Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 16:45

General

  • Target

    2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe

  • Size

    192KB

  • MD5

    41a3bfd84351468cb374b10e6bc69476

  • SHA1

    251255420d7c9a4f63a904db85c1df31f5464c11

  • SHA256

    a263cf6a0dcd6ead2d64b8d0e8bbb36e23ab47bd532c14a5a9eb948521f26e2e

  • SHA512

    d9da1e919e6c09cee37c34ad6c19232790d46651bc9b92f79514718dd7eee04c7ab2f945ebdb20b4fdeb0da13575addc8d942ed9c18fa9bae017227e93823d5b

  • SSDEEP

    1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oxl1OPOe2MUVg3Ve+rXfMUa

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 14 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_41a3bfd84351468cb374b10e6bc69476_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe
      C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe
        C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe
          C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe
            C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1308
            • C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe
              C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3656
              • C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe
                C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4816
                • C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe
                  C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3908
                  • C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe
                    C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3192
                    • C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe
                      C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4416
                      • C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe
                        C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1456
                        • C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe
                          C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2084
                          • C:\Windows\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe
                            C:\Windows\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1432
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2443B~1.EXE > nul
                            13⤵
                            PID:3092
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{35C4B~1.EXE > nul
                            12⤵
                            PID:3060
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{56A8B~1.EXE > nul
                            11⤵
                            PID:4220
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{49CC1~1.EXE > nul
                            10⤵
                            PID:1956
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{74D39~1.EXE > nul
                            9⤵
                            PID:1976
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2AF6C~1.EXE > nul
                            8⤵
                            PID:2868
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{42358~1.EXE > nul
                            7⤵
                            PID:4704
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{361BD~1.EXE > nul
                            6⤵
                            PID:4716
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{388B8~1.EXE > nul
                            5⤵
                            PID:572
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{60652~1.EXE > nul
                            4⤵
                            PID:5116
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A8917~1.EXE > nul
                            3⤵
                            PID:452
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                            PID:2128

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2443B8B1-45DB-4df3-BC7A-E5D0F71D54CD}.exe
    Filesize: 192KB
    MD5: c7d92ee3be68f611ec3f16bfb9c050b5
    SHA1: 552622e8670500582f035564e83f3c5853ae2e61
    SHA256: fdce9c01927dc47795e839c0dc5436941dd50fbcc698df34b077a6ac6dcca968
    SHA512: 81e90887aa1606656dd37414306b98dfda57ca2b4202af1e762d30b26f00b76c62d778fd86d4dc3c4c1e7df49c9200188fc87f7535d59706746ba85cac795aad

  • C:\Windows\{2AF6C54C-74C3-4ad4-B942-0D367DF13BD5}.exe
    Filesize: 192KB
    MD5: f16e770826ff4462e8ea7f16866df9aa
    SHA1: 7dfe5b0cef9c89c8458e3bbec9c7a51726dbc17d
    SHA256: 48e73a899456d636f5340d964c7880a21b56627027a2b5357e0ce4f33077b789
    SHA512: 5371a2ff27a53a73b192f87d43e009d64b0508a32b7a93ef71b4f3676a9b6cdd020d2744621396c535a64c58e8be8ddb78f8ffc5eb7c1049b4e69b7aeccfb79e

  • C:\Windows\{35C4BA13-0E52-4031-A865-893C625108D4}.exe
    Filesize: 192KB
    MD5: 3ca176834e19e1fcce55c4459ee3aa32
    SHA1: 7b29dbbb64e26fa4512219ebac4d8b67e54831e4
    SHA256: aaa31616c2d975d821d8b8aebbfce02551aaca01f73b6bc9e41e5bbe31ece0e3
    SHA512: e842cfa02da49db2c9cc624ec17fa2f81a1dabb4044912ea433e6dc5bbc1c157b19f79bf5d14f2c3c7eac2914035f289879bf665d8005e67a9d61790f0184164

  • C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe
    Filesize: 128KB
    MD5: 3b7d8f06765878c2cb7b078747241cc1
    SHA1: a0a8c8bbe92d748a31f4ff8ad40132ba358e1374
    SHA256: 6656cf24b62ddfdf95a992ac09f61d8c7a7a5c2cbe583bb4628757c07bf855e8
    SHA512: 8fb430796439f07302ada65c7573c3b2e33bbc3db7113bcda1aafa7de4e0cb496f864e201eab862ab2c6f096e1a8a76eebac40f16b0fd58778e2a352ebe45884

  • C:\Windows\{361BD565-F520-4a0c-AC81-3EB5639A041A}.exe
    Filesize: 58KB
    MD5: 5701e1f2ed0c0f911de0286dba777765
    SHA1: 9e51219ae9a105d9f6e8ed41613e74dbb4d8bf87
    SHA256: 30eb511bace46334394f6e7acc3801b46056429dd8b32a3ecad7f9348d2214bf
    SHA512: d99d12eb449ed25a412b3f3dcb033f6407a0201111c5305f158d6b63548797dfa671f8b78a7f90d0db78066f265f6097fe772fa886417744d30c6d5e6dc795ce

  • C:\Windows\{388B82F0-8EE9-491d-9C5B-CEBF8F60D077}.exe
    Filesize: 192KB
    MD5: 0f16dd0befdc1566ef7ac383b39c69f5
    SHA1: 34a2bf4bbbfccb33722a7cf4dee2fa236027f414
    SHA256: ea22e918411991f5c954918fb8745fa3294e96f8e78968a737b828263b5a014a
    SHA512: 68c8dbfa465e5a59f4ff84486994e8457aca7b373c59e5bb88fe49955aaa32e3649e9af532ef5d91c109787236f1303037023ec986125addaedee0e6cd9cee3d

  • C:\Windows\{42358362-7D64-474d-B848-4EC07CD85593}.exe
    Filesize: 192KB
    MD5: a3b7c939e1e66c91de21258e1a47a3ea
    SHA1: 0520697cc09b555a251b23e542507bd0eaf731a9
    SHA256: a4f3fb6da4121f3122eb0a06664747307e55137c22c40a3f832239922d3db0ef
    SHA512: 951b39a0f30dd3686eddbde4e15322d0444744af504bff286c8c579dfe6fbfce084cdee4a90b8c6c8656606fcbee6e4c838e0b3a4f68481849480769030bde99

  • C:\Windows\{49CC1E98-DAB9-4620-9657-880BF5F522DA}.exe
    Filesize: 192KB
    MD5: 4400866ebd747de0f8ee31efbd45a142
    SHA1: 2bee6dc889dbcc5603a72035a375268b22e2614c
    SHA256: 76c35aa9552bb2765f3cc88c0b1bd9c8ae872f66950a2e30613c8876c647e141
    SHA512: 1f9683dfdadad10dc5e8cea251b5dcf044dda3d7b2a5ab9dc0de3395a4b117baa3808b2ca5d03abc29f4b11795395ed62d81b8757194ea0a762aa7c4e8e1cf8d

  • C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe
    Filesize: 165KB
    MD5: ad6196546a8f3d314f1b1abece0037b5
    SHA1: e8fc2843f287980e4d694e6ee9f7acb8753cf746
    SHA256: 953330cd1265fded3b3ef3c02000701408e968c67ff641fa93161e8d1643dc44
    SHA512: db48e077d4a3bfd017b8b9f8abe774cb93457f2f5c5ee8c21c5ad19a2cdabeadeb7b04b17bb33adea4249bb5a0b8c61db2d12ed974248fffc6ec4e0b8f3ba56a

  • C:\Windows\{56A8BB8A-41D8-40ce-99E2-125C8B79ABD3}.exe
    Filesize: 192KB
    MD5: 53a9770db007d1d593fb65817fb49e09
    SHA1: b82608c523b289bc5441d4b8c8a02f3c5b891019
    SHA256: c1120b4d6ebc4a7791a78e30b432d825425d3e44589926eed4b6ac43e7257382
    SHA512: 19c91614b9b69fb239fee8e3109e5e089751bdaea05d1e473fcb84e0233f69e97d276835873c4d9be8c917c17d15159da9b5ab932e15d83db9789131bd9723a5

  • C:\Windows\{60652E29-8BED-404e-8F02-F4FBE2CD08EF}.exe
    Filesize: 192KB
    MD5: 86418327961cf4c1db1179b6553baf6c
    SHA1: 40b7e6c2d7561f7b471c62bab3b3cb160359fbae
    SHA256: eb1603ada95fe6bcc61a6a7924db6f4350526a19971a406284dc54106d45f1b7
    SHA512: ed7e4074955432a2327b96048b5e36ec573d3681cfa2ffa7ed5724d7d524bf038c4d841df55b255cf64341f2883dfd1e9b89d9d16e58cc202ef6f8da79d925a8

  • C:\Windows\{74D39418-887F-4c99-8E18-114FBBF96294}.exe
    Filesize: 192KB
    MD5: 00299874b0236e63b864946a74b883b2
    SHA1: 01bc8acdebfc8b18d70d9a9f963d406dbf911007
    SHA256: 8054743345aa2dd9b2883008ad3923ed27820451be67f300584f28fc40168b84
    SHA512: b2f9c6a01c718e0c1793d9c77e2c13ef440d17d39ddafc46d19c8bcb83601096c6da7910ec3cc7fcb40d8164d6ee7de7f4b29979aae0b9798a7ed315ccbecdaf

  • C:\Windows\{A8917BC4-4EAF-41f3-931A-6A775500B0A6}.exe
    Filesize: 192KB
    MD5: a7c118031f79e3996b1c156417d67b50
    SHA1: 60d3cd7a6004ccba9ed10b8a531fd2c78bbe0af4
    SHA256: cc3eb543bf767c7a2e5379612d1eb36357f902479ee80c05935edbd1c747bded
    SHA512: 3a90735e6001246c6b57ba229f0dd5e79da608fa2500492632a18c993d5146f39e9bb312a6531ffd067b06d59baf445cb47c507528efb3834129ba1861c3ce8b

  • C:\Windows\{CEF1478F-9B1E-4b2a-8F20-EF5126829E0E}.exe
    Filesize: 192KB
    MD5: d7675d543077f692bc244a8842998afc
    SHA1: 5a991601e4e59211cdb933c1c5312e71810023a8
    SHA256: 5b985511687f7d186172b5f4eb368d80be565cde0bfaf1240abcc4bb93ecec60
    SHA512: fa8234ec01b23137389432e458ea0e015f70ba239d0324e98f16cc3b396e3362636d3d680284a5a93916e5eb3ddc4ea4085a4efc4ca1d61079b0f532ef5b5c5b