Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:53

General

  • Target

    2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe

  • Size

    197KB

  • MD5

    75395c7cde9cd0b4183be94570719bdb

  • SHA1

    dde84cf6504ae75e56b7e939ceb0025d9670ee6a

  • SHA256

    7b46eff9608adc6d13237c8516edc6e511b2b2fa079a5df130f4cda58d71e46d

  • SHA512

    12d896269ddc038a6089207b88e872116a3dcd4b438b71c25fbd6d928478b7a7dd928e5423bdf4457171f66dca794c83f98eb260d31702787bba32a9aab44289

  • SSDEEP

    3072:jEGh0owl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG+lEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
      C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
        C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe
          C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
            C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2872
            • C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
              C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2968
              • C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
                C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2712
                • C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe
                  C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2532
                  • C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
                    C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2972
                    • C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe
                      C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2076
                      • C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe
                        C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2844
                        • C:\Windows\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe
                          C:\Windows\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:584
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{612EA~1.EXE > nul
                          12⤵
                          PID:2056
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFD63~1.EXE > nul
                        11⤵
                        PID:680
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{09D8E~1.EXE > nul
                      10⤵
                      PID:2316
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C3706~1.EXE > nul
                    9⤵
                    PID:1644
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F532E~1.EXE > nul
                  8⤵
                  PID:2684
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F1FA4~1.EXE > nul
                7⤵
                PID:1876
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{3A4CC~1.EXE > nul
              6⤵
              PID:892
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3940A~1.EXE > nul
            5⤵
            PID:2992
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{57C9D~1.EXE > nul
          4⤵
          PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FAFA~1.EXE > nul
        3⤵
        PID:2720
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:3064
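
The process tree above shows the sample's chain: each stage drops the next {GUID}.exe into C:\Windows, executes it, and then spawns cmd.exe /c del <8.3 short name> > nul to remove its own image. All eleven dropped stages are 197KB with distinct hashes, so blocking one hash does not stop the chain; the behaviour is the durable indicator. The detection logic below is an added example, not part of the sandbox report or the sample. The ProcEvent field names are assumed (they mirror the shape of a Sysmon Event ID 1 record), the sample events are constructed from the command lines and PIDs in the tree (the first stage's parent PID is made up, since the report does not show it), and the 8.3 short-name derivation assumes the ~1 suffix, i.e. no earlier collision in the directory.

```python
"""Detection logic for the drop-run-delete chain shown in the process tree.

Added example; not part of the sandbox report or the sample's code. The
ProcEvent field names (pid, ppid, image, command_line) are assumed and
mirror the shape of a Sysmon Event ID 1 record. SAMPLE_EVENTS are
constructed from the command lines and PIDs in the report's process tree;
the PPID of the first stage (1000) is made up, since the report omits it.
"""
import re
from dataclasses import dataclass

# A GUID-named executable dropped directly into C:\Windows.
GUID_EXE_RE = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# cmd.exe /c del <path> > nul  (output discarded, exactly as in the report).
DEL_RE = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # path of the executed image, as logged
    command_line: str   # command line, as logged


def short_name(path: str) -> str:
    """Approximate the 8.3 short name Windows generates for a long file name.

    Assumption: first 6 characters of the stem (spaces and dots dropped) in
    upper case, then '~1', then the first 3 characters of the extension.
    '~1' assumes no earlier name collision in that directory. The report's
    own del targets ({612EA~1.EXE, 2024-0~1.EXE) follow this rule.
    """
    base = path.rsplit("\\", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:
        stem, ext = base, ""
    stem = re.sub(r"[ .]", "", stem)
    short = stem[:6].upper() + "~1"
    return short + ("." + ext[:3].upper() if ext else "")


def detect(events):
    """Return (rule, pid, detail) tuples for the two halves of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if GUID_EXE_RE.match(e.image):
            findings.append(("guid_exe_in_windows_dir", e.pid, e.image))
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.command_line)
        parent = by_pid.get(e.ppid)
        if not m or parent is None:
            continue
        tdir, _, tname = m.group("target").rpartition("\\")
        pdir, _, pname = parent.image.rpartition("\\")
        same_dir = tdir.lower() == pdir.lower()
        # The deleted file is the parent's own image, named either in full
        # or by its 8.3 short name (the form this sample uses).
        same_file = (tname.lower() == pname.lower()
                     or tname.upper() == short_name(parent.image))
        if same_dir and same_file:
            findings.append(("self_delete_via_cmd", e.pid, parent.image))
    return findings


# Constructed from the report's process tree (PIDs and paths as shown there).
SAMPLE_EVENTS = [
    ProcEvent(2360, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe"'),
    ProcEvent(2952, 2360,
              r"C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe",
              r"C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe"),
    # Image is SysWOW64\cmd.exe although the command line says system32:
    # the 32-bit sample is subject to WOW64 file-system redirection.
    ProcEvent(3064, 2360, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(2720, 2952, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6FAFA~1.EXE > nul"),
    # Benign control (constructed): deleting an unrelated file is not flagged.
    ProcEvent(4000, 2360, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c del C:\Temp\old.log > nul"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Two details matter when turning this into a production rule. The del targets are 8.3 short names, so a rule that looks for the full GUID file name in the cmd.exe command line never fires; deriving the short name from the parent's image is what ties the deletion to the dropper. And the logged image is C:\Windows\SysWOW64\cmd.exe even though the command line names system32: the sample is 32-bit (arch:x86 in the resource tags) and WOW64 file-system redirection resolves the path, so match on the logged image path rather than on the command-line text.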

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{09D8E1D6-F2BC-4704-8253-2035EE6BDD36}.exe
    Filesize
    197KB
    MD5
    2049b5eabc46e1bf9541ae5d50fc3895
    SHA1
    90dcbedcf5218fd2de1d7065e7e41f1366e80df7
    SHA256
    161d4350e26559236ccba177d41bba4e2b0c39337e5e282de946abfa2b73830a
    SHA512
    fe4e16a4f30f6f158e6c6cde2da95b1517b7648f7087273bbf6b78884fe32d1461d9b9ff1e49eae69614dece40771496878d8392bcf39662025dfc12bc2f13c6

  • C:\Windows\{282A3572-3C1A-4ad6-8F2B-D6ACCB2C30EB}.exe
    Filesize
    197KB
    MD5
    5d2c8c630212023d639f02fe9d57f42b
    SHA1
    3aab85a4d7ac81f0774641c82bcf8d4973013a0f
    SHA256
    e757a3e4b4ee0164456159ffeb025fcaf0b2fa14bafc075b8085b0f6d5af86f0
    SHA512
    fd1d298db4a659f0dc65394bd6470c2157a16625aaa41204e50b49d01b93a13b9ec350b1a965265d578feea6c662195e7d90dfdb8bbaca9e5a8390e4a63422d1

  • C:\Windows\{3940AD8B-3871-46da-821E-AED7E3387F31}.exe
    Filesize
    197KB
    MD5
    c8f90ed15fb9ff45548cb79a338b39e8
    SHA1
    e64b54f963c848b20749264f81cc136e32f8e3d1
    SHA256
    9adbd799c6d3259895b133fdea8367b88a1c475f24ae483b1f7cfb1ff686f17a
    SHA512
    70ede053dc4a4ad90e95059d72a7c632246a76beba83c62c948fa6e72db5666f13a1b2c8764a517dff62ec1532ba2aa227a90d6bddb1c3784d146b4693ff673a

  • C:\Windows\{3A4CC82D-991C-4824-95FD-CB042EE6401C}.exe
    Filesize
    197KB
    MD5
    bcb675de50ccc3c3163e846e71b6daeb
    SHA1
    bafb371700dba520c0cf45c18200a9311fad30a2
    SHA256
    370d4e8a0693209aee46ed32c71b76b29b92881137a9211e176fe034ef12cfbd
    SHA512
    fca829365a7cda968fb1244371680265ff1d4b4bde2d4e01476b9b09e4097309484559110c3274825514f9c5dfd9729944d6f9bdf1caecfb3cae6b32deb7d75e

  • C:\Windows\{57C9D47B-F7D8-4c79-B310-54F1BA127229}.exe
    Filesize
    197KB
    MD5
    e81f9993b6d8ceb526bbe7ec320267a8
    SHA1
    cc46ac6581620b8966c52022a4b7ca952b8d3d7a
    SHA256
    4ad216e1c1cce7342d3bb0814f91497761eb5a3570e335dcb2aa65793d987b38
    SHA512
    f7525614e2ae886f0451b40ba6667d930cac7e89c57b4fb71e74fc7544fa3ab4bf50241da52a8164df908948c6541d7dd306c8c629206dc169cacd5390633c12

  • C:\Windows\{612EAB1D-7162-464e-93FE-F47211FEE417}.exe
    Filesize
    197KB
    MD5
    090fb6ead3aebcd35c5b44e25ebb6f8e
    SHA1
    539035af227c2e26529e49590f0f8081bdc5d36c
    SHA256
    4707c0bfb0201a7c56137b6cd4ed872b8872c25138a05c2b93ef435c8c708e91
    SHA512
    f7267a9fe1eb1e350f8aaf5c202a56f9a0b8a1aea571bddd8b448dc59ab50b5a2ce02acec060c2e885600e86927d7afddac6e4ae120bb55aefd738b16f9796ef

  • C:\Windows\{6FAFAA84-3C9E-451c-B6BB-2F54EB4F3737}.exe
    Filesize
    197KB
    MD5
    9cbe145adf259a903c43aa5e4de62130
    SHA1
    73de981ef28762bdc272113f84eb810f9c4d817b
    SHA256
    f485135556d2eeb8ecd92d584a1828e7c45fe84ba44e2d2f873ce022e328feca
    SHA512
    1d9f18590ecd3eb1a7443c0c1cd8c3a5ca012b356da85c70d28d6667187f81d9bc33b94a347389fddd198edc6af271c531f8fb144f8168ce63dd477585727445

  • C:\Windows\{AFD634D9-A45F-4f77-8B8C-4ADBDDD68F2C}.exe
    Filesize
    197KB
    MD5
    503ef30c2ce0b58f3102008d4dc5e35c
    SHA1
    c110e5f748dc55de89cc54ada8627eb5e9a02f04
    SHA256
    28b297473efbb138c042db3f917a70ef51819183f6dae78e129687ce83f4d43f
    SHA512
    312f119fec6fc4187034f16baf69f1a7cac457ccdd066649076a4568c8f6c48f7afebe5c770a35e64871eb55d71b5496deb59695201bca7d2bced3ecf4a82aaf

  • C:\Windows\{C370617C-4D18-485d-B498-B871BF4196A9}.exe
    Filesize
    197KB
    MD5
    534fcdd9fb02593b75c1a3c217da2a52
    SHA1
    f78c1c682a1b2d6e9e3647e5a48b427c439cb2da
    SHA256
    a0a2bab1634e4997431f02997729c588b063efd5d6702493f828dd446bb21f51
    SHA512
    bfc417819eb556766eb6c6471e931e4f11f2ee93fa42a4e7d981ed1d2914c197e7942e10e95abec3f99c4dc385da5e5393a2a67a4df67a25177be41665452056

  • C:\Windows\{F1FA42AD-D887-4dd6-9AF6-3470DCDDDA74}.exe
    Filesize
    197KB
    MD5
    07c9aa9cb076fdd3323de29e383d5e39
    SHA1
    8349429bd2280ecb9bc2afda4652db0b2891362d
    SHA256
    6c0960ad3ac185b10dad195ede7909d47a71f2df6ff12275d0c38806ddff9fd6
    SHA512
    5490216f7a296057f81a8e4332655723a2c8a0891dce6e0bcd6c3a3b1c409a58bb6370d59bf4182ce2a7db16e2dcec05adf4922d99b56f52a4310f36b3f8d81f

  • C:\Windows\{F532EFC3-E249-4d19-A088-F3BDADE22970}.exe
    Filesize
    197KB
    MD5
    5926a4972a6403200cd70c4703f9e25e
    SHA1
    abfead9d906c8fb1ac6c45413da34f35adf237e8
    SHA256
    9a6eda854a35556a79fd5531fcc4e784bd9fbd0daa2fc28f50de107c1eb237d9
    SHA512
    de160840538d9b3e85b936f5bc6ad666a151a61bd6a0146abe8bd91bafd5e3ee2884826da17e8c5c5850182b760d57318369918e77936c3f72567776bb28f449