Analysis

  • max time kernel: 149s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/03/2024, 23:26

General

  • Target: 2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
  • Size: 408KB
  • MD5: 5563717ece795b8d9bcdf32e23573d0e
  • SHA1: 64560ef9cb7b54b3c16a5cebbf8a79e68ddf4b32
  • SHA256: 07490cb10169d4341dce83e183cf3cb2daec726e0c991bcb2c9d959ba3b57615
  • SHA512: 51b34fd5a59962732707f669897a6c8ab3c15e8103b8f223caae38e568b439c19de8508e3d01928e82bf280fbbadf6334019faf593aa9201df29bcc251c62874
  • SSDEEP: 3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Score: 9/10

Malware Config

Signatures

  • Auto-generated rule (12 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe
      C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe
        C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4008
        • C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe
          C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe
            C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1476
            • C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe
              C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1188
              • C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
                C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4208
                • C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe
                  C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1604
                  • C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe
                    C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4864
                    • C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe
                      C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4440
                      • C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe
                        C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3996
                        • C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe
                          C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4916
                          • C:\Windows\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe
                            C:\Windows\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4576
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{522C2~1.EXE > nul
                            13⤵
                            PID:4320
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{64B36~1.EXE > nul
                          12⤵
                          PID:408
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{57276~1.EXE > nul
                        11⤵
                        PID:2316
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9D190~1.EXE > nul
                      10⤵
                      PID:4028
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{05D8E~1.EXE > nul
                    9⤵
                    PID:2340
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{290E7~1.EXE > nul
                  8⤵
                  PID:2076
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D5EA8~1.EXE > nul
                7⤵
                PID:2488
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E1DA0~1.EXE > nul
              6⤵
              PID:1408
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E6122~1.EXE > nul
            5⤵
            PID:2136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9A28C~1.EXE > nul
          4⤵
          PID:4644
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CB5A~1.EXE > nul
        3⤵
        PID:4092
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:2740
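The tree above repeats one pattern at every depth: a stage writes a GUID-named copy of itself into C:\Windows, executes it, and then spawns a 32-bit cmd.exe (the image is under SysWOW64 although the command line names system32, so WOW64 redirection applied) that deletes the stage's own file by its 8.3 short name ("{522C2~1.EXE" for "{522C254F-...}.exe", "2024-0~1.EXE" for the submitted sample). The following is an added example, not part of the sandbox report, that looks for that pattern in process-creation records of the kind a Sysmon Event ID 1 parser produces. PIDs, images and command lines in EVENTS are taken from the tree; the explorer.exe parent, the two benign cmd.exe events, and every field and function name are this example's own; the 8.3 short-name check is an approximation (first six characters of the stem plus the extension, any "~N" counter), not a reimplementation of the NTFS algorithm.

```python
"""Detect the drop -> execute -> self-delete chain from the process tree above.

Added example (not part of the sandbox report). EVENTS is a constructed list
of process-creation records; PIDs and paths come from the tree, the
explorer.exe-parented events are invented to show the correlation does not
fire on ordinary "del" commands. Field and function names are this example's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


# Each stage is a GUID-named executable written directly under C:\Windows.
GUID_EXE_IN_WINDOWS = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)

# "cmd.exe /c del <8.3 path> > nul": the target is the DOS short name, i.e. the
# first six characters of the long basename, "~N" and a three-letter extension.
SELF_DELETE = re.compile(
    r"cmd\.exe\s+/c\s+del\s+"
    r"(?P<target>\S+?\\[^\\\s~]{1,6}~\d+\.[A-Za-z0-9]{1,3})\s*>\s*nul", re.I)


def short_name_key(long_path: str) -> tuple[str, str, str]:
    """(directory, six-char stem prefix, three-char extension), upper-cased.

    Approximation of Windows 8.3 name generation (assumption: only space/dot
    stripping and 6+3 truncation are modelled; the "~N" counter is ignored).
    """
    directory, _, basename = long_path.rpartition("\\")
    stem, dot, ext = basename.rpartition(".")
    if not dot:
        stem, ext = basename, ""
    stem = stem.replace(" ", "").replace(".", "")
    return directory.upper(), stem[:6].upper(), ext[:3].upper()


def short_target_key(short_path: str) -> tuple[str, str, str]:
    """Split an 8.3 path such as C:\\Windows\\{522C2~1.EXE into the same key."""
    directory, _, basename = short_path.rpartition("\\")
    m = re.fullmatch(r"([^~]{1,6})~\d+(?:\.([^.]{0,3}))?", basename)
    if not m:
        raise ValueError(f"not an 8.3 name: {short_path}")
    return directory.upper(), m.group(1).upper(), (m.group(2) or "").upper()


def analyze(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (finding, pid, image) tuples for the two behaviours in the tree."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if GUID_EXE_IN_WINDOWS.match(e.image):
            findings.append(("guid_exe_in_windows", e.pid, e.image))
        m = SELF_DELETE.search(e.command_line)
        if not m:
            continue
        parent = by_pid.get(e.ppid)
        # Flag only when the 8.3 target resolves to the parent's own image:
        # that is the self-deletion step, not an arbitrary "del" from cmd.exe.
        if parent and short_target_key(m.group("target")) == short_name_key(parent.image):
            findings.append(("parent_self_delete", e.pid, parent.image))
    return findings


def stage_chain(events: list[ProcEvent], root_pid: int) -> list[int]:
    """Follow GUID-exe children downward from the submitted sample's PID."""
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chain, pid = [root_pid], root_pid
    while True:
        nxt = [c for c in children.get(pid, []) if GUID_EXE_IN_WINDOWS.match(c.image)]
        if not nxt:
            return chain
        pid = nxt[0].pid
        chain.append(pid)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"   # 32-bit cmd.exe: WOW64 redirected "system32"
STAGE1 = r"C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe"
STAGE2 = r"C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe"

EVENTS = [  # constructed: depths 1-3 of the tree, plus invented benign events
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4560, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(440, 4560, STAGE1, STAGE1),
    ProcEvent(4008, 440, STAGE2, STAGE2),
    ProcEvent(4092, 440, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8CB5A~1.EXE > nul"),
    ProcEvent(2740, 4560, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(5000, 1000, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup~1.exe > nul"),
    ProcEvent(5001, 1000, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(*finding)
    print("stage chain:", stage_chain(EVENTS, 4560))
```

The parent correlation is what keeps the rule quiet on the two explorer.exe-parented deletions: the 8.3 target must resolve to the parent process's own image. In the real tree every cmd.exe is a child of the stage it deletes, so the rule fires twelve times on this sample and the chain walk returns thirteen PIDs.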

Network
Downloads

  • C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe
    Filesize: 408KB
    MD5: 2e5e3f3c3f6d71e91da127674915dfe9
    SHA1: d8481b00d37aaa7e93232257a05424315a28dfd6
    SHA256: 05b09472fdc47bd524966c4550f86ebf589eceb9ce9e091c3ac2f21466a754ca
    SHA512: 16978dbe3b750bd82587130628ada86c16d874841894e2a07bfe82c00f3fe01ab5d0cb24540e88009d75c7f6c3749ba7f151e0720ea7d29c1a832c8ee19f9de8

  • C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
    Filesize: 408KB
    MD5: 70da9901c64d8ba8fb67c90e22945be6
    SHA1: c311cf5106f104d8632c43f102e81eca2590e438
    SHA256: fdfca74e5ecf0b2d5f2bae3ca266c9a3689ee51b4ce79bf937490d4b4caf1e11
    SHA512: 5e2836a7d1bc5b44facfbec962f8d298e27f646acf4c4d5c820e379d5a5a788fce9dac8a805cd9bdb804ca7e55f0e59dbff213b1b7d8140d17122df6253c0a79

  • C:\Windows\{522C254F-592F-4129-836C-CD7F331029B6}.exe
    Filesize: 408KB
    MD5: 122bcc6a1b6213c5febcd55e32782ec8
    SHA1: 2c18d4dde1a1077c0036ccd038b55a34fad9250b
    SHA256: f06ccb1a4a5fcb55e9ff90233c055789eda94eb7135b7b4675152274519099b6
    SHA512: 0978dc7f4552696b1782ca9415d18f00d39430dea3ef8802e8dd01cc729e0006241ccdc119146af24990e9f0103a5b5046267842767b0c861a274a1fa20958c8

  • C:\Windows\{57276813-B02B-47df-9D70-1E3C0B09D1DE}.exe
    Filesize: 408KB
    MD5: 258c6feca60378dff101bf334e0e79db
    SHA1: e9685928d6793a2b51aea7e8b4a6ef82c384ccb3
    SHA256: 23e9c4b2da06223038654051030ecef1e9c918e81f7870958ed27c5261727200
    SHA512: 4dcc672908af334c3502a4894ac9ba635d899e1e214036002f0237dbd6dba82acc2ab10091613aa127f82ab1c13db8031e183bf260de51cd0fb047347dd78467

  • C:\Windows\{64B36113-3956-4e8a-AB00-6E5E880DE7D5}.exe
    Filesize: 408KB
    MD5: 978b09c9cfd75b3d843f0db0a6eed64d
    SHA1: 53c64c22a5b5438562849063ae7b2ea30c8b13a2
    SHA256: 96debc6763779e15f7bd0d1e16d17025d0d5f62aee7047e2441712d708c543d5
    SHA512: beed3dd52ad4f4aea445ffe12af09aa5e465868164a3d486368604be40e491d6751c87d8f5c0608ab33f0f4cabf8dfb17b2ed988efaf620d0d0e2d0744a34bd3

  • C:\Windows\{8CB5A265-6D71-4ddd-BE2F-A6FA3C12FD62}.exe
    Filesize: 408KB
    MD5: 88c3aa68b4031353e129ce9e90e1a94d
    SHA1: 8769d549c9bc14c8f76e046f34fcac0ca5242752
    SHA256: 4b2c5de39470eda9515877df37182c8c64132ce5f64ff2d87b7b0945534c768c
    SHA512: 94c2d76c18e6bcab1047522713de8d4b741f53ab4f3a169b552a0c0cb1fbbdd8c3072dcbaf437f0acabaedbf81a3428c48d8824bf89ea6395dd6e3c18b5e6e9a

  • C:\Windows\{9A28CDB9-93CA-4b3f-A6AA-C3B4FAE447F4}.exe
    Filesize: 408KB
    MD5: 82c81495e641c9fad127da3cd37d0a44
    SHA1: 924763ecfe7e72c21cfaba9088ce45433b669552
    SHA256: 5906c179ff4f4de9e91641882557a279970507b0c4cd4a0abd9dad254a69b368
    SHA512: 4fee49e4c9b4f5a045c215460e2ff0c6f0f72cea46762d28022ae001c22cd51a7606657a824798b36b84ed435a2607fffb41317a9450a6372776166e79c40b0f

  • C:\Windows\{9D190816-1739-44f8-AE4E-86F59A3B8F8D}.exe
    Filesize: 408KB
    MD5: ed7a3d9d8fe69854cef4af9c7277f27d
    SHA1: e0482173c75e0114303a1a4ebeb6c5cc82271cfb
    SHA256: 63592201ef6812b455619dd1446046e1bd83884c63699e1d2ed5eb4ea346d63e
    SHA512: 8c377a1bc8c517f01069b5097031b870fa1b2a0be63853a4173cf249cae41f4c8ba64d6de718930d259292e4472645269806d53e49300354a1a49b0b9a91482f

  • C:\Windows\{B4D81ACD-DC42-49bb-9146-35E13A5AB7C5}.exe
    Filesize: 408KB
    MD5: b0fd514bc925b3f07bd1ebfa63c05f63
    SHA1: 1688ca90f0054392b0062f1e4e858994925d1869
    SHA256: 638bf0a421389d67e06bca1f04043fea861f172e3fbb2159cb813f0d1898c17e
    SHA512: 6cc8ddbee6395980a662042167d142e1da902fa6aa14de01cdacd7228b17db49841b1aaf4e7a583c80a868d9aa8cbf912b1366c3ef9291a56cc1696a7c026525

  • C:\Windows\{D5EA819D-A84E-4dd3-80E8-1CD9B83DD1A8}.exe
    Filesize: 408KB
    MD5: bd778c51783d35b41bc0470da5d6f382
    SHA1: a5496d6c5657df05c346f0a0bce9b57b8e0a0cd4
    SHA256: 9e8b6cfc138f98d63d22152d6368c88b83cf2c2a4967084fb32594b401d36277
    SHA512: 7a549692c124eae2c6303196fe9e9b37c49ee9a38196f43f309186197ec142430eaff77c6822949675b23e75d8cf36bac531039c72e27c49ed8d8acc47487999

  • C:\Windows\{E1DA00B8-5DCB-4fe4-BAEC-59842DAAAD02}.exe
    Filesize: 408KB
    MD5: e4e8c89d5655bd7d88394763da5ff80b
    SHA1: 14b59f875f127baaf02750086cf6cd1447f57fb8
    SHA256: 41c50025da9bed2b151b43e906b562a8273053c55be0dce666611ec487d4c8cd
    SHA512: aae27ac6be5476086d17517667e79e8e01665e3e10fee85b5574831a749c693f3c517909beab04ff1a38dd93adb3f68b4e0a991e434d6fdbf2b6c6484c58af6d

  • C:\Windows\{E6122B18-6B08-4ea9-8089-6B830B04D3E4}.exe
    Filesize: 408KB
    MD5: 4b3f5bac184ac4e52b95d460558c9919
    SHA1: d497b693626ac0a52da006d8b1c78b23ff5af5d8
    SHA256: e25a11dcbce071042321e254567d08cca4e66badf3c1a5626d2ac8e50f7476d0
    SHA512: 8e464b398a604ac4e1156dd338a64b8d463eb335602856865de2ee030dc184be6d7f11b2fa1c99d64211d84711c5920b643d7f11c5ccc979817437720bb30614
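Every dropped stage is 408KB, the same size as the submitted sample, yet no two entries share a hash, so a blocklist built from one stage's hash catches none of the others; the path and name pattern (GUID-named .exe written directly under C:\Windows) is the durable indicator. The following is an added example, not part of the sandbox report: a parser for the file list above (both the one-value-per-line layout the report uses and a compact "MD5: <hash>" layout) that validates each hash's length and alphabet, checks that the files are pairwise distinct, and emits CSV for an IOC feed. The two entries in REPORT_EXCERPT and the SUBMITTED hashes are copied from this page; function names are this example's own.

```python
"""Parse the report's dropped-file list into validated, deduplicated IOCs.

Added example (not part of the sandbox report). REPORT_EXCERPT holds two
entries copied from the list above: the first in the report's own layout
(key on one line, value on the next), the second in a compact "Key: value"
layout the parser also accepts. SUBMITTED is the sample's hashes from the
General section. Function names are this example's own.
"""
import csv
import io
import re

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
KEYS = ("Filesize",) + tuple(HASH_LENGTHS)
HEX = re.compile(r"^[0-9a-f]+$")

REPORT_EXCERPT = r"""
• C:\Windows\{05D8EDEB-0AEC-43ea-9027-4613FF1458A2}.exe

  Filesize

  408KB

  MD5

  2e5e3f3c3f6d71e91da127674915dfe9

  SHA1

  d8481b00d37aaa7e93232257a05424315a28dfd6

  SHA256

  05b09472fdc47bd524966c4550f86ebf589eceb9ce9e091c3ac2f21466a754ca

  SHA512

  16978dbe3b750bd82587130628ada86c16d874841894e2a07bfe82c00f3fe01ab5d0cb24540e88009d75c7f6c3749ba7f151e0720ea7d29c1a832c8ee19f9de8

• C:\Windows\{290E7FFA-9EDD-4d68-80DE-E574B5267DDA}.exe
  Filesize: 408KB
  MD5: 70da9901c64d8ba8fb67c90e22945be6
  SHA1: c311cf5106f104d8632c43f102e81eca2590e438
  SHA256: fdfca74e5ecf0b2d5f2bae3ca266c9a3689ee51b4ce79bf937490d4b4caf1e11
  SHA512: 5e2836a7d1bc5b44facfbec962f8d298e27f646acf4c4d5c820e379d5a5a788fce9dac8a805cd9bdb804ca7e55f0e59dbff213b1b7d8140d17122df6253c0a79
"""

SUBMITTED = {  # from the General section of this report
    "path": "2024-03-02_5563717ece795b8d9bcdf32e23573d0e_goldeneye.exe",
    "Filesize": "408KB",
    "MD5": "5563717ece795b8d9bcdf32e23573d0e",
    "SHA1": "64560ef9cb7b54b3c16a5cebbf8a79e68ddf4b32",
    "SHA256": "07490cb10169d4341dce83e183cf3cb2daec726e0c991bcb2c9d959ba3b57615",
    "SHA512": "51b34fd5a59962732707f669897a6c8ab3c15e8103b8f223caae38e568b439c19de8508e3d01928e82bf280fbbadf6334019faf593aa9201df29bcc251c62874",
}


def parse_file_entries(text: str) -> list:
    """One dict per bullet: 'path' plus whichever of KEYS the entry carries."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # a new file entry
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif current is None:
            continue                             # text before the first entry
        elif pending:                            # value on the line after its key
            current[pending] = line
            pending = None
        else:
            key, sep, value = line.partition(":")
            key = key.strip()
            if key in KEYS:
                if sep and value.strip():
                    current[key] = value.strip()
                else:
                    pending = key
    for r in records:                            # normalise hash case for matching
        for algo in HASH_LENGTHS:
            if algo in r:
                r[algo] = r[algo].lower()
    return records


def validate(record: dict) -> list:
    """Problems with the record's hashes; an empty list means all are well-formed."""
    problems = []
    for algo, length in HASH_LENGTHS.items():
        value = record.get(algo, "")
        if len(value) != length or not HEX.match(value):
            problems.append(f"{algo}: expected {length} hex chars, got {value!r}")
    return problems


def all_distinct(records: list, algo: str = "SHA256") -> bool:
    """True when no two records share a hash under the chosen algorithm."""
    hashes = [r[algo] for r in records if algo in r]
    return len(set(hashes)) == len(hashes)


def to_csv(records: list) -> str:
    """CSV with a fixed column order, suitable for an IOC import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=("path",) + KEYS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()


if __name__ == "__main__":
    entries = parse_file_entries(REPORT_EXCERPT)
    for entry in entries:
        print(entry["path"], validate(entry) or "ok")
    print("stages and sample pairwise distinct:", all_distinct(entries + [SUBMITTED]))
    print(to_csv(entries))
```

Running the parser over the full list of twelve entries gives twelve distinct SHA256 values plus the sample's own, which is the check worth scripting before deciding whether hash-based blocking is worth anything against this family.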