Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
  • submitted
    13-06-2024 02:52

General

  • Target

    2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe

  • Size

    380KB

  • MD5

    6d567ac7a66fe4ff2118501fe126bae9

  • SHA1

    133a6c80f2401f94d2646b7839f88606d8bc967a

  • SHA256

    2d9369dc9317b9d668139c100f78be2db8979ad4c67a3c62b91185ece6601adf

  • SHA512

    5665592a36e8c13be5ce5bbeaef83ba0ea7f8f905ff679d09240416e29fa70f9e481fbe1bdad9e78c0aff149b0aca1442fc582aefa5d5c74a473308502847926

  • SSDEEP

    3072:mEGh0oNlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGfl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_6d567ac7a66fe4ff2118501fe126bae9_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe
      C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe
        C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe
          C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2488
          • C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe
            C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1596
            • C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe
              C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1120
              • C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe
                C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3036
                • C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe
                  C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2748
                  • C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe
                    C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2700
                    • C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe
                      C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1984
                      • C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe
                        C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2216
                        • C:\Windows\{D59EE138-D7BF-4353-A41F-122628B33833}.exe
                          C:\Windows\{D59EE138-D7BF-4353-A41F-122628B33833}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2240
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{86024~1.EXE > nul
                          12⤵
                          PID:2220
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1BEB~1.EXE > nul
                        11⤵
                        PID:2016
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{31969~1.EXE > nul
                      10⤵
                      PID:852
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F0244~1.EXE > nul
                    9⤵
                    PID:2844
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{746FB~1.EXE > nul
                  8⤵
                  PID:2780
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{07619~1.EXE > nul
                7⤵
                PID:2824
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{75CD8~1.EXE > nul
              6⤵
              PID:2872
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{505FE~1.EXE > nul
            5⤵
            PID:524
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{45BD9~1.EXE > nul
          4⤵
          PID:1836
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B71D~1.EXE > nul
        3⤵
        PID:2096
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0761930F-1464-4463-BFF1-492FF1D93677}.exe
    Filesize
    380KB
    MD5
    c9c0aee36bafb5470c56b10534e084d5
    SHA1
    187d299536cb9bf7ebaa44e2685bfb184f5a8d65
    SHA256
    6f84f384f7abcb1047288e030fccf09fef72f3421095d1c9157e6f163d91bcfb
    SHA512
    a98ed5549dab500fc918b5ec9607682a1b2898493084f73e21250e64aa445047e5a075d88c93309e41af24d5a114849014d0b57b238f8c5008eba568278700f3

  • C:\Windows\{31969637-6768-4d49-8F05-AFA506ACC880}.exe
    Filesize
    380KB
    MD5
    5424f1594f81897d89c2f6c44baed10d
    SHA1
    d87635add6aa9fafe1d34df2aac3a83f845b0343
    SHA256
    8f477dede05b732c49195e4893bdb32f5579eb0b64295df9579a33531cb54acb
    SHA512
    d41e61e8cbd75c8b99ed6db888bcadae8525cd270c3f48fca071bba7fb3ce1bb757aa98ab0f4c86139cf87410b70d7a359142d0abf2c010a9b8119495773dbc8

  • C:\Windows\{45BD9FAF-2A2D-494a-A602-529AD7F68D69}.exe
    Filesize
    380KB
    MD5
    d3004ee00d113c4d432c58c5e24314ef
    SHA1
    94756de3788561656e293591a49ec4d7ea3dd70f
    SHA256
    aec09f500d5ed435f6a707269c74b0615cd9f1a7b4ef82c4cfbc878736c79a3c
    SHA512
    020d5e7ae78a0c87ba381a8d096a15d781a933f61766392dd63161e6136d0f1566e3e540dd09828020e7f50e194d5a7f72ae1ca95f722e41304defbbcef094d3

  • C:\Windows\{4B71DE78-E456-497a-B7DC-4EDE826BBCF6}.exe
    Filesize
    380KB
    MD5
    0ff4bd1c7cb141a68c1c7b4b40cea049
    SHA1
    d9d6e98303b67424f643abd79ba2d064452dbbb9
    SHA256
    0baf1d448347bc10870ac60be3beb9250910c5a9a49dbd62c3673cf4274c36c1
    SHA512
    42cc17983d46f722bd2640fe7f1cff18658e823be6a29023fade2b47b88af70da2bcc2d73345cba97dcf839d986d0800093f4349af147aa36aee8b667abfaa31

  • C:\Windows\{505FE572-2CB7-4809-B9A4-238336B1189A}.exe
    Filesize
    380KB
    MD5
    6c0773e996a713d66ba846d6857dc2dd
    SHA1
    d224584a99f601e1e8a24233a98fd812e8a9af80
    SHA256
    08775c760c63d40521addffe9021a001b206448d28c795e35afb993fa394ee00
    SHA512
    11c8a4056ce699ad2507ff0000c2dc0ee2b0fd945313efbdf8472eb54cd8b5e232d90d8bc94f0df6d14ff41a6f367a5fe38fd5a5162da0e695160f0df1209783

  • C:\Windows\{746FB130-6065-4883-AB49-C07C9FCD2278}.exe
    Filesize
    380KB
    MD5
    e14de76e34ca00544ef7ed266cfa4de7
    SHA1
    4bcd0cede9b77934f72d942943f2f2944806b7f8
    SHA256
    0cab79ae07ba27ec5617ace7470f6e22a6d763a9d5d464df32cdae92b4bb33a9
    SHA512
    e1037db50589c9c729c189b97b9063008341ef4e88105b0703350961092a6bdedee65274a82552421e1f7014e15f54e632479886f5daa50009446e5316dc0188

  • C:\Windows\{75CD81D8-6261-452f-A5ED-DAD95599FAE0}.exe
    Filesize
    380KB
    MD5
    f8f3376f9feccb9cdbd01ad9cf815fb5
    SHA1
    c15b6e3c77df388a49d1073a13b8cbecbab68a57
    SHA256
    94d0e999434d2a15a5e78964920c95acd5116074b009e23ef4160b50b96ce772
    SHA512
    abd770f00aa87fec23a48a0df2e5e9d68cc586c60e4f80f41d12e296f0db6e2572c52f283497b5384ff620b3dd205fc418bf099de8b436affc2a1533aae4a6e3

  • C:\Windows\{8602491F-B75D-4a3f-984C-F0807537098F}.exe
    Filesize
    380KB
    MD5
    ca6bf83cd647c63402760cc75911c2e1
    SHA1
    03c846e74e3dda02d0680c57207825e8fbbb91d5
    SHA256
    df6f9fb4f90dd184cb71d2fda956eb00fcf7ef172ff83ada7ea3b3f1c0c6e66c
    SHA512
    1a32c9fbca89beca7bed1cf57ec78d2f1476ca1bb2f9b78f171c66e45526da8952e2db6cd37490b869ba21735716c245ec24de9b4e77df1355f9253cd3909522

  • C:\Windows\{A1BEB2A8-5244-4f3a-BD5A-93258638948C}.exe
    Filesize
    380KB
    MD5
    2de85eb6793a2f34ffcbdc7e228405db
    SHA1
    27283c276817e81fc95eb3101137af3331b2392b
    SHA256
    4f2b35d9350d7cb23e7c791e95b1eaf3eaac5fbdd58fa55386315e43b9afd540
    SHA512
    302f6822e94f2026a4fe07e8583c1d78e602d3cb3ecc91f4774a739f72baae23c1311bfea551a2b53ce1d0de8415b2c45e922ddb3d87793fe64ed6de54dff6f7

  • C:\Windows\{D59EE138-D7BF-4353-A41F-122628B33833}.exe
    Filesize
    380KB
    MD5
    9b566c164fbb41f9510053c41a0e594b
    SHA1
    3ea6f3aeac3483b468886feb581ed444e6fe9798
    SHA256
    cfc160e74be263f34bca3a7262f06fd62329186b280eecab08e7d3ec7de825c6
    SHA512
    a8e70849cc0455484e60e71d055da71fe13422654e8d59311d05396882898d27d9ebb1eb332bf8ce4c76f46346e7c2fef11448ba743fea6c8aa7d32d00a52c23

  • C:\Windows\{F0244D1D-6623-436a-B4EA-792A36025D0A}.exe
    Filesize
    380KB
    MD5
    781fc567b14f3ff68f883d1cc1d3229b
    SHA1
    d7dc0efab11731cf9bdf5277df3e718fa59ac505
    SHA256
    1f01c1cf3a0c448ffec524be1ae99cde98090fb1ec7d5384945145da643196c9
    SHA512
    d00828504385b214ad269786cfd12d80a9fe02f7476870839ea73afafe08889b67aa09d66b652390ad7d755a541ebb3c4890f932b79d301c2f001082eac8ac47