Analysis

  • max time kernel: 149s
  • max time network: 125s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/03/2024, 23:28

General

  • Target: 2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
  • Size: 168KB
  • MD5: 6f7eefc4dcc19cf96d504a8d70f186ec
  • SHA1: 7f401dcbab81163ca78f4126cde960da282c3e34
  • SHA256: 2da291a4b4ede9f5a03b2c37df6a043eed126b6c3a488c3edf8e7f086dfc1ebb
  • SHA512: 271dee908d308300a63dd805bc6a74868552df15d176d9526ab20a4db67c07534c035b97bb168f0a4cbc8de8085cfbf2c582999f17a4ac4c20c484d0ee8a256c
  • SSDEEP: 1536:1EGh0ovlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovlqOPOe2MUVg3Ve+rX

Score
9/10

Signatures

  • Auto-generated rule (13 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  The sandbox process tree is thirteen levels deep and is listed here one stage per entry, with the depth from the tree given next to each PID. Each stage launches the next-stage executable dropped in C:\Windows and a cmd.exe child that deletes the stage's own executable. Every cmd.exe child runs as C:\Windows\SysWOW64\cmd.exe (the command line names C:\Windows\system32\cmd.exe, which WoW64 file-system redirection maps to SysWOW64 for a 32-bit parent); only the command line is repeated per entry.

  • Depth 1, PID 464: C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-02_6f7eefc4dcc19cf96d504a8d70f186ec_goldeneye.exe"
    Signatures: Modifies Installed Components in the registry; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 2, PID 3940): C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  • Depth 2, PID 3932: C:\Windows\{A3B7FFF7-35E2-438d-8CD6-655C2B39A951}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 3, PID 1016): C:\Windows\system32\cmd.exe /c del C:\Windows\{A3B7F~1.EXE > nul
  • Depth 3, PID 2620: C:\Windows\{6033F77B-1201-4192-9A20-4578E4AC9D91}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 4, PID 3184): C:\Windows\system32\cmd.exe /c del C:\Windows\{6033F~1.EXE > nul
  • Depth 4, PID 2760: C:\Windows\{B702087A-6271-48e1-B654-048916612255}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 5, PID 64): C:\Windows\system32\cmd.exe /c del C:\Windows\{B7020~1.EXE > nul
  • Depth 5, PID 1832: C:\Windows\{0D459E8F-EFC5-41fc-9915-E7DFB0CBBE6C}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 6, PID 1396): C:\Windows\system32\cmd.exe /c del C:\Windows\{0D459~1.EXE > nul
  • Depth 6, PID 4048: C:\Windows\{96B07A12-BBB8-47c0-B2C6-504FB8EDF56F}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 7, PID 1956): C:\Windows\system32\cmd.exe /c del C:\Windows\{96B07~1.EXE > nul
  • Depth 7, PID 3496: C:\Windows\{A74D6168-E472-442b-AFA7-3A3270527283}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 8, PID 4284): C:\Windows\system32\cmd.exe /c del C:\Windows\{A74D6~1.EXE > nul
  • Depth 8, PID 2080: C:\Windows\{61D0E909-6E6C-4dc0-9649-8352FB05D048}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 9, PID 2716): C:\Windows\system32\cmd.exe /c del C:\Windows\{61D0E~1.EXE > nul
  • Depth 9, PID 4516: C:\Windows\{EB9947C9-53B0-48ce-BEC3-0F6418F63653}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 10, PID 4524): C:\Windows\system32\cmd.exe /c del C:\Windows\{EB994~1.EXE > nul
  • Depth 10, PID 2232: C:\Windows\{4230D073-77CD-453c-A048-C265E7B6C88C}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 11, PID 4380): C:\Windows\system32\cmd.exe /c del C:\Windows\{4230D~1.EXE > nul
  • Depth 11, PID 2564: C:\Windows\{FF60991A-0B2A-4aaa-BEE4-345B87BF6463}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    Child cmd.exe (depth 12, PID 232): C:\Windows\system32\cmd.exe /c del C:\Windows\{FF609~1.EXE > nul
  • Depth 12, PID 3024: C:\Windows\{265103C9-430B-4f0a-9818-6BD7EE838406}.exe
    Signatures: Modifies Installed Components in the registry; Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
    Child cmd.exe (depth 13, PID 1052): C:\Windows\system32\cmd.exe /c del C:\Windows\{26510~1.EXE > nul
  • Depth 13, PID 2008: C:\Windows\{9CBF6982-3869-43b0-821D-45007428D1F7}.exe
    Signatures: Executes dropped EXE
    No child processes were recorded for this stage.
