Analysis

  • max time kernel
    149s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 23:22

General

  • Target

    2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe

  • Size

    197KB

  • MD5

    0da03db861609ce5d2f7075059c41f71

  • SHA1

    11001db7b0c0a83612e91587aa621e17ab36b309

  • SHA256

    4825ad8c88f1fbb6a19c34a89ebd938b91f8341cb30cdb7cf216757b57c1001e

  • SHA512

    718cbda8488a15c19a4cb21b2c5666c639e662c88fac4a081c14b6cc95e64f6190aee42e70f273f6d38183fc90eb03c3897b887b5f35f0cbbea46b59182832ac

  • SSDEEP

    3072:jEGh0opl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGflEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe
      C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe
        C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe
          C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4380
          • C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe
            C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5012
            • C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe
              C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2480
              • C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe
                C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:968
                • C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe
                  C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2484
                  • C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe
                    C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4724
                    • C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe
                      C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2468
                      • C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe
                        C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2320
                        • C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe
                          C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4308
                          • C:\Windows\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe
                            C:\Windows\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2988
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7A4~1.EXE > nul
                            13⤵
                            PID:4808
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{53DFD~1.EXE > nul
                          12⤵
                          PID:1376
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D0DB~1.EXE > nul
                        11⤵
                        PID:2712
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AC523~1.EXE > nul
                      10⤵
                      PID:5032
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{074DB~1.EXE > nul
                    9⤵
                    PID:432
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{B809E~1.EXE > nul
                  8⤵
                  PID:3004
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D4DFF~1.EXE > nul
                7⤵
                PID:1600
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C53BB~1.EXE > nul
              6⤵
              PID:3512
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{99D46~1.EXE > nul
            5⤵
            PID:3504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EBBD5~1.EXE > nul
          4⤵
          PID:5068
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AACE~1.EXE > nul
        3⤵
        PID:552
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:1004
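The tree above is a drop-and-execute chain: each stage writes the next stage as a GUID-named .exe in C:\Windows, runs it, and spawns cmd.exe /c del against its own image using the 8.3 short name (the 13th stage, PID 2988, is the only one with no deletion command inside the recorded window). The Python below is an added detection example written for this page, not code from the sandbox or from the sample. The ProcEvent schema and its pid/ppid/image/cmdline field names are an assumption standing in for a real Sysmon or EDR export; the event list is constructed from the first three stages of the tree above, with parent PIDs inferred from the nesting levels; the explorer.exe ancestor (PID 4000) and the two benign events (PIDs 7000 and 7001) are invented to show what is not flagged.

```python
"""Detection for the GUID-named drop-and-execute chain with 8.3 self-deletion.

Added example for this report page; the event records are constructed from the
process tree above (parent PIDs inferred from nesting levels), and the field
names are a hypothetical schema, not a specific Sysmon/EDR export.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Stage images look like C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I
)
# Self-deletion looks like: C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7A4~1.EXE > nul
SELF_DELETE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>[^\s>]+)\s*>\s*nul", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


def short_name_matches(short: str, long: str) -> bool:
    """True if `short` (8.3 form such as {BC7A4~1.EXE) can name the same file as `long`.

    An 8.3 name keeps the first six characters of the long basename and appends
    ~N, where N depends on collisions in the directory, so only the directory,
    the six-character prefix and the extension are compared, never the ~N.
    Assumption: the first six characters contain no spaces or dots, which the
    8.3 algorithm would strip (true for every name in this report).
    """
    s, l = PureWindowsPath(short), PureWindowsPath(long)
    if "~" not in s.name or str(s.parent).lower() != str(l.parent).lower():
        return False
    prefix = s.name.split("~", 1)[0]
    return (len(prefix) == 6
            and l.name.lower().startswith(prefix.lower())
            and s.suffix.lower() == l.suffix.lower()[:4])


def analyze(events):
    """Return GUID-named stage PIDs, (cmd PID, deleted parent PID) pairs and chain depth."""
    by_pid = {e.pid: e for e in events}
    guid_drops = [e.pid for e in events if GUID_EXE.match(e.image)]

    self_deletes = []
    for e in events:
        m = SELF_DELETE.search(e.cmdline)
        # match cmd.exe by basename: under WOW64 the image is SysWOW64\cmd.exe
        if not m or not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        # only a parent deleting *its own* image counts; cmd deleting another file is noise
        if parent and short_name_matches(m["target"], parent.image):
            self_deletes.append((e.pid, parent.pid))

    def guid_ancestry(pid: int) -> int:
        """Number of consecutive GUID-named images walking up from pid."""
        depth, e = 0, by_pid.get(pid)
        while e is not None and GUID_EXE.match(e.image):
            depth, e = depth + 1, by_pid.get(e.ppid)
        return depth

    chain_depth = max((guid_ancestry(p) for p in guid_drops), default=0)
    return {"guid_drops": guid_drops, "self_deletes": self_deletes, "chain_depth": chain_depth}


def is_dropper_chain(findings, min_depth: int = 2) -> bool:
    """Verdict: at least two chained GUID-named stages and at least one self-deletion."""
    return findings["chain_depth"] >= min_depth and bool(findings["self_deletes"])


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_0da03db861609ce5d2f7075059c41f71_goldeneye.exe"
STAGE1 = r"C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe"
STAGE2 = r"C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe"
STAGE3 = r"C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"   # image path a 32-bit parent gets for system32\cmd.exe

# Constructed from the first three stages of the tree above. PID 4000 (explorer.exe)
# and PIDs 7000/7001 are invented benign context, not taken from the report.
EVENTS = [
    ProcEvent(4000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1064, 4000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1112, 1064, STAGE1, STAGE1),
    ProcEvent(2120, 1112, STAGE2, STAGE2),
    ProcEvent(4380, 2120, STAGE3, STAGE3),
    ProcEvent(1004, 1064, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(552, 1112, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9AACE~1.EXE > nul"),
    ProcEvent(5068, 2120, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{EBBD5~1.EXE > nul"),
    ProcEvent(7000, 4000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(7001, 4000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Users\Admin\old.log > nul"),
]

if __name__ == "__main__":
    result = analyze(EVENTS)
    print(result, "-> dropper chain" if is_dropper_chain(result) else "-> clean")
```

Two details of the tree matter for the matching. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe while its command line names system32\cmd.exe: that is WOW64 file-system redirection for a 32-bit process on x64 Windows (consistent with the arch:x86 tag), so match cmd.exe on its basename rather than its directory. And the del target is an 8.3 short name ({BC7A4~1.EXE), so the parent's long image name has to be compared on its six-character prefix; the ~1 is only what the first file with that prefix gets in a directory, so do not hard-code it.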

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{074DBE8F-4E21-49e1-A330-499557A09302}.exe
    Filesize 197KB
    MD5 88912de5393e531fe00a2adc2956927e
    SHA1 68e344e5e21c7c3dddddb2681f2768b1852d3a7c
    SHA256 7c9313f755bb6493c044f8ee50b07b4e367229a42e6139798bf362207fac5744
    SHA512 6f7ef0c10b549ac34bb4a6750ddc3ab3391dd36b9b069a627edf51f17f9762823f67354a016ca0a0b0c8801160278122c8edf865c5bb1a9e342373c926c3e226

  • C:\Windows\{4D0DBD47-5DF7-4e41-864F-F0FF1DEDDDDD}.exe
    Filesize 197KB
    MD5 f5a24b39704957c26a2a581c2ee14907
    SHA1 ef989bafc07196f7cf2e625f89ae442ea31bb806
    SHA256 392b0578b9da37472a9eb6c0db3dc78b1db3ff882b46ff654907226518ce9976
    SHA512 f2b7b192bf4a924952bd91f284e79912396ed03861342a75373a5a878e5624ab73f784ce1b5d5e5aa5fa4a1b42d00064dc88c78c977295dfaa5f930d2afe76c8

  • C:\Windows\{53DFD35C-6FEA-4e42-8376-B394404B1AD7}.exe
    Filesize 197KB
    MD5 48f8f0885dd877c1885ebb8e896c89a0
    SHA1 c0d560ed164531b854144841bb8fc9ae24cef030
    SHA256 ad9c054b18703c0a560699e28637229949378262c4fd0297663f81433c13a558
    SHA512 67c8b94a13408f6093d4353620ba974eb3158e8048b48d2c543da8d3b7d4395ac63855731b41ef21939c125aa3d1b5ef8c952ba8fd2774ffd3a7e719b5fe5e77

  • C:\Windows\{92C6EEC8-2ED2-42da-947C-87BA0F18B4B0}.exe
    Filesize 197KB
    MD5 ff5742a575c2833000ae071b72258a5e
    SHA1 763d729dcd5d132c9ca9d64e5faf9b6f9017f847
    SHA256 3d4ad9985a08c3041d94378d3ff3245c8106f84b8c19570e7263308518d0819a
    SHA512 6f9f8410a890ca3ab99b2ca709b5c559e1756bbf6a28684f5400b57d6a98c80a1a72083d2522385252e6c7e4d738e31f7df97970382820cb024f623ae918d645

  • C:\Windows\{99D4680D-BA9C-4c80-9504-646A16104998}.exe
    Filesize 197KB
    MD5 77d707cc315d02d290e9bc1c7d96e6a8
    SHA1 e10e889450742ca58d6ed160aedb844d1edbb1ca
    SHA256 92e244e970491f26767eece391b9d6fe0b3fd51806c90c84675e942889d46317
    SHA512 ec632629a2f59c35bb04fcffc296b8628cc361f1243ba7a8aa84a650da2b99a9d97865ea9d0a8651ed02015403669d0485ed5d865593a49ba3251e13be4b77f9

  • C:\Windows\{9AACE733-D40F-4085-AD76-84BE7353859B}.exe
    Filesize 197KB
    MD5 cf0f11b7ec143213d54f8c58a75032cc
    SHA1 d8a4bff85e1142a6c098f7922f539c60974cc6aa
    SHA256 c48b4ebfcddcd3edaa92c71fe20921e9d362ab7d698f0f494b438c474661baaa
    SHA512 71f3a440b723d7795e6b088307835f070c915de180677d774fee15de7cf5c8b5b631f799dae3ec4a3e41fa048d275bd4ce1495ecf666feb6e45f7476627b5cc4

  • C:\Windows\{AC52356C-CC8D-4231-9255-CA0691BBD852}.exe
    Filesize 197KB
    MD5 bdf0ce51aec66ec1ae5d5b8c006168a0
    SHA1 1c018a0237a46b07168cdf08a9c05d559f9413db
    SHA256 964785e87b5dfe2a12f7ef2e822bef7441bb047a5334d3240ee76b02d22d18ef
    SHA512 fcce6f40341002e404152cfd434245ca63267fe867cb2d0bede8e2500d79f79cdc882f6a0e73841ae34b40f163b855c6725bc2f40f951c3b7429380248e792be

  • C:\Windows\{B809EA42-BBA2-4a64-9F00-3C6AD92268B5}.exe
    Filesize 197KB
    MD5 62d5177d959432f4dbae4abf05fdf36d
    SHA1 0d841b3710ba96e1179c1d1bd1c5ffcac4d3286b
    SHA256 ec90ccc264d2eadc25a984741c27a146209e55421c58be91601d6d2a57e61193
    SHA512 fbb204e5d6fa32e99c89e079abc9bc9ead53ae31c16f353ef95f9bf4ca15f9902028fc46ac927a479b3ec8fc2232ae19ed8b03d1aef91c14f887af21b2f59a23

  • C:\Windows\{BC7A40FE-51CA-4b5f-B8F2-0440B0DE1213}.exe
    Filesize 197KB
    MD5 8da0d5ae136c1afdd2f2327f0bd79993
    SHA1 0e046cefa3f8c926f6bf1ca706830fb2c1135d70
    SHA256 63fc4def3e7502b511f728cb8215e141498786bdaed171072962909cd66e7a8a
    SHA512 7b4b6cdebf570bce8e0d68c8098562557e4e6388c2455063a59496edfb0144682dc24fc615255a27f67e25059920adef618b0e1a978c009c5c0fe2f6abf602fc

  • C:\Windows\{C53BB17B-CC3A-418a-9FDA-AB1CCC5D5F08}.exe
    Filesize 197KB
    MD5 8d336a4b3dc55f20ceb4939bf95cf10f
    SHA1 865d9fcfa713f185501788bbe40c46a6eaa262c0
    SHA256 95735c1de957ecbc38b899b28fbbd9637c819a0f7443d904507aa87e00625841
    SHA512 26d09d7ab4e96cfba73fa678b95522d39e787b715a238dfedf72533ad040ae7e13743c7dd0b4e09d564f08615c139501ab0b1cc573258d49164cb4fad36e6d40

  • C:\Windows\{D4DFF0C2-A810-4199-B651-C8391022BF19}.exe
    Filesize 197KB
    MD5 74717dddd54aefb6806290bbb34ceb94
    SHA1 26e9ac3f57230a8ea1aef23e4d6f624440c89232
    SHA256 272de64826bc5122b0f878ad0906244d5cfaaa221ffa01970f52748cf0e467b2
    SHA512 3e733437d7bf9f36d6af82095161f3e8859901894aa8b0fda5a55a342cdfbf55516550f3e32cfcaf24992ad4faefd10ff5c99bb3fc13b370794e785d42225f1e

  • C:\Windows\{EBBD5B11-1C4B-487f-801C-1DE109ADB838}.exe
    Filesize 197KB
    MD5 b33215fe8a93f7d6be4b990497b4f9cd
    SHA1 464469e083eb0a1a7affb92fe0d7c11987d1c1d3
    SHA256 09fd55a2beba009e6442b9401d62f842a38f1a0a36f9d299caadf55340fc2e33
    SHA512 699a20397e4a4885b55616e05c70a1b6feec0a8035491648568883fca1b884f1fac501db04c30de8324d187b614e8d9300bd71c04960a7630c869895db82821b