Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-02-2024 15:28

General

  • Target

    2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe

  • Size

    216KB

  • MD5

    45886ed8872c2047266f3d095cda4b0a

  • SHA1

    ccfc7df17fbae56f4cab6fe43cd0e1c4d379062b

  • SHA256

    e9bd989f4393d3c34c997aea8d4beb783a97308953607125a4f557728fd9a134

  • SHA512

    ef458237f89ba08162f0c573d729f87fc8a667c883cd2c9cf8afb783ac1b4879576935a5a9191ab65a485f5d64aff34f64740c4ec9803b26720ba5734d6424b0

  • SSDEEP

    3072:jEGh0o7l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGVlEeKcAEcGy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 13 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-21_45886ed8872c2047266f3d095cda4b0a_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\{A5DD4EAE-C5D7-48b9-A140-9ED0FDD27318}.exe
      C:\Windows\{A5DD4EAE-C5D7-48b9-A140-9ED0FDD27318}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Windows\{D3350BF4-57C5-4726-A22F-46597343A5D9}.exe
        C:\Windows\{D3350BF4-57C5-4726-A22F-46597343A5D9}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:8
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D3350~1.EXE > nul
          4⤵
            PID:1140
          • C:\Windows\{933F20D3-0B31-4e5d-80F1-D7BB4792C66D}.exe
            C:\Windows\{933F20D3-0B31-4e5d-80F1-D7BB4792C66D}.exe
            4⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2516
            • C:\Windows\{DD626137-924A-4f04-8907-537D25588A79}.exe
              C:\Windows\{DD626137-924A-4f04-8907-537D25588A79}.exe
              5⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4720
              • C:\Windows\{3312ADC5-43AB-49d0-B11E-E0DA10BEBA84}.exe
                C:\Windows\{3312ADC5-43AB-49d0-B11E-E0DA10BEBA84}.exe
                6⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3408
                • C:\Windows\{4F0DEA36-29D2-48da-BF5D-6FD31F2A6AC7}.exe
                  C:\Windows\{4F0DEA36-29D2-48da-BF5D-6FD31F2A6AC7}.exe
                  7⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:444
                  • C:\Windows\{347D29BB-71C5-4e53-8140-2310B252A4A0}.exe
                    C:\Windows\{347D29BB-71C5-4e53-8140-2310B252A4A0}.exe
                    8⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5096
                    • C:\Windows\{9A55D2C0-8186-4490-A843-8A1811C8DA99}.exe
                      C:\Windows\{9A55D2C0-8186-4490-A843-8A1811C8DA99}.exe
                      9⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3168
                      • C:\Windows\{818BDB1F-0C8D-420d-9CEA-3A0BFA07FC2F}.exe
                        C:\Windows\{818BDB1F-0C8D-420d-9CEA-3A0BFA07FC2F}.exe
                        10⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1892
                        • C:\Windows\{6604739E-62F7-49a8-A8F1-E0C758B41B09}.exe
                          C:\Windows\{6604739E-62F7-49a8-A8F1-E0C758B41B09}.exe
                          11⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4380
                          • C:\Windows\{63258706-DB8D-4ca1-8226-18D4D6862C48}.exe
                            C:\Windows\{63258706-DB8D-4ca1-8226-18D4D6862C48}.exe
                            12⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:952
                            • C:\Windows\{F62BEEFF-A906-46ba-B024-6C9A2A9C0B56}.exe
                              C:\Windows\{F62BEEFF-A906-46ba-B024-6C9A2A9C0B56}.exe
                              13⤵
                              • Executes dropped EXE
                              PID:4060
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{63258~1.EXE > nul
                              13⤵
                                PID:552
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{66047~1.EXE > nul
                              12⤵
                                PID:4736
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{818BD~1.EXE > nul
                              11⤵
                                PID:4204
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{9A55D~1.EXE > nul
                              10⤵
                                PID:3680
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{347D2~1.EXE > nul
                              9⤵
                                PID:4064
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0DE~1.EXE > nul
                              8⤵
                                PID:3724
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{3312A~1.EXE > nul
                              7⤵
                                PID:4844
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{DD626~1.EXE > nul
                              6⤵
                                PID:1384
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{933F2~1.EXE > nul
                              5⤵
                                PID:4680
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A5DD4~1.EXE > nul
                            3⤵
                              PID:4280
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:5024

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Windows\{3312ADC5-43AB-49d0-B11E-E0DA10BEBA84}.exe

                            Filesize

                            98KB

                            MD5

                            0c662e9e89adf85daceb61eda7f9da1a

                            SHA1

                            b72c09fdf6ef8e59b0ee4413785823c5bcd1d265

                            SHA256

                            8fe057742ff942a1d196c5362e82249bbb92f660a0ecfe863bfd17b8f332db7b

                            SHA512

                            66893f46148888f9c05ab6877c66d2e327ff327819420efea1dbe1e337075553d59cdd1dd9924c301c333b90566a52c1e3905a7a221e36491153f2ccf287082b

                          • C:\Windows\{3312ADC5-43AB-49d0-B11E-E0DA10BEBA84}.exe

                            Filesize

                            216KB

                            MD5

                            380da408ec0c2c2c40de1728ef50f994

                            SHA1

                            20bb3e4a3d304bdd813e5e0261dc2d49b7f08671

                            SHA256

                            b4503a98a88a116001634e5c38dbb57bd2c6136a584d0b3559c1af4bab198e71

                            SHA512

                            51f3a22f16e49dc9a805039da63f2d35faa14a50d3b090cdcb0938d6d704d0b638f3b65b9eb5223270fdc2263706145e291d1188064320f7b27817e5dcb26d08

                          • C:\Windows\{347D29BB-71C5-4e53-8140-2310B252A4A0}.exe

                            Filesize

                            216KB

                            MD5

                            a0e7285900dce66bbb29efe3fda184a5

                            SHA1

                            46dc1840eac9fa2fa486346d603eaec7cad5e81a

                            SHA256

                            0803d1d7b44ff9f51907c8026cf3596c89e0a2b3432569a879c5d5efedc508f0

                            SHA512

                            ff848b9a2d4c366afc9f3ff90fa5f0a678f88594803e9d9f443599df7607960002a19c220da397cddb0624c1f6839768952da88e814c42d3e77ea77147603945

                          • C:\Windows\{4F0DEA36-29D2-48da-BF5D-6FD31F2A6AC7}.exe

                            Filesize

                            216KB

                            MD5

                            7b58538864267998d86c2a7e5ca7b3b8

                            SHA1

                            c4f86b9d9f6f5619ddd5b038e3956df8004f1710

                            SHA256

                            340257bc5efbf6eb19064170d183a547761b98636ddf9b1658a5915451df0842

                            SHA512

                            bb66defd516212951008346f4162ae9d6c47ca558e0d18fd343cdb55a49f45554e386134bd6e7c92498e559adc611afa2da48851f5375199226d57b64be545fe

                          • C:\Windows\{63258706-DB8D-4ca1-8226-18D4D6862C48}.exe

                            Filesize

                            216KB

                            MD5

                            5572fc2eb554756eec5aab4472e84baa

                            SHA1

                            a7c41b891e20a2933d02d4b37c736fef28136acb

                            SHA256

                            5055a62c9f2e2399c6b2e3ac6e278046be4b2299ad6697a4a949cae20e411d3c

                            SHA512

                            75cab04b2e03345042254507e128a53e4ebcd503f80ae4fa8b6adcd86ac66b6f43b87bc1b1edf28555aa30cc28c6b85acd5d2477f65584a3e8848362c2113c9d

                          • C:\Windows\{6604739E-62F7-49a8-A8F1-E0C758B41B09}.exe

                            Filesize

                            216KB

                            MD5

                            3cb4099d03b55c9d3daede0725b72c41

                            SHA1

                            47bcf9202e9a473dd0c7348a4fab08e6428342a1

                            SHA256

                            4d2c017d1956ac86e8abf33a10af8e95462eaf37330b0797373ad05be4c65d1a

                            SHA512

                            533201d2c530347495ec916a0c1d544f9ec0ec8316d8ab66033d7aee82897fba2b1a9cd813b9d66ae3a6d3450cd6b0827e6016a24849d1c9cdda4ad798d2b4b8

                          • C:\Windows\{818BDB1F-0C8D-420d-9CEA-3A0BFA07FC2F}.exe

                            Filesize

                            216KB

                            MD5

                            3de4ed1df1b03dab9a8199383a9ad51f

                            SHA1

                            3c1f185195de79dcf5ccf7f295b9b7078f90dfa7

                            SHA256

                            169d311d4ece76a879566020592adfbea94378cc5b4a5dbbd681f613542d9a40

                            SHA512

                            baf4481aece0bb6685e688c55b9296d4083ed1d63e6efa41647513fc63f3387efa82a5e69a6f5dd5af1446e1210ac3234876486cccd438dbd45cff5a138699de

                          • C:\Windows\{933F20D3-0B31-4e5d-80F1-D7BB4792C66D}.exe

                            Filesize

                            216KB

                            MD5

                            b0c50d3a332914dc599194b952121801

                            SHA1

                            7875e786ec150fd358536451d7af91ff98843e5b

                            SHA256

                            fd273ea58046705e66e7239507b00f742108f0627f4993d892d1439ce18a37bc

                            SHA512

                            3288480841bb0535bb2407734daa92c579f349cb76e2e99b02686dbbbed73d749165a5b6f1408183d876f723ed8a9e5420b5637bf8d16936e3d69c3741f7c0bb

                          • C:\Windows\{9A55D2C0-8186-4490-A843-8A1811C8DA99}.exe

                            Filesize

                            216KB

                            MD5

                            f3e0565c5cbfeff021849f595236083d

                            SHA1

                            f9222a9600f13c0beb4381104853e7b5fe8930e7

                            SHA256

                            60c2a9a624666f8782235f6e22e8c00dabc54043c3da6ab387a5a0ce38d75451

                            SHA512

                            4cde079b249439f7f37e2b544d110cde1bde4849b17f7623fdadbe6b556a6e199a1e7ef9b1c06522622fbf62c43c6b55f946e55032d57d968c8b7c86dbc46511

                          • C:\Windows\{A5DD4EAE-C5D7-48b9-A140-9ED0FDD27318}.exe

                            Filesize

                            216KB

                            MD5

                            5717f639bb5de4be8f5f1be68ed914c6

                            SHA1

                            3e66dbecd177b2ea5f247b2586fa62b09005e2e1

                            SHA256

                            9d9b1c79295b7d87cb8434dac3e733bf12c5c70f9f0878ec280bcb87311b177c

                            SHA512

                            0846886aade6a83af1ee817120aefebf5d8872283cfa12b0eea653c36f4e490589ccc4538cf7b885b743ac3294967a279a784ea038eb6bc5dbd185ada58b5acd

                          • C:\Windows\{D3350BF4-57C5-4726-A22F-46597343A5D9}.exe

                            Filesize

                            216KB

                            MD5

                            766375126c28c3483019caea9716bede

                            SHA1

                            4f35d0a7a862b5d4e0d07087114168a2aafa7424

                            SHA256

                            913f0c754e8b315502e8eb492344b338d92e4f1d96fabf7d5161add61113cb18

                            SHA512

                            6713568b46b0dcae4d8d7eafff15581fd263dd942349fb4cc285f43e17ce861511973abb1043f76ff3db19e7c8110e7eeb0927780ad9962fc2ccc6c09edbacb3

                          • C:\Windows\{DD626137-924A-4f04-8907-537D25588A79}.exe

                            Filesize

                            216KB

                            MD5

                            3aea3944a5763b1393c3e4e4b8253b92

                            SHA1

                            afebc8b0ae99e74bd9e1dc4809f5c65e20b3a3d0

                            SHA256

                            07bbc6d3649cd6c5332edc6e2be81cbdd1a978a16a4b0c7a5ea75f320a702eb6

                            SHA512

                            a3699c713709c7d78a7e83e7c8af910c008b7b63ddf4d59abbf77dfefd9257dc3ca7b9ac9bdefcfc27ed9903f77999e65d3374a65661fc7c409008dad321677f

                          • C:\Windows\{F62BEEFF-A906-46ba-B024-6C9A2A9C0B56}.exe

                            Filesize

                            216KB

                            MD5

                            92a40fe1a8e852ada69a804b0cf2dce6

                            SHA1

                            097b416a7669617a4c5ac89968c22d24f637080a

                            SHA256

                            d565f7a52c5e154a375fa629c0b67f8c18f9b7e25595918f86bbeab21761a235

                            SHA512

                            a89d648c4ed04a88600d88e018c9514d5d50e2faeb483be10ddfd722e4e8c1f013f5158310ecc1db83b2cfb907e27ea69d35ab98d3c33e9b6b0778439d758cdf