Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02/03/2024, 16:34

General

  • Target

    2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe

  • Size

    216KB

  • MD5

    1d83b5d5a996b10bd072a83df62b3ae2

  • SHA1

    ebf526a1a66ebc4bf0b65b312c817c31274c2614

  • SHA256

    ab47f60e736382aaea83ac449682a8908b0f8fbb644d20ff975d9e27f82025c8

  • SHA512

    d06fa8d130a29711cdce26c8ec8b9a29dcb93d489b6d9e51399c9d8ae70efc2dd151644390b794e1eecd65d4213ba2c275f97d91ef1f0778612c9070a862b682

  • SSDEEP

    3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGtlEeKcAEcGy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
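The "Modifies Installed Components in the registry" signature refers to HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. At logon Windows runs a component's StubPath for every user whose HKCU copy of that component is missing or carries a lower Version, which makes the key a per-user persistence point. The report counts 24 IoCs under this signature but does not print the values written, so the check below is generic: it flags any component whose StubPath launches a GUID-named executable sitting directly in the Windows root, the naming the dropped files in this run use. This is an added Python example, not code from the report or the sample; SAMPLE_REG is a constructed regedit export in which the {11111111-...} component is hypothetical and {89820200-...} is a standard Windows component included as a benign baseline.

```python
"""Flag Active Setup components whose StubPath launches a GUID-named
executable dropped directly into the Windows directory.

Added example, not code from the sandbox report or the sample. SAMPLE_REG is a
constructed regedit export: the report does not show the values the sample
wrote, so the {11111111-...} component is hypothetical; {89820200-...} is a
standard Windows component included as a benign baseline.
"""
from __future__ import annotations

import re
import sys

ACTIVE_SETUP = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
# Executable directly in the Windows root (not System32), optionally quoted, optional args.
WIN_ROOT_EXE = re.compile(r'^"?(C:\\Windows\\[^\\"]+?\.exe)"?(?:\s|$)', re.I)
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I)

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"Version"="11,0,19041,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-4333-8444-555555555555}]
"StubPath"="C:\\Windows\\{11111111-2222-4333-8444-555555555555}.exe"
'''


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse [key] headers and "name"="value" / @="value" string lines of a .reg
    export, unescaping the doubled backslashes and escaped quotes regedit writes."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name = "@" if m.group(1) is None else m.group(1)
                keys[current][name] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def suspicious_active_setup(keys: dict[str, dict[str, str]]) -> list[dict[str, str]]:
    """Return components under Active Setup whose StubPath runs a GUID-named
    executable that lives directly in the Windows root."""
    hits = []
    for key, values in keys.items():
        hive, _, subkey = key.partition("\\")
        if not subkey.lower().startswith(ACTIVE_SETUP.lower() + "\\"):
            continue
        m = WIN_ROOT_EXE.match(values.get("StubPath", ""))
        if m and GUID_NAME.match(m.group(1).rsplit("\\", 1)[-1]):
            hits.append({"hive": hive, "component": subkey.rsplit("\\", 1)[-1],
                         "stub_path": m.group(1)})
    return hits


def read_live_active_setup() -> dict[str, dict[str, str]]:
    """On Windows, read the HKLM Active Setup components with winreg into the same
    shape parse_reg_export() returns; on other platforms return an empty dict.
    A 32-bit Python on 64-bit Windows sees the WOW6432Node view of the key."""
    if sys.platform != "win32":
        return {}
    import winreg
    keys: dict[str, dict[str, str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVE_SETUP) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                try:
                    values = {"StubPath": winreg.QueryValueEx(sub, "StubPath")[0]}
                except OSError:  # component without a StubPath value
                    values = {}
            keys["HKEY_LOCAL_MACHINE\\" + ACTIVE_SETUP + "\\" + name] = values
    return keys


if __name__ == "__main__":
    keys = read_live_active_setup() or parse_reg_export(SAMPLE_REG)
    for hit in suspicious_active_setup(keys):
        print(f"[!] {hit['hive']} Active Setup component {hit['component']} runs {hit['stub_path']}")
```

Run on a live Windows host it reads the real key; elsewhere it falls back to the constructed export. The filter is deliberately narrow (GUID-named file directly under C:\Windows); a broader triage would also list every StubPath outside System32 or Program Files and every component with no Version value, since those are the ones Active Setup re-runs for each new user.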

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\{865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
      C:\Windows\{865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\{25420D7E-4119-40ae-8B32-15764EF66683}.exe
        C:\Windows\{25420D7E-4119-40ae-8B32-15764EF66683}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:376
        • C:\Windows\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
          C:\Windows\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4868
          • C:\Windows\{300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
            C:\Windows\{300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4008
            • C:\Windows\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
              C:\Windows\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2152
              • C:\Windows\{9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
                C:\Windows\{9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2660
                • C:\Windows\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
                  C:\Windows\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1908
                  • C:\Windows\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
                    C:\Windows\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2544
                    • C:\Windows\{BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
                      C:\Windows\{BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3388
                      • C:\Windows\{EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
                        C:\Windows\{EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2876
                        • C:\Windows\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
                          C:\Windows\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3220
                          • C:\Windows\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe
                            C:\Windows\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1264
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5F5ED~1.EXE > nul
                            13⤵
                            PID:4016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EAA9B~1.EXE > nul
                          12⤵
                          PID:3260
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA8AF~1.EXE > nul
                        11⤵
                        PID:4288
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA5C~1.EXE > nul
                      10⤵
                      PID:1660
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CDF7E~1.EXE > nul
                    9⤵
                    PID:2292
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{9442F~1.EXE > nul
                  8⤵
                  PID:4928
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D365E~1.EXE > nul
                7⤵
                PID:4312
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{300DE~1.EXE > nul
              6⤵
              PID:4172
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8BA57~1.EXE > nul
            5⤵
            PID:1400
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{25420~1.EXE > nul
          4⤵
          PID:844
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{865FB~1.EXE > nul
        3⤵
        PID:876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:3048
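The tree is a strictly linear lineage: each GUID-named stage in C:\Windows is started by the previous stage, and each stage also spawns cmd.exe to delete its own image by 8.3 short name (the {5F5ED~1.EXE form), which is why every delete command sits one level below the file it removes. A running executable cannot unlink itself, so handing the delete to a child cmd.exe with output sent to nul is the usual way to get the file removed after exit. The last stage, {E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe (PID 1264), has no delete command within the 150 s window. The Python below is an added example, not code from the report or the sample: it encodes the tree as Sysmon-style process-creation records (constructed from the tree; the sample's own parent PID is not in the report and is set to 0 as an assumption), reconstructs the lineage, and maps every delete command back to the process it removes.

```python
"""Reconstruct the dropper chain and its self-deletion idiom from process events.

Added example, not code from the sandbox report or the sample. EVENTS is
constructed from the report's process tree (image, command line, PID; parent
PID taken from nesting). The submitted sample's own parent is not shown in the
report, so its PPID is set to 0 as an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# GUID-named executable sitting directly in the Windows root.
GUID_EXE = re.compile(r"^C:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I)
# "cmd.exe /c del <path> > nul": delete-after-exit, since a running image cannot unlink itself.
DEL_CMD = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def stage(pid: int, ppid: int, guid: str) -> ProcEvent:
    image = f"C:\\Windows\\{{{guid}}}.exe"
    return ProcEvent(pid, ppid, image, image)


def delcmd(pid: int, ppid: int, target: str) -> ProcEvent:
    return ProcEvent(pid, ppid, r"C:\Windows\SysWOW64\cmd.exe",
                     f"C:\\Windows\\system32\\cmd.exe /c del {target} > nul")


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1d83b5d5a996b10bd072a83df62b3ae2_goldeneye.exe"

EVENTS = [  # constructed from the report's tree; depth 1 is the submitted sample
    ProcEvent(4596, 0, SAMPLE, f'"{SAMPLE}"'),
    stage(3632, 4596, "865FB709-2B21-4b13-B6BB-6B65A075923F"),
    stage(376, 3632, "25420D7E-4119-40ae-8B32-15764EF66683"),
    stage(4868, 376, "8BA57586-0BF4-4651-8F84-D9E24B3FF680"),
    stage(4008, 4868, "300DE7C2-873C-4fc4-A584-CA5D1F325252"),
    stage(2152, 4008, "D365E531-7C52-43fc-82F5-B13FB6DF7EBD"),
    stage(2660, 2152, "9442F68B-EF56-45c0-86B1-A50A6D32F293"),
    stage(1908, 2660, "CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0"),
    stage(2544, 1908, "1DA5CB12-7BC8-40b5-A372-D8265748FC7C"),
    stage(3388, 2544, "BA8AF8A0-AA22-4970-A997-1A93050304C7"),
    stage(2876, 3388, "EAA9BBB9-03B4-4368-A296-A262594ADC56"),
    stage(3220, 2876, "5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D"),
    stage(1264, 3220, "E8E99F58-F2DD-49c8-816E-01D1BD21A4A0"),
    delcmd(4016, 3220, r"C:\Windows\{5F5ED~1.EXE"),
    delcmd(3260, 2876, r"C:\Windows\{EAA9B~1.EXE"),
    delcmd(4288, 3388, r"C:\Windows\{BA8AF~1.EXE"),
    delcmd(1660, 2544, r"C:\Windows\{1DA5C~1.EXE"),
    delcmd(2292, 1908, r"C:\Windows\{CDF7E~1.EXE"),
    delcmd(4928, 2660, r"C:\Windows\{9442F~1.EXE"),
    delcmd(4312, 2152, r"C:\Windows\{D365E~1.EXE"),
    delcmd(4172, 4008, r"C:\Windows\{300DE~1.EXE"),
    delcmd(1400, 4868, r"C:\Windows\{8BA57~1.EXE"),
    delcmd(844, 376, r"C:\Windows\{25420~1.EXE"),
    delcmd(876, 3632, r"C:\Windows\{865FB~1.EXE"),
    delcmd(3048, 4596, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]


def short_name_matches(short: str, long: str) -> bool:
    """True if an 8.3 short path such as {5F5ED~1.EXE can refer to the long path:
    same directory, and the long file name starts with the six characters before '~N'."""
    sdir, _, sname = short.upper().rpartition("\\")
    ldir, _, lname = long.upper().rpartition("\\")
    m = re.match(r"^(.{6})~\d+\.EXE$", sname)
    return bool(m) and sdir == ldir and lname.startswith(m.group(1)) and lname.endswith(".EXE")


def analyse(events: list[ProcEvent]) -> dict:
    by_pid = {e.pid: e for e in events}
    stages = [e for e in events if GUID_EXE.match(e.image)]
    # Lineage: from the root, follow the single GUID-named child at each level.
    roots = [e for e in events if e.ppid not in by_pid]
    chain: list[ProcEvent] = []
    node = roots[0] if len(roots) == 1 else None
    while node is not None:
        chain.append(node)
        kids = [e for e in events if e.ppid == node.pid and GUID_EXE.match(e.image)]
        node = kids[0] if len(kids) == 1 else None
    # Self-deletion: a cmd.exe child deletes the 8.3 short name of its own parent's image.
    self_deleted: dict[int, str] = {}
    for e in events:
        m = DEL_CMD.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if (m and e.image.lower().endswith("\\cmd.exe") and parent is not None
                and short_name_matches(m.group("target"), parent.image)):
            self_deleted[parent.pid] = m.group("target")
    return {
        "stage_count": len(stages),
        "chain_depth": len(chain),
        "linear": len(chain) == len(stages) + 1,
        "self_deletions": len(self_deleted),
        "not_deleted": [e.image for e in chain if e.pid not in self_deleted],
    }


if __name__ == "__main__":
    r = analyse(EVENTS)
    print(f"{r['stage_count']} GUID-named stages, lineage depth {r['chain_depth']}, "
          f"linear={r['linear']}, {r['self_deletions']} self-deletions")
    for image in r["not_deleted"]:
        print("no delete command observed for:", image)
```

Every dropped file in the Downloads section is 216KB yet carries a different MD5/SHA1/SHA256, so the file hashes identify only this run; the durable signals for a detection rule are the ones the code keys on: a GUID-named .exe directly under C:\Windows spawning another, and a cmd.exe child whose command line is `/c del <8.3 short name> > nul` against its parent's own image.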

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1DA5CB12-7BC8-40b5-A372-D8265748FC7C}.exe
    Filesize: 216KB
    MD5:      16f95a3f3d2342a678076d481d3e60bd
    SHA1:     faeeef39a170fdce6cc633cb7eb6c47fd407e4de
    SHA256:   bba073cf337ecc0f820e3c1dc8319a0b3e43711e74abe51ca7c3d6f9f801082a
    SHA512:   d652b4a0b0b0d8e8c3a67c75101042684d953ad5ee4a5aa0e879189794e6857369060b6afca09b21963b947bddcbe4937bfd8a6e0f1d67dc50601aa329d681fb

  • C:\Windows\{25420D7E-4119-40ae-8B32-15764EF66683}.exe
    Filesize: 216KB
    MD5:      ac97d244c93abeaa7f6ce41613452fb0
    SHA1:     c7b9c91c6146e57376f20b73acf747ac3149052e
    SHA256:   80c660748240f997a9fb1ae6d45612b1d671bc8cc4bcf4dab093e14cbd05bd21
    SHA512:   a6ae8ea6ee301ebdc4cfa12d80736ff433c564043ddc2819c0f78f5bef7744b3f7469ced4928041219a9e10d941637cbf3eee2a4cab1146abf9994e9838944f8

  • C:\Windows\{300DE7C2-873C-4fc4-A584-CA5D1F325252}.exe
    Filesize: 216KB
    MD5:      48eaab127c27d7b6af12bb6b454b18c6
    SHA1:     8fa2d1cec680c9e36e6ea8e24aa438eef05e22de
    SHA256:   9a3b897ec2555f53ce411486e2f30fdca44221f07240e26ed057bc3b6e720180
    SHA512:   a47f5bf06428592834afb74ee62c2adb0b84adff5770821477011e5648016042322503bbd11ade46ebc9f87c3b946b361d8750025332de2bb185d934874b3466

  • C:\Windows\{5F5ED9FC-F9F7-4050-87F1-D77F04AA2E1D}.exe
    Filesize: 216KB
    MD5:      9b0c7929e2c4433513e4afa5fdca01f5
    SHA1:     21d688bdc8a7f3846e6ab7d13defd2e22364f31a
    SHA256:   3fff279021fbd0f24c81d4deb98c93174c5c26d66f06567c5d536203c06bdc29
    SHA512:   a0e9c93b81ad53cc2656e6dadd49d4bc1610a9dae9e4c31d59a1753a79d92c86e42742ea636ced01651c931a90c8cb227f973dfe29022ebbad05cd9ee14cf20c

  • C:\Windows\{865FB709-2B21-4b13-B6BB-6B65A075923F}.exe
    Filesize: 216KB
    MD5:      32e5d9650520756648ffe7448ad067d1
    SHA1:     c86f5401bffb6833187627c7dbce832a8ad67abb
    SHA256:   2e1f480200a1c665f714372fd1873769fa0d2766e80b99c45a127b0d1dfe2706
    SHA512:   56560deed6ec531b294269cf89af8e3d50b9c70828b5d4a81f311a3e99826e8a4fa0d732d8c005a1c104841c2c84bc707dd9ee06caa8fc9a83bb4410e46a0d1e

  • C:\Windows\{8BA57586-0BF4-4651-8F84-D9E24B3FF680}.exe
    Filesize: 216KB
    MD5:      266b09921193f3352a625ac08711f74b
    SHA1:     b1bc39199bcada051e046534b7e717ff1f0daea5
    SHA256:   1917e63e7639403aa6e8fad4b732cbdabccba37e4b3860c0b6969fe1e5bdfb47
    SHA512:   646035c06d390bfa6d993e50e7ac53e09786160f13cfb775caa14fdc828925a19a4518266092255e7dd4659aa0bac4c57d46fe50cbd29bd94d999be516627b58

  • C:\Windows\{9442F68B-EF56-45c0-86B1-A50A6D32F293}.exe
    Filesize: 216KB
    MD5:      45fef899868bd8d6cf82623e45226548
    SHA1:     b8fd9de8cb64614529c93f4377ba0f8fccc8c672
    SHA256:   8ee5c8b6f581fd291540b42ece6c9fd367b4b7fb60b35a5d788f38bb4fd18443
    SHA512:   682f5fb80bb0218984c1649e86b261793e7756ef47107f0d5e59b2e84b57122dc4f1534b6db7dd395d257150712344748d092deaf7897f7b0e19f1ae8350b9b0

  • C:\Windows\{BA8AF8A0-AA22-4970-A997-1A93050304C7}.exe
    Filesize: 216KB
    MD5:      693d99a8b31127a575159a755ff82fca
    SHA1:     6be7a8ac21ba3578b28bb19e32fbe2cfed47a786
    SHA256:   530f696dafcbd875682dc9f56e2e065e0ea9bad59c170d58d52ffbdbb56851ab
    SHA512:   72a96c4861edb43d5aa2a2e42e5b4c292e09ea07caaebe9f0fd7ab3658c385536cb4cefc6adecadccf55c493bd70df8834e4d423a7a6af268d733ab144085426

  • C:\Windows\{CDF7E546-FBB8-4d69-A53F-08DD3BE42FE0}.exe
    Filesize: 216KB
    MD5:      e17b5730862c1b3de1b80130d734cb70
    SHA1:     c38546ba3d30b9a157788a14cc5914cab70e9341
    SHA256:   b760807f537c5b044b21f4c321493d1e662bf9ebe559f1316a745da10a3f7208
    SHA512:   4e3bfa9b42afefadce12034263aa1590959594c7126dca8c056d151c69de07e5e88a9125da09ab00827cd14872979cc18bd56d5ec629bdcf1bf80789342c7aba

  • C:\Windows\{D365E531-7C52-43fc-82F5-B13FB6DF7EBD}.exe
    Filesize: 216KB
    MD5:      dcb416d1ec3845b863cb70d75d40910f
    SHA1:     490043d3db41f44b29d1bcb8ff5db8763f733edc
    SHA256:   dabbbc5963d1170205251225d863b0ce6d90d09535f7065d16d592f083bde97c
    SHA512:   54c3287013049152cf14dfcf50d5fb67e7c76f1cff274666eba5435bf45dce25d3df57a8ff319d0f211c2baa6c8c90d4a9fbf8c8117deb513625c9474576066e

  • C:\Windows\{E8E99F58-F2DD-49c8-816E-01D1BD21A4A0}.exe
    Filesize: 216KB
    MD5:      b611fd925b7ea322b4c40386f990f411
    SHA1:     7a326d0a79a60b71fe4e79721d45bb8cee858a0a
    SHA256:   a55428cc30db406081f060bb17154d39890bfebe8f59daaa9d43395e390c249d
    SHA512:   3c18911801fd666d083aabc7dc2231fe7b2cb2ddc9e00765be8c445e71af071076480cb8b25d51b1dca887d77f8f5a9a2f9419628f567d90441f4e587a22449b

  • C:\Windows\{EAA9BBB9-03B4-4368-A296-A262594ADC56}.exe
    Filesize: 216KB
    MD5:      bd3d70911a73bd7faa9a10fc4a8e1b4f
    SHA1:     5170b2d7eccc7f1886ea2629bdfe331324a4992b
    SHA256:   2c39d3c999f9f6dee8811b2358c37978867764ed282d16c730bb012da8324118
    SHA512:   068084f6923887b1a0183b4d9f3ca6bd96478fb141b987f9e48abba3b4e878f164d8750a82bd3c2f03fd8dc98f1deccad53b93c21daae487a0ff60ea16d626be