Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-07-2024 13:02

General

  • Target

    2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe

  • Size

    192KB

  • MD5

    bbd2ad36aa1b9adf5f31332454266a77

  • SHA1

    cff894d7680556127fe6dbe464379cdeefeadff7

  • SHA256

    83eb37dbccf3f2c7998b6f691bc6f9b26c0e746ae2d67ad0378b20aae86e1db0

  • SHA512

    a9b982b2ab11a7089bb2ab7fc3ab0d06d506368796ad7da70d6e2bca54626188419ca5c90a865cac92e3bc121722af47be4e459dbd6b9fbe83d12d19b38ef671

  • SSDEEP

    1536:1EGh0orLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o/l1OPOe2MUVg3Ve+rXfMUa

Score
8/10

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-06_bbd2ad36aa1b9adf5f31332454266a77_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\{30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe
      C:\Windows\{30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\{9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe
        C:\Windows\{9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\{B7440503-E93F-42e3-803E-8DD8E80803F0}.exe
          C:\Windows\{B7440503-E93F-42e3-803E-8DD8E80803F0}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Windows\{2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe
            C:\Windows\{2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\{D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe
              C:\Windows\{D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2556
              • C:\Windows\{E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe
                C:\Windows\{E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2560
                • C:\Windows\{7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe
                  C:\Windows\{7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1400
                  • C:\Windows\{21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe
                    C:\Windows\{21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1948
                    • C:\Windows\{A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe
                      C:\Windows\{A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:832
                      • C:\Windows\{97E1E047-694B-4d06-B37C-32849774422A}.exe
                        C:\Windows\{97E1E047-694B-4d06-B37C-32849774422A}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2896
                        • C:\Windows\{5B2A8849-268D-422e-A151-5C700A80A12C}.exe
                          C:\Windows\{5B2A8849-268D-422e-A151-5C700A80A12C}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:300
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{97E1E~1.EXE > nul
                          12⤵
                          PID:1952
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A66A9~1.EXE > nul
                        11⤵
                        PID:3020
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{21A4D~1.EXE > nul
                      10⤵
                      PID:2036
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{7D546~1.EXE > nul
                    9⤵
                    PID:2236
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E9FE3~1.EXE > nul
                  8⤵
                  PID:2052
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D6E71~1.EXE > nul
                7⤵
                PID:3012
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB14~1.EXE > nul
              6⤵
              PID:1960
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B7440~1.EXE > nul
            5⤵
            PID:2764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9CAC9~1.EXE > nul
          4⤵
          PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30AD2~1.EXE > nul
        3⤵
        PID:544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2836

Downloads

  • C:\Windows\{21A4DDA0-ADB2-44d3-9B0C-D659C491C3FD}.exe
    Filesize: 192KB
    MD5: 5b21ba87f6582625127569e086b2c7bb
    SHA1: a543a892aa7b7301c976c2e2f718166d17207691
    SHA256: 6e1a79222b1b3d3be649f3eb8d6c3e1e1b298c23d280666c7c13daed14e6714b
    SHA512: 6e40f743802764722a86493b4c3c66229b1cafcb40a04b2a25ca13a4b2049e159732ff70364bf4092890689385bf5be8643fe1dc5dc52d5287883b7d13159158

  • C:\Windows\{2DB14747-CCBA-4f00-9594-55D9EF9325A5}.exe
    Filesize: 192KB
    MD5: 48659820d69a164f0ec1c194e6866cad
    SHA1: 844454fd7bfc72a740777b913025eee262b01219
    SHA256: 59f5f4591dc1e06772183d73b40134c30e431b7cce24495cac98effe910866a2
    SHA512: 65a022cf4c2d465b5fbf9714f427b02cbdf5bdcf8936517c58527e55d764879344925460ad85e05c4dcf522aacd25e44362c4fd45ffabe1d2e471faf01b1dfa8

  • C:\Windows\{30AD265F-E92D-42db-92D5-D3A61ADDC4C2}.exe
    Filesize: 192KB
    MD5: 2a337f6806382d1a1d741264cfd2b2b8
    SHA1: 4d01f822cc4fca72445d26f38364b66011ccb8a7
    SHA256: d48b0e5821c6eb3ebe48366e731fe4033fd33a896fbc5cbb670258378e863a47
    SHA512: 5dae009470b23855291aa4d50ba5bd65489c0deb9a1f5145d286b23335a3f86db633a5c053dff9ce98462eff43d7b9ad11fd7fbe1fccfc4f2143de4b790b86b6

  • C:\Windows\{5B2A8849-268D-422e-A151-5C700A80A12C}.exe
    Filesize: 192KB
    MD5: 92190948b3838598a96ce8e2bd5dcf0b
    SHA1: 66574fcb2ea6d84baf85d86ba23b743c4d568490
    SHA256: 85dab2d9c7db051754c55cbde8f97f841cd242a5bb05a542c87d1f2d6ea15a0a
    SHA512: ba5e6aaab3a0949c2bd66e966bfb6163ccfcd4762e6eba465743236a83e860721e76cfcf505d39fe351bae79cef0c28d0a6b256d9bc442504a2c42ed70cb06d0

  • C:\Windows\{7D546B70-8D7E-4e57-ABC5-E0BB4C698545}.exe
    Filesize: 192KB
    MD5: 736247567f906649edb52dab914d4d1b
    SHA1: ba0881ab39b43969bed1f30b3e29fd7e0ba85992
    SHA256: 4a6aaa16751f687e5d006239ea0f9f73084f117c2e72e569b2187f8ff0874bcf
    SHA512: 9c9e2ea0a02d19686538e2b48babce974115d2817c1b6c783c19754e68e2e2018348a912a9d14d65e315c9ad586668a70f96e64b40bb883674ca84b27c1b427a

  • C:\Windows\{97E1E047-694B-4d06-B37C-32849774422A}.exe
    Filesize: 192KB
    MD5: bacd2c06de73badf4cc7ae5fd8c29249
    SHA1: 7bf60b105d26636f150ccbfc794f6baabe5e5620
    SHA256: 7c06bb807e9d243b55d3e93f2e198b9f5249927468eb8577c23063c422b59132
    SHA512: e70981e728413d6d44b7e94e2b949f01785a342d7fb5e64bf04f57a456ccb192baf0003d2c5310d396672adc635249e760d496d05c5461cd59f8d7c1b0c98f0c

  • C:\Windows\{9CAC947D-9D0C-4769-BB93-084A732F0D3D}.exe
    Filesize: 192KB
    MD5: ee590592260638ca3a2eafc6224c5a4f
    SHA1: a349dd677eda52b1395db024f6b7ebe925bf4161
    SHA256: 16295746f7477c2bdd60de99cfa8b012ce852e889bb5092b07027609bded7369
    SHA512: 491b7b00aaee0c32c2ec449bfe65b9544abae855703d55e56b0209f3f429cd69b37160a1db4153a1490568bfd77b4e1733c21c1915269fc59eb405c88c412c44

  • C:\Windows\{A66A9645-A3BA-4709-B7E0-775806AAEFD2}.exe
    Filesize: 192KB
    MD5: 95cc0a79736dd3ab19a30c6a8d7b191d
    SHA1: be1d22f33c0ee5c236288a055b916ab72d77d382
    SHA256: 54ed3b2ae1ff31053e99503e1d104ceeb4a1cc12dc85ee62565be4b93e8d6bb7
    SHA512: 6dfbcd1086a4dfc95b11d1fd217dfe70a433f4ffbe7df588d94801e41dd24f8a31a291a251b75b606938e628dac35451c1fa4c2e9f50ba4e91ba30674fe97e79

  • C:\Windows\{B7440503-E93F-42e3-803E-8DD8E80803F0}.exe
    Filesize: 192KB
    MD5: 6499e08342fdf0146bfdfc4e540af249
    SHA1: 65a49b01c02c0b4027d21d61d04418fda0f02a43
    SHA256: 118fd50ee030a68b35055fc74ff3df792a483acad4a897d45ed5b54f0ea39bae
    SHA512: 0b97a4431ee78b518b55e05385347608258d0bf096b7b6146f5bb919afb10e88dde88fbca0528a958d4c41639e185b092fbe6a8a921b69ffec35f0b173fb83dc

  • C:\Windows\{D6E71D17-8CB9-48f7-BF05-4EF989B7ECE7}.exe
    Filesize: 192KB
    MD5: 02455616e73bfe7f5c27283aa26c39c6
    SHA1: aece9eac49a33bf4ef9e7600da43458b0f0af71d
    SHA256: ba323632cdabf116c750cdb714316379fb57f28e1a3a03ce101f01f2d087a4b7
    SHA512: 6d0987fc92ef20fc3ac3a0d618ea67cbbec795bd01ef1a299b08812b865cfca669dde706ef2ce24605812cf632c3d29ab31cb1004cc4be22a3055072ced5ac6a

  • C:\Windows\{E9FE3EF5-1E33-4428-B1C3-7A8F8ADA6D17}.exe
    Filesize: 192KB
    MD5: 9b3207a97a02f05a998978a257c51285
    SHA1: 813bcd09d1fd8c768e2dc0fa779c04f8ba4c3691
    SHA256: 929e2d7d7f1406508ffecf84fc2253f8ea772889dc276775aecb80da3a6b9577
    SHA512: c6056d3ff465d8d8fff00b49f50a6cc739b3d3f1f3ad1467ad584485aa852fff4b8bba7f9241d1af1686f489fe7858144d401fcc78713cea26896335186e8834