Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 23:29

General

  • Target

    2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe

  • Size

    197KB

  • MD5

    7700691d1d8ba6023d1d9bbaa3de7429

  • SHA1

    d6e1723304c1fea09129871ff9e6fe1cb83ef91a

  • SHA256

    e48951fb1eb66395f19027038718abafe06697d96adda70534ba15c0cc7ac7a8

  • SHA512

    c0e6f62e9bc01b77fa423855f382da849b4718cc6cc55696cc08a5b554ebcd0d82a92248d99f8733f08bb0a166004b12c8e0061fa0cb0f8018cb9273263fc5be

  • SSDEEP

    3072:jEGh0oZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGrlEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_7700691d1d8ba6023d1d9bbaa3de7429_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe
      C:\Windows\{AB45CC08-B088-4182-9AF2-5EFB265E37F3}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe
        C:\Windows\{8B40133E-EDB2-4d22-9EBD-A94C9E811FE2}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe
          C:\Windows\{EF94757C-4601-43e2-95FB-3473002162AD}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2976
          • C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe
            C:\Windows\{8CD404AF-B0E0-4e0d-BDC6-E112FEC650AC}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe
              C:\Windows\{4CD4879C-A249-48a3-A27A-C43BB29809A3}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3252
              • C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe
                C:\Windows\{134A54BE-D340-4ac4-9B47-C24BD3AB8B2E}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3220
                • C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe
                  C:\Windows\{86F677AC-1CE9-4b3f-81A9-5A8F80FC99E6}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5044
                  • C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe
                    C:\Windows\{E60F097E-7A63-4d31-82E6-6F6233D7EAA4}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4956
                    • C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe
                      C:\Windows\{23165439-5507-40d0-87E0-44DA67AD8BBA}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1420
                      • C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe
                        C:\Windows\{68F3B260-ECB9-419f-A6E0-75228242B783}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3140
                        • C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe
                          C:\Windows\{3918B111-817E-44b2-B903-8496C332C94B}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4704
                          • C:\Windows\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe
                            C:\Windows\{B29C7468-FA74-4bd9-8F20-7290C473AA9E}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:116
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3918B~1.EXE > nul
                            13⤵
                            PID:64
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{68F3B~1.EXE > nul
                          12⤵
                          PID:1992
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{23165~1.EXE > nul
                        11⤵
                        PID:2440
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E60F0~1.EXE > nul
                      10⤵
                      PID:3564
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{86F67~1.EXE > nul
                    9⤵
                    PID:2180
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{134A5~1.EXE > nul
                  8⤵
                  PID:4068
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{4CD48~1.EXE > nul
                7⤵
                PID:3256
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8CD40~1.EXE > nul
              6⤵
              PID:4048
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{EF947~1.EXE > nul
            5⤵
            PID:408
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8B401~1.EXE > nul
          4⤵
          PID:5072
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB45C~1.EXE > nul
        3⤵
        PID:3400
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:5104

Network

MITRE ATT&CK Enterprise v15

Downloads
