Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 23:23

General

  • Target

    2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe

  • Size

    204KB

  • MD5

    1f57b3b2e0426da9841dcf20c031e1cd

  • SHA1

    a98d6c1eaa825a4321d01c66ab5df496002effb5

  • SHA256

    73a7aea95d6e7f8a274bfed7b82ef7bd0c2faa8a042c8f59cdf44f7b73491df5

  • SHA512

    dee901fd35c0aaba529b039fd744e90068bc6111dd9f1fc6760572a4abce07a8a9a0b347ff38441248139acb41970813f2805cc21a45ac0db5c7846bec8adee8

  • SSDEEP

    1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Signatures

  • Auto-generated rule (11 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1f57b3b2e0426da9841dcf20c031e1cd_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
      C:\Windows\{F22468F8-2413-45e5-BBEF-083E79560F7C}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
        C:\Windows\{02C13666-E42E-4851-9D5C-A2B21AD239BF}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3908
        • C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
          C:\Windows\{F01C586B-E700-4f29-AEB0-7B16E6D33D4E}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3952
          • C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
            C:\Windows\{60FDD9A4-2E61-4951-83D4-A6221473DE44}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3248
            • C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
              C:\Windows\{C83C4698-91C2-4a39-8475-D5889B245D6D}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4896
              • C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
                C:\Windows\{60B53402-B2A7-443c-94D9-9A9EF433B625}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2740
                • C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe
                  C:\Windows\{C546A100-6D1E-4539-95B4-7D9630D41E13}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  PID:1660
                  • C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe
                    C:\Windows\{844AF8B5-67E9-4b60-B862-D0132AB79617}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4864
                    • C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
                      C:\Windows\{06E7869C-4BBC-43fe-841E-5C8ED95B37AB}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:768
                      • C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
                        C:\Windows\{A705C457-6AF5-4a2a-96E1-EE7046BE98B1}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2280
                        • C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
                          C:\Windows\{922BDA4D-9FD6-4214-B69A-43A6DFBB86A0}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2816
                          • C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe
                            C:\Windows\{0948C779-DDDD-4b8b-A74D-73DCF1171F57}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1184
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{922BD~1.EXE > nul
                            13⤵
                            PID:2192
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A705C~1.EXE > nul
                            12⤵
                            PID:2532
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{06E78~1.EXE > nul
                            11⤵
                            PID:4824
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{844AF~1.EXE > nul
                            10⤵
                            PID:2364
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C546A~1.EXE > nul
                            9⤵
                            PID:1888
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{60B53~1.EXE > nul
                            8⤵
                            PID:4276
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C83C4~1.EXE > nul
                            7⤵
                            PID:4000
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{60FDD~1.EXE > nul
                            6⤵
                            PID:4424
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F01C5~1.EXE > nul
                            5⤵
                            PID:4052
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{02C13~1.EXE > nul
                            4⤵
                            PID:1044
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F2246~1.EXE > nul
                            3⤵
                            PID:3960
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                            PID:2064

Downloads
