Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:43

General

  • Target

    2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe

  • Size

    344KB

  • MD5

    0a755e821f5f8006a843b9ec0878c779

  • SHA1

    4a481c3ff19aaf6c5d2f00654cee5c0d06a87184

  • SHA256

    08e176d28691fc2e5eca6d6b5709f56f60f1ff0109e7e3d9a78e361a99fa6818

  • SHA512

    d792ed635304e7be64ecb6134df83f52a9168ce60af2a63da4e25b2dc680d6a59daa7d791aa6de902d5cc4969c1fc47401f7cc6f66a52e38fbae1b01abe10f0e

  • SSDEEP

    3072:mEGh0ozlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG5lqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
      C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe
        C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
          C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
            C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2200
            • C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
              C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2864
              • C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
                C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1644
                • C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
                  C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2404
                  • C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
                    C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:700
                    • C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe
                      C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2616
                      • C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe
                        C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2084
                        • C:\Windows\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe
                          C:\Windows\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2332
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{89685~1.EXE > nul
                          12⤵
                          PID:1328
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{85796~1.EXE > nul
                        11⤵
                        PID:1500
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D93DD~1.EXE > nul
                      10⤵
                      PID:1612
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3210~1.EXE > nul
                    9⤵
                    PID:1156
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2F9F5~1.EXE > nul
                  8⤵
                  PID:2504
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{ED447~1.EXE > nul
                7⤵
                PID:776
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A369E~1.EXE > nul
              6⤵
              PID:2556
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9776C~1.EXE > nul
            5⤵
            PID:2588
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F2997~1.EXE > nul
          4⤵
          PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF603~1.EXE > nul
        3⤵
        PID:2784
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:3056

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{2F9F5243-CB38-4375-AED1-BC1DEF50DE2A}.exe

    Filesize

    344KB

    MD5

    8e034af0a745e8cdc638fb0ddb74c4bb

    SHA1

    7d567dc3bfb5440d574bcce83792e49c25dcbe4d

    SHA256

    492cec2a3e50d990ee5d12cd74cd3d0d639802f8a9654df9a691ec7b916cac56

    SHA512

    cecf6c2fc91174abce6e13905803feafa5d5cedd279c3f652c19d4393a8a736fd3ef58a3ab7d44901f332572ed08f1e6034ffa6c05360151a731cf3963d38b1c

  • C:\Windows\{74B9109E-9B90-4003-B786-1E272E72BE91}.exe

    Filesize

    344KB

    MD5

    18162b7e22a31f7c8a000390a2567fb8

    SHA1

    0f8fb50b57dece84a5ed8d77c1f0d275a5137666

    SHA256

    f7ced574ac1014f7eedd1a319a5f4c1f7d1bc29b1977a56905cf76bc9218757a

    SHA512

    eaec5756b66ed3d8222a87e78339ddb87ff01ac2b7613748088e7cbb9cfad77d75b0d233316e41efda291816196c931dde603d8ecfdd99e18da3f720ee69da8c

  • C:\Windows\{85796DE0-F775-40fb-B4A8-48D33281E574}.exe

    Filesize

    344KB

    MD5

    025aa65efc04ebe37fec855cf756e6ea

    SHA1

    5042789341e747242db862e83d4f3bbedda536c7

    SHA256

    01c057eb3019b575d3e5eb7e48840c1d34db77844fa8db13a8d0e9c76b96a680

    SHA512

    2571e92126c040e266f0829ea2c65b013f3df6421503ae4d3f33b05f6d2c90cb8083a20ed1c1889dff199f5b3ed0e76ff01f25256db6ad45edb51ddf6e542850

  • C:\Windows\{89685C1C-617C-4cfa-8A26-9812EBC61243}.exe

    Filesize

    344KB

    MD5

    eda735b0f6eb1678fc12249e6ad5d801

    SHA1

    e074d8d1e7e2d05a9d3dab1693cddee780157e09

    SHA256

    f8583f18197a65b7500841d452ac60bdd86d86b8bb3bd26b16051fd533fac95f

    SHA512

    dacc68909226826196ce6836a46a4d3d8831ba13924f393a3abe64abadbc29e49ec63c5641bb8c8458a3d59a5c151c7c48f85f17625327e63c6c9d2cb2bfa90d

  • C:\Windows\{9776CCD5-DF3C-4c1e-8854-90A31C3B6659}.exe

    Filesize

    344KB

    MD5

    d7b16169956ee57994ffbf793d32ca91

    SHA1

    2569af9facb0cd606aca13d649ab33d4bd8be7db

    SHA256

    bd3189154e86c37f126f961d87bf6eed1d9523c3a41be9cd3f7fa1671975a00f

    SHA512

    a097b2516e2845f0b772fbc36ac36474e5b39f9efc4c22aeab881b3467d1b2bf062deca3c4fc3e6b46a7e5f54d25ba4fed218ddd820cdd4e43f8fb69a568b4ce

  • C:\Windows\{A369E39A-89B5-455b-B7D6-782D83E63C99}.exe

    Filesize

    344KB

    MD5

    32b7df794f0fe3cdf5dcdd9de14e1c6a

    SHA1

    e498c2892a3969072ca598bc945bbc48cf105ac5

    SHA256

    d245c83887f56522c72f3249c64f411c37019c8a9902956e350e7196cd2ed7cd

    SHA512

    2588f3484a4ac885cbb0b9e05e55e46e3079a66e6549e73c5f22c757e6470fd47ff27cfca30645f18c4e4dbb99c487bb7416415e9370b6e896ba4105918359e6

  • C:\Windows\{BF603A42-CA1F-4fcd-8FAA-829CC6EAF8AE}.exe

    Filesize

    344KB

    MD5

    b9ca2756661f6ee51a0ff13b10912f8e

    SHA1

    b080d8acabbdb86b7546fb63f840b6ccc7fe2374

    SHA256

    e8643dabb769720ff888aee633972dd8a7cb6a92ce479c642231211d3ce8971d

    SHA512

    381fb4880b47cacca9b7eef8a0d811b9ed987936e086747421d9b15770507881526600519ff88ff47546c71a89b1a20cd0dd374dc0bb56824ca94b9a622a567a

  • C:\Windows\{D93DD83C-028B-4ca1-BB61-2A3507D47695}.exe

    Filesize

    344KB

    MD5

    135bbb2a4f2d2ab744a638c8180f4893

    SHA1

    49f5be33fc2fb2f5775a8e7dca8d7ddebffd590c

    SHA256

    641cd230089fc7cf178a16c2f4cdbdcaa8fce3ce108a6e98e24b7ba1f6330019

    SHA512

    3f377f49bab00dafda4c9f3574c5120e1741735c57bbaab0492373a57eb400b422725852456eedac02cd7d2dc4c0a425902d405d9c67588c66186d401ce590f4

  • C:\Windows\{ED4476ED-C73F-4162-8CA6-8C783E5AD96B}.exe

    Filesize

    344KB

    MD5

    efc762434d5b3ac247388d623ed5ba9b

    SHA1

    bfffea59aa30090bbedb73d8394e2a493ab84289

    SHA256

    f0bf41cc6fd2f45358d9ffcec7693b0abeca36474e31ba1e3118bdc19c9929ad

    SHA512

    16ffd095cafd3a0b84042589c2a7328b2de85d6ade79d392b98d6893e350079ee4f3493716b2efef48e9004b55f0c04227cc5d52a18b3c0ade406186a8c4cd41

  • C:\Windows\{F2997367-45EE-4a6d-800A-06E97D37E978}.exe

    Filesize

    344KB

    MD5

    8817d652f8f96852526e324ad6178adf

    SHA1

    a3b41c32fe867d0b017bb12936672e95ba1256bb

    SHA256

    bd5270320f98f53058b984a8fa208ae9a4ef4cfb5ca6e05af6f9b48bf0a203a8

    SHA512

    a468f970c8930fbbde6a2928f38a7b8239505e40510699cd3335ff44f2b1c2e9301603e7959259cde125e69d570b1b0c23b8bddcf0421bf636aec4a6040ae44f

  • C:\Windows\{F32100AD-63B7-4759-A591-0FD33F67C60F}.exe

    Filesize

    344KB

    MD5

    eac995c40d5ab3580b820e74a4973e1d

    SHA1

    e6639b314b31ef907e682afa9e086e20be3bed8d

    SHA256

    1a4e5ee6f88b5e6d673c10042e2cec32005a120c4c2d7703aa0a817decc26664

    SHA512

    f00d815894a26ca68353810b99bc81112428f0eea6ec090765dc343fd429d73ac672a9eb903244fbdf737e524b398d0e36305094e94571f22222317bfb5a84a3