Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 23:27

General

  • Target

    2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe

  • Size

    408KB

  • MD5

    60519da15958b25e42df8453c8d8608d

  • SHA1

    bd54a40bdff07aef1ce2c870492368b064982458

  • SHA256

    620766325486b4b603153ed34ab08978e3da9627f47f0b56623d4ef551b23671

  • SHA512

    badebc03c40bb371ec5748115c4dfd8ebbaa639034d524fbc1a631e3bd756ebfb380873957281c6443d97ddefed8bf77a935ce07dee37f35d578b96c95359c06

  • SSDEEP

    3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGvldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  Listed in launch order with the depth marker (N⤵) and parent PID taken from the tree. Each of the first eleven stages follows the same pattern: drop the next stage as a GUID-named executable in the root of C:\Windows, start it, then spawn cmd.exe /c del on its own 8.3 short name (for example {F1A75~1.EXE for {F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe) with output sent to nul, so every stage removes itself once its successor is running. The twelfth stage ({CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe, PID 4952) was the last process when the run ended and had not yet spawned its deleter. The cmd.exe image resolves to C:\Windows\SysWOW64\cmd.exe although the command line names system32: WOW64 file-system redirection, i.e. the stages are 32-bit processes on an x64 guest (cf. the arch:x86 resource tag).

  • 1⤵ PID 1580
    C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe"
    Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 2⤵ PID 1740 (parent 1580)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  • 2⤵ PID 4768 (parent 1580)
    C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 3⤵ PID 4664 (parent 4768)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD77~1.EXE > nul
  • 3⤵ PID 3628 (parent 4768)
    C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 4⤵ PID 4392 (parent 3628)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{558D6~1.EXE > nul
  • 4⤵ PID 1972 (parent 3628)
    C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 5⤵ PID 2040 (parent 1972)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC84~1.EXE > nul
  • 5⤵ PID 4332 (parent 1972)
    C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 6⤵ PID 2420 (parent 4332)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B17A4~1.EXE > nul
  • 6⤵ PID 5000 (parent 4332)
    C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 7⤵ PID 2556 (parent 5000)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{729AD~1.EXE > nul
  • 7⤵ PID 3216 (parent 5000)
    C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 8⤵ PID 1684 (parent 3216)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{06ADE~1.EXE > nul
  • 8⤵ PID 2304 (parent 3216)
    C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 9⤵ PID 2464 (parent 2304)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{50959~1.EXE > nul
  • 9⤵ PID 3888 (parent 2304)
    C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 10⤵ PID 5100 (parent 3888)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{77CB8~1.EXE > nul
  • 10⤵ PID 5004 (parent 3888)
    C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 11⤵ PID 4628 (parent 5004)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3DCD6~1.EXE > nul
  • 11⤵ PID 2612 (parent 5004)
    C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  • 12⤵ PID 1028 (parent 2612)
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F1A75~1.EXE > nul
  • 12⤵ PID 4952 (parent 2612)
    C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
    Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory
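Detection logic for the chain recorded in the process tree above, as an added example that is not part of the sandbox report. The process-creation records are constructed from the PIDs, images and command lines listed above; the Sysmon-style field names, the parent PID 0 for the submitted sample, and the 8.3 short-name rule (first six characters of the stem, "~1", upper-cased extension, which holds for every name in this report but not for names with spaces or extra dots) are assumptions of the example. It flags GUID-named executables launched from the root of C:\Windows, correlates each `cmd /c del ... > nul` with the parent it deletes, reconstructs the twelve-stage drop chain, and notes the SysWOW64 redirection that marks the stages as 32-bit.

```python
import re
from dataclasses import dataclass

# {8-4-4-4-12 hex}.exe directly under the Windows directory
GUID_EXE_RE = re.compile(
    r'^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}\.exe$')
# cmd.exe /c del <target> > nul, as used by every stage to remove itself
SELF_DEL_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:              # Sysmon-like process-creation record (assumed field names)
    pid: int
    ppid: int
    image: str
    cmdline: str


W = 'C:\\Windows\\'
# (pid, image) of the twelve stages in launch order, from the report's process tree
CHAIN = [
    (1580, r'C:\Users\Admin\AppData\Local\Temp\2024-03-02_60519da15958b25e42df8453c8d8608d_goldeneye.exe'),
    (4768, W + '{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe'),
    (3628, W + '{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe'),
    (1972, W + '{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe'),
    (4332, W + '{B17A416D-A83C-4226-BD76-03C874EED344}.exe'),
    (5000, W + '{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe'),
    (3216, W + '{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe'),
    (2304, W + '{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe'),
    (3888, W + '{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe'),
    (5004, W + '{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe'),
    (2612, W + '{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe'),
    (4952, W + '{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe'),
]
# (pid, parent pid, 8.3 target) of the cmd.exe deleters, from the same tree
CMD_DELETES = [
    (1740, 1580, r'C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE'),
    (4664, 4768, W + '{CCD77~1.EXE'), (4392, 3628, W + '{558D6~1.EXE'),
    (2040, 1972, W + '{EFC84~1.EXE'), (2420, 4332, W + '{B17A4~1.EXE'),
    (2556, 5000, W + '{729AD~1.EXE'), (1684, 3216, W + '{06ADE~1.EXE'),
    (2464, 2304, W + '{50959~1.EXE'), (5100, 3888, W + '{77CB8~1.EXE'),
    (4628, 5004, W + '{3DCD6~1.EXE'), (1028, 2612, W + '{F1A75~1.EXE'),
]


def build_events():
    """Constructed event stream: each stage's parent is the previous stage
    (parent 0 for the submitted sample is a placeholder, not from the report)."""
    events, ppid = [], 0
    for pid, image in CHAIN:
        events.append(ProcEvent(pid, ppid, image, f'"{image}"'))
        ppid = pid
    for pid, parent, target in CMD_DELETES:
        events.append(ProcEvent(pid, parent, r'C:\Windows\SysWOW64\cmd.exe',
                                f'C:\\Windows\\system32\\cmd.exe /c del {target} > nul'))
    return events


def short_name(path):
    """Simplified 8.3 alias: first six stem characters, '~1', upper-cased extension.
    Assumption: no spaces and a single '.', which is true for all names above."""
    stem, _, ext = path.rsplit('\\', 1)[-1].rpartition('.')
    return f'{stem[:6].upper()}~1.{ext.upper()}'


def wow64_redirected(e):
    """Image under SysWOW64 while the command line names system32:
    file-system redirection, so the parent is a 32-bit process on x64."""
    return '\\syswow64\\' in e.image.lower() and '\\system32\\' in e.cmdline.lower()


def detect(events):
    """Return (rule, pid) findings for the drop/execute/self-delete pattern."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if GUID_EXE_RE.match(e.image):
            findings.append(('guid_named_exe_in_windows_root', e.pid))
        m = SELF_DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        # only fire when the deleted 8.3 name is the parent's own image
        if m and parent and m['target'].rsplit('\\', 1)[-1].upper() == short_name(parent.image):
            findings.append(('parent_self_delete_via_cmd', e.pid))
    return findings


def drop_chain(events):
    """Follow the submitted sample through its GUID-named children; images in launch order."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chain, cur = [], next(e for e in events if e.ppid == 0)
    while cur is not None:
        chain.append(cur.image)
        cur = next((c for c in children.get(cur.pid, []) if GUID_EXE_RE.match(c.image)), None)
    return chain


if __name__ == '__main__':
    evs = build_events()
    for rule, pid in detect(evs):
        print(f'{rule:32} pid={pid}')
    print(f'{len(drop_chain(evs))} stages; {sum(map(wow64_redirected, evs))} WOW64-redirected cmd.exe launches')
```

The self-delete rule is deliberately tied to the parent's short name rather than to `del` alone: `cmd /c del` of an unrelated file is common in installers, while a child deleting the exact 8.3 alias of its parent's image is the signature of this family's cleanup. The `wow64_redirected` check is a cheap corroboration of the arch:x86 tag from the process log alone.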

Network

MITRE ATT&CK Enterprise v15

Downloads

  All eleven dropped stages are 408KB, the same size as the submitted sample, yet no two share a hash: each stage is rewritten before it is dropped.

  • C:\Windows\{06ADE9DB-E4B5-443d-8186-F20B9B77C05B}.exe
    Filesize  408KB
    MD5       f8cdaed21a8b002179a39d0ff888dfd7
    SHA1      9c48eb0f44ae3dfc12b5a73909235205285fbef8
    SHA256    177c9fa341083b4100f70e1528718ba0fd5fe95e5751a3f11fbccdf9a742ff43
    SHA512    8777ae8d97445b78a7de9b1fec648a3625e99a1b6d27e59ac15a43d32c1a22dc653d1e9d56148041599fdab96c392860cd871ff1761629a2367f837a6c988193

  • C:\Windows\{3DCD6A6F-9AD3-40b9-A55B-25B232A46B49}.exe
    Filesize  408KB
    MD5       c60865db9dc7cec55eeb4b031cb623bb
    SHA1      3793a5776ac32e42dd0137c511f01499b19acf31
    SHA256    30d9918665979210ae8088b0b8917a2587c8134f47395e6c91972c5bf43b7108
    SHA512    03d285b39ecb30618418e55aa2a11596a823f783d1cb0b5b288297f150b61d477f7f5b6c157fc31b797c9d866396122a732480f93c93371eefc5de670f928270

  • C:\Windows\{509598AB-4B3F-4e15-98CC-3A3C07E6D1DD}.exe
    Filesize  408KB
    MD5       de2a3345e71bbfe2e1e0ae0e7117cb2b
    SHA1      e3e87fbc6ffeba0c27d8ec355d05f03870e4206b
    SHA256    d9cd32e79b9252c7de95008894c36f5156ded46e9f11cc37d03995a47c65da0b
    SHA512    cd365f548a507bc2ebf31041a71d2da2d9f02965bc83cf89538b533073cdc033ac2f5d1cc554478087b8b658ef160534105ffa51c37d81bc7880eabbb416593b

  • C:\Windows\{558D66EA-34A4-426e-A7BB-6E728C6A0712}.exe
    Filesize  408KB
    MD5       2497466caab534f89f8df00398c9f42b
    SHA1      5abb0260b3041f4e7abb026c79aada6b17adcecc
    SHA256    6c1e2ccdca6cb783e31d0283d061842345329b028df00be04dd6fa01d399f5e7
    SHA512    e521fd7de442bff2ee20b275397e71dcb46079c99ff79040c7be5a1ea4f5b578b8c2a01cf88f17d040d02d8938aff945e819382c557f75921da27549990752b7

  • C:\Windows\{729AD2D4-5B03-4c9a-BE05-7D72620D03E9}.exe
    Filesize  408KB
    MD5       fa906f0320cd43ca254b88858ea380bb
    SHA1      66ef744ef0702a04b61a847277790e3b606c91af
    SHA256    5b4ec02fc08942aafe18aba8dc678d746d0db5a2c61edf5472ffa521b52cf385
    SHA512    0aa5ca3976572d857cfb7eba254f5ff22fa862ff5dd68ebf23f0193973cbc43e997bad54986ac75df07a726c5146d84c7a5a376b0338082c79cf7d9f9a1adb80

  • C:\Windows\{77CB8FBD-1CFD-498a-AA1E-485ED95732A2}.exe
    Filesize  408KB
    MD5       38840202eda6e5361a340efc55616d22
    SHA1      5c604014c232c5341ee604af65bcb7b4e22ce470
    SHA256    a48cd787ce82587c64974a523fedd97accd142adcde15aba9acb4c2411c0b579
    SHA512    ea8d6db81bd06bae687c9998f253a806aca1fcb1b8a8c6388d1a1a632e5977ef28e06ee14c53eea92b69e23f2f2d5361e0bf6ae18985b067d04e4099a285a61a

  • C:\Windows\{B17A416D-A83C-4226-BD76-03C874EED344}.exe
    Filesize  408KB
    MD5       5a2182df51dcdc9373e80db8898774b3
    SHA1      9bd01b4ef25721dacc17bc6c8bbf5d82b573169e
    SHA256    e55c9e1f281d321f9dfe6176ade0c1615339551b58faa152219792cc8d101e3d
    SHA512    e72c750acb6606c837b1e1504824400da4b512656b5806ce2d965a5f08adaa496d871fb10ae1467d7b79586ff48132bcfc8fa0492b192c0fe6cee0f12c070c2c

  • C:\Windows\{CC2EB825-DCB5-4f93-AE85-DE25677523EA}.exe
    Filesize  408KB
    MD5       81320bdc8cbc7973873ef338cb7066d1
    SHA1      6bfb3cb89e056fa6385b67e42a4f77c0cda4827f
    SHA256    1cd7d72d316024796e93e2f8ea848dd456063f3e572d0fb9507c6e94470911bb
    SHA512    71fa3d276fb20ceaeb1211458ca5e1fa331244ebd42c8edbfac57af81ceb6b978c02a1334e82215b5400c5e32d2cb6875c092c3e040e0d11325a5df8c4584b37

  • C:\Windows\{CCD77BBF-E7DB-49b6-8174-839B8225FABB}.exe
    Filesize  408KB
    MD5       a085988fcb2df201bc8e1e3a678b97f6
    SHA1      07feca3eb52f2f15b18c3ce53efc056e29ce453f
    SHA256    61e1ee1d51776e0d31e3d9f62c452a9190c8186f85d4d7e733fb2caa0e149a63
    SHA512    949e335c44bdcd256fd8b46ddd13be1863913591c996ca2038bb222b55b87675967643e7dd3c28da9d24400c70c470f581b0269d0323afe4fee1e941c27ea31f

  • C:\Windows\{EFC84F65-B632-4c1a-96B7-E1E529832E55}.exe
    Filesize  408KB
    MD5       78f6e86f4ad600d4760dc1b8b95b640d
    SHA1      3187b172307de9c91049366f82ba1178801ed67c
    SHA256    61833cf64da0c8e940d25429994c6f1aa6c6bbc33de4c1662239f2a933c6d34a
    SHA512    1226dc7c201ecfa85954e29da61833e80e82f19848e4137eb2e5000464a479cf79c37946845cfeee44d0c9feff1bc1798f45ed664383380426dbc118e38529a5

  • C:\Windows\{F1A754E4-E0CD-4a63-8965-AEF17971FB57}.exe
    Filesize  408KB
    MD5       f1bc830f25b0209f05e65544de850fbc
    SHA1      71cc48993ad9abfaea655e3141f8c114c8719529
    SHA256    f68e6701bea65de2e7f2a6a4a7ef94848527a1a142123c56f9ae8cd2283ccd71
    SHA512    d33d9dea7cb7ed742da7e4c73da874899acd1961f383b10eabf5fa66a1f13f0520375e62942be99986d2c4e7c87b3222cab7188dd4ae7cc7a50a2c96e38a3990