Resubmissions

02/03/2024, 23:37

240302-3l9thaah53 8

02/03/2024, 23:26

240302-3ev2rsag46 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 23:26

General

  • Target

    2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe

  • Size

    408KB

  • MD5

    5264be32e86275d2fbdda6a68bc09148

  • SHA1

    bd73f0431bae5e161f6c51b23d8ecb479e4105f1

  • SHA256

    83be2346e78cbcf6e06dc63789dcbfcfb87fecabc7b49f354fb6bcee7706c54e

  • SHA512

    deb386b08978fbe23c46b93b774440ffc767d6bd8a3f5faeaf696c812b7e94992cb13ef5a157457aa249c499b3e785968a4d53582759f097d51d2e60a5df0f16

  • SSDEEP

    3072:CEGh0oCl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGUldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Windows\{3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe
      C:\Windows\{3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Windows\{942501AE-0BAA-4c45-9634-2678E1D2F591}.exe
        C:\Windows\{942501AE-0BAA-4c45-9634-2678E1D2F591}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\{5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe
          C:\Windows\{5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\{00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe
            C:\Windows\{00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\{EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe
              C:\Windows\{EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4880
              • C:\Windows\{0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe
                C:\Windows\{0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1416
                • C:\Windows\{012E4200-377A-4ca9-A0EE-3774EC556C13}.exe
                  C:\Windows\{012E4200-377A-4ca9-A0EE-3774EC556C13}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3240
                  • C:\Windows\{3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe
                    C:\Windows\{3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2672
                    • C:\Windows\{C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe
                      C:\Windows\{C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2520
                      • C:\Windows\{48AC6634-09CB-4c42-8231-45161EB43C93}.exe
                        C:\Windows\{48AC6634-09CB-4c42-8231-45161EB43C93}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4372
                        • C:\Windows\{A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe
                          C:\Windows\{A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1724
                          • C:\Windows\{6CD1A58F-F41F-440a-BF39-7FA11B2BACD8}.exe
                            C:\Windows\{6CD1A58F-F41F-440a-BF39-7FA11B2BACD8}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4788
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A64C0~1.EXE > nul
                            13⤵
                            PID:3264
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{48AC6~1.EXE > nul
                          12⤵
                          PID:4484
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5214~1.EXE > nul
                        11⤵
                        PID:2984
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3938B~1.EXE > nul
                      10⤵
                      PID:348
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{012E4~1.EXE > nul
                    9⤵
                    PID:3504
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{0D106~1.EXE > nul
                  8⤵
                  PID:2028
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EFBC2~1.EXE > nul
                7⤵
                PID:3580
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{00EA8~1.EXE > nul
              6⤵
              PID:2196
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5D503~1.EXE > nul
            5⤵
            PID:4812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{94250~1.EXE > nul
          4⤵
          PID:4168
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A05F~1.EXE > nul
        3⤵
        PID:4972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:792
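The process tree above is a drop-execute-delete loop: each stage writes a GUID-named copy into C:\Windows, launches it, and then removes its own image through cmd.exe /c del <8.3 short name> > nul (the depth marker on each cmd.exe places it under the stage whose long name the short name abbreviates, e.g. {A64C0~1.EXE for {A64C03B1-...}.exe). Every dropped stage in the Downloads section is 408KB like the parent but has a different hash, so blocking the parent's hash does not catch the stages; the behaviour is the durable signal. The script below is an added example, not part of the sandbox report: it replays process-creation events reconstructed from this tree (parent PIDs of the cmd.exe entries are inferred from their depth markers) and flags both the GUID-named drops and the cmd.exe children that delete their parent's image. The event shape and field names are assumptions, not any EDR's schema.

```python
import re
from dataclasses import dataclass

# Naming pattern of every dropped stage in the tree: C:\Windows\{GUID}.exe
GUID_EXE_RE = re.compile(r"^[A-Za-z]:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$",
                         re.IGNORECASE)
# Self-deletion idiom in the tree: cmd.exe /c del <8.3 short name>.EXE > nul
SELF_DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+~\d+\.EXE)\s*>\s*nul\b", re.IGNORECASE)

@dataclass(frozen=True)
class ProcEvent:  # assumed event shape, not any particular EDR's schema
    pid: int
    ppid: int
    image: str
    cmdline: str

def is_dropped_stage(image):
    """True for a GUID-named executable placed directly in the Windows directory."""
    return GUID_EXE_RE.match(image) is not None

def self_delete_target(cmdline):
    """Return the deleted path if cmdline is `cmd /c del X~N.EXE > nul`, else None."""
    m = SELF_DEL_RE.search(cmdline)
    return m.group("target") if m else None

def short_name_matches(short_path, long_path):
    """Match an 8.3 short name such as {A64C0~1.EXE against a long file name."""
    # Simplification: the long name's first six characters are assumed to be
    # legal 8.3 characters, which holds for every name in this report.
    stem = short_path.rsplit("\\", 1)[-1].upper().split("~", 1)[0]
    return 0 < len(stem) <= 6 and long_path.rsplit("\\", 1)[-1].upper().startswith(stem)

def analyze(events):
    """Flag dropped stages and cmd.exe children that delete their parent's own image."""
    by_pid = {e.pid: e for e in events}
    stages = [e.pid for e in events if is_dropped_stage(e.image)]
    self_deletes, other_deletes = [], []
    for e in events:
        target = self_delete_target(e.cmdline)
        if target is None:
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and short_name_matches(target, parent.image):
            self_deletes.append((e.pid, parent.pid, parent.image))
        else:
            other_deletes.append((e.pid, target))
    return {"dropped_stages": stages, "self_deletes": self_deletes,
            "other_deletes": other_deletes}

def stage_chain(events, root_pid):
    """Follow parent->child links through dropped stages, starting at root_pid."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chain, pid = [root_pid], root_pid
    while True:
        nxt = [c for c in children.get(pid, []) if is_dropped_stage(c.image)]
        if not nxt:
            return chain
        pid = nxt[0].pid
        chain.append(pid)

# Constructed input: the Processes section of this report as (pid, ppid, image).
# Parent PIDs of the cmd.exe entries are inferred from their depth markers.
W = "C:\\Windows\\"
ORIG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-03-02_5264be32e86275d2fbdda6a68bc09148_goldeneye.exe"
CHAIN = [
    (1448, 0, ORIG),
    (3312, 1448, W + "{3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe"),
    (1832, 3312, W + "{942501AE-0BAA-4c45-9634-2678E1D2F591}.exe"),
    (1968, 1832, W + "{5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe"),
    (2744, 1968, W + "{00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe"),
    (4880, 2744, W + "{EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe"),
    (1416, 4880, W + "{0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe"),
    (3240, 1416, W + "{012E4200-377A-4ca9-A0EE-3774EC556C13}.exe"),
    (2672, 3240, W + "{3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe"),
    (2520, 2672, W + "{C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe"),
    (4372, 2520, W + "{48AC6634-09CB-4c42-8231-45161EB43C93}.exe"),
    (1724, 4372, W + "{A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe"),
    (4788, 1724, W + "{6CD1A58F-F41F-440a-BF39-7FA11B2BACD8}.exe"),
]
DELETES = [  # (cmd pid, parent pid, 8.3 path passed to del)
    (3264, 1724, W + "{A64C0~1.EXE"), (4484, 4372, W + "{48AC6~1.EXE"),
    (2984, 2520, W + "{C5214~1.EXE"), (348, 2672, W + "{3938B~1.EXE"),
    (3504, 3240, W + "{012E4~1.EXE"), (2028, 1416, W + "{0D106~1.EXE"),
    (3580, 4880, W + "{EFBC2~1.EXE"), (2196, 2744, W + "{00EA8~1.EXE"),
    (4812, 1968, W + "{5D503~1.EXE"), (4168, 1832, W + "{94250~1.EXE"),
    (4972, 3312, W + "{3A05F~1.EXE"),
    (792, 1448, "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE"),
]
EVENTS = [ProcEvent(p, pp, img, f'"{img}"') for p, pp, img in CHAIN] + [
    ProcEvent(p, pp, W + "SysWOW64\\cmd.exe", f"C:\\Windows\\system32\\cmd.exe /c del {t} > nul")
    for p, pp, t in DELETES
]

if __name__ == "__main__":
    print(analyze(EVENTS), stage_chain(EVENTS, 1448))
```

Run against the reconstructed tree it reports 12 dropped stages, 12 parent-deleting cmd.exe children and no unexplained deletes; the thirteenth stage ({6CD1A58F-...}.exe, PID 4788) has no cmd.exe child within the 150s window. The parent-image check is what separates this from a noisy "cmd /c del" rule: ordinary cleanup scripts delete other files, a self-replacing stage deletes the image of the process that spawned the cmd.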

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{00EA8D32-3B4F-4d3b-A739-6C264F7B3620}.exe
    Filesize 408KB
    MD5 fee60521dc4b11749f91e22c8dcb08b6
    SHA1 74262b4edb52cc451239a8a7202f2997d5d747db
    SHA256 03ddd1a373aab1dd355db40c9bf9b310d4d3df47dc218561970855097a346936
    SHA512 98565ce06af29ed0808dfaf20fb3b731d6e72619ba95b953a4465f72cf002e9b61fa8e8b594d11b0a325f2343ce66f3059384ef890e190c13baf8ec0b1274f4f

  • C:\Windows\{012E4200-377A-4ca9-A0EE-3774EC556C13}.exe
    Filesize 408KB
    MD5 b8b63b5a62294310344dcdb4bcd1e33a
    SHA1 202f02e83374f26bde69a15e81259895298d50f8
    SHA256 95fd08f84d14b5c497701fe142c57cd7930ce5eda4fd9a062ebc1a7656504119
    SHA512 eef33a46b42bda0a34dc2c5b5d4e121352cd2e44dca551b8a77afd9e76279dd9e810cf7b6514b6bd1a7b6499817fca45856d1e6ba83eb47683351a38f639e57a

  • C:\Windows\{0D1065CF-CF7D-4d44-8073-CDC330DD65E1}.exe
    Filesize 408KB
    MD5 67264a21e134e86a2c5ffda1ad6ebd27
    SHA1 4483701871c697f799135fb42c96de100be55227
    SHA256 a2495adfce5d8b8f998577d72a232d6f4671c8b1f7fdae9f3363307456295ca9
    SHA512 4acb2f234d68cc125108d80f839d62058aba6e948fcce8bcc477423d70a6f7c834d918570ad748c62650c6eb4068bfb4f4412ea41727a0e01d54bec42ee67936

  • C:\Windows\{3938B86B-8E67-4158-B7E5-35A2AEFD3353}.exe
    Filesize 408KB
    MD5 8e504ce48905caeed6a279804dff2688
    SHA1 53a0764afbe8a44050bf2e6b3071ea40b1f6c1ad
    SHA256 786567f5a2c51cd2d35acb88d956c7aa0a21b490e0d90e4cefe2366c101e72d0
    SHA512 6db68bd43d9d4d11b161843c03152db8dccc4bbc5b6c5ae0ead1338bac3cc861b6d9897f36ec4f112f8a94c3d1534ff8b4bf824a95a15e6b5d70141c8f2d5363

  • C:\Windows\{3A05F7C6-C953-431e-B7A7-6DC7F3FBEF4F}.exe
    Filesize 408KB
    MD5 198febf251224eb28b0970eb21298975
    SHA1 e0d8e19b391b5ed36a114ad40cde5ca41be3fb50
    SHA256 14a07055af3ca602890e6b30f774a4efb677958fe2407b8fc896418eebc8fc21
    SHA512 ef8c8bba5e8337d11cd0f62b25e8ae6b2f39ae18c1bf03e64d4c2debdc62854309ba968bfb6ece30de8d36ffa11ae67eb1cc5d265c97b6a8f20b1e9a0d6c3f27

  • C:\Windows\{48AC6634-09CB-4c42-8231-45161EB43C93}.exe
    Filesize 408KB
    MD5 ecedc3b4c5153c7965237ab854bba6fd
    SHA1 17866a0466de1fcfca472befd2cfb8dd5860369b
    SHA256 43353767b3a15da46e75f48bd40cbaee5ef2e53a665bb3cf4a1959f620a8f567
    SHA512 0b0bfcbfede5cd3e136a43495ac1555555c8f695fd6fca73f94da7f76a95c139ed4d21818581a2529644d7e03ccaae1c8955687fe20cea65309b3c29c7b66e11

  • C:\Windows\{5D503DA1-8AC0-4bd5-83CE-51E93B005214}.exe
    Filesize 408KB
    MD5 73bb5e6a308670c48389eb7f94682a91
    SHA1 f425ab4b8b3e7a6b40d8672c40d659f0959cfc29
    SHA256 2f3342348571c78dbe1f82867e3377a9153f0697b04f80c30998d02f8ce4e2f7
    SHA512 4bf374a5d2702ff0757f8cfd09f94c6274193769bc3f80b1d2af8e7bd7bb405569eed6663f102f03fa3cb68575150b3a77023fb9bcd22ac636a5a38b794adbe3

  • C:\Windows\{6CD1A58F-F41F-440a-BF39-7FA11B2BACD8}.exe
    Filesize 408KB
    MD5 53cb58fa5196be9009d7090f9b2f0578
    SHA1 094871a00a4eb1f98eff9544b373723731e7bbda
    SHA256 f9bbeef5c8646fab207d2c7c3934a040b7358dae035d93daadaea594c285783a
    SHA512 0c98825ee38989c3e7b5fdc99b04e747dd6ac1cf1eeb0fa5fa05ed407a7e0b3cbe489d61e2ffa2c351bc2557c9372a08be04b2fc8d375c26b024e7c94c32c51c

  • C:\Windows\{942501AE-0BAA-4c45-9634-2678E1D2F591}.exe
    Filesize 408KB
    MD5 ac7807210ebf65c04a2a254ecc75442b
    SHA1 ddbd43be62767d5a51cbf529d0c5e84447b291ec
    SHA256 39f0507d72772eae2fa4af78d65df2f22ee982ae5702d8e9b49a35eeb8954611
    SHA512 06fde4208de4169da547ac9d94c2621175e48fc9d1a44fc2ad2f2a636e0b08553e21ec0b5b7613cc829d375beaa2ae8f72aaabe2f23f8ef3a5f6c1eda0453f93

  • C:\Windows\{A64C03B1-6DE4-4608-96C3-0F0AB3690F1A}.exe
    Filesize 408KB
    MD5 bbd06334bd63077832864c832ba542d5
    SHA1 2184e32b2cd2869c57ef0beca63730d62134e131
    SHA256 4285f4d9056750ea56eebd29ec6d4fc57313083d357fdd635e4258d6b34d4632
    SHA512 72533bf1c2696906b6a4d13b91eb86c7b22bb5ad49620e9be63c6d1118603cdb0d24d635432b83890a66bcefcbcc0970714b996d9fe815ee243c6e8ec1f21039

  • C:\Windows\{C5214514-921A-45d5-8C4E-F59F1ADCEF94}.exe
    Filesize 408KB
    MD5 fb7b620f79c468a34d0c7b91db14aa72
    SHA1 742918ee98460593e14eec684e005c77f1570f81
    SHA256 02375b2a9f24892a5d6f5298c0732648d46db438d18e0451cd491d4e1f0b80e2
    SHA512 830cb7a0a79938449a6e317446bda6d54527f876131c4eee9c9e165e4cd11cc61c7d8524e6d9b90b8170d49590f32df4db8dad1f5868d21e6b221efda745b911

  • C:\Windows\{EFBC2E0F-BCE5-4a5a-BA6A-B65465A1560F}.exe
    Filesize 408KB
    MD5 8deace27e43709f20b6bb4c9f0a3f1a9
    SHA1 8707b15388eb2fb8febb8556cb56d9d9c464c3f1
    SHA256 68e8132084e03d71c33fe6c6d879e0e4db894f4ba2934527075a858a430cad89
    SHA512 2d188379bee7e5dadd1bedc87e1682c0bd1e3078075e9a2367bae447344fa5a44c069f672ec82504efce70468313c4bbd53946495079e3476c841167736df5a1