Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/02/2024, 18:29

General

  • Target

    2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe

  • Size

    380KB

  • MD5

    72b5ec8cb5d376250ba151702695f3be

  • SHA1

    9e558c9f16989e1a00fd28c0b2f81b1fcdd24bbe

  • SHA256

    520d338b11bfbf340d06acb11adce78059ffbf3807b7b9de0ad240a7ecdf1c93

  • SHA512

    b567798375578adb3a89178447e59c64e401d73c18df28136ba9bfc25e02e27f1562a203a5086b8ae3fa3e4d027d462983ce42c7621eb8a9f5e817f8b4033351

  • SSDEEP

    3072:mEGh0oplPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-19_72b5ec8cb5d376250ba151702695f3be_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\{224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe
      C:\Windows\{224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\{0F35082D-9E16-4e07-8772-E96441572C47}.exe
        C:\Windows\{0F35082D-9E16-4e07-8772-E96441572C47}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\{11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe
          C:\Windows\{11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4528
          • C:\Windows\{F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe
            C:\Windows\{F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4184
            • C:\Windows\{34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe
              C:\Windows\{34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2268
              • C:\Windows\{81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe
                C:\Windows\{81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1364
                • C:\Windows\{528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe
                  C:\Windows\{528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4808
                  • C:\Windows\{DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe
                    C:\Windows\{DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2716
                    • C:\Windows\{4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe
                      C:\Windows\{4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4008
                      • C:\Windows\{17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe
                        C:\Windows\{17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:820
                        • C:\Windows\{3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe
                          C:\Windows\{3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:456
                          • C:\Windows\{BB8D0E7E-6FA1-439f-8EDA-031AADC7AFB5}.exe
                            C:\Windows\{BB8D0E7E-6FA1-439f-8EDA-031AADC7AFB5}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2084
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3C0EA~1.EXE > nul
                            13⤵
                            PID:3992
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{17851~1.EXE > nul
                          12⤵
                          PID:4756
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AA45~1.EXE > nul
                        11⤵
                        PID:2500
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{DE68A~1.EXE > nul
                      10⤵
                      PID:4868
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{528D5~1.EXE > nul
                    9⤵
                    PID:3972
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{81905~1.EXE > nul
                  8⤵
                  PID:3288
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{34470~1.EXE > nul
                7⤵
                PID:4032
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F0883~1.EXE > nul
              6⤵
              PID:4064
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{11F71~1.EXE > nul
            5⤵
            PID:4832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0F350~1.EXE > nul
          4⤵
          PID:2584
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{224A3~1.EXE > nul
        3⤵
        PID:3484
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0F35082D-9E16-4e07-8772-E96441572C47}.exe
    Filesize: 380KB
    MD5: 3558f84eaea99dc026fa5f4c6f538066
    SHA1: 700e1eac9eafe8b3292b2cdea948bc9758863fa4
    SHA256: e13ff50f6f3d397af48ad8c3919e6d7c5fccf77d875e72ce44698c8fa94df2ee
    SHA512: 92878db92a45c8b982502ec0318cc3d0ff6cfcb2af60cbed79aac74f1d24200192a71bfea0a5da5e97df931e7b1a844f5fabe372922930a57a726fd3e165fd61

  • C:\Windows\{11F71B3F-13B4-47c1-B701-750F29C5BB9D}.exe
    Filesize: 380KB
    MD5: f9a399f851a1ccfeb4a69e1b27d1a7b9
    SHA1: 9b9b8fb49809a2bbf4348abf5b3c8b46aeb4a54e
    SHA256: 3fe55b8cf9b28fe1c490860bc2e00fe35cc499727b1d9a5c19253e1874dbc9b8
    SHA512: 9ea4e9ad1c16dac5247b4e0ed061f03937f99e9649eff7dddfd524c094eb0057ce86fddc945c419a25baf23388ee4b8adfd7e0976ff550c2722e47377dead69b

  • C:\Windows\{17851244-D249-429f-9ED5-BA7FB3F58C9C}.exe
    Filesize: 380KB
    MD5: bd359737d5cf020551676be172c832ee
    SHA1: c2b28b7fd5854696c64fd45f04aa2bf3a0469708
    SHA256: b5119970b60597b1aa811fd2cdc841b94dbea859a47795a7be74cfd1339c6f46
    SHA512: 73755395fd5c74d78f2df776949b7d5f89c11972dea2a4628a4ca019b04a0a5b933b54ccaa3976f39b81a08012add3563667b6bc50f973971486a5c330e5ce2b

  • C:\Windows\{224A3FFC-855E-42c4-9FDC-F7D797E0CDD1}.exe
    Filesize: 380KB
    MD5: 51bae7b447c103e3b6d5d6fc026ef6d0
    SHA1: f590d5e912a9155eb6de9686987a9bd6e69e73c9
    SHA256: 9faa4ed3e976c874c85dc48e46092bf8850d13eac74a47b254367a05964e92d1
    SHA512: 7009d9ac2de7141cc138a19285cef3561fc695953fb8e5b3d2023ec0231c11663938969d28132c8783462f8bcfe21e390f2de309e8ec806bd02c81055211b115

  • C:\Windows\{34470C41-B55C-4e05-927E-7A37C1CA48DE}.exe
    Filesize: 380KB
    MD5: 0a9604bab8044f6ab9ce1e94dde88305
    SHA1: 3ce6b51d0617fe46e440d06fc4fb711debb2745e
    SHA256: cc241883b24594e9c5b3380aa25e98fb74c1ea8743188d70f2bc820351a9c078
    SHA512: 9cbac406f287d33685bf7c890a1ad5de9799702e990258e600f26f03b17a6a179745a278926ab1e66c720d9ef962ea01429face2726655bcb3932d3beca66379

  • C:\Windows\{3C0EA91D-2160-4093-BCFB-27B32D5E3A6F}.exe
    Filesize: 380KB
    MD5: aab8398fe819ae134561853977fab8b2
    SHA1: 3c724305350e6e545ccd9728fcca71f27f673f83
    SHA256: cc89069b6b6faa77cace2df44be846b440a65983355a5581cbbcf0e27aa50dbb
    SHA512: 887d0d6d7a3b5c382a3e45bfcabb22a9942e38056837ab726b750401f2c302ec9bb8f24756c89242c33bcabb35940e6df8ff37db379767ad4e4171996d16611d

  • C:\Windows\{4AA45C61-63D1-4286-B657-67203CB3ABDF}.exe
    Filesize: 380KB
    MD5: d3c6c441dcbc8ddd5beb33d299f771df
    SHA1: 4587a909283eeb82b9e3ccdd3b65ae557ce0c702
    SHA256: 8e5512c4891988abd8cfa9266e6bf6f89552aafd282e3c36c274eb24bb3946fc
    SHA512: 93829c74835f01c4d923ad5ab7b228ede3c3029a1523f156981f5780b369afb2b80ce66c087b47c40edfe735d1487f3db82c8a2e2399c7f3fc6be48ec53bbd65

  • C:\Windows\{528D5A00-4804-46b3-ADB2-8EA1B2341C38}.exe
    Filesize: 380KB
    MD5: bf81637ab72daaee8909aa91ad17ef67
    SHA1: eb65a15c7d5bd532a7a493ae5bcd5d5dcbe2c544
    SHA256: 2566b2462120420f447006b2517437588536e0eb3a76a839b3565ba54990e8b1
    SHA512: ca7005f045713d52eaa9d72e1427f484a5f0ae832073dd431096bf18d8f33b2e9fdfd471fe662ac6aa3c701c4bdd614d1da26b19dad042d82e1bee841c7b7433

  • C:\Windows\{81905B33-D031-42b4-BD3D-8ACE28B47E38}.exe
    Filesize: 380KB
    MD5: 834403435c8d66c52f92c03c099ea193
    SHA1: 19e4b9c8d02fe0ca01fc0f325a2a62e1b9fbcc5c
    SHA256: 7030ccf9b2cbe504085c00c3604665915e000a7747441a7ef32707041681f9d4
    SHA512: 993ee4fbb2c1bd2411670c9f5966e3f4ebe1556ff8129321aa1439f820ce22763a5485c7a776c938dd61c2c053ab6640e277086fdb9e61349a5161fa1253f6a2

  • C:\Windows\{BB8D0E7E-6FA1-439f-8EDA-031AADC7AFB5}.exe
    Filesize: 380KB
    MD5: a639491dfa7bc927e81363bd36e88db8
    SHA1: f862a1d5ff827aecb78f05bc024e9a2adf6ca972
    SHA256: 1329080a15393bc90257a438794307d459502644149c71c190992c70e0ffb26a
    SHA512: f8eff2c2c90c8cb2da5ffd903d3a32a59a1f323176f4bff2852302799f2e297384d27ff5ff821abc3809836277b1f0b192aa720c177a61c04ab28f86d7c8337e

  • C:\Windows\{DE68A89B-4186-4c58-A5BF-2E5E65A261F4}.exe
    Filesize: 380KB
    MD5: 19fc701d1700ed4aaae6ed44a4deb623
    SHA1: 97e00c141bc683bda1e0418e3618a68023a02997
    SHA256: b0f6ba3f75fb4616ba69bde7bca773a00ca34dbe6c218fa7ecda2c40d021e7df
    SHA512: e4951993561a717c8c8d5d7de2050e06a841934b0d556fd7a04ddd8315f30c1a78fb1532589dd7412936b14fba0a064825aee116cd049add39faca416d739238

  • C:\Windows\{F08837F0-F69A-4e61-82B1-AA63AEABD39C}.exe
    Filesize: 380KB
    MD5: da70c9d163329a2b0695b87a9fe92889
    SHA1: 703986ea48ba7084eb5f7057f21ddfc4bbf1258e
    SHA256: 8b2cc30a925f2ada9e500e012e181a2f52f4312aa3d8ef67d5b55c25b05afea1
    SHA512: c907fad6affc4856ff96467bb3d25f41b2439cfeb4884d90b3de133782a820145864b9f1d190c893db071155d8a4553965c3333ccd381781c673ec2ddf873cfd