Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    13-06-2024 02:51

General

  • Target

    2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe

  • Size

    380KB

  • MD5

    639e527998e0506714a7a8d6506c11da

  • SHA1

    a776bb9887b916beb52ee968de4d82b1dd300acf

  • SHA256

    b56cff8022659e2c0d5276ca259b67efe56c4e36c126c83ab95a739d30f62bde

  • SHA512

    aada1a38ed5946e066fe98ac664c9e4f73e9a1a9dee4eb70075e729d667fa1db13b0451f31559103746e98457789a31e12ab686f0756321945bf541509823296

  • SSDEEP

    3072:mEGh0oqlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGYl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe
      C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe
        C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe
          C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe
            C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2524
            • C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe
              C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1640
              • C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe
                C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1972
                • C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe
                  C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2776
                  • C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe
                    C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1456
                    • C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe
                      C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3028
                      • C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe
                        C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1864
                        • C:\Windows\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe
                          C:\Windows\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1480
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7B542~1.EXE > nul
                          12⤵
                            PID:572
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D5247~1.EXE > nul
                          11⤵
                            PID:600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CFC11~1.EXE > nul
                          10⤵
                            PID:1124
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3419F~1.EXE > nul
                          9⤵
                            PID:1524
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AA2~1.EXE > nul
                          8⤵
                            PID:2864
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{325CC~1.EXE > nul
                          7⤵
                            PID:2852
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{212F9~1.EXE > nul
                          6⤵
                            PID:2980
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{576A5~1.EXE > nul
                          5⤵
                            PID:2824
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{79117~1.EXE > nul
                          4⤵
                            PID:2568
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2131A~1.EXE > nul
                          3⤵
                            PID:2676
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                            PID:2532

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Windows\{212F9DD0-147E-4dfb-A8DD-16FDACEC6C35}.exe

                          Filesize

                          380KB

                          MD5

                          cdcf4a9899de7f419883a4fa3d87555a

                          SHA1

                          6f82748980e6156b8d5f81baf987e8e0e8e7d00d

                          SHA256

                          4131bcac41f0abb4e7ead8f7c7fc6815cf80ac1e67bef9ca5d0e9d91ed18b039

                          SHA512

                          75f303cb114b8bf8995b25d6ba39c1e5b9abce6857fc169c3c2f62894215c844743284c700132beaba93236916af729a95312c3239eb5d47973ecb957db98aa2

                        • C:\Windows\{2131AF11-F503-4ea8-B826-FA8749AB2C04}.exe

                          Filesize

                          380KB

                          MD5

                          3b0f16b7ee98bb39adf4c79593bcdf01

                          SHA1

                          d9d8bf1a09ef3867a963ca316c37057352b47fc8

                          SHA256

                          b3579700061f2490a81940e33c82e8fc90e7a6bdf4867ff47d0c94a423d1ed83

                          SHA512

                          4cf4df2ff971ff382a28565fe53204d8965ebf4f90693a921328f7146d3e03010757bac9429476144532a149304f12d42527d930927c39a21817a1ab209390ae

                        • C:\Windows\{325CCD52-CE02-4d7f-9E8A-AE83CAF4264E}.exe

                          Filesize

                          380KB

                          MD5

                          0ba0fea44e9564ecbb32913168d27cd1

                          SHA1

                          b50edf77f66086a1be835387de1243807109cd43

                          SHA256

                          7306856e579436eb1f99d9c8d5d45fab3fb72af6a5d51c194627f3c2a76ee1ce

                          SHA512

                          9b1405f3e475bae7223834698890aa38b4e240947573f5d2a5aba3b9e6f4e93d074b8889b3345ee3ac9bdc8ec1bde0dfce18c55beb89f9d3bd1090e22a862ad3

                        • C:\Windows\{3419F1B3-CC30-4e64-B70D-E80C33440473}.exe

                          Filesize

                          380KB

                          MD5

                          eb64eeb8b6a8fa6d9d841f35abc20ab5

                          SHA1

                          58d8ac7e0daca663f0e246f1243e97f4a0e79ed2

                          SHA256

                          c5ee4ca50c524bc7bc210ec8171b5dca6e9a57661fc974b81f1a4a7410cb090b

                          SHA512

                          edddd6dbd1c9cd1eb21cb26dd0dea5b6a2d21365ce48467f3c362a7216b427aef40366f4c0815157f3a8ef27fe4a563fdd67e397b4f4867de0cfb4d0ecc071f6

                        • C:\Windows\{47F582D4-40A1-4d9c-9457-AC6CA2BFEB48}.exe

                          Filesize

                          380KB

                          MD5

                          5293d10255d9ebbe70d024ed5119f056

                          SHA1

                          ab326680b318490078d04770f350cb1c48057fb1

                          SHA256

                          540171e2fd5ed41f8269f1712cb177134d1503219a85625faf032a1536f98723

                          SHA512

                          1119b1d737a9270bad6e0081d85828e5a0670c314a8c0ba75896147313a32ddce23a5785e507993856db1dc9977d5e2f936a888c8ec503c49786da4f7c6372f2

                        • C:\Windows\{576A5771-6210-44b6-B079-D768B4AB4CE4}.exe

                          Filesize

                          380KB

                          MD5

                          4c4a8e9a89d98a8897b1e8abd1cc02e8

                          SHA1

                          6f918b4c22ee28922b9148e2b61847f42df67224

                          SHA256

                          c95e8f32677b035b4ae9b9ab0f82f9ca73f0b2b79a72b4109eced764b5997a77

                          SHA512

                          5be71d6bbea799cf73cea5eed11fc6b37059e007efdeb60b8e6ed653ca6e0379040876f74f333b29d3e1e6f4b3ebbf3c4460e508c055ba6db4c65458dd90de85

                        • C:\Windows\{79117DC1-9642-4a00-832B-D1587459CDD1}.exe

                          Filesize

                          380KB

                          MD5

                          56644f319786488189b73b544fa7805d

                          SHA1

                          2bbb567d41ee7463c32f6d333c59e1bd2889171d

                          SHA256

                          2da8de27ed7823035c5945d6598a24548867238ed355421478013c44abd7869a

                          SHA512

                          dd0c0c5ade8446736000d8500f39a4be9c2598d9a712612076ce46a8861cd521dd7ad489b70a64f8b2631abc44be7549f90289b1498bb8e98b157e8dee557999

                        • C:\Windows\{7B542881-E784-4a99-8D39-81CDE9CEC4DB}.exe

                          Filesize

                          380KB

                          MD5

                          1e00a5858a522c9c61528ff2a20a14dc

                          SHA1

                          cb4ce876a4b2e77e85402fc5bae58011d59db1bc

                          SHA256

                          e70b28a4622b5d2539be1d5bbc47818541d132fd7c22ef8bc8b044263b018ed1

                          SHA512

                          258ea6d354ec5ce04bbad8481d348df0bd8181af3292d72ff8b8405ac7258ea9622701ca626648a6806868a8caafd21525b9057b5175e11f405cf884f0a7e43d

                        • C:\Windows\{C8AA2AE6-C465-4e58-8D10-2B66A0EE5377}.exe

                          Filesize

                          380KB

                          MD5

                          5867335e22dad6dabd8e261a3baaff01

                          SHA1

                          9bbaff3ef22e4a8b4095a7c19b48d09fa997ed03

                          SHA256

                          79fcfc173b8c67e84107698263a767ef8fe4256c56526277f2afd83b9c1c2cbb

                          SHA512

                          554b1a8d49189a69d9de53e756292a77525560120cf6b21f7a274a3ae5124465300bf9e1eebb25192663d9db246e95bdc6c2874eca85ab5c901755d5d9128524

                        • C:\Windows\{CFC11523-3EEF-46c0-A70B-8D9519AA4485}.exe

                          Filesize

                          380KB

                          MD5

                          6834b97291a2a692cedadb1601fd061d

                          SHA1

                          bc2944f43d314dd53fe9f5a5a98c06893ee9c5dd

                          SHA256

                          b1edf6109e48c695fc14f2bdddd554ba80245f55c7021b1e99c53d2d5d3f35a3

                          SHA512

                          9efeba34cd98f3b9668db92f9a3f3bc1ed345072885433d3e242c724957519819dde6f8467beaff37f5a74437b6c9b13842ed1dd5839d57303d1383f95931714

                        • C:\Windows\{D5247CA5-769E-43de-8DE4-254F44BDDA6A}.exe

                          Filesize

                          380KB

                          MD5

                          ff4d00d457c97f974dfba93749f164ee

                          SHA1

                          abd4f9bba1e88bafd3cd2e5ba92af6a94a96861c

                          SHA256

                          1e142d75f96d4940ca34621f2eddee5f90d27663a9eabf31bf28aee11cce213d

                          SHA512

                          0725fbdab7c3d90b872d05195cefacf542c3fd0d405e3d8cf127c71d9ad4270d3458002c28d9c091bddb24af528bcea8d341f4e3641eaf42c9d0faf4718535f7