Analysis

  • max time kernel
    144s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 16:40

General

  • Target

    2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe

  • Size

    408KB

  • MD5

    3165b9f7012dbb650ea326364bd4808a

  • SHA1

    e861b7427c92db1c83ad62ee631e7bea1bc4aad3

  • SHA256

    81553f1592a6e50fd6facb95710195f8a3d6b4e9e2269bcbec79678d17b0c182

  • SHA512

    d5cfcda780b82859f88541a43a35c1b6f636bbf87ce6d05994cac07077534aeee52604524608b161a849233c4651360baafe88d76111c04237efbb7e4ddab00c

  • SSDEEP

    3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGQldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_3165b9f7012dbb650ea326364bd4808a_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
      C:\Windows\{47BA070E-A646-48c3-9CF8-430F095B9F8E}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
        C:\Windows\{2E312C99-BE09-4d60-852F-924EA9BEF217}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3252
        • C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
          C:\Windows\{2197D2BF-4031-4864-8338-89ADD2AA9500}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1412
          • C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
            C:\Windows\{1FF0B8E6-6E3B-4612-823A-84DFC1B29D56}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:684
            • C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
              C:\Windows\{A5EE6AB0-2004-4492-B7A9-6F7219E0F87A}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2872
              • C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
                C:\Windows\{5D9EE67D-88A9-4350-9CE0-E8481EC3C32A}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3632
                • C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
                  C:\Windows\{77591AFF-1B7E-46a3-A9CA-3FB5CC001627}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3684
                  • C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe
                    C:\Windows\{E54C357F-FA2A-45be-B6A6-452751C97022}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4080
                    • C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
                      C:\Windows\{BBAC153F-BB60-412b-8C3F-F1B34EC93524}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:548
                      • C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe
                        C:\Windows\{F2D2B923-E5F7-4039-8524-2F186A503072}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1968
                        • C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe
                          C:\Windows\{23DAC6B3-FB50-4562-A919-6DE567CDEF5D}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1148
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D2B~1.EXE > nul
                          12⤵
                          PID:3196
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBAC1~1.EXE > nul
                        11⤵
                        PID:4548
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E54C3~1.EXE > nul
                      10⤵
                      PID:4920
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{77591~1.EXE > nul
                    9⤵
                    PID:2740
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5D9EE~1.EXE > nul
                  8⤵
                  PID:3076
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A5EE6~1.EXE > nul
                7⤵
                PID:1480
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1FF0B~1.EXE > nul
              6⤵
              PID:4040
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{2197D~1.EXE > nul
            5⤵
            PID:2120
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{2E312~1.EXE > nul
          4⤵
          PID:3400
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47BA0~1.EXE > nul
        3⤵
        PID:1416
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:5112
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:396

Network

MITRE ATT&CK Enterprise v15


Downloads
