Analysis

  • max time kernel
    149s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-02-2024 01:36

General

  • Target

    2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe

  • Size

    197KB

  • MD5

    5b7a334f254fb584e0ce8faa81c233bf

  • SHA1

    2beeb5d3bd037985313a4171e59377a642ac6463

  • SHA256

    42e08e90c2816f29ee731cd5acf3fb826aef24ae66a890ed20059567e830229d

  • SHA512

    d10ce77cbf21a8050266d257a5998acda5336bcaa060f1fbeae067ff7b9b5d8a816f62d7cb94934e8f270a310fa65a1d0cca0c96331fc07d0738661b4a6dbc73

  • SSDEEP

    3072:jEGh0o9l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGXlEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\{69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe
      C:\Windows\{69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4364
      • C:\Windows\{6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe
        C:\Windows\{6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:724
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6262B~1.EXE > nul
          4⤵
            PID:316
          • C:\Windows\{9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe
            C:\Windows\{9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe
            4⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1444
            • C:\Windows\{36295453-43CC-46c8-AEAF-513709D030DE}.exe
              C:\Windows\{36295453-43CC-46c8-AEAF-513709D030DE}.exe
              5⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2964
              • C:\Windows\{38AFB09C-6FB9-44a9-970B-803761272B27}.exe
                C:\Windows\{38AFB09C-6FB9-44a9-970B-803761272B27}.exe
                6⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2780
                • C:\Windows\{CE55F913-449A-4955-88EE-A33BB746F923}.exe
                  C:\Windows\{CE55F913-449A-4955-88EE-A33BB746F923}.exe
                  7⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4716
                  • C:\Windows\{4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe
                    C:\Windows\{4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe
                    8⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1152
                    • C:\Windows\{5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe
                      C:\Windows\{5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe
                      9⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3388
                      • C:\Windows\{852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe
                        C:\Windows\{852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe
                        10⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5040
                        • C:\Windows\{19035EF6-5F68-4d78-A471-356791591846}.exe
                          C:\Windows\{19035EF6-5F68-4d78-A471-356791591846}.exe
                          11⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2336
                          • C:\Windows\{AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe
                            C:\Windows\{AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe
                            12⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2748
                            • C:\Windows\{B74CED50-ABFD-494e-9282-784D0A061099}.exe
                              C:\Windows\{B74CED50-ABFD-494e-9282-784D0A061099}.exe
                              13⤵
                              • Executes dropped EXE
                              PID:1408
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC17~1.EXE > nul
                            13⤵
                              PID:908
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{19035~1.EXE > nul
                          12⤵
                            PID:2824
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{852A8~1.EXE > nul
                        11⤵
                          PID:2892
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5BAED~1.EXE > nul
                      10⤵
                        PID:4880
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4F3AF~1.EXE > nul
                    9⤵
                      PID:4304
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{CE55F~1.EXE > nul
                  8⤵
                    PID:4972
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{38AFB~1.EXE > nul
                7⤵
                  PID:1068
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{36295~1.EXE > nul
              6⤵
                PID:4392
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9FFC1~1.EXE > nul
            5⤵
              PID:2416
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69EEB~1.EXE > nul
        3⤵
          PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
        PID:4988
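The tree above is the whole story of this sample's on-host behaviour, and it is the pattern a responder should key on rather than any single hash: every stage drops a 197KB copy of itself as a GUID-named executable directly in C:\Windows, executes it, and then spawns cmd.exe /c del against its own image, addressing the file by its 8.3 short name ({6262B~1.EXE) with output redirected to nul. The cmd image is logged as C:\Windows\SysWOW64\cmd.exe while the command line names system32, which is WOW64 file-system redirection and tells you the calling stage is a 32-bit process. The final stage, C:\Windows\{B74CED50-ABFD-494e-9282-784D0A061099}.exe, spawned no del before the run ended, so it is the one copy likely to remain on disk. Because all twelve dropped files share the 197KB size of the original but carry different hashes (see Downloads), hash-based IOCs from one run will not match the next, whereas the process pattern will.

The Python below is an added example, not part of the sandbox report or of any vendor's tooling. It rebuilds the drop chain from generic process-creation events (PID, parent PID, image, command line), flags GUID-named images in the Windows root and cmd children that delete their own parent, and reports which stage was never cleaned up. The events are constructed from the tree above; the parent PID 0 given to the first process is an assumption, and the flat event shape is a generic one rather than any particular EDR schema.

```python
"""Added example (not part of the sandbox report): rebuild the drop-and-self-delete
chain from process-creation events constructed from the tree above."""
import re
from dataclasses import dataclass
from typing import Optional

# {GUID}.exe sitting directly in the Windows directory
GUID_EXE_RE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# "cmd.exe /c del <8.3 name> > nul"; group 1 = the long-name prefix before "~1.EXE"
SELF_DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+?)~\d+\.exe\s*>\s*nul", re.I)
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"   # image path as logged in the report
WIN = r"C:\Windows"

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

def is_guid_exe(image: str) -> bool:
    return GUID_EXE_RE.match(image) is not None

def short_name_prefix(cmdline: str) -> Optional[str]:
    """Long-name prefix of the 8.3 target in 'del X~1.EXE > nul', else None."""
    m = SELF_DEL_RE.search(cmdline)
    return m.group(1) if m else None

def deletes_own_parent(ev: ProcEvent, by_pid: dict) -> bool:
    """cmd child whose 'del' target is its parent's own image. An 8.3 name keeps
    the first six characters of the long name, so a prefix comparison suffices."""
    prefix, parent = short_name_prefix(ev.cmdline), by_pid.get(ev.ppid)
    return (prefix is not None and parent is not None
            and parent.image.lower().startswith(prefix.lower()))

def wow64_redirected(ev: ProcEvent) -> bool:
    """Image under SysWOW64 but command line says system32: the parent is 32-bit
    and cmd.exe was resolved through WOW64 file-system redirection."""
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()

def drop_chain(events: list) -> list:
    """Follow the GUID-exe child from the outermost process down to the last stage."""
    by_pid = {e.pid: e for e in events}
    children: dict = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    roots = [e for e in events if e.ppid not in by_pid]
    chain, cur = [], (roots[0] if roots else None)
    while cur is not None:
        chain.append(cur)
        nxt = [c for c in children.get(cur.pid, []) if is_guid_exe(c.image)]
        cur = nxt[0] if nxt else None
    return chain

def analyse(events: list) -> dict:
    by_pid = {e.pid: e for e in events}
    chain = drop_chain(events)
    self_deleted = {e.ppid for e in events if deletes_own_parent(e, by_pid)}
    return {
        "stages": len(chain),
        "dropped_guid_exes": [e.image for e in chain if is_guid_exe(e.image)],
        "self_deleted_stages": len(self_deleted),
        "still_on_disk": [e.image for e in chain if e.pid not in self_deleted],
        "wow64_cmd_children": sum(1 for e in events if wow64_redirected(e)),
    }

# --- constructed input, copied from the process tree in the report --------------
GUIDS = [
    "69EEBEBC-F81D-4ab9-849F-495F8D1C5770", "6262BA7C-96DE-4bd1-8B74-0897F49E71E9",
    "9FFC12FB-6B84-4fa4-98E4-73F1F0669675", "36295453-43CC-46c8-AEAF-513709D030DE",
    "38AFB09C-6FB9-44a9-970B-803761272B27", "CE55F913-449A-4955-88EE-A33BB746F923",
    "4F3AF152-5A8B-4e59-80B3-7DCA8370E30A", "5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB",
    "852A8DEE-5243-4c9a-AA4F-584A4080ABC8", "19035EF6-5F68-4d78-A471-356791591846",
    "AEC17550-B42B-4dcb-97B6-F2E103618EA7", "B74CED50-ABFD-494e-9282-784D0A061099",
]
STAGE_PIDS = [4364, 724, 1444, 2964, 2780, 4716, 1152, 3388, 5040, 2336, 2748, 1408]
# cmd PID that deleted each stage; the last stage spawned none before the run ended
DEL_PIDS = [1708, 316, 2416, 4392, 1068, 4972, 4304, 4880, 2892, 2824, 908, None]
ORIGINAL = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\2024-02-23_5b7a334f254fb584e0ce8faa81c233bf_goldeneye.exe")

def del_cmdline(prefix: str) -> str:
    return r"C:\Windows\system32\cmd.exe /c del " + prefix + "~1.EXE > nul"

def sample_events() -> list:
    # PID 1808's own parent is not in the report; ppid 0 is an assumption.
    evs = [ProcEvent(1808, 0, ORIGINAL, '"' + ORIGINAL + '"'),
           ProcEvent(4988, 1808, CMD_IMAGE,
                     del_cmdline(r"C:\Users\Admin\AppData\Local\Temp\2024-0"))]
    ppid = 1808
    for guid, pid, del_pid in zip(GUIDS, STAGE_PIDS, DEL_PIDS):
        image = WIN + "\\{" + guid + "}.exe"
        evs.append(ProcEvent(pid, ppid, image, image))
        if del_pid is not None:   # each stage deletes itself via its 8.3 short name
            evs.append(ProcEvent(del_pid, pid, CMD_IMAGE, del_cmdline(WIN + "\\{" + guid[:5])))
        ppid = pid
    return evs
```

Calling analyse(sample_events()) on the constructed events returns 13 stages (the original plus twelve GUID-named drops), twelve stages that deleted themselves, one image still on disk, and twelve cmd children launched through WOW64 redirection. The prefix comparison in deletes_own_parent is deliberate: 8.3 short names only preserve the first six characters of the long name, so matching on the full GUID would never fire.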

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{19035EF6-5F68-4d78-A471-356791591846}.exe
    Filesize: 197KB
    MD5: 86a8021b6e56d684a53d566173c65498
    SHA1: cd736982271f7c6f3088ad89abdff00b0e8b3c55
    SHA256: e8f63f5f1ab5e60b32801240b721d523a08aafd73ceb919235559517499134cc
    SHA512: 3e9cc8214dfdced7d63b191ea2907ed88f4d7fdabdf8b4aa1047a0dd5e839556ed6bf510935e228eb8c87bb65d3adc0c9f45f44cb24bbee73ac7a1a052c9523f

  • C:\Windows\{36295453-43CC-46c8-AEAF-513709D030DE}.exe
    Filesize: 197KB
    MD5: d08a76cffd79bf65f040a623be7bb136
    SHA1: 036e34f7d056cc4a3812e1cb413a3114e2cf8dcb
    SHA256: 9e72330d5c27504920d82aa673890c0c5e217cddcd9c43209deee967a88eaf0d
    SHA512: 22efebeac198d5c5394233cf4c7292c239aea318b78acb7662be9b97b100a9139f60e8886492d8a88cf7a68f19c724b8532eb63f8c39016098c304bbe1ae42e9

  • C:\Windows\{38AFB09C-6FB9-44a9-970B-803761272B27}.exe
    Filesize: 197KB
    MD5: 06a966878c1a67a811ee8342e99e5063
    SHA1: 6493a8e62d192780982f701fcf93d06428de0c65
    SHA256: 90ed391064fe0d9066c7f519c9cb75c1015e4449c5e6fc1dc879832b704378d5
    SHA512: 7eb80be3ed4091627c4c6a198e8ecb734a9f3958168d0d553c50c7783cb667daf0840682d7718f4c0da21cc7e3b164992c9f15b90ffdc40890f61d554b56e373

  • C:\Windows\{4F3AF152-5A8B-4e59-80B3-7DCA8370E30A}.exe
    Filesize: 197KB
    MD5: 44a6a418511873fb84afe181a3bf5138
    SHA1: 6471fece781b1feb296557c7b7d8a3d06a6529a4
    SHA256: 5ffb05e5463b3bdf2bc63fbd158e32c5618dbcbbadec485d4d1e57679d5d88ca
    SHA512: 38aa0da87b8653565aabf5b580c5ce6eacd169a5efa46a9695244cf70aff9a269851cf067041d6a45dbac784f382ab2b067a0c65731b8b54eee91dca4d270715

  • C:\Windows\{5BAEDF87-DFF0-4324-8B23-4DEDC3C25EBB}.exe
    Filesize: 197KB
    MD5: 8472a58fbb93f622cc6557a186b5f920
    SHA1: 07fe20a0d26e2455feffbf05e914aab035a812bc
    SHA256: 65e05eafc9c9e7e0f28a9de5f54d5b16d29931236b6f09e5f3cfb4431f007e37
    SHA512: 3a96b24fead61ed8644f4a4fa2ab1d4f2f64e3a5d57094c057e4e693d25a2f9ad57cc8dc268746d4a99cbf4cbac10fb8edb1f2a027365210c13ac568b9579c49

  • C:\Windows\{6262BA7C-96DE-4bd1-8B74-0897F49E71E9}.exe
    Filesize: 197KB
    MD5: e80b0cf20e73166b77aa851f6fdfab33
    SHA1: 1f4666fd60378bbea20964d13615eda4339d1900
    SHA256: f8b449899c5415f6b35444423bc8b93a2b492f81e4dd6bba7bdae4dd4687df64
    SHA512: f9aec36a949666046a200ca4a189c14a9c2e6465f0ed19577dec05692c3a98c8d2fe0d0825327aacb0b6161f2044fc93be8b41a5e224db945c4ac7c5375e3227

  • C:\Windows\{69EEBEBC-F81D-4ab9-849F-495F8D1C5770}.exe
    Filesize: 197KB
    MD5: 6b8f796672d4f71402b1690fd9e5813c
    SHA1: 021026f44fa13095be04a845167682d0fed6806e
    SHA256: 40bada44f8db5215c969af762b64354587f1f8db0b6330fd0bb23c0fdcd23aea
    SHA512: 62da4c89fe2f8f3fd6c7bbbee4e236e2392dc448af4b56d0c52ea93730f910b266888690329a58b1c3337e0759abf87933e10110055b7a12759b9a916626e5ad

  • C:\Windows\{852A8DEE-5243-4c9a-AA4F-584A4080ABC8}.exe
    Filesize: 197KB
    MD5: 185359c88906a9d61a667a666a451f7d
    SHA1: ac2639523e0cd8f04695ae1cabf9bf300c64c120
    SHA256: 1eb1c558d54e244800f56d15911b508f696c76911a823ec24c6e680e2f16f1c5
    SHA512: 9c4cf0372212b80abb0f9b11f39edae346bdfea6fe4d21074561354823ed88fbf4ba2f422e4ea190a1a7644f9621bf7bcccdef8409a15c8fe51a1cf98091da74

  • C:\Windows\{9FFC12FB-6B84-4fa4-98E4-73F1F0669675}.exe
    Filesize: 197KB
    MD5: a1f69482fe6257bfb0c987c44c8a3f20
    SHA1: 60fa5aacdcc958f7582166d17f0ab5c1a68781eb
    SHA256: 3b7b667871a1edc0357b0eb9ec1bc21829522f8c087d889862e7ddb9e126356d
    SHA512: 346cd58301c5a3b480fd70c439d30daf13fe93fe94c73a75ec97f52b6442c9a0ebecbc7cbb7edfc17f5489a09c0cabbf66de13754bf61c976b4b5bc9e5bacd0e

  • C:\Windows\{AEC17550-B42B-4dcb-97B6-F2E103618EA7}.exe
    Filesize: 197KB
    MD5: b6481f05e9d781cb090004a9b2dff03e
    SHA1: 2e98c6c12f47a8c298813d7c0bb7ba86feba7355
    SHA256: f53043fffe0b59de0564803227cd6e09079a137ee0ddede084a8f777cf9ecd28
    SHA512: f923eb44be602205ef95dfd16215e2e3d44aa5e1eb7506c10a60f2d0c4ce43e958b9c91cbbafb5de8ae80a62d1a10b9235867aeedc8d90dfefc50728ad376f68

  • C:\Windows\{B74CED50-ABFD-494e-9282-784D0A061099}.exe
    Filesize: 197KB
    MD5: bc617ffcf86aa2c98a53c6f97ab92fe6
    SHA1: be1ab98438707a1f0cd6bdc4e760a6c17b1f5481
    SHA256: c970b84c5ae53b17f4ad5e852a1631470cd576223c9a6d4d382643069f84f1e2
    SHA512: 674d885801163c36e72dd180a9d20744cdc9879580f522966ae6fd22ee41c6a2f9032bbba0e1ce9a03dbf58864489580306abeab9305d87623561d09079c2ee5

  • C:\Windows\{CE55F913-449A-4955-88EE-A33BB746F923}.exe
    Filesize: 197KB
    MD5: 07b3bcb54ed383e6eda9cedbb256eaa0
    SHA1: 771cc52b838080c9784a22cfebf657320503564b
    SHA256: 57a1c9a2d2c1f847f8fcb1bfd161123f378aa846ef2ed76e3297fe0e150c2b1e
    SHA512: be29857ab29572d139857918fb700fde60b367b9ead030c1a8dc7f3a032acc071e6d59bc849421374f5ceb47e295183e282a25a12c65f9db149bdb273160a1e5