Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:51

General

  • Target

    2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe

  • Size

    197KB

  • MD5

    50c172c6f6287f85183ca033525e3bd8

  • SHA1

    e864c4444e97779c074d08522cf8d39d351b9ea0

  • SHA256

    a165df81640d91fa0676d16d7c2e604afa1055dc5ae45dc6907bb79806be5bee

  • SHA512

    73d799742498a9bb2cea7af12c222fe7eaa214a5446e42212f7ede492a83094e25bf7084d2e449d651b1106cbb0dd9971d8843469c8e2440259ab1c649e9f765

  • SSDEEP

    3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGelEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe
      C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe
        C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe
          C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2448
          • C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe
            C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe
              C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2964
              • C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe
                C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1716
                • C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe
                  C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2168
                  • C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe
                    C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2772
                    • C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe
                      C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:868
                      • C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe
                        C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2068
                        • C:\Windows\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe
                          C:\Windows\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2732
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D9DCE~1.EXE > nul
                          12⤵
                            PID:2860
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB3B~1.EXE > nul
                          11⤵
                            PID:2408
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{53F56~1.EXE > nul
                          10⤵
                            PID:1292
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C62F2~1.EXE > nul
                          9⤵
                            PID:2708
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1E45B~1.EXE > nul
                          8⤵
                            PID:2672
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{09ACA~1.EXE > nul
                          7⤵
                            PID:1760
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AE6E4~1.EXE > nul
                          6⤵
                            PID:2968
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{40BB1~1.EXE > nul
                          5⤵
                            PID:2800
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2A0F9~1.EXE > nul
                          4⤵
                            PID:2720
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{59E6C~1.EXE > nul
                          3⤵
                            PID:2276
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2144

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{09ACA319-E429-4a76-A9D4-DBBF23A5FC06}.exe
    Filesize
    197KB
    MD5
    96cc21f0343d9c4f983d0d37a6256e2f
    SHA1
    6a6c24e969e4f5a1e807cdaa88efc145489e9993
    SHA256
    b0324fe3896d6baf88ed4546deb43970e70680968b7ff50509858fd4b4412f84
    SHA512
    530a12bd544d9f3195db75ce9f743a973e7d9de5853928f3b242a45caf1c858c545da6a70646505a00ab408b36f902865a65986d7c157c49607106e5b54da088

  • C:\Windows\{0AB3B16E-1D7C-4a3d-BFC7-C156B42B11C6}.exe
    Filesize
    197KB
    MD5
    2725a46010d284ed99c6e7b50549b804
    SHA1
    86f777348071a904fb7189a80dfe039e787e2147
    SHA256
    8fa5baefa4e5b79df73c1c0400dbbab10ff50427f6abfb455bb4feff878f5458
    SHA512
    085bb09a135e5615b9ff99e35c38f74135b039084b361e1f8ef68ab945bcb5543e34803710e297d9def7c884b0a8e7d2c2d0f2712a99112161b482c3f385f7e6

  • C:\Windows\{1E45B0C3-8C3E-4423-8D79-3669119EC76E}.exe
    Filesize
    197KB
    MD5
    627062d829ddb37a34b8818aa006c478
    SHA1
    451f2e47ae915c40a9cf6dbbff4136703b0fe2db
    SHA256
    c7da0bb704e161189f7f2369773557a9b815be4513eb5c3985d327f68eab1726
    SHA512
    7c1a40593fbe5414aada9204c878c22d9046a3e007adfa3c7d55cbeb3b35d019d336ef410c693944db611886fdfe5068b6c5418d900ee62896d4d4ae040a9415

  • C:\Windows\{2A0F94BD-1FE3-41a7-8328-8FFFA3BA77B0}.exe
    Filesize
    197KB
    MD5
    e9b4e42e9ffa52439529cb9736ded565
    SHA1
    d56f67306b06d4e8a5eb94718a921da8bd3901e1
    SHA256
    2bb97e956d9d3f366f0d7d6e034a6d03a0aa35ff9fd535d2fd74eff856139028
    SHA512
    dc357b5b4840ba1fd4fc0eb79c0b93b770980289340192501c8e6a453df5216737d7f1c97911e6e5896d2427402afa7b4051f22a7fa5c69806c00b9702524323

  • C:\Windows\{40BB1530-EA53-482e-B63E-594765E3390A}.exe
    Filesize
    197KB
    MD5
    230b1e0d572eca2cac4686e3ad668ede
    SHA1
    f75ff287e912990e17b50597d7aee10660669667
    SHA256
    fb87f438f5cab1d7df302820272bdf30fa83a0d46ef8c9deb6a1f357a5941771
    SHA512
    2d313b39db72020e9639e0aa403e3bee0040d4e6b874e1eba626a437fd0ce16a83f0dcfbac183e986a2e684747562c9ab70d4307f63bf2bf83e76c9d96d29913

  • C:\Windows\{53F569C1-F86A-4333-8D4A-2F40C686676F}.exe
    Filesize
    197KB
    MD5
    e5178df96b38d059e2ad26451ed0aa0f
    SHA1
    6decfdfb1ec0642cac8f7528e9a6efde253dad07
    SHA256
    55ecca47dbb34c581165d5a257823f6d2eda8c6ec9a542c22482ad6d2e79ced6
    SHA512
    e7da5fb0fe62525736aa68cfc07e29db84d75f8d715aafdc5197187ed0c57baf97c79ae02fe4a74d5ec4f45f64ecb0528ee8044fb1dbbd208eede2539007a046

  • C:\Windows\{59E6CBE0-9C82-4a3e-AB45-8BF0B9FED937}.exe
    Filesize
    197KB
    MD5
    ae47fd39e0f524895da97319b80587ac
    SHA1
    0033db7047bc88bdbbe8bc7af059dd084aa63de0
    SHA256
    0a66691c7b8244f9d10db0d448fed9f960b04dea2f91735358cca6f5e2319f1f
    SHA512
    217ced15ab0543b3f2bfa4b591df74ce9d686966cc04048833c221f86c647d95127198bb42e5234712f8c51a4f51cc794da7f7301792008760ca2052652ee736

  • C:\Windows\{817878BB-966C-4369-ABB2-4CCEC114C9C6}.exe
    Filesize
    197KB
    MD5
    b9fc9f60a3929548681fcacb721807f1
    SHA1
    4cddc683dd374594becbb58b91f77c18ab5aad8d
    SHA256
    df9e5ba9618b93fde82bbb7ebc917d61c44e62e85e4635f72bbf538e4bcda61a
    SHA512
    ec34d81426c5c66421c91a9abb66e4db9d185cad5ded86dd221ed89fd7265b48211ba0e6b0c9406a65de191db631b53954ce9f93470444e95a5f0c89020625a7

  • C:\Windows\{AE6E48FC-AE7C-4731-A316-20DE21DF2C91}.exe
    Filesize
    197KB
    MD5
    10318d868331c153afc3ad9ad75ce019
    SHA1
    0bd18dc0de878dd2c2042d383cb44deb09b4edf3
    SHA256
    262b6071d87b78168afa3623a91a53e86f6a1ee44b6b826d66273aa5ff56ac6b
    SHA512
    eeb38cd2851b3a3e134c282a65c5c0de7a79d75bafe2c3c6cba641abefe9fe55b4521d661618ae3048d8d7e84ac7972f85ec8ee98fe0009a2cef22c3c46a2d53

  • C:\Windows\{C62F2553-5BF4-4b31-9444-DDF82792DD7E}.exe
    Filesize
    197KB
    MD5
    4b7e0b0b7f4f5e45b1924e9221a96d9a
    SHA1
    226f37cd2b90834110a46e3b2450d7e0aa0a1a9b
    SHA256
    b7588cf0ec394bfe53eaa4dd360fedfd6490769d677d899a6057ddec549d46d7
    SHA512
    e6963164c1b52597046612e9be7503d25209292d167b718c8636ad6698dd0a361314c27e9b5808f62be87716d2d101d83d7533bc4cf808e63cef9198390050ea

  • C:\Windows\{D9DCEBAD-200A-49d2-8295-9AC2E41660D5}.exe
    Filesize
    197KB
    MD5
    19cf994a5beea939d499563c317e24fe
    SHA1
    10b596eff1ed0ea2517e8fc1be9f80c7951cdcff
    SHA256
    16efe45fff092ca786eaae1179bb11ae2ff7ca2336ee95d39d31d3ef997414ff
    SHA512
    45274bed8bf1cd74b95e69816444c84f3823b60c1770a79301e20afd67c1bd01d725faa886d0abc6ecd7e936513f30f5304b4594387b39d59b51dd0b387eabe6