Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/02/2024, 05:43

General

  • Target

    2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe

  • Size

    408KB

  • MD5

    9c11706bf5946f6d22b7f731c75eb97c

  • SHA1

    1e76f30a91cdb725ad7e7773edbc875244265dc8

  • SHA256

    0f0a6713e66dd418ddeac4e53f14147de1016e44a14f5fa033b64393677be973

  • SHA512

    57fa26619233048937c2192241d2ecac8c869c6a6bdabaef906f7e35aec749a3f01c7dc0f6557209079b8db8e71c719d9b92aff3abe9a571ea64998333dca63d

  • SSDEEP

    3072:CEGh0oXl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG1ldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (12 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-19_9c11706bf5946f6d22b7f731c75eb97c_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Windows\{D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe
      C:\Windows\{D35B8E78-2D1F-4166-AC21-1D9D12CD673A}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\{1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe
        C:\Windows\{1ABDD71F-B9F1-4b47-8D7E-9683A223CDD1}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Windows\{19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe
          C:\Windows\{19E04AF6-7ACA-402c-BC21-8081C0174A89}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Windows\{75099AB3-9553-412e-BC3E-67D51D97A67E}.exe
            C:\Windows\{75099AB3-9553-412e-BC3E-67D51D97A67E}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1356
            • C:\Windows\{CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe
              C:\Windows\{CE1FD5E8-7355-4d2b-A83B-DF3C342DC6A1}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4452
              • C:\Windows\{470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe
                C:\Windows\{470CEB5D-3D96-4106-8EE6-CE54D1896884}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2928
                • C:\Windows\{7BADC034-F10F-4199-B170-13D39519DE73}.exe
                  C:\Windows\{7BADC034-F10F-4199-B170-13D39519DE73}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4532
                  • C:\Windows\{1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe
                    C:\Windows\{1FE4CE87-E6EC-4bcb-A4BD-5CBC44DD22DF}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4580
                    • C:\Windows\{A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe
                      C:\Windows\{A4F3F108-D9A5-48b4-93B1-0BAB03F5D9D9}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4616
                      • C:\Windows\{C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe
                        C:\Windows\{C0A01D1E-2706-4963-BCED-9A3658084BB3}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4456
                        • C:\Windows\{8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe
                          C:\Windows\{8DDAC04E-1C44-4a6b-86F2-C8C1362D9ED9}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1404
                          • C:\Windows\{0AEAFD4F-1830-4f53-B8FD-016E83DCA3AB}.exe
                            C:\Windows\{0AEAFD4F-1830-4f53-B8FD-016E83DCA3AB}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:900
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8DDAC~1.EXE > nul
                            13⤵
                            PID:876
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C0A01~1.EXE > nul
                          12⤵
                          PID:1328
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4F3F~1.EXE > nul
                        11⤵
                        PID:4404
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1FE4C~1.EXE > nul
                      10⤵
                      PID:4336
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{7BADC~1.EXE > nul
                    9⤵
                    PID:828
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{470CE~1.EXE > nul
                  8⤵
                  PID:4944
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CE1FD~1.EXE > nul
                7⤵
                PID:968
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{75099~1.EXE > nul
              6⤵
              PID:4544
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{19E04~1.EXE > nul
            5⤵
            PID:4340
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1ABDD~1.EXE > nul
          4⤵
          PID:3176
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D35B8~1.EXE > nul
        3⤵
        PID:1344
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:1168

Network

MITRE ATT&CK Enterprise v15

Downloads