138af17547359ba1b8808bb4e90ae2d7c17795e0400c71d7e3830543ad8bd7a457cdd09cede821c97fc51e

                            • C:\Windows\{C9E59FBF-8120-4fc1-B334-2317DE71C53E}.exe

                              Filesize

                              204KB

                              MD5

                              adec2a26f204cec484bb5171d4052753

                              SHA1

                              b2e69c5f8613b74e1df6f5369b8e9ce1d7ec3dca

                              SHA256

                              9be68bd6245dec8cb505d6c6e91a157476945e6581732c69b81253fc23ea3928

                              SHA512

                              01dad3b7b8c84f26880dc94c659a25d50f65fdb4748d08a37975592510f41af99e5c4bf38a0e4ee0158b339e4a996d440906c6e8667bc1ea434bb943207c5a9a

                            • C:\Windows\{D8737155-FE68-4a3a-9183-4811E2F23581}.exe

                              Filesize

                              204KB

                              MD5

                              3d363cac09b5134cd2b56d0fc250b765

                              SHA1

                              e00ab189d0a0dc246493491e75a2dd7576d80cf4

                              SHA256

                              d8e2303749dc69cbfd6dce9c6e52c0a995f37716395f702373015b8ca503a46c

                              SHA512

                              c0bf5137cfb49ee95efeca7f284a478ab7819aa1101b5f69a73d0086afb3fbcac42bb52fcdaae37b1231ebc18be2f4aeea25f7e530bbfade7526859f0834528d