Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 16:31

General

  • Target

    2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe

  • Size

    408KB

  • MD5

    164de08d5920bce67bd0075809e6beb7

  • SHA1

    c840578699cf5038dc4093f890e17c19c8bad8a8

  • SHA256

    a201e4705b075bf42639fe006c80d8c6a1c97092cce9d540478a68a6605dc605

  • SHA512

    271a1af102f7877dfab8b99ce1295c4125b8743c092d7710b2b2b181a9023a286639b9a919998d4c5d2d0ea662860159f1fb7fb36ed8dfe3bc64a19f215b2c4b

  • SSDEEP

    3072:CEGh0ofl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGdldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe
      C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe
        C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3404
        • C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe
          C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:524
          • C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe
            C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1144
            • C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe
              C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2248
              • C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe
                C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4624
                • C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe
                  C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1188
                  • C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe
                    C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1860
                    • C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe
                      C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3584
                      • C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe
                        C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4056
                        • C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe
                          C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4488
                          • C:\Windows\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe
                            C:\Windows\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4424
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B49F1~1.EXE > nul
                            13⤵
                            PID:4792
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CD0C1~1.EXE > nul
                          12⤵
                          PID:928
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEC7~1.EXE > nul
                        11⤵
                        PID:1288
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{67EAA~1.EXE > nul
                      10⤵
                      PID:4476
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A5E71~1.EXE > nul
                    9⤵
                    PID:4724
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{DC392~1.EXE > nul
                  8⤵
                  PID:3528
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7928A~1.EXE > nul
                7⤵
                PID:220
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{98390~1.EXE > nul
              6⤵
              PID:2432
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7A1D8~1.EXE > nul
            5⤵
            PID:780
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4047F~1.EXE > nul
          4⤵
          PID:2376
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1487~1.EXE > nul
        3⤵
        PID:1188
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:1080
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2164
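The process tree above repeats one loop at every depth: the running executable drops a fresh C:\Windows\{GUID}.exe, executes it, and then spawns cmd.exe /c del against its own file using the 8.3 short name (C:\Windows\{B49F1~1.EXE for {B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe). The Python below is an added example, not part of the Triage report or of the sample: it replays the tree as constructed Sysmon Event ID 1 style records (the pid/ppid/image/cmdline fields and the launcher PID 1000 are assumptions) and runs the detection logic a SOC would apply to real process-creation telemetry: building the tree while tolerating PID reuse (PID 1188 is held by a cmd.exe at depth 3 and later by {A5E7109D-...}.exe at depth 8), matching each cmd.exe deletion back to its parent's 8.3 alias, and measuring how deep the chain of GUID-named executables runs.

```python
import re

# Two behaviours copied from the report's process tree: every stage runs as
# C:\Windows\{GUID}.exe, and every stage erases its own file through
# "cmd.exe /c del <8.3 short name> > nul" before it exits.
GUID_EXE = re.compile(r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}"
                      r"-[0-9A-Fa-f]{12}\}\.exe$", re.IGNORECASE)
CMD_DEL = re.compile(r'cmd\.exe\s+/c\s+del\s+"?(?P<target>[^"\s>]+)"?\s*>\s*nul', re.IGNORECASE)
NOT_83 = re.compile(r"[^A-Za-z0-9!#$%&'()@^_`{}~\-]")  # characters an 8.3 name cannot contain


def short_name_candidate(path):
    """Derive the 8.3 alias Windows most likely gave a long file name. Assumes '~1'
    (no earlier collision); only the filesystem knows the real alias, so treat as a guess."""
    directory, _, name = path.rpartition("\\")
    base, _, ext = name.rpartition(".") if "." in name else (name, "", "")
    base, ext = NOT_83.sub("", base).upper(), NOT_83.sub("", ext).upper()
    if len(base) <= 8 and len(ext) <= 3 and name.upper() == f"{base}.{ext}".rstrip("."):
        return path  # already a valid 8.3 name, Windows generates no alias
    return f"{directory}\\{base[:6]}~1.{ext[:3]}"


# The report's chain: image, PID, the 8.3 path its own "del" used (copied from the
# report) and the PID of that cmd.exe. The last stage was never deleted.
WIN = "C:\\Windows\\"
STAGES = [
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-03-02_164de08d5920bce67bd0075809e6beb7_goldeneye.exe",
     3032, "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE", 1080),
    (WIN + "{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe", 3624, WIN + "{C1487~1.EXE", 1188),
    (WIN + "{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe", 3404, WIN + "{4047F~1.EXE", 2376),
    (WIN + "{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe", 524, WIN + "{7A1D8~1.EXE", 780),
    (WIN + "{98390355-6891-402d-927A-52B1E7189C9B}.exe", 1144, WIN + "{98390~1.EXE", 2432),
    (WIN + "{7928A926-96D1-4569-8672-1371AB35C300}.exe", 2248, WIN + "{7928A~1.EXE", 220),
    (WIN + "{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe", 4624, WIN + "{DC392~1.EXE", 3528),
    (WIN + "{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe", 1188, WIN + "{A5E71~1.EXE", 4724),
    (WIN + "{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe", 1860, WIN + "{67EAA~1.EXE", 4476),
    (WIN + "{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe", 3584, WIN + "{ACEC7~1.EXE", 1288),
    (WIN + "{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe", 4056, WIN + "{CD0C1~1.EXE", 928),
    (WIN + "{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe", 4488, WIN + "{B49F1~1.EXE", 4792),
    (WIN + "{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe", 4424, None, None),
]


def constructed_events():
    """Sysmon Event ID 1 style records (constructed, not a real export) in plausible
    chronological order: each stage launches its successor, then its own deleter.
    The launcher PID 1000 is invented and does not appear in the report."""
    events = []
    for i, (image, pid, _, _) in enumerate(STAGES):
        ppid = STAGES[i - 1][1] if i else 1000
        events.append({"pid": pid, "ppid": ppid, "image": image, "cmdline": f'"{image}"'})
        if i:  # the previous stage deletes itself right after launching this one
            prev_image, prev_pid, prev_target, prev_cmd_pid = STAGES[i - 1]
            events.append({"pid": prev_cmd_pid, "ppid": prev_pid, "image": WIN + "SysWOW64\\cmd.exe",
                           "cmdline": f"C:\\Windows\\system32\\cmd.exe /c del {prev_target} > nul"})
    return events


def build_tree(events):
    """Link each event to its parent. A PPID refers to whichever process most recently
    held that PID, which is how PID reuse (1188 in the report) is resolved."""
    nodes, live = [], {}
    for idx, ev in enumerate(events):
        node = {**ev, "idx": idx, "parent": live.get(ev["ppid"]), "children": []}
        nodes.append(node)
        if node["parent"] is not None:
            nodes[node["parent"]]["children"].append(idx)
        live[ev["pid"]] = idx
    return nodes


def analyze(events):
    """Flag GUID-named executables in the Windows directory launching each other,
    with each one erasing its own file through cmd.exe."""
    nodes = build_tree(events)
    dropped = [n for n in nodes if GUID_EXE.match(n["image"])]
    self_deleted, unmatched = [], []
    for n in nodes:
        m = CMD_DEL.search(n["cmdline"])
        if not m:
            continue
        parent = nodes[n["parent"]] if n["parent"] is not None else None
        if parent and short_name_candidate(parent["image"]).lower() == m["target"].lower():
            self_deleted.append(parent["image"])
        else:
            unmatched.append(m["target"])  # a deletion that is not a self-delete: inspect by hand

    def guid_depth(n):  # longest parent->child run of GUID-named executables below n
        kids = [nodes[c] for c in n["children"] if GUID_EXE.match(nodes[c]["image"])]
        return 1 + max((guid_depth(k) for k in kids), default=0)

    roots = [n for n in dropped
             if n["parent"] is None or not GUID_EXE.match(nodes[n["parent"]]["image"])]
    longest = max((guid_depth(r) for r in roots), default=0)
    return {
        "dropped_guid_exes": len(dropped),
        "longest_guid_chain": longest,
        "self_deleted": self_deleted,
        "not_self_deleted": [n["image"] for n in dropped if n["image"] not in self_deleted],
        "unmatched_deletes": unmatched,
        "suspicious": longest >= 3 and len(self_deleted) >= 1,
    }
```

Run against the constructed replay, analyze() reports 12 GUID-named executables, a 12-deep chain, 12 self-deletions (the original sample plus 11 drops) and exactly one survivor, {0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe, which is the file a responder would still find on disk. The 8.3 derivation assumes a ~1 suffix; on a live host confirm the alias with the filesystem (dir /x). The "Modifies Installed Components in the registry" signature refers to the Active Setup key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components; the report counts 24 IoCs there without listing the values, so check that key on a suspect host as well.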

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0E824713-12B6-4dc4-B02C-D8CC6B3515F7}.exe
    Filesize 408KB
    MD5 a28b95e4c2afdfc172591f374bfafa4e
    SHA1 b043104438e486f83235430f15ecdc261825a9d7
    SHA256 0ca7c450fa96d1cd359341643c9a181a92930275443ad76bcc3230e52fc3f9a6
    SHA512 b7ca8ee701100f494f46f652bcbce4f34bfcca05a4d73dd4d9724e2d3a7ffcc02fcd2a2e1dae542ee5407f1ede132eeb36309c824b5fb8410c9e9754c95528d1

  • C:\Windows\{4047F151-F5B3-428c-9065-74BB13FC01E7}.exe
    Filesize 408KB
    MD5 6822c062a6193fc9b110d60141911442
    SHA1 832a2bab459971279a0be22c3c497895824b24d9
    SHA256 e781bc9ede80c86fef40af68046924dc316223acfca632c267ad00919dd4a3d7
    SHA512 53ff51dd2268aa28c81cc99ad442b30eab518bb9036f442e15e4969bde08e24e3d3cc58a26809460eb262fb452c9d7d8f6f5e5f59d97b390b57bca05c754d0e5

  • C:\Windows\{67EAA800-E614-40a1-B7DD-0D97095EE950}.exe
    Filesize 408KB
    MD5 0e95545d51ecdd67ba0b934041f13241
    SHA1 122464d3c861bd3eb1b6597117880d35863ab140
    SHA256 1230ffe58a9718cce1d4c9ba854a02066442af221f47da2e658f2be5d7153105
    SHA512 85f23502b4852fb12d347a458089acd1ae69549048e5535d07de1efbb9fb283a5974d44cc4ea9669df5226309179c2e564712bcb400601fc1ac79565da84a193

  • C:\Windows\{7928A926-96D1-4569-8672-1371AB35C300}.exe
    Filesize 408KB
    MD5 47e04ced1c2db2935026a227926ebcd6
    SHA1 a3c4c4a3942771b5742ccf8693212ee101079fec
    SHA256 3b29723d796787d129b5dbc005498142c3ae95cb1b0e48ca8f214650933184f8
    SHA512 05e3bb029e3b233e01dd135be42e38f481950302701862379b57d327709031f495c4b3da546b37d2dab8bc0f6c87e1149078b0e03868e1690a12db7f28f456d5

  • C:\Windows\{7A1D86F5-EEAC-407a-9CA1-BE4569038184}.exe
    Filesize 408KB
    MD5 7b63b31385159d4733045e1054b49edb
    SHA1 1b93e4f9f8acc0becefeda31befe305c2b242e87
    SHA256 1ada88a4b298996703f2e652ef6189d519eb5d8c9c51e7320c17ee08f27e3b69
    SHA512 9742b6540feab5d1cdd238aa3c4559488fd444b07a9728d145c3e9c932658925abda330464e2f3b75ace26f739302aae4b94be9e0c87d61f95f41b4d84a29c5e

  • C:\Windows\{98390355-6891-402d-927A-52B1E7189C9B}.exe
    Filesize 408KB
    MD5 ef5499a41592997ec8ca74cf3f689649
    SHA1 84517388825a894c75b4093b1a682f664f73061e
    SHA256 0e6bc8ee87b54ceab7ff4e5c35d6ed8f239bc8134535b7789b73ac2be0c6703b
    SHA512 e3ab069f94ad4223a2147b11ac4952d85f24c02b99bb5e6e0668fb0f2a6b6fe0cb13a860c3d2501ed6b3013722b13ef83885a3844be9adb309447c590011eb45

  • C:\Windows\{A5E7109D-AE94-4470-B6F7-5F31C9834698}.exe
    Filesize 408KB
    MD5 b9293e774cd94a788396b30464b8b819
    SHA1 20d02816fb2e7f4b5c36a05ddc0595b0d1f29757
    SHA256 665e27cebcc4f7321cf2aef0f59028e03e59bfa4f837a463686834b3fd883104
    SHA512 146a2b92685951b35da8fc3a83ef82227eee727ed3e7c7f6aa82ac35a0a21b801282ce765d4a1121ad7e9253040e839175cda4366525f006952917a32c1c7614

  • C:\Windows\{ACEC787B-2000-486e-8202-B09C9CF892D1}.exe
    Filesize 408KB
    MD5 4d84f15606401cb742f115d34744371f
    SHA1 6839f696ec877dff4554ad58eaba66877e015c9d
    SHA256 95c99d02c81794e2e2efb5d101383834936f522e002d3f2d704f4e286dc609ff
    SHA512 e7c81211fd1fbe2fdb093f5412b28d80c9166f38432d1adcfe6085256c3613f2c50a38b6e111b1fff9b07f6529379d9a5cbb736713115f4e0d02ba5a84587737

  • C:\Windows\{B49F18D3-5A3B-4067-9364-726C5BCC3E29}.exe
    Filesize 408KB
    MD5 fc72558249d967002775beed8e140ae7
    SHA1 e1f511923db1756a88595ea9a9ed5fdc25f6fa94
    SHA256 5d522fbe1de227a84c9a46a0743b0d0776091364a0015cdf01010262d76173b0
    SHA512 9a261cd4b793605895273a5b1ffa74cc2467ab20e2730c2bbc62b9effc0e97bc4a1a6ca7d21060c975dc4f814e780ed80994708e45f8456f6d62482599967ba5

  • C:\Windows\{C1487626-296C-4ab4-9CF2-9151C92E0F26}.exe
    Filesize 408KB
    MD5 6a44eea4d9ee4644da0f417a6e62c31c
    SHA1 8180cafbc6821cbee7168eaf3516d243d30f5f8a
    SHA256 af427ca61bc00f5de18b688fdc8d7e821610d655ac9c0879d5d749ed720edd93
    SHA512 199fd36ce92ee3e75338dfad55c7f13034d2b4baa070b78ce87cf0d7415c2b08574bb89fcbc32fb315dec949861a7cc117a18c7bed7242ac72728ffca97aec9f

  • C:\Windows\{CD0C126D-BF7F-464c-81D5-20282407A79C}.exe
    Filesize 408KB
    MD5 88f0d17a1e9c2fd69373dc00d9fe0e0a
    SHA1 35c46a0e8ce212f83cdc1bf706ac231c7486fcb4
    SHA256 de97abc898f3a2470951d7f53b5b1fbd68ea7917e84899a220c6ddf01d7f696c
    SHA512 0f22a6fb9ea991fd94a272e4ae8f88ef009e02b112989f814a3c257a73877508986d21ce92454e92a5b40078d2d64b87735f22bbd4c8628ae0747f8fc9202f67

  • C:\Windows\{DC392DD0-8D27-48d0-86CE-67B54EFF477F}.exe
    Filesize 408KB
    MD5 20f72f12d151ec7fe7922214446a59d9
    SHA1 74df359bd98fc9de661547848b231b6a4995ed56
    SHA256 8ad33bbca96bee57753115962efdf01433c728d71daa5ac143a319e411bb46de
    SHA512 c2323265e5d5e225056c25198401e632cbe99abb94b88595dcf04befc5d36dbdd4c484dfe257f298302f9b3b40e718b695359e5efa08bbdbb777faf9980dfddc