Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:55

General

  • Target

    2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe

  • Size

    344KB

  • MD5

    808dd2fd506c4d92529be8ef0b673040

  • SHA1

    183ed54749759b2c0bd66ef19e1b7eeb5b87b8c7

  • SHA256

    572fa7e5bc407aa57cc5d75092843b5552b40ef7ce6cac2138d7c9ef69bd62ce

  • SHA512

    93daf1fbf909e3967c6c9171ee2abdd699bb5a1a5dd1f24deaa6b3c273fef7c0f8b353e225d997f9d3553199104a7cfd72e7e962126eace0084d8d146a304f4b

  • SSDEEP

    3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGelqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe
      C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe
        C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe
          C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2700
          • C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe
            C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2476
            • C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe
              C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2792
              • C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe
                C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2412
                • C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe
                  C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:628
                  • C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe
                    C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2764
                    • C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe
                      C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1984
                      • C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe
                        C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1300
                        • C:\Windows\{A859487E-8325-454c-8E3D-93E4909EE838}.exe
                          C:\Windows\{A859487E-8325-454c-8E3D-93E4909EE838}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:488
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6A267~1.EXE > nul
                          12⤵
                          PID:1484
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA4DC~1.EXE > nul
                        11⤵
                        PID:2868
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5DCA0~1.EXE > nul
                      10⤵
                      PID:2080
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A5FAB~1.EXE > nul
                    9⤵
                    PID:1620
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D626C~1.EXE > nul
                  8⤵
                  PID:2400
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7DFB3~1.EXE > nul
                7⤵
                PID:1812
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{7E16E~1.EXE > nul
              6⤵
              PID:2832
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{96FBD~1.EXE > nul
            5⤵
            PID:3000
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8BE55~1.EXE > nul
          4⤵
          PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E17C9~1.EXE > nul
        3⤵
        PID:2580
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{5DCA0619-A6B6-4cfe-88E4-919D3CDF50BA}.exe

    Filesize

    344KB

    MD5

    363e2e407bf57dd59447e1ae33b3a836

    SHA1

    deaa3cfdefe08d73f38a936c1b55637507eed925

    SHA256

    2c703ef60f94637b846ae8921aafb9208de07c91c8302fc6f7c57ec6a387e491

    SHA512

    df496568b31eb4ff0084eaac0684bfaa8eba604c2fb2d6ea280a63adf47f09637d3db4f3dddcf467646437ea2313369f55206763fa4be7f6b742e5e460a27bac

  • C:\Windows\{6A2673D7-CF52-43e4-9206-A0E4816020D2}.exe

    Filesize

    344KB

    MD5

    fe8e93d5d20f985fb5f16f80a49c243e

    SHA1

    5b8916d73e308173a0f6c1684a824874fca731de

    SHA256

    ba4cd8bc6f56701ce8c144d68a062e28bd3f643806b9c6b15f7fc4799741e3db

    SHA512

    929d391b491d43fbb0ffd3816196daeebc53ff7259edfda2ba1f606f20caae588ac030ed2318c53447ea9f1cabbbb4dda14a9cae07c175416fb02f8263dc2ad6

  • C:\Windows\{7DFB390D-AD6B-459a-8B16-B1C8BB9D8203}.exe

    Filesize

    344KB

    MD5

    7f16f2a0e573d4459b713b57af5f7b44

    SHA1

    df7ee56151ba777cc104e7f33b166c9d1a75155c

    SHA256

    7c2367a5393587117a004e53987bd66b4f203a7006230bfc8a791269a22e5af1

    SHA512

    c9ef1af09a47e01be2773bb841726b40b923833500c35bf2a5bd5fe801e0c690da975a8a4ceb6184580652bac11a6670ad41bad28e5ab27cd045f6638c7d035b

  • C:\Windows\{7E16E6D2-4914-4ff8-BEC6-752F8792FFA0}.exe

    Filesize

    344KB

    MD5

    6115c3580dbd03d74c8fc9f463163a79

    SHA1

    69fbf3eb591ab7ae9ab4b13b2bec69ab60b859c1

    SHA256

    7a71fc736efb3b6b02a4ba4f5763b08732d669b3b695d7e4f4996581be6009dc

    SHA512

    9ce28142af4f32e9748fe748cbe28e9d9de9adda001604140b7e10804d34d11fc6959fe64636c5c58cdc6ed3c278e3095557ed90ca29e210bb622b451de53b4a

  • C:\Windows\{8BE55C28-3045-4ce9-88CF-3E56AD957577}.exe

    Filesize

    344KB

    MD5

    6dc09cdcc1fa03cb3e0f6f254eb912d0

    SHA1

    f58d9e6df97b18801fb392a4ed5be5fb505b9d2d

    SHA256

    b5f6399ef9b28e31eab8b65889c1dda74a38d6869aca4b2540b589747aeda8e7

    SHA512

    a1973841d6d46655bc06cbe00d3270d48048dd12581164393a7ae66e826584c4cd681177f0eeb7f5d68db5300c76f8978ff4c9d7ac42ce4b9edbd96d99c50380

  • C:\Windows\{96FBDB4A-BB6F-4376-8958-F3A0A8309044}.exe

    Filesize

    344KB

    MD5

    cedd8fedfdfb9223d4d025e4c1fc7348

    SHA1

    8e87fafe5728c26fb920522760ff3ae011a18a02

    SHA256

    7e16afd2e326d12b1203de5b7e4119ec09e47bd2434022f5a542c61e9daa0386

    SHA512

    67b42c8bcb4318762fb43dcc427c9350866267836a3a3ee5037c779113d6c00df073bf33439094158dc5da7a809238ebaebdf31c1ef4fbf52dd934b7a42ad815

  • C:\Windows\{A5FABF7C-1C11-4d8a-930B-088E024C05C7}.exe

    Filesize

    344KB

    MD5

    1fe66a40bb5b7c04dd8436006fa699ef

    SHA1

    96ed928c25e0768abb4bd95980ca80fcfd1e69e1

    SHA256

    0b4c24d2cd1689bad939a3dd5c682b35ee365e3ec369e43e21f30ff83b6b0134

    SHA512

    5cc9a89b1f7ced1864af417229c87f766e714bcfe11069f75f5d6ef630d63fc7e167a51be1059722050ce1c1534c3bf249cf424517f2e8ea1b3b4329f093b2f1

  • C:\Windows\{A859487E-8325-454c-8E3D-93E4909EE838}.exe

    Filesize

    344KB

    MD5

    829c4e10ed1f24a033b7ba866f02e509

    SHA1

    742376d092681d37c59bab4155fafc5f8ee2a4b5

    SHA256

    20e9e34efd98d524041b19e72b064085942c621110f20ebedc16eb428fe1dc33

    SHA512

    d0fdf0c00e40aa21703af6d8d4f445b95c02a0137f5514b83caa51f25e99ad0555a9f04f5ab79221ed52f97e7893457dbc8b777a1845c77d08388c0b47ebbec5

  • C:\Windows\{CA4DC051-A22E-4d62-9599-D6B570F049ED}.exe

    Filesize

    344KB

    MD5

    39bcb74b065e99595b1d32fd84e851df

    SHA1

    f1cfceeb949fc8e3ac04a0afb69c06b2d2158840

    SHA256

    866d4fee8040b07440bad146a45e82547c2a563ec6f60306403a4f11d217c8c9

    SHA512

    77eccc3d75b0abf81c8f814639c5e69d930d2ca632c9fae49c902ea1231ee02a182822b8f22bfe0a76ba4270de4257ed9ca25b1b13f9902d6b7ce94f11a58f9b

  • C:\Windows\{D626C78A-83E7-4151-A7F7-F46927379BAA}.exe

    Filesize

    344KB

    MD5

    3ef9c932a68298aab1cbe01299a1a4fd

    SHA1

    ad6d195bcaf691b202cb0e49cdc179fe84de6033

    SHA256

    0e9ebf3b9822bca1ce2632b19db33b4fd413d80445c661d27dba6daca2c30c03

    SHA512

    ad70bc8152b16492d08663bef11d286362156e1400147018f62b917b58957f216427db21b46f360fa98b4b9dccb0b2944c0564b1bbf6856a79654306e6127fae

  • C:\Windows\{E17C9E3E-3466-43f5-A766-21779C09E6BB}.exe

    Filesize

    344KB

    MD5

    6df5ee1f39fc95475fa99ac9ab20d8e1

    SHA1

    0b6d285047a57279a62339a48f371f5caab846f0

    SHA256

    c504c8118632e1c318b14ff163a25d2c18fc67b851bc84530a166c624ff1c977

    SHA512

    8294759a20c2585ef4baf4d94fd68402e97bdd75c2ea910a7d1100d9225b9d72522446883b873be74de5828ef46ae659566a3c393a1b0cf97d6f8e7b8b93c6ee