Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:43

General

  • Target

    2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe

  • Size

    344KB

  • MD5

    0274ff2311ae5e9f0eae93830e95841a

  • SHA1

    634acfa3b32020c9204fc0d8f9e292d0b9457151

  • SHA256

    ce8aef93e0582a35fb4c5a47cec3059b965dc8e08cf64c24a4e7144428ef7def

  • SHA512

    461bb60697f398ccbfc28003be77ea1332ba9ef1e60418a517016d51280ddf1ea399989dcff73c869dc8bafff4cfd60cab34f79cbbee9879f41fb2e3e5122299

  • SSDEEP

    3072:mEGh0oAlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGmlqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
      C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe
        C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe
          C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2528
          • C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
            C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
              C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:336
              • C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
                C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2208
                • C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
                  C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1448
                  • C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
                    C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2192
                    • C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe
                      C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2384
                      • C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe
                        C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2920
                        • C:\Windows\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe
                          C:\Windows\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1256
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{18E1B~1.EXE > nul
                          12⤵
                            PID:600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F01~1.EXE > nul
                          11⤵
                            PID:2228
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C3CCD~1.EXE > nul
                          10⤵
                            PID:2952
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2BAF7~1.EXE > nul
                          9⤵
                            PID:1056
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5D2AB~1.EXE > nul
                          8⤵
                            PID:808
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{05B54~1.EXE > nul
                          7⤵
                            PID:2200
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{56188~1.EXE > nul
                          6⤵
                            PID:2776
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F8519~1.EXE > nul
                          5⤵
                            PID:2796
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{54538~1.EXE > nul
                          4⤵
                            PID:2680
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C926D~1.EXE > nul
                          3⤵
                            PID:2764
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2096

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{05B54440-EFDD-41a8-B51C-B2A2F84400A6}.exe
    Filesize: 344KB
    MD5: 71b6f0fa3f4fb9f7564bfed9ff806519
    SHA1: ecfe1609f48be007c8ec8f719c0c398f6dadbb9d
    SHA256: 0acdd013a5949a6d3774703f22ee05c9aef478240a2ed521756be2efd8a48eef
    SHA512: b22a5028fe73d4652345ce7d01fe733b610ff8fc1ec6af6696a4afe0da4644f30de955c506938a50563385ad77461a4a5eb1436b2fcb68579d73e94c3132f82e

  • C:\Windows\{18E1B225-C919-45ca-BDEE-C1E6989C54CC}.exe
    Filesize: 344KB
    MD5: e5e8106a44cf4650c40008bd90b8f38d
    SHA1: 6ab7a3a06ddc7ff94003053c061382aec1d85a70
    SHA256: 5f6019b78d9c4eff83b6bc799749a7594974ea449e2e5d580844be0e0ff6715d
    SHA512: 3256b170c4c692ebb60baff5176cdd116da302746ece5f6cd40939e9bec735f7917980154ecfcd3ef41d585eaf96b97c4c63679a865cbf16b7afd376c98bc9b7

  • C:\Windows\{2BAF7F36-7711-4d03-A083-EA12CF9AF238}.exe
    Filesize: 344KB
    MD5: f939e63c4cf1c1dd35bb0ec54fe76e90
    SHA1: 5435385eb818c06459fc249ea7ca8d0a72518637
    SHA256: 9c19b5bbc201ee5015b6f51e3d457e317c4521ca082c7084bd4edaa62d65736f
    SHA512: 3e895af2387efc9aa5a7e6eb4b2d90f5c301d93ebc3c95ecc10b5a2c4e62ff88a6d6725fc45921db6d4265b5326414a26b695d67e122ea0a6ec9cfa718ea2181

  • C:\Windows\{545388F7-5839-422f-871F-519685AB2725}.exe
    Filesize: 344KB
    MD5: 28f0f4207f2202acc027d77a0cc73075
    SHA1: a0a08dc819507d3a375e07103ca78d9cb00534b2
    SHA256: 6bf6c9f92296190651f32cba015a32bbd872a14157c7380f6d01b941f98aa0e6
    SHA512: 5087d0d26942b800c1b874ad2c9b9fcf32d556033262752de0a98cdcceef78a56209625dfce5c5f1b4a68cbd3316b2a6ad37d57ffcfad4e8c367515488aaee2f

  • C:\Windows\{561880D2-6A4F-4635-84CE-92609B6E78AB}.exe
    Filesize: 344KB
    MD5: c65e8b9e5edc5870f00f3319256eecc6
    SHA1: 1da239d2b302015bc200c34d56acaa709b4c0aed
    SHA256: 055b43ef786959ea6286bdcea12f09c91736d31caca75cd940877d0513f130e5
    SHA512: c62316cf16f0d3143cf06422d0de845130874d2f30608c925781f0b53e322b5c8b7f3f3fe34f5d2c6407efe1bddb6b0a9caf182345b287c29f99a85838bef9bb

  • C:\Windows\{5D2ABF10-80D6-4a62-BFAB-95150665A248}.exe
    Filesize: 344KB
    MD5: 3dee73dba0f88b29b39ef58f8eb0dc97
    SHA1: fbd1d468587c7b0ed309d64431851a5d24064064
    SHA256: c54bc53d389ff3209acabae369752e6c472a8ae4359ba72cecdcfa244151d3d4
    SHA512: f345f90fcbb9230d1f86957de34a0372c3f42ab71f939e2d71315f80a3c3d1eaf80cbbf2a7827741c62a471bbfb84e9245fc521a1e33d722053e4d2239e3ef09

  • C:\Windows\{7A22ED86-7318-4fbb-ACE4-4F50DC95F078}.exe
    Filesize: 344KB
    MD5: e412c4c763fbb5b392981a0eb49caebe
    SHA1: 79630549bcbef1f109f1fbbb8880d6ac895350e1
    SHA256: 3b21fc6d70580fd0e539d6bbc481966032b7a598731a36a3ef7debbbfd2806c9
    SHA512: 7e4739f3cdfe94f6d83d66f69f699d4ea739d9007a7c589070d80bed4950063210dc26ea681dbd08e83536b7b22fb375673099253a1ad49f015862761c527129

  • C:\Windows\{C3CCD424-E0A7-4cd9-8CE5-BB87B2253A17}.exe
    Filesize: 344KB
    MD5: 242224bb020c83093609444c21499ffd
    SHA1: 2903bcda21d3b1bf0c229db02237b120acecfa2b
    SHA256: 493f1f0fafda31ab80629013e0ea926e26c029641dfc7c56781e3159d647f1f7
    SHA512: 0599d2670d9e1cd2354b554c392f459b8bb10939685a3d50362f6de694deb631470edbc11c08631b66f0fc4329dc6ce29244da7396838b98a19c88348c0132cc

  • C:\Windows\{C926DAE6-41EB-4e57-B8CC-93CA9278979D}.exe
    Filesize: 344KB
    MD5: dd6207f4e74aa65aaadfc1928cccbc25
    SHA1: a5e988c838790eec389e681f4a9a32a0894c0f34
    SHA256: 3d1d907f81bdb69e4a2b9e30afe9955c8d19c679bd891fe4a704135b787feb5c
    SHA512: d0fa19158f9808389813324f8d6c23875d9bc6a5f27897cabcd35b7c9fa1356ed845ef1891f94ed0c5b689f9371f9164ff0d74530aeeffb4a53836cfd6ef463b

  • C:\Windows\{F0F01248-FE59-45f4-BC5C-A51DB670AEC8}.exe
    Filesize: 344KB
    MD5: 50b1445e4eabdc993c368754ef6aedfe
    SHA1: 3613e89413e2dc2cf6f55db0abc4110edead3ce4
    SHA256: 1af6f15c78539e8616aa42caf03393a77c683491b643887e755dc5263f2276a1
    SHA512: bf607e7d012a1ca3ee83e10a22a851cfc38142ee7e9f72cdf0acf414f50177674b3e1db501ba3f5cbefac58d957fc4e25e9598b6895779da70732e45acc5facf

  • C:\Windows\{F8519853-3D29-4512-BDA8-434C5C695304}.exe
    Filesize: 344KB
    MD5: 9c0f1ddf503e82b2958e3a488eef45a5
    SHA1: 26f24cdf1121e4983a12b0e593d3bbb7d183c30e
    SHA256: 282e66cd1f52c08c57676ebc3cd95338ef3ee9fcaaf7133383470746f13c3c37
    SHA512: 084bdd1f4c8a533a9f3196edc282902f8942f0deebf5ce5dca11f9b56e6c5a0c39834af8dff63fcc6c6f276730c89b2e6f872c7d4f1aab9a78b1a7aff54d79df