Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02/03/2024, 16:33

General

  • Target

    2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe

  • Size

    197KB

  • MD5

    1b79f7a7b43252a50deeee1b37920bc6

  • SHA1

    e5158a59de2e0641125a7dcf7583c63ce1ffca12

  • SHA256

    f50bfdcc2f255991febeeeccd6d84b7c1c09dd9c99f2c3d0b288fdfcb12840c5

  • SHA512

    a5de5791da9c8448776fe315199155221c358472bb0388d052c056b15f25c4c1eb8167ddc21671f85f70b35a218b0ba0d960401425765ffc1b9140f141ef2947

  • SSDEEP

    3072:jEGh0oYZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGWlEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 14 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe
      C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe
        C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe
          C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:768
          • C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe
            C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3704
            • C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe
              C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2992
              • C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe
                C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4404
                • C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe
                  C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:380
                  • C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe
                    C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3564
                    • C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe
                      C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:532
                      • C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe
                        C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4640
                        • C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe
                          C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4348
                          • C:\Windows\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe
                            C:\Windows\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1096
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE8B~1.EXE > nul
                            13⤵
                            PID:4204
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{84C53~1.EXE > nul
                          12⤵
                          PID:2304
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{771A7~1.EXE > nul
                        11⤵
                        PID:4388
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{76EE2~1.EXE > nul
                      10⤵
                      PID:4508
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EB0A5~1.EXE > nul
                    9⤵
                    PID:4564
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A1619~1.EXE > nul
                  8⤵
                  PID:3316
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{20A2D~1.EXE > nul
                7⤵
                PID:3300
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4BBEC~1.EXE > nul
              6⤵
              PID:1216
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9DDAB~1.EXE > nul
            5⤵
            PID:3164
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{07067~1.EXE > nul
          4⤵
          PID:4508
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F83C~1.EXE > nul
        3⤵
        PID:832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4896
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4224 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2028
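The tree above repeats one pattern twelve times: each stage drops the next GUID-named executable into C:\Windows, runs it, then spawns cmd.exe /c del on its own 8.3 short name (2024-0~1.EXE, {0F83C~1.EXE, ...) and exits. Only the last stage, {3D7E64D7-194F-454e-8186-333C59E578F7}.exe, has no delete child in the tree. The image path of every cmd.exe is C:\Windows\SysWOW64\cmd.exe although the command line names system32\cmd.exe: the caller is a 32-bit process, and WOW64 file-system redirection substitutes the SysWOW64 copy. msedge.exe at depth 1 is a sibling of the sample, not a child, and is unrelated to the chain. The Python below is an added example, not part of this report and not the sample's own code: it rebuilds the tree from the depth markers and flags any process whose cmd.exe child deletes the parent's own image. EVENTS is constructed from the report's process list; the pre-order parent rule and the simplified 8.3 short-name derivation (first six characters plus "~1") are assumptions and are marked as such in the code.

```python
"""Detect the self-deleting dropper chain recorded in the process tree above.

Added example, not part of the sandbox report and not the sample's code.
EVENTS is constructed from the report's tree (depth marker, PID, image,
command line). Assumptions: the tree is listed in pre-order, so the parent
of a depth-d process is the most recent process at depth d-1; short_name()
approximates NTFS 8.3 names as the first six characters plus "~1" (real
short names use ~2, ~3 ... on collision and a hashed form beyond that).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

GUID_EXE = re.compile(r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul\s*$", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_1b79f7a7b43252a50deeee1b37920bc6_goldeneye.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"  # 32-bit caller asks for system32\cmd.exe; WOW64 redirects it
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# (depth, PID, GUID) of each dropped executable, in report order
STAGES = [
    (2, 1220, "0F83CD59-DA86-481c-B635-0B85AD568669"), (3, 2672, "07067EAB-9D51-4841-9266-5A212058E859"),
    (4, 768, "9DDAB469-8DF8-4f29-AB7E-D515444040DD"), (5, 3704, "4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44"),
    (6, 2992, "20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5"), (7, 4404, "A16191BF-E242-4f12-A904-4E1736978238"),
    (8, 380, "EB0A532C-DFBF-434f-BAB7-0C9C230BB97F"), (9, 3564, "76EE2A53-169D-4fe2-88F1-FED477FCDF63"),
    (10, 532, "771A7F74-6948-4205-87DA-4508981A156D"), (11, 4640, "84C53DE1-987A-4a44-8D11-1DE5C214FAA2"),
    (12, 4348, "7AE8B8E6-17AF-45e6-84D3-662DA4341A7E"), (13, 1096, "3D7E64D7-194F-454e-8186-333C59E578F7"),
]
# (depth, PID, path passed to "cmd.exe /c del") for each cmd.exe child, in report order
DELETES = [
    (13, 4204, r"C:\Windows\{7AE8B~1.EXE"), (12, 2304, r"C:\Windows\{84C53~1.EXE"),
    (11, 4388, r"C:\Windows\{771A7~1.EXE"), (10, 4508, r"C:\Windows\{76EE2~1.EXE"),
    (9, 4564, r"C:\Windows\{EB0A5~1.EXE"), (8, 3316, r"C:\Windows\{A1619~1.EXE"),
    (7, 3300, r"C:\Windows\{20A2D~1.EXE"), (6, 1216, r"C:\Windows\{4BBEC~1.EXE"),
    (5, 3164, r"C:\Windows\{9DDAB~1.EXE"), (4, 4508, r"C:\Windows\{07067~1.EXE"),
    (3, 832, r"C:\Windows\{0F83C~1.EXE"), (2, 4896, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]
EVENTS = (
    [(1, 3596, SAMPLE, SAMPLE)]
    + [(d, pid, "C:\\Windows\\{" + g + "}.exe", "C:\\Windows\\{" + g + "}.exe") for d, pid, g in STAGES]
    + [(d, pid, CMD, r"C:\Windows\system32\cmd.exe /c del " + t + " > nul") for d, pid, t in DELETES]
    + [(1, 2028, EDGE, EDGE + " --type=utility")]  # depth-1 sibling of the sample, not its child
)

@dataclass
class Proc:
    pid: int
    depth: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = None

def build_tree(events):
    """Link each process to its parent using the pre-order assumption above."""
    last_at_depth: Dict[int, Proc] = {}
    procs: List[Proc] = []
    for depth, pid, image, cmdline in events:
        proc = Proc(pid, depth, image, cmdline, last_at_depth.get(depth - 1))
        last_at_depth[depth] = proc
        procs.append(proc)
    return procs

def short_name(basename):
    """Approximate 8.3 short name; assumes no collision, hence always ~1."""
    stem, _, ext = basename.rpartition(".")
    return stem[:6].upper() + "~1." + ext[:3].upper()

def short_path(image):
    directory, _, base = image.rpartition("\\")
    return directory + "\\" + short_name(base)

def dropper_chain(procs):
    """GUID-named executables in the Windows directory that another process launched."""
    return [p for p in procs if p.parent is not None and GUID_EXE.match(p.image)]

def self_deletions(procs):
    """(parent PID, parent image, deleted path) for every cmd.exe that deletes its parent's image."""
    hits = []
    for p in procs:
        m = DEL_CMD.search(p.cmdline)
        if not m or p.parent is None:
            continue
        target = m.group(1).upper()
        if target in (p.parent.image.upper(), short_path(p.parent.image).upper()):
            hits.append((p.parent.pid, p.parent.image, m.group(1)))
    return hits

def stages_left_on_disk(procs):
    """Dropped stages with no self-delete child, i.e. not removed within the run."""
    deleted = {image for _, image, _ in self_deletions(procs)}
    return [p.image for p in dropper_chain(procs) if p.image not in deleted]

PROCS = build_tree(EVENTS)

if __name__ == "__main__":
    print("dropped stages executed:", len(dropper_chain(PROCS)))
    print("self-deletions:", len(self_deletions(PROCS)))
    print("not self-deleted:", stages_left_on_disk(PROCS))
```

On a real host the same logic applies to Sysmon event ID 1 (process creation) records: key on ParentImage and CommandLine, and compare the del target against both the long and the short form of the parent's image, because the short form is what the sample actually passes.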

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe

    Filesize

    130KB

    MD5

    cca51e7dfaa5f27a249469af368a4655

    SHA1

    04a872c7d638dcddaec7cead1dc401c95ac9d07c

    SHA256

    25470cabaa697c40591c0332085586b324c6e5c877694960b9a4a1f03094f17b

    SHA512

    44be8af59519f28038e2f8f5c66cba7a6b6fae5f46e44e83a976b3309f4bd9594ac85cfa96107064c534ebf31f4e913eb48a2b3f8f7e1af620b4a32ec244e1c8

  • C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe

    Filesize

    197KB

    MD5

    2993494add3e412e3c5c56b8d200c2a2

    SHA1

    4923e8042c5bc177f5f373681784eafa685f6da7

    SHA256

    9b0cfdf648cd75d6ecfe4ac19b2ab48e9e1b49b3cd547d0449a028a60fcf6ddd

    SHA512

    b898bcf0ff87ee4655b696860c41c21de41ab415001f61ccfd956e2eda19af1c1cc94e09dceb57cbca1704a978532b326f3613ad5b7d31ea92211b73400b389f

  • C:\Windows\{0F83CD59-DA86-481c-B635-0B85AD568669}.exe

    Filesize

    197KB

    MD5

    548ea5db646c24f49b5eb3bea5fd7458

    SHA1

    1bdd14dcf16cc43126aec5fadd5da574cb39ed41

    SHA256

    393d73f09757daceb5f9331b67579fcee6af09107b6b65a505f1d0f5ed8f6576

    SHA512

    40fcbd1fee864722e3b2cc01f8fd9c600ddea25c4937208dbde38f2070eebf116e33dd3366dbfa3b67c274941e29f007b93adcf3e0e5bf1d1831ce3f99e2a110

  • C:\Windows\{20A2DB40-9CBD-4cf0-8B8C-A0BC06B70EA5}.exe

    Filesize

    197KB

    MD5

    f49a5f3fc71e272472d342c3b38f193c

    SHA1

    732ef5f2244ce298f4b19d97152d5581bbd23302

    SHA256

    dce6a251f87a3f11353d02310d421393528d1993c90853f87aa5faa03a349504

    SHA512

    71d73ff2f18e2116b8a0120551300eb43caa9af5b4b012f88299439926abc1d4b65c26fa49933c57ba624fed83e084c0e21e49f7c4ff84efc9bd43274d6f6044

  • C:\Windows\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe

    Filesize

    197KB

    MD5

    55b35606901ddb9001d7aecf35d66491

    SHA1

    da77a85ce0445f7e89e7a98289ee267bc38935f9

    SHA256

    f5604da47d608512f1dc6eb6e5db666590e5998801220d346c298caccd222c65

    SHA512

    ddbca9e5b605fdef2439f2fc0bb7b76b9620dc113e012ddeaf4d76b2e3cf70174ec4fa272e81f9f50c81f20669995fe49851c2848e5f0dee1c56e8967bd2766e

  • C:\Windows\{4BBEC3D3-05C1-4cdc-B2F3-9EA7C001AD44}.exe

    Filesize

    197KB

    MD5

    4b86245c0a3e54d5b4bd7e69f15de39c

    SHA1

    aede20f0b579147b04111789db5c0ce6c9c4d48f

    SHA256

    22083a09eff09101ab166ffa48524c249b1b1d7fd4d0f16d73f4bd1f3f5e73c2

    SHA512

    73aedd80eb1172e393998430dc0f8aae54ba759a29bad7dadb2629c0bf9ad743c0960374d1dbd7460ff3f21c449d3e2b712b4515897c3ee7ef5a6823c489ef1c

  • C:\Windows\{76EE2A53-169D-4fe2-88F1-FED477FCDF63}.exe

    Filesize

    197KB

    MD5

    417ee8f1429e9367853267d5fc0328ee

    SHA1

    800651ed04339a8b1894b1dfff42adacdd7c5bc1

    SHA256

    648f072119e72e117308f13c35271f090a59943417cdbbd03a243e860ed986e2

    SHA512

    f7886a02b56d0ebf9b8c24a66d3a2c7230d7561d24820a0b1b2294fd53a8ffa61182314f6a1540c25197a8039cfc6b2a759fb782977dbbae279fd356a03c29b2

  • C:\Windows\{771A7F74-6948-4205-87DA-4508981A156D}.exe

    Filesize

    197KB

    MD5

    c9537d3be1791e3f08c11ef9cd04577c

    SHA1

    7be77506a41daf0bbac3491ae0118d4c960913f3

    SHA256

    b903599cf6010d7873ef204c20d2460876a56355af8e3384354387a85c940a53

    SHA512

    e2984d264b2ab70306491aeea6e0ceefd7ae5920a24a11136e4b8b39110b107881b9a2da9bb6a8165b5193b2ef44cc2beb6cf446256b7e86c4bd3d451b176348

  • C:\Windows\{7AE8B8E6-17AF-45e6-84D3-662DA4341A7E}.exe

    Filesize

    197KB

    MD5

    63c1bf58fa9612eb1f6a5798be2ebcf7

    SHA1

    2727ce40684db0fdd50b8f17f44971c3a6dc42c8

    SHA256

    24ef24706c91f85de202ee1013b1da312ae5d3851523c7fc00c6af8c82ffc7e7

    SHA512

    008b98656fd829fe4fa925574ec870cd6c2650bf7d01a7ac9f24e2b3dac7b357a78af0fdeba730d81fbbc89f95bcb079beccd1fdfe0b504ab1225df4ed71acda

  • C:\Windows\{84C53DE1-987A-4a44-8D11-1DE5C214FAA2}.exe

    Filesize

    197KB

    MD5

    a38d7338dacc42228b21e01d03fcb93c

    SHA1

    ee7225abf8ee23f802185edb8a0f5acea7e84e35

    SHA256

    f7481e04575040664c113f2cdc513e494bfc70529e97bad3c1cc1c94060ea488

    SHA512

    d4dee547aa5846439fdd3825fb2480c9a1189ff234595b3cf44d92f3ac7c1ee90a7dd04af9c1d4680a9cc6fdb0f41462b139b811dbca5d7140311b0ed4e811d5

  • C:\Windows\{9DDAB469-8DF8-4f29-AB7E-D515444040DD}.exe

    Filesize

    197KB

    MD5

    d757dacdcb362e0ce3af605dc8618600

    SHA1

    d7dda4a940408ce62324ee13be8a0a5e0bf560ff

    SHA256

    8aa8b06052a649ebe0c998ac11111ebf29ad2d7ff89a850153644b1c9d9b7a0e

    SHA512

    9da3daab4dc9a41f533fc0b4ce55767eae211e916233d9072d7f4a321951751c4a2cd68d2950e5eb481543b6bba033afdfc4b2f7212c35a9aec4e4b92bde29b4

  • C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe

    Filesize

    197KB

    MD5

    fbc51456463e31bca13898a39887a643

    SHA1

    0d1c41b396847662a3fcd0434b3b9002feab89c6

    SHA256

    85a9946e6a217e9a2f7fc4074965e7a22e20a76ca7ba7b9746ea003979cffb38

    SHA512

    a4a1147af7721a1893627c1dd1a4cb5a403fd63245493a3e45a978060ad6ea335dfecd14c8153eff26db6701cfcee5537213083b0c3f2f90ca58bdda0bad757d

  • C:\Windows\{A16191BF-E242-4f12-A904-4E1736978238}.exe

    Filesize

    136KB

    MD5

    b1a9f29bff49b339b30fc32f4c86ced1

    SHA1

    8690ff1d4fd76b76c38d4199ff7247899952ca7b

    SHA256

    92189e99592c76fc19b240c7d644a1290afb1967eab181523261369f17821fc4

    SHA512

    ee3f438dc62457462dab5f5d068382f84d3561fa043309afb91d2786bd79542efa5248ca2df9ff49e14f90e9b8234554fb04eb1371656db554fedbf4b467ca76

  • C:\Windows\{EB0A532C-DFBF-434f-BAB7-0C9C230BB97F}.exe

    Filesize

    197KB

    MD5

    9ef53047d8e6c14e7e67491137a0b4d9

    SHA1

    fa3bbca105e3b8e1094860e7b727dcfd2377f4bd

    SHA256

    9e7fc29ef0ae93271150677db1db2efaadfa1c86c9e603c9efec2c6c979ac5b6

    SHA512

    673bc129a064a7bbf82204b8b89875f2a1ace2fafc18323ff5a9adf994c0793ef9076bc9e0bc0cfbc47fe3a66e348ac51a1e0a6009896841e289dc5f8d9946f4
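Two things in this list matter when turning it into indicators. First, every one of the 12 dropped copies is 197KB but carries a different MD5, SHA-1 and SHA-256, so the hashes above identify the files written in this run only; a fresh execution writes new GUID names with new hashes, and an exact-hash IoC will not match them. Second, {07067EAB-9D51-4841-9266-5A212058E859}.exe and {A16191BF-E242-4f12-A904-4E1736978238}.exe are listed twice at different sizes (130KB and 197KB, 136KB and 197KB), so a parser has to keep both records rather than deduplicate by path. The Python below is an added example, not part of this report: it parses the report's path/label/value layout into IoC records, then scans a directory for exact SHA-256 matches and, as the more durable check, for GUID-named .exe files of roughly the reported size. REPORT_EXCERPT is constructed from three of the entries above with SHA-1 and SHA-512 left out for brevity (the parser accepts them); the files demo() writes to a temporary directory are constructed; the reading of KB as 1024 bytes and the 10% size tolerance are assumptions.

```python
"""Build a hash IoC set from the Downloads list above and check a directory against it.

Added example, not part of the report. REPORT_EXCERPT is constructed from three of
the report's entries in the report's own layout. The report's own data shows why
exact hashes are weak here: all 12 dropped copies are 197KB yet each has a different
hash, so scan_dir() also applies a structural check (GUID-named .exe of about the
reported size). Assumptions: the report's KB means 1024 bytes; 10% size tolerance.
"""
import hashlib
import os
import re
import tempfile

REPORT_EXCERPT = r"""
• C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe
  Filesize
  130KB
  MD5
  cca51e7dfaa5f27a249469af368a4655
  SHA256
  25470cabaa697c40591c0332085586b324c6e5c877694960b9a4a1f03094f17b
• C:\Windows\{07067EAB-9D51-4841-9266-5A212058E859}.exe
  Filesize
  197KB
  MD5
  2993494add3e412e3c5c56b8d200c2a2
  SHA256
  9b0cfdf648cd75d6ecfe4ac19b2ab48e9e1b49b3cd547d0449a028a60fcf6ddd
• C:\Windows\{3D7E64D7-194F-454e-8186-333C59E578F7}.exe
  Filesize
  197KB
  MD5
  55b35606901ddb9001d7aecf35d66491
  SHA256
  f5604da47d608512f1dc6eb6e5db666590e5998801220d346c298caccd222c65
"""
LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)

def parse_downloads(text):
    """Parse the flattened layout (bullet path, then label and value on alternating
    lines) into one dict per entry; a path listed twice yields two records."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
        elif line in LABELS:
            pending = line.lower()
        elif pending and current is not None:
            current[pending] = line
            pending = None
    return entries

def parse_size(text):
    """'197KB' -> 201728; assumes the report's KB is 1024 bytes."""
    m = re.fullmatch(r"(\d+)\s*([KM]?B)", text.strip(), re.I)
    return int(m.group(1)) * UNITS[m.group(2).upper()]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_dir(directory, entries, size_tolerance=0.10):
    """(file name, reason) for each file matching a reported SHA-256 exactly, or a
    GUID-named .exe within size_tolerance of any reported dropped-file size."""
    known = {e["sha256"].lower() for e in entries if "sha256" in e}
    sizes = {parse_size(e["filesize"]) for e in entries if "filesize" in e}
    hits = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            continue
        digest = sha256_of(full)
        if digest in known:
            hits.append((name, "sha256:" + digest))
        elif GUID_NAME.match(name):
            size = os.path.getsize(full)
            if any(abs(size - s) <= s * size_tolerance for s in sizes):
                hits.append((name, "guid-name+size:%d" % size))
    return hits

def demo():
    """Constructed files in a temp dir: a GUID-named 197KB file (structural hit), a file
    whose SHA-256 is appended to the IoC set to stand in for a report hash (exact hit),
    and a benign text file (no hit)."""
    entries = parse_downloads(REPORT_EXCERPT)
    with tempfile.TemporaryDirectory() as d:
        stage = os.path.join(d, "{11111111-2222-3333-4444-555555555555}.exe")
        with open(stage, "wb") as f:
            f.write(b"\x00" * (197 * 1024))
        copied = os.path.join(d, "copied_stage.bin")
        with open(copied, "wb") as f:
            f.write(b"constructed stage bytes")
        with open(os.path.join(d, "report.txt"), "w") as f:
            f.write("constructed benign content")
        entries.append({"path": copied, "sha256": sha256_of(copied)})
        return scan_dir(d, entries)

if __name__ == "__main__":
    for name, reason in demo():
        print(name, reason)
```

Point scan_dir() at C:\Windows on a suspect host (with the parsed report as entries) to apply both checks; expect the structural hit to fire on a re-run of the sample and the exact-hash hit only on the files from this specific run.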