Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:46

General

  • Target

    2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe

  • Size

    344KB

  • MD5

    24eadd4d609b1d0fc674c021cf1144f9

  • SHA1

    82d210e775bab311ee3214f13bd6a18dbcd46ef1

  • SHA256

    16c8741c332d24feb1e8bcdd9d90a7ce4c0d6b168a091e716dabaa1fc6ae8175

  • SHA512

    785456e14279dcf1192070dbfb4e06fe7904377e501a314e42987a3766991a4ea9d3b91a9dfc2f6a5b2105654eed3c6ef12a2159caeb5578e705f1260bf71bba

  • SSDEEP

    3072:mEGh0ojlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGtlqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe
      C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe
        C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe
          C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2488
          • C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe
            C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2508
            • C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe
              C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1536
              • C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe
                C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2160
                • C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe
                  C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:352
                  • C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe
                    C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1844
                    • C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe
                      C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2896
                      • C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe
                        C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2560
                        • C:\Windows\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe
                          C:\Windows\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1068
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{26876~1.EXE > nul
                          12⤵
                            PID:584
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE9C~1.EXE > nul
                          11⤵
                            PID:536
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{860CC~1.EXE > nul
                          10⤵
                            PID:1040
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A040C~1.EXE > nul
                          9⤵
                            PID:2788
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9172D~1.EXE > nul
                          8⤵
                            PID:1664
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3639F~1.EXE > nul
                          7⤵
                            PID:2368
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{649B4~1.EXE > nul
                          6⤵
                            PID:2700
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2C8D1~1.EXE > nul
                          5⤵
                            PID:1512
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E40BD~1.EXE > nul
                          4⤵
                            PID:2600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{04985~1.EXE > nul
                          3⤵
                            PID:2768
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:3032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{04985B9E-B464-4f2b-B4CA-584A8E64E879}.exe
    Filesize 344KB
    MD5 4bdcaacb417d93a45e0de1c3dd03bb71
    SHA1 e29146f85c2fd25beac4d18112faefae3bef6e09
    SHA256 820d42182f964907afe576e37c197ad66bb2f50ab24cb735c7f01bbfe04e5861
    SHA512 c70de25713ff407f9a794e0c082a2d2023c4dcc3bb226ab4de8b9b8b7e4c7ed215209740a7a6d5dfb676405c930ce62115e77bdf0306439e733877ef552ab3b5

  • C:\Windows\{26876394-7762-4a75-9B9E-DE6FF40DEAE3}.exe
    Filesize 344KB
    MD5 3c967a3462f3fc21f06b0dce61a8266d
    SHA1 f10fdddedaca7322f84e012c566a0e019e06338e
    SHA256 5a1adb6c46dd7bf69164fffba9f79bb0be1fef3bfce60381e67cea9a601dd974
    SHA512 f0e787217da56675dddef871e7b806972c3419e64b77beaefbd10db7c3e271a6813ecd512c4b9857e6ba121fffb26fd7ec8c868e208949b4a5f27887049c2173

  • C:\Windows\{2C8D1CD7-E64B-4357-8A44-93AEE7AE2AF8}.exe
    Filesize 344KB
    MD5 6fe938b77a80e830b1ad1e08e640da74
    SHA1 115dd4ce07a6ca0cfb2b7b8be0f037392880fecb
    SHA256 43cf001817325a071a449ec74508fa4381ac1367b820bf8f4d21a0b4220ed401
    SHA512 adddbb20dfa7d78e2f2d34542a555058c7e8a0b1d6f273e0435be15ba95a1d84aeaf1ffa8513dca2deb4158c7173470add010c4238dea33361f7cb17821dd0f5

  • C:\Windows\{3639F753-306D-4545-A65F-F9EF26B1B393}.exe
    Filesize 344KB
    MD5 e56ecf9f0f61dc3ba9e14144aede4296
    SHA1 afe40211ea764cc945db026b6fadaaa702d6c8ca
    SHA256 251c4e18fe00a9fcb2c88d3f65e2a58b68ae818419a666d9b661b75089ff170e
    SHA512 e2049e25f1ce2e3686e17012f6e4107bf55ad8843218784a95deada507086dc663792ac012434c1bf51d55ea79d54a90e594eba24d5776fcd797ddf0e8dbe442

  • C:\Windows\{649B4ADB-6932-4d60-8A61-7422D7576C94}.exe
    Filesize 344KB
    MD5 59cb914f2c06052837070acf5ff38c23
    SHA1 ee549b72a00eb9ce1934c111955153a118723666
    SHA256 736a763175cc62fc014a4eb1b2b0d00da9458d09a1f414ad0f2204c171b0b502
    SHA512 2b5fa1993a276af757698e8e7ff0e08c29e46045e1dfac46f53ecc8d5a7e21a55e0a6a8d9b64a4212c196edbc22142ae353d693b9810b000811bf5f200e66d24

  • C:\Windows\{860CCA45-D390-4aaa-B743-EEF6A923076A}.exe
    Filesize 344KB
    MD5 de4e612c33f5cc7ce173afb1e9f42d3e
    SHA1 b53bbd2700890d73e1357e8fa4d662108efab76a
    SHA256 e2ce5ac8de893b8a6c1502a1dc1da43ddd3567ee66b957d0e982a5267a57dcfb
    SHA512 f203e9499b73c8d4baf1a3ae07f045d51d7161607785df40f4b9eb2dc42f21785975a39e758f91b0f486000ee75bafae95963b01390fc720cbe8cb6328f66215

  • C:\Windows\{9172D8C6-A58E-48c0-8C9E-7F2FFA7AFE0D}.exe
    Filesize 344KB
    MD5 2e2f87d2cf2cdcfc67419428ca5de118
    SHA1 880a164227821dc42316abad1f87abb25c9e859a
    SHA256 01d66ee5a9f8249eea0e25f464e03daa0a7d90ada22febf464c7c5d5629c2da8
    SHA512 2284adf003b0ca87fcf9114f5952f64acb0d92f57ba7ffd9865080e0db01eb43312cbdf1c874e3903bf26bc84ac1d8452998eadf28f068f207aa56113c3a7f16

  • C:\Windows\{A040C519-27C1-4361-8F4D-EE788A4999CB}.exe
    Filesize 344KB
    MD5 026c6b7fd173bd872809a3b0f369b82e
    SHA1 62a7f030f14dfc4eea2f3f10b1e4f0d29fd3cf8c
    SHA256 368398404a7c94fbf48140322392181480a403ac1f9822501f4453ec4208be1a
    SHA512 3ec6927ccb0d3d39e0f074834a901f18aed881c1b65f57d732a7fd0d64eecf4a94a196615d5c6223a30cc7a092ac6961a51967fcf72bf5507c18fb62040c10c7

  • C:\Windows\{B6AC68E8-60B2-4fdb-837B-2FED732128BC}.exe
    Filesize 344KB
    MD5 eae671b30987b1f2acb959844e4b021d
    SHA1 c357992d44bdf7f7f0631d113656fc38c5f88c14
    SHA256 f017fc9186ff847797eba4e4abbd276a548476805162c08302584f4ce175513a
    SHA512 62bf5c4d9ae13e993aef9f86245f041b63c2078c9a3a362c63e701da0830e02452c468c6a689707a601c6fb367c6d1e8c25957f8cd905960d271da110afa1c61

  • C:\Windows\{CEE9C394-35EB-4bc2-9392-22007027FEC6}.exe
    Filesize 344KB
    MD5 b2e66b0a0262df27c28f69839ed87f12
    SHA1 0e747af242a7d087b83fcaca292c65ce88f0343e
    SHA256 c8cb54409ef10a73243370293d9329b97dd67c7daf03c63c6386ffe50c741136
    SHA512 48100724717dde4ad672919581b0f49a225616b704cbb7233e04f5e4deb46651c0a31159c6fe48f9b14d9f790c853bf595e4be5e6c436a2bcd37ab9ee47d6ea2

  • C:\Windows\{E40BD509-8E68-4f8c-B1C1-1F61AA1208A7}.exe
    Filesize 344KB
    MD5 5d3c182cbed4bc96523469d9a6d5b59d
    SHA1 c32457f68bc6a257fa81de3fb6573c9ae07790a0
    SHA256 1a47a527e4fa9361cb95174f5d13c0ea4b63301579912c45a907882474dfc2d9
    SHA512 98eec11bb00ccf89bcc2271d7c30f5a4115632a21273dc6bbaa049f2fbe81d5a475e1b27ab7dbb07bf22ea0355d620bd8442e25c01785c599a76f35feddf41e8