Analysis

  • max time kernel
    178s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 23:27

General

  • Target

    2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe

  • Size

    168KB

  • MD5

    635a3c6b18af3c5dd32a436fb72efa92

  • SHA1

    08a6d06c96872312e9ca0002face7a846d47e040

  • SHA256

    e1770ead4434b67171cf14b48930772591b925b0fd06f781d53dde21a5047f8f

  • SHA512

    c6282bbfbf9b4681735aa2dea1652ea8daf81c9d4e9f06ca5805f04f4b88176d0740bf6575d38dce4518131266cf226f1c5f5494f8f656d257a1c116f435f8ff

  • SSDEEP

    1536:1EGh0otlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0otlqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 9 IoCs
  • Modifies Installed Components in the registry 2 TTPs 18 IoCs
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe
      C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4436
      • C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
        C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3088
        • C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
          C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:224
          • C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
            C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3548
            • C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe
              C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2656
              • C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
                C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4324
                • C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
                  C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3884
                  • C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
                    C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5000
                    • C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
                      C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
                      10⤵
                      • Executes dropped EXE
                      PID:1324
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{36223~1.EXE > nul
                      10⤵
                      PID:3440
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC88~1.EXE > nul
                    9⤵
                    PID:2404
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E8A5E~1.EXE > nul
                  8⤵
                  PID:2660
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{FB353~1.EXE > nul
                7⤵
                PID:4432
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4F37E~1.EXE > nul
              6⤵
              PID:3916
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F4C3E~1.EXE > nul
            5⤵
            PID:4192
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{858AB~1.EXE > nul
          4⤵
          PID:4992
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27AB6~1.EXE > nul
        3⤵
        PID:4380
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:208
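
The process tree above shows the whole behaviour of this sample: each stage writes a {GUID}.exe into the root of C:\Windows, starts it, and then removes its own image with cmd.exe /c del <8.3 short name> > nul, nine generations deep. The script below is an added example (not part of the sandbox report) that turns those two behaviours into detection logic and runs it over process-creation records reconstructed by hand from the tree. The ProcEvent record, the analyse/classify functions, the parent PID of the root process (1234) and the benign control event are all assumptions made for the example; the short-name check assumes the 8.3 name keeps the first six characters of the long name, which holds for the names seen here.

```python
"""Detection logic for the drop-and-delete chain in the process tree above.

Added example: the event records are reconstructed by hand from the
report's process list (PID, parent PID, image, command line); they are
not Sysmon/ETW output from the sandbox.  The parent PID of the root
process and the benign control event are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# {GUID}.exe sitting directly in C:\Windows (not in a subdirectory).
GUID_EXE_RE = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# "cmd.exe /c del <8.3 short name>.EXE > nul": the self-delete step.
SELF_DELETE_RE = re.compile(
    r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+~\d+\.exe)\s*>\s*nul", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def short_prefix(path: str) -> str:
    """First six characters of the basename: the part an 8.3 short name keeps
    for the names seen here (no spaces or dots among those six characters)."""
    return path.rsplit("\\", 1)[-1][:6].lower()


def classify(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """Return a finding name for one process-creation event, or None."""
    if GUID_EXE_RE.match(ev.image):
        return "guid_exe_in_windows_root"
    m = SELF_DELETE_RE.search(ev.cmdline)
    if ev.image.lower().endswith("\\cmd.exe") and m:
        parent = by_pid.get(ev.ppid)
        # Self-deletion: the short name being deleted is the parent's own image.
        if parent and short_prefix(m.group("target")) == short_prefix(parent.image):
            return "parent_self_delete_via_cmd"
        return "del_short_name_to_nul"
    return None


def chain_depth(by_pid: Dict[int, ProcEvent], pid: int) -> int:
    """Number of consecutive GUID-named processes from pid up its ancestry."""
    depth, ev = 0, by_pid.get(pid)
    while ev is not None and GUID_EXE_RE.match(ev.image):
        depth, ev = depth + 1, by_pid.get(ev.ppid)
    return depth


def analyse(events: List[ProcEvent]) -> Tuple[Dict[str, List[int]], int]:
    by_pid = {e.pid: e for e in events}
    findings: Dict[str, List[int]] = {}
    for ev in events:
        kind = classify(ev, by_pid)
        if kind:
            findings.setdefault(kind, []).append(ev.pid)
    longest = max((chain_depth(by_pid, p) for p in by_pid), default=0)
    return findings, longest


# Constructed from the report's process tree: (pid, ppid, image).
_W = r"C:\Windows\{"
_TEMP = r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"
_CHAIN = [
    (3748, 1234, _TEMP),  # ppid 1234 is assumed; the report does not show it
    (4436, 3748, _W + "27AB6528-A448-4be0-84B3-B15D4137180F}.exe"),
    (3088, 4436, _W + "858AB40B-0C5D-485a-937A-81F60B45E79D}.exe"),
    (224, 3088, _W + "F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe"),
    (3548, 224, _W + "4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe"),
    (2656, 3548, _W + "FB3535E9-8060-499d-85FD-985CB9624787}.exe"),
    (4324, 2656, _W + "E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe"),
    (3884, 4324, _W + "EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe"),
    (5000, 3884, _W + "362236B6-37AA-497b-9F3A-E79D52D10E33}.exe"),
    (1324, 5000, _W + "FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe"),
]
_DELETES = [
    (3440, 5000, _W + "36223~1.EXE"), (2404, 3884, _W + "EFC88~1.EXE"),
    (2660, 4324, _W + "E8A5E~1.EXE"), (4432, 2656, _W + "FB353~1.EXE"),
    (3916, 3548, _W + "4F37E~1.EXE"), (4192, 224, _W + "F4C3E~1.EXE"),
    (4992, 3088, _W + "858AB~1.EXE"), (4380, 4436, _W + "27AB6~1.EXE"),
    (208, 3748, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]
EVENTS = (
    [ProcEvent(p, pp, img, f'"{img}"') for p, pp, img in _CHAIN]
    + [ProcEvent(p, pp, r"C:\Windows\SysWOW64\cmd.exe",
                 rf"C:\Windows\system32\cmd.exe /c del {t} > nul") for p, pp, t in _DELETES]
    # Benign control event (made up): an ordinary cleanup, not a self-delete.
    + [ProcEvent(9001, 1234, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\build.log")]
)

if __name__ == "__main__":
    found, depth = analyse(EVENTS)
    for kind, pids in found.items():
        print(f"{kind}: {len(pids)} event(s) {pids}")
    print(f"longest chain of GUID-named executables: {depth}")
```

Run on the reconstructed events, this flags the nine GUID-named launches and the nine self-deletions (eight in C:\Windows plus the original in Temp), ignores the control event, and reports a chain depth of 9. Tying the deleted short name to the parent's image is what separates the self-delete pattern from ordinary cmd.exe cleanup, which would otherwise be noisy on a real host.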

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe
    Filesize  168KB
    MD5       80b0abcb082d91d4bc9b758185f5a7fc
    SHA1      619d17c84eedfb4e260c284fb2f0b6777db4cc80
    SHA256    cd4a6d297c643207782ade5e00319cf394bc43acd34dcf197ea6c65c67f8925b
    SHA512    fe16615944c8cfefd207674fe453693fb38a6f4b5b8a3446769c2456caef321f9a912eb95017a0aae561fde3539e34d09a1a19f20fc45632ee6a6a0b1fc490d4

  • C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
    Filesize  168KB
    MD5       bb9bb0787d340588e4321717d25f4448
    SHA1      dfc0ffc7a44c40098709c612ae20e8ca28ff62a8
    SHA256    833693c5faa31cddd7c1a7f58c3e23ac324bbab86a44fecc40c2e1c67e7a74e0
    SHA512    346e3e48942d280ebf1e54647ce8bd45350613292c34a110aa28ed86d0e8e33bf94449960aaaba16b0038289b4f0de6de7fcfde1c34e7ba76e4cd17fee384b62

  • C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
    Filesize  168KB
    MD5       fb032d75e69fc91738a0a970e10ca438
    SHA1      6f45843e2ebd65c7eb4be9c8431e47a6fc8b1ef7
    SHA256    b80b48b7374811a235a0d377508f0b8a09a9ec094d2f9f0ea6646230a9620acc
    SHA512    6cb2925fe4bb3b61a2bbf2b131b9070b60e496009836361c081d1aeaf52730e54361d08a8a02ff9e69a402028f5324764b505ac6ac2b6ff54ee8f4f6ec8ac4e9

  • C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
    Filesize  168KB
    MD5       f314fb6dcc91d777e9f8fdabdc8b41fb
    SHA1      f22d8ebad4319da351818f5112525327647f2fec
    SHA256    9c628763541afdba653b5302f097187ed23942da3b9085e4044e7ab6388b1eb9
    SHA512    48b1a64ec9c9cd228edde66017c509b2ea9e52e00b68b485d62dc6455a9167c32a158fb9c8915715acca22741510314d0ef70b5d8c00e21bfa20f873a60cd3fe

  • C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
    Filesize  168KB
    MD5       910eb6415da30ed7947fcab3fc9bb58e
    SHA1      b99bdbf53bc9c01c1634e9ebc503f8d24a64f1cd
    SHA256    7c9fc572758e6f28bd6c195e674fdad65b545771c6f8321cb87b1fd22673d75f
    SHA512    fe4cbb6beb0401315123936dbe9f92da8bcc524dc4e96471fed59e55765b1a9a7d7ca67dd66ba45e7f6b78e540d4e312bef804a9d7c2f569694db44ddf2d7e1d

  • C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
    Filesize  168KB
    MD5       d58b02f5a70aa36ba0e722076458c5a3
    SHA1      46449b00de722ce5e6965652aef10d0ffdef0deb
    SHA256    0b39b3b13ab872cbe3f46aa869f46f443bd9d2d5be33da914df1a31be8c51190
    SHA512    bf27746c0f2a27b91532ad01c590f702aa97cad8029c9cd7f35f127cf28982a212e31742882aff9db5af77ff76773344e2ad847ee4c04b288fbdd9a2261ee90c

  • C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
    Filesize  168KB
    MD5       b0b002113bfbe3e1bebea22b10b8876d
    SHA1      608ef026db226b020c30449a4dc111f93bb63784
    SHA256    8fa543302070d433acf18b172bc70670d16ec83dd118731049ca95574558dbc1
    SHA512    d9f8c8d080ea7320d2f77793f82d1cd3bce7d6bd8b56b7385dffbe1e72c3e9aea641613f558bc40ae6fd8b339b49da27d7507f9a4f259774edaf827489dea233

  • C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
    Filesize  168KB
    MD5       8ff9766b1bc7e0685489c01d2455732b
    SHA1      aa6ada078fd92fa806be71dddb8442ffdbbef046
    SHA256    bf4ba5671c5917dc44c5f979eaf048fafb0c4d4f86a3beae6bea34f6f41eda0b
    SHA512    0bc3483e0e75cdb10e8c44ce7996e75b1a65533609621619a7db423af023f693b4349c2b362b43db18fd273bddae03fb2b8ea79ba953af5430dcc78e740e95d7

  • C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe
    Filesize  168KB
    MD5       7f920956bf055810e088a31f7f2895c3
    SHA1      1a53a8abe8d2042df2016a5c53904149e24822b2
    SHA256    8326b89edca6f74dcf05e5140feb8ed4c3304ff517b77f4aa6f557d626a64a9b
    SHA512    6e0ee78416bad0c95de67c51ccb99d9237a02ce15b542590d8f476c7ea4435b2dfd5fc8201cebc3121562ebffa80187fff2e965ae7926c68b3a1cce634be9e20
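
All nine dropped files are 168KB, the same size as the submitted sample, yet no two of them share a hash, so each generation is rewritten before it is dropped. Exact-hash IoCs from this list therefore only match this particular run; the durable signal for hunting is a {GUID}.exe sitting directly in the Windows directory. The script below is an added example, not part of the sandbox report: it scans the top level of a Windows directory for that naming pattern, hashes each match and says whether the SHA256 belongs to this report's dropped-file set. The hunt/demo functions and the directory the demo creates are constructed for the example; the hash set is copied from the Downloads list above.

```python
"""Host-side hunt for the dropped files listed above.

Added example, not part of the sandbox report.  It scans the top level of a
Windows directory for {GUID}.exe files, hashes each one and reports whether
the SHA256 is in the report's dropped-file set.  The demo directory and the
files it contains are constructed here; the hash set is copied from the
Downloads list.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List

# SHA256 -> file name, copied from the Downloads section of the report.
DROPPED_SHA256: Dict[str, str] = {
    "cd4a6d297c643207782ade5e00319cf394bc43acd34dcf197ea6c65c67f8925b": "{27AB6528-A448-4be0-84B3-B15D4137180F}.exe",
    "833693c5faa31cddd7c1a7f58c3e23ac324bbab86a44fecc40c2e1c67e7a74e0": "{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe",
    "b80b48b7374811a235a0d377508f0b8a09a9ec094d2f9f0ea6646230a9620acc": "{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe",
    "9c628763541afdba653b5302f097187ed23942da3b9085e4044e7ab6388b1eb9": "{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe",
    "7c9fc572758e6f28bd6c195e674fdad65b545771c6f8321cb87b1fd22673d75f": "{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe",
    "0b39b3b13ab872cbe3f46aa869f46f443bd9d2d5be33da914df1a31be8c51190": "{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe",
    "8fa543302070d433acf18b172bc70670d16ec83dd118731049ca95574558dbc1": "{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe",
    "bf4ba5671c5917dc44c5f979eaf048fafb0c4d4f86a3beae6bea34f6f41eda0b": "{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe",
    "8326b89edca6f74dcf05e5140feb8ed4c3304ff517b77f4aa6f557d626a64a9b": "{FB3535E9-8060-499d-85FD-985CB9624787}.exe",
}
# {GUID}.exe as a bare file name (the caller decides which directory to scan).
GUID_EXE_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(windows_dir: str) -> List[Dict[str, object]]:
    """Report every {GUID}.exe directly under windows_dir.

    A name match alone is already worth triage: nothing legitimate lives in
    the Windows root under this naming.  The hash lookup then tells a file
    from this exact run apart from a fresh generation of the same dropper.
    """
    hits: List[Dict[str, object]] = []
    for name in sorted(os.listdir(windows_dir)):
        full = os.path.join(windows_dir, name)
        if not os.path.isfile(full) or not GUID_EXE_RE.match(name):
            continue
        digest = sha256_file(full)
        hits.append({
            "path": full,
            "size": os.path.getsize(full),
            "sha256": digest,
            "known_sample": DROPPED_SHA256.get(digest),  # None if not in the report
        })
    return hits


def demo() -> List[Dict[str, object]]:
    """Constructed stand-in for C:\\Windows: one GUID-named file with
    placeholder content, plus one ordinary file that must be ignored."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "{27AB6528-A448-4be0-84B3-B15D4137180F}.exe"), "wb") as f:
            f.write(b"constructed placeholder, not the real dropped file\n")
        with open(os.path.join(d, "explorer.exe"), "wb") as f:
            f.write(b"ignored: not a GUID-style name\n")
        return hunt(d)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

In the demo the GUID-named file is reported with known_sample set to None, because its content is a placeholder rather than the dropped binary: exactly the outcome to expect on a host hit by a later generation of this dropper, and the reason the name pattern, not the hash, should drive the alert.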