Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:53

General

  • Target

    2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe

  • Size

    197KB

  • MD5

    7301feddda6b25fa3a7b33330cbcf8a5

  • SHA1

    9b609736c4b860903ce25b43d2cc8558ce5e5dd3

  • SHA256

    a8177f1a02ae27411c3159ad5289da8b29017045f942d5311f915d3f4db22dd6

  • SHA512

    673df0ba7a4f69b842599a0d4f3bdb72c8984afec15c32ce5a02ed7c751838c6debc3b6b547793c310e09176a44144b4a0072fc956e85d6455a1a93941f53f30

  • SSDEEP

    3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG3lEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe
      C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
        C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe
          C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2520
          • C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
            C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2140
            • C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
              C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1212
              • C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
                C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1952
                • C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
                  C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1664
                  • C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
                    C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:804
                    • C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe
                      C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2784
                      • C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe
                        C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1200
                        • C:\Windows\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe
                          C:\Windows\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:580
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6ABFB~1.EXE > nul
                          12⤵
                          PID:572
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{007DD~1.EXE > nul
                          11⤵
                          PID:592
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4146C~1.EXE > nul
                          10⤵
                          PID:2380
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E018D~1.EXE > nul
                          9⤵
                          PID:316
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7961B~1.EXE > nul
                          8⤵
                          PID:692
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F90C7~1.EXE > nul
                          7⤵
                          PID:2008
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FB7C5~1.EXE > nul
                          6⤵
                          PID:2740
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0A25C~1.EXE > nul
                          5⤵
                          PID:1236
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{906F2~1.EXE > nul
                          4⤵
                          PID:1152
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{46278~1.EXE > nul
                          3⤵
                          PID:2632
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          PID:3044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{007DDBD6-9988-46e1-8AAA-B66F4433442E}.exe
    Filesize: 197KB
    MD5: a92d37bb2767f36006d3805b07d641fd
    SHA1: 687712868c531210174efc24e4f403f8c122132d
    SHA256: 3fa619535f34c28837e40db0fa653872974f8659c45c5e02654b104f6944a86c
    SHA512: be94cdde076b27f66441a4d08558cb4e010e46537c31427b0784e228c6b6a4eb03507e10ea92ed7f3134e9b5248db39be7efb6f9b4b407cb4eb9fe599d23faa3

  • C:\Windows\{0A25C888-D129-4792-9A56-53C11A3732C3}.exe
    Filesize: 197KB
    MD5: 297f6583a5fced8be664100c42bc2d67
    SHA1: bcc789cfc9b56fbf00056aa094afa8e21d7d5aeb
    SHA256: 3fbd275283109adad4941e19828b71b256e80c0c92a1993d91a21470f92cde44
    SHA512: 88912286bf5b64f792bb36399c57ba57bdea12a60c5322dc63c7e02a9249404a0bfa2289100fabdc7c68c0dde85f1e575fc30e9c85d25c6b646444deb6415bbe

  • C:\Windows\{4146CD63-A845-48bb-94E8-46F23B4C1B00}.exe
    Filesize: 197KB
    MD5: 982764a00e3260a199ccbe8cd32b58eb
    SHA1: b7784096af12f8cc9e7dfaa1ca5ab52fbea39533
    SHA256: 2a8035ec7a7f048da96ed2d3c88f2be9f6d9e4d206b7c107b9f88e7a76c46442
    SHA512: 71d736bc7e6e9b9bac3dcf854db59673540aeeda4d2090bc8b92dd10ebc1bea9bd6baddbb8eeda291d2078ad0d8a5e13c6db1689af0ca060937066a4a904677c

  • C:\Windows\{46278B0F-4043-47fb-A50E-1FCED2060369}.exe
    Filesize: 197KB
    MD5: 55aaaba87a62f2f3f6459960d8e1d1d4
    SHA1: e1907a9168fe31641f7291edbd38fc777c4ca95b
    SHA256: 2e32f27df0e0c74a759f9784752d0a3d084ab1805d9dd6353ef697af90d7af19
    SHA512: 5ad8bfe2894338cc884fc00457bfa02c34dea98a1c934f1b1097827cdd5d3fb25294aac3108622937c824c318cacf3f464e20748a5325d59f8ae20325eac1124

  • C:\Windows\{6ABFBEF5-4EF0-44c3-901F-19A3BE366DDC}.exe
    Filesize: 197KB
    MD5: 0169cf074fd10b5ac0fcad1dab8905f8
    SHA1: d24a0370986a4a09cd6be372dcf95f33db5814a6
    SHA256: 02ec44738f286c2c33e9a997f1c2beda95b1ab03ab7150d0abd59ffd43d86173
    SHA512: b778a67b170acaf3f8d03c990c28a921433421c5a7d90d89d1e9a2bfa08a561121ce8e086699bdfef315da457dcf5dae166a8c9bb05ea741da58c788cfa26264

  • C:\Windows\{7961BFF7-4303-47ba-B75A-A6A0F2B39CE4}.exe
    Filesize: 197KB
    MD5: ea8d4bf158e86f0fb50513540219db52
    SHA1: 55dadf6838ec51bd0589d20d703a3603843594df
    SHA256: a2c5aa845591326ec1d2faa677d0343c54c97afc8544eeca4a85c26b4e164007
    SHA512: c26da445bfaacc58e5783f36268910df6ce86d591395a6a06e7da94cb07b0539d9ab717236c4a4737a6e2e3b568387483e8dbf93a2175388f30d4674a47d56b5

  • C:\Windows\{906F201D-0C39-4d31-A74E-F84956A77A1D}.exe
    Filesize: 197KB
    MD5: def3018e209126e15b1c740077b487b9
    SHA1: d811aa7e484115f0b2babff355b11b52e58a2ad7
    SHA256: 533b506cec1b392724d8fc09dad4e3fb19b58022185c38b54f48123ee9c69b26
    SHA512: e13c5e75f47ae9d4220482a373b204457ca5b69b8d8891d3562f48beb179fd0c01fb3f2daf975548ea967d7ea207bcefce34a1191ffd1cda09eeae572aae9046

  • C:\Windows\{E018DAAC-59BA-4949-825E-FDD20F8D3471}.exe
    Filesize: 197KB
    MD5: bd5cabe38e079f5a82d333c0d9b7c4ba
    SHA1: 1bfb607e0c97fafdd8584481d7d8e1ceb51db9b5
    SHA256: adc4c05e5efd574d2880e636c612bc332b987a7aeb7091e16f408bcfeb46ed7c
    SHA512: 05640df943f7966153e74819d9c07bb479e3246d34b7685a956ef39bb8d8c26a9b737758d9f92e165626b1dc8c8c232819f740e0af7e7c8ab579d742c08fc112

  • C:\Windows\{E46322FF-AECA-4833-9C9A-59B270BF2CD9}.exe
    Filesize: 197KB
    MD5: afabff026ddc63bc812d505dc58ed98e
    SHA1: b52d6c0ac7645740536c7e4c958adfcbbe7d55d4
    SHA256: 3d6f3296fb632f6a44990e6fc98579ba039d93daa541cb3e72b43bb2642ee658
    SHA512: 83ef68c6b1a5c4f0a19a6a75c77194940a8dd6fb6e936a5a5baeb8dda3888aec315ed8d1861303179dc1e940af0198f81ee3255cd238fa49a9b52e3209304711

  • C:\Windows\{F90C77FB-8F73-426e-A96D-4CD2AABC4ACF}.exe
    Filesize: 197KB
    MD5: 94cc08fa8199f447355a32121a4dcbff
    SHA1: 95c7b2c2192ab2dab8ac86b651aa9d2219edc42b
    SHA256: 65f7ce1a48d3f44bc9c931c02c7d0dfccf7ff044b8baf4c6d98e4f62e416baaf
    SHA512: c27286938ec5b54946b82976d6ffc07343ceaa2c88339e48c6e29bfb22ab2a98112ae1b7b17b5a5b6db5f63b8d3d82648d018ba636012040f95d4858471bf6d7

  • C:\Windows\{FB7C568B-3ECD-446e-B7FB-F8CE9F37951E}.exe
    Filesize: 197KB
    MD5: a9550d59ed1abe686f4462fb89ac90c8
    SHA1: b5121504b2508612e16960c61d581fd6619b666b
    SHA256: 91736213f7d7b6fe7be8a9a0441ee881e2d1618e7786ef755aed589012474d3d
    SHA512: 98224248879f78c264fc07601969a8c63cd337e475098436929451ec9de2e2a347c03fed160ce779072892e88b44a49e6428badb7061c34560a9f23e421e94c0