Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:43

General

  • Target

    2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe

  • Size

    380KB

  • MD5

    050b37d7510f8a8ef9f98757c220251b

  • SHA1

    8c9c533b59ff94f0b50103a37bb32804f74b4868

  • SHA256

    a6a9bccdd59afea874a4d7da4f11e95a5b58e652c88b5da4b31d4cf38932eb7f

  • SHA512

    9bd18744772cf7edeb21d0f44711e110724f57194fd556d50365ee233d53e8fd98ca8593072042cea34f166838519e0a9e6972645d231623fd26244699c0bdce

  • SSDEEP

    3072:mEGh0oDlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe
      C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe
        C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe
          C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe
            C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe
              C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3032
              • C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe
                C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2760
                • C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe
                  C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1940
                  • C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe
                    C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2772
                    • C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe
                      C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1676
                      • C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe
                        C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2260
                        • C:\Windows\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe
                          C:\Windows\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:356
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D11C0~1.EXE > nul
                          12⤵
                            PID:1028
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{95BA3~1.EXE > nul
                          11⤵
                            PID:796
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D5F0E~1.EXE > nul
                          10⤵
                            PID:2092
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{18D4E~1.EXE > nul
                          9⤵
                            PID:1184
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF8F~1.EXE > nul
                          8⤵
                            PID:2408
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F86A9~1.EXE > nul
                          7⤵
                            PID:1976
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA0F~1.EXE > nul
                          6⤵
                            PID:2896
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3AF1F~1.EXE > nul
                          5⤵
                            PID:2452
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{33DA5~1.EXE > nul
                          4⤵
                            PID:2804
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9C748~1.EXE > nul
                          3⤵
                            PID:2744
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2220

Network

MITRE ATT&CK Enterprise v15

Downloads

                      • C:\Windows\{18D4E9BB-9C34-4f7c-AEC0-DE60763B35FE}.exe

                        Filesize

                        380KB

                        MD5

                        3d43d2c21c9d5924c72fcc4da8c1d50a

                        SHA1

                        454339ca9374107b9b851891a69cb364c6cb3791

                        SHA256

                        3e56ce4b521d2c283ba6d74813d67fa5ba298688a9e897406f4270d816e47db2

                        SHA512

                        4b9190c19c6bfe3c0cb17bddce87eb5abeef85fedfe37cf4c3f91dc1d8bbd85caaf14f78b156a0be904a295939b84af17e5137d183e2d3f951c4f68942236850

                      • C:\Windows\{33DA5C50-ECA5-48c1-B051-58D39C953E04}.exe

                        Filesize

                        380KB

                        MD5

                        efc663a94c66617487f54027d1d7abc6

                        SHA1

                        48d3b49064d722367ea1528f28d1276bac7c5b94

                        SHA256

                        0c3b559bb2302ca76bcaa403b82a9e7aaf623d1677e750f3a8d2bade26f745a8

                        SHA512

                        be1182c4b368731c535f0054cfedd125072196eae62a5a9a7d4a217e333f4a3a6f8f64b1c9b201e624ef98f71687efe87d996756d2ac717b078bfbebf9e9d401

                      • C:\Windows\{3AF1FD2A-D3A4-49d3-9B75-E36846884BA1}.exe

                        Filesize

                        380KB

                        MD5

                        de4f789e133f4d017e82430e867c9860

                        SHA1

                        d9ecdffd971c01bff902c71112609d23e6bf36df

                        SHA256

                        47d34486921eb0417df556cbad315034779232efe449f6ac2623a7048d5d21a0

                        SHA512

                        e337a9000788d82e2b71fa43009d3a936c05bad643cc9211a43ad0815965ce5c7f839080585c8ff66c63126a0fc382294ca0b456bb07328383b6d91240990d23

                      • C:\Windows\{4CA0F9AE-DE6C-44ad-A7DB-0279C6362B3F}.exe

                        Filesize

                        380KB

                        MD5

                        bad273cdd25901f0e62b4594498b3feb

                        SHA1

                        eadbc95b7bcfaad68b4a89282d2ddd90d7b175db

                        SHA256

                        9a3be17c5059bb855b691e1c70cd6f0a452732893e392f9c6b136b6ca10bb4c1

                        SHA512

                        bcfd7b4c2aa300141304695214f1e4f329874ebec9d7582472f5984ac12a950183e4232cc481cc6b4b94e50eaeb89cd4527f43500f3be8e24470cfedce2a699f

                      • C:\Windows\{95BA3A96-770C-4284-A5BE-E0B26D14D494}.exe

                        Filesize

                        380KB

                        MD5

                        3affdc6a1cc46c57f2c3a0f483dc6b88

                        SHA1

                        767699a7ebe2f788e52f427bfde56e673892724f

                        SHA256

                        7cfbcab684017d1368563a35922c13f99f92e2ae91392478633a470bbe207268

                        SHA512

                        819db71f575379f1c2194f3ebcbd0695138bc5d18007e6a6a57bcd57cd4c9f03a44a9ace6633e24947959897aa346f2b25bfc207eeaefb4f20d10f7943de0fb4

                      • C:\Windows\{9C748D5E-7236-4342-8B1B-CED67D0E616B}.exe

                        Filesize

                        380KB

                        MD5

                        d5a2728f40d835e0a9ebef1fb0673a8f

                        SHA1

                        e1dc5e347b7395b440834c50e9e595e9a2f237df

                        SHA256

                        87b6c1be91e91cb185214e5ee28e41a6873ee8f7f60f5dc7e3729be807ba70d3

                        SHA512

                        5ff51dcc0382b8f8478aac39c90f4847354bdf90c7bd6d9d531d97e9cf636a73680c65ee5f0dd65734eaa285229d1e61fd9c687702095facb6b1473d599cf26a

                      • C:\Windows\{9DF8FF41-D816-4f96-866A-00B5D753F12D}.exe

                        Filesize

                        380KB

                        MD5

                        d765da34a8eecb0fc3677ffff7bb10b8

                        SHA1

                        28dc7241e739c133abaf891c73472a926ebc8d21

                        SHA256

                        fde11c6011534f5256cb60e9c2975f8cc815986bc2a419b96c07bf71df2e7260

                        SHA512

                        06e9b25eb1d90c853e67dc79bb190517526ce0a7170f9783f21ce3b249cad2e60875c669d9686c1013dc0a035fda8becce80a819e96a076f101152294e521c8e

                      • C:\Windows\{C17BF9D4-3B5B-4fe1-9267-340023DEB00A}.exe

                        Filesize

                        380KB

                        MD5

                        f5f706d665ff8ad90dada98315e09e34

                        SHA1

                        ae8e79b2eb1cc10803f47bc57c39fda801482ec9

                        SHA256

                        4cdf52ee15b1bd3551597d772315c3bb58a89b6254a743bcee58775bbef70c47

                        SHA512

                        17f294151d5d490e41dfc2c7ec1f35197e79d2cea097d14729d07b989ad93950cf037595aad246630d363c415a0cfe2bbef40b6d25850449eff34350a9fcbc33

                      • C:\Windows\{D11C081F-7763-4ed9-940C-B03C49B9AA2F}.exe

                        Filesize

                        380KB

                        MD5

                        da6ab89146eb6f9891773ad4ff9132f7

                        SHA1

                        b1d73345b8df66498a81de0fd7f22ecd8f3296bf

                        SHA256

                        48a4f6f882f09c7cad61094dbe2f52f1f82fc87964f5c638e978687653280c83

                        SHA512

                        daa1f8ae6948edac87eef7678844ebdc298e2b331921a438889f07335b3e92cf8443b1940fa4c6582bddb874e5ac59f6d44bdf220b1cc398ea591f1b03d1349a

                      • C:\Windows\{D5F0E945-2370-4254-B4EC-185B5068A5D4}.exe

                        Filesize

                        380KB

                        MD5

                        48a9d791ba4af39e65a957c3f01a00b3

                        SHA1

                        90e92cbe041c505c39f96d271498c1f3aa393e98

                        SHA256

                        6d8fc6f88a0c7b4d6e6054a4cd50d728317df513111af9220996ce1a97460f1e

                        SHA512

                        b59857b2393569f05acd5e2d1771d6be7b8a101b41b8388d9e7d5363c208b24c78d0111444bdee6f064feacc02c0171ff736c7e78709918f1c3b8b22dd8cfe5a

                      • C:\Windows\{F86A9266-C867-4256-9B13-F763FBA2CD68}.exe

                        Filesize

                        380KB

                        MD5

                        b2e34dfa0ec6ff047f98cf292cdc73cc

                        SHA1

                        000b86a4c3c9fe619f3200feedc275ce3e54e30a

                        SHA256

                        cd7c15ff17433300917060792974e90d668c05d393daa06a489193f2854b4400

                        SHA512

                        1d5ee903e64784a73c64570bd0f4cb99a46339a9cc58903305057e33d52d9c379ff990359948853a63c9b8cffda753597d92e48aa244895d5fb9979544058e40