Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/06/2024, 15:08

General

  • Target

    2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe

  • Size

    168KB

  • MD5

    f844085e931ec6f32dabe71e5314e933

  • SHA1

    975a67898eb5efa008571b050e6f3b0c9df5f42b

  • SHA256

    d49b9fdfde116b0d01978bdc33e847c319f68683a0d905d269a9ab0d08246c25

  • SHA512

    62210862a1cfd012c0d6f237696b7806f4beb44591d175235876e4a30ec01c208d19c8e7535b5c3a9aacc386df2f0d4941e60b413481633c966b5d9e9bd6e808

  • SSDEEP

    1536:1EGh0oWlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oWlqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (11 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe
      C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe
        C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
          C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
            C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:556
            • C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
              C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
                C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1768
                • C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe
                  C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2264
                  • C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
                    C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2784
                    • C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
                      C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2188
                      • C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe
                        C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2228
                        • C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe
                          C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1316
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2473B~1.EXE > nul
                          12⤵
                          PID:928
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB74~1.EXE > nul
                        11⤵
                        PID:612
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2F2D8~1.EXE > nul
                      10⤵
                      PID:2216
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{7664B~1.EXE > nul
                    9⤵
                    PID:1612
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{444CE~1.EXE > nul
                  8⤵
                  PID:292
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0A957~1.EXE > nul
                7⤵
                PID:1960
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1D720~1.EXE > nul
              6⤵
              PID:1940
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{52E8A~1.EXE > nul
            5⤵
            PID:2636
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{90D08~1.EXE > nul
          4⤵
          PID:2484
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9658~1.EXE > nul
        3⤵
        PID:2676
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2560
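The tree above shows one behaviour repeated twelve times: each stage drops the next {GUID}.exe into C:\Windows, runs it, and removes its own file through cmd.exe /c del, passing the 8.3 short name of its image (for example {2473B~1.EXE for {2473B04F-11E1-48bf-960C-45B02D17463B}.exe). A naive rule that compares the del argument with the parent's image path misses every one of these. The following is an added detection example and is not part of the sandbox report: it rebuilds the stage chain from process-creation records and ties each del command back to the ancestor whose image it removes by regenerating the 8.3 short name. The records are constructed from this report; parent PIDs are inferred from the tree's depth markers (an assumption, the page lists no PPIDs) and PID 1000 is a placeholder parent for the submitted sample.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process-creation record: PID, parent PID, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# A {GUID}.exe written straight into C:\Windows, the naming every stage in the tree uses.
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# "cmd.exe /c del <path> > nul": the self-removal command each stage spawns.
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)


def short_name(long_name: str) -> str:
    """Approximate the Windows 8.3 short name (first slot, '~1') of a file name."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""
    stem = re.sub(r"[ .]", "", base.upper())                    # spaces and dots are dropped
    stem = re.sub(r"[^A-Z0-9$%'\-_@~`!(){}^#&]", "_", stem)     # characters legal in 8.3 names
    if len(stem) > 8 or stem != base.upper():
        stem = stem[:6] + "~1"
    return stem + ("." + ext.upper()[:3] if ext else "")


def self_delete_targets(procs):
    """Map PID -> 8.3 path for every process whose own image a descendant cmd.exe deletes."""
    by_pid = {p.pid: p for p in procs}
    hits = {}
    for p in procs:
        m = DEL_RE.search(p.cmdline) if ntpath.basename(p.image).lower() == "cmd.exe" else None
        if not m:
            continue
        anc = by_pid.get(p.ppid)
        while anc is not None:                                  # walk up the ancestry
            expected = ntpath.join(ntpath.dirname(anc.image), short_name(ntpath.basename(anc.image)))
            if expected.lower() == m.group("target").lower():
                hits[anc.pid] = m.group("target")
                break
            anc = by_pid.get(anc.ppid)
    return hits


def stage_chain(procs, root_pid):
    """Follow root -> dropped {GUID}.exe child -> ... and return the stage PIDs in order."""
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    chain = [root_pid]
    while True:
        nxt = [c.pid for c in children[chain[-1]] if GUID_EXE_RE.match(c.image)]
        if not nxt or nxt[0] in chain:
            return chain
        chain.append(nxt[0])                                    # one dropped stage per parent here


def analyze(procs, root_pid):
    chain, deleted = stage_chain(procs, root_pid), self_delete_targets(procs)
    return {"stages": chain,
            "self_deleting": [pid for pid in chain if pid in deleted],
            "not_deleted": [pid for pid in chain if pid not in deleted]}


# Constructed input taken from the process tree in this report. PPIDs are inferred from
# its depth markers (assumption); PID 1000 stands in for the unknown parent of the sample.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STAGES = [
    (2040, 1000, TEMP + r"\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe"),
    (2464, 2040, r"C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe"),
    (2504, 2464, r"C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe"),
    (2732, 2504, r"C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe"),
    (556, 2732, r"C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe"),
    (2780, 556, r"C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe"),
    (1768, 2780, r"C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe"),
    (2264, 1768, r"C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe"),
    (2784, 2264, r"C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe"),
    (2188, 2784, r"C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe"),
    (2228, 2188, r"C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe"),
    (1316, 2228, r"C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe"),
]
DELETES = [  # (cmd.exe PID, parent PID, 8.3 path passed to del)
    (2560, 2040, TEMP + r"\2024-0~1.EXE"), (2676, 2464, r"C:\Windows\{E9658~1.EXE"),
    (2484, 2504, r"C:\Windows\{90D08~1.EXE"), (2636, 2732, r"C:\Windows\{52E8A~1.EXE"),
    (1940, 556, r"C:\Windows\{1D720~1.EXE"), (1960, 2780, r"C:\Windows\{0A957~1.EXE"),
    (292, 1768, r"C:\Windows\{444CE~1.EXE"), (1612, 2264, r"C:\Windows\{7664B~1.EXE"),
    (2216, 2784, r"C:\Windows\{2F2D8~1.EXE"), (612, 2188, r"C:\Windows\{1DB74~1.EXE"),
    (928, 2228, r"C:\Windows\{2473B~1.EXE"),
]
EVENTS = [Proc(pid, ppid, img, f'"{img}"') for pid, ppid, img in STAGES] + [
    Proc(pid, ppid, r"C:\Windows\SysWOW64\cmd.exe", rf"C:\Windows\system32\cmd.exe /c del {t} > nul")
    for pid, ppid, t in DELETES]

if __name__ == "__main__":
    print(analyze(EVENTS, root_pid=2040))
```

On this input the chain has twelve stages, eleven of which are removed by a child cmd.exe; the last stage, PID 1316, has no del child in the report, so it is the one file still on disk when the run ended. The same functions work on Sysmon Event ID 1 data if ParentProcessId, ProcessId, Image and CommandLine are mapped onto Proc. Because every dropped copy in this report has the same size but a different hash, the behavioural match (GUID-named executable in C:\Windows plus self-deletion via 8.3 short name) is the durable indicator; a blocklist of any single hash from the Downloads list would not catch the next copy.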

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0A957A1E-5F98-4be2-B6AE-5FC556041B95}.exe
    Filesize 168KB
    MD5      4bdc70ad8185003ad786ffdce909cae6
    SHA1     38bcc654f794f4991623f3f78eedd838dadbe658
    SHA256   135ae1d3872b936039938536ed1df404529e4720eef2ca26f627db444c1c22aa
    SHA512   e48e36cb930d68722053c4ee1827b72c5621d870f00cf03f8ab16729fcd8d090767a19a8179bfd8717bb806df7d5828671ced4bc1d0c5677ea5110fda22d554f

  • C:\Windows\{1D720150-FD29-4b00-B773-6E26D31A25C3}.exe
    Filesize 168KB
    MD5      8c7cfa29a508d0bb026d676231bad248
    SHA1     c397c32b5b623af89df6985b75ffefdb4bd6f8ff
    SHA256   4d36a874237eacd91c1b168c1afe029f03cebb54a29bcb4358f3caec83b8fa79
    SHA512   ba8b8bf1b0d72e4176b25350060bfca18d3588f8042aa69fc10c4525e107a7e7a529c0e7fc972cd48608e4c5924078930466cfc37a5f346c9decb941bcb35b09

  • C:\Windows\{1DB74CE0-E449-4e6d-9A2F-27735CEBDE49}.exe
    Filesize 168KB
    MD5      49049346af258627d01ae70b91a16541
    SHA1     5bbe7e9f7c6c4dec34c211dcb76bc7a19cb64d67
    SHA256   976d634c7aa3948acda98ebc7d466e904108d2ae5019f58164edcc85014e172f
    SHA512   b1b7c24cb5f3a734ff8235b50683beb8d16f040be72eabaa10f613b98df08632c81cbd9a1d7b499229be92eb622fa0298da0ff1662aa2801edbabd93c921e264

  • C:\Windows\{2473B04F-11E1-48bf-960C-45B02D17463B}.exe
    Filesize 168KB
    MD5      c05bc2524c7bc91ce26959fa288bd798
    SHA1     45c1fc45d6307bed9ce13d12ceab8133fda0cda0
    SHA256   6563db7ad3c3a4f037038951396999dcc2d0071f382c141c0d6d159ba3b5ef17
    SHA512   2a65945b356d22d05d19773d002f7c30cac9ca7c75de8f102bb4a8ef09dcb022c4cb2f5e6fb4329c715d36b68e19764b9d09b93390959058fe194380842e716e

  • C:\Windows\{2F2D836C-C713-4b5e-9A38-7DED43D9101B}.exe
    Filesize 168KB
    MD5      2a214477a7cbeaabd959ad4e4126b17f
    SHA1     627c9bb0d0182cb9bd85967adad7db982cf94323
    SHA256   b3a124e61a262af3ad4a104abe0ea0fbcca8813dad4452c137aaf85c353a5708
    SHA512   70eb77772750e477affa956794596d14c49a9b58e4309cfc0e8562fbe1566a27754b8257f4efa5cd3e9db5abb72676951df864aa627d1f14d878addfe8cdcf68

  • C:\Windows\{444CEFB9-E8A3-426b-8FD0-59BE5C3A74C9}.exe
    Filesize 168KB
    MD5      d947157fc1656fccd3599184302b2076
    SHA1     3c6853394f9c206241a232b752b956ff62338527
    SHA256   fc8b25969dc26a682c56b793e57a1615fe6db333a144333e6a978ad159c12197
    SHA512   86ab712a19fd4c07ae016549572d3c1a38c225a200a01a31ac750edffea649676f67752746ef91e47f957af0775e7cc9a34c473e5025e3538d9ee63878b35987

  • C:\Windows\{52E8A389-E4D3-420f-BD5A-875CD7746411}.exe
    Filesize 168KB
    MD5      b36c72743b9a151376da8694be4f061a
    SHA1     77ba3b5b625034cc00ea6f64579336007d381c3a
    SHA256   7ce5156531d1afa2f30df1e5c85072b981ff4a97127caff1c0c2ede437514e38
    SHA512   7811b539502af77e302ea8f59e240fd021b54a4b13c9a23f7ababc850bc03d1ae77b5663a134ee1d82e718fcf15a609a57724a1f961f80be8c83984f12e3b5ed

  • C:\Windows\{7664B354-13C0-44cd-9959-285B55A67C8D}.exe
    Filesize 168KB
    MD5      a0ae086f0fcaea46dc0e772802d2f36e
    SHA1     ff0ce6c09a818f6a4b5ebf06c10b9b8739de7092
    SHA256   3d3c8acc253c7ce7dfb74a237124c61eb8686d7c0de9ad2557acf4c873cd7a72
    SHA512   442579a8e4870b873f0f4b3ff9d8d2a018b26c8b07a56828355401f42515c04d878f7ddb887a27346699bc2357932b72a5a0d99d48212ec026a48c561e20b048

  • C:\Windows\{90D0866C-FABF-4898-95AF-350E7079D445}.exe
    Filesize 168KB
    MD5      7976da946ff1f539e73b7957b3c6b41f
    SHA1     a283d5a43bd277e37d1cd9e686115b00529bb5a5
    SHA256   ef914edc10f11258cc44c29c658461cd67d98888c09a2f9e5b8ccb6277fa5b90
    SHA512   ecb3ab658126e38200697c23b7acf0491f85aa14b53b2467b6e68bcd86e859a24904298bc6968076ee9ee896d5897c342f36b20c60294b5a5fea2a3d8cc1198e

  • C:\Windows\{9594D5AC-CF0F-474f-B59E-3020576EBFE2}.exe
    Filesize 168KB
    MD5      f9a76c0d53e94f95efd3536b2f13fb87
    SHA1     b65c9ab2e3b9723dbd7f1b312dc31e4b3f78b965
    SHA256   ceecd74d6328ddbfe3eb27b63f913b88c6cbc2ae491a73b5c438f2ce9cc93f5d
    SHA512   e1676ebb910daf9e9bac90a47ae3cd1b462a2da6ce5a96e4f9086d6ead863f06edbfb383632dbceee8e876bb2b983f6ee4bb637b124e1fad05d03abd40d50869

  • C:\Windows\{E9658269-6E39-414c-970C-71E76E12B82E}.exe
    Filesize 168KB
    MD5      d61c1b340ca864c5f43da8f67b0938ce
    SHA1     6ad44309c8f8ffcbc271c4e29d58a223bfd576b4
    SHA256   e688377351db23c5c1134aa1d3bc2b4650ec0f50ed479f00dcc1a106c8cdb3b2
    SHA512   202f95ab9e9d3869aab34d62f0b1adcde513afc2b8b63dd54fc36ab22111b46acfccf3e699da3de7063df34344966d2971e365bc8cf3c13f88878c600eaa3b00