Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02/03/2024, 16:45

General

  • Target

    2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe

  • Size

    197KB

  • MD5

    43198fa1c0eff6a701988f839ed3aea5

  • SHA1

    6e6f835d17aae182ac0e3e06d0177ec0193fc4d4

  • SHA256

    818b27ecafd62407479133bef34779c7f3c126e11351b413201ced809f20f8d8

  • SHA512

    e1b4c4473010928aafb3f8082e5259e218ad66b1178a528a15ef1c9e1fadf0a9e4805b44ee02a46347954fdae3f36f2519ef3c4de41e66d8d2f4d079d455803b

  • SSDEEP

    3072:jEGh0oal+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGslEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_43198fa1c0eff6a701988f839ed3aea5_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
      C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
        C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
          C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
            C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4172
            • C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe
              C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3596
              • C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
                C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1904
                • C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
                  C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5024
                  • C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
                    C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2600
                    • C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
                      C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3188
                      • C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
                        C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3276
                        • C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
                          C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2188
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A2771~1.EXE > nul
                          12⤵
                            PID:976
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E33~1.EXE > nul
                          11⤵
                            PID:3728
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E1789~1.EXE > nul
                          10⤵
                            PID:2724
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{080C1~1.EXE > nul
                          9⤵
                            PID:1632
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D630C~1.EXE > nul
                          8⤵
                            PID:3868
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8550E~1.EXE > nul
                          7⤵
                            PID:3344
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2B97A~1.EXE > nul
                          6⤵
                            PID:728
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B619F~1.EXE > nul
                          5⤵
                            PID:968
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5C226~1.EXE > nul
                          4⤵
                            PID:2732
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2519E~1.EXE > nul
                          3⤵
                            PID:756
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                            PID:3872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{080C1650-6AFA-495d-8A4C-D70BC3A676E3}.exe
    Filesize
    197KB
    MD5
    5b944cc48aa80445754ecb73fe94767e
    SHA1
    0e34b62e6a48fe90c2520d04924dea5fa2def0b6
    SHA256
    4f18f6fc52863001a1dec92979986171eb3940e46af8c5d2973097972e941af7
    SHA512
    142cfccd2f0e281af7ba19f423610c3c22cacf6c989ad41ed3cf19dcdd9a350252f5824323cee6882b0c0ddf44dd97c3003405b13c065000ecf286322fd56e6f

  • C:\Windows\{2519E19B-803D-4f14-A7C1-3EEA40BE72A9}.exe
    Filesize
    197KB
    MD5
    e904e8a83fad10d0a63cbeaab5a3bfb4
    SHA1
    949575c2c873809366776ccb91f533fdcb0ed451
    SHA256
    c84fafa2c241b628c88e757da4497fa9f07a843753b26678da76b82cf396dd05
    SHA512
    b9cdd94c98ecd6f2c927c1f695a2c90be1a988324105fa4d69f559e925de58d3bfb77aebd61854e8f61b7ec87fbb3f504760b6a38ad654b25dbd75033edaf39b

  • C:\Windows\{2B97A8FF-23C4-4088-B04A-9EC4F98F0CCA}.exe
    Filesize
    197KB
    MD5
    c34daf0ff0c2db9aa6c619c21ddbfd37
    SHA1
    4e901782334d80d9aad083cfe5e9f1d165297a02
    SHA256
    aac4b5267cb997c45cc21132407cefb2ccdc8fc5b74d9a6ca60c8a8515938e50
    SHA512
    8777cecf8a417e191cd04783007d3c63ad5f9c9c85e58ed00508aea1becc48ef1895fe4a49d14c8ea9c2c1eb36f7cb3d638b5fe40d05851699e3b039f7b395dc

  • C:\Windows\{5C226931-FE38-48bb-A411-AD3DC11ED8C6}.exe
    Filesize
    197KB
    MD5
    f625b9c6f1d28d9c668c3cdcf058f2fb
    SHA1
    4baecf07fafdebafadb1cd5cdd2d22a7524e3202
    SHA256
    06a7c78b5211b81f5e28a250b678d2d8fccfa6f448b8726480fba25b955056fa
    SHA512
    baf12093ba46e1f916e1aded68eaa2e710d8061027d012a9d06515bb2dabd372ab150f96ab562276cec7b598d19f57217fa833565e2ee13a6ccbce464889c568

  • C:\Windows\{8550E314-E587-465b-8CA1-259E76846DE8}.exe
    Filesize
    197KB
    MD5
    c927f29ce27be9cd8a0f0c17430da951
    SHA1
    db74dee01aeec937729f99779aa351c25af72fe2
    SHA256
    8140acdbef506542bd3736cc338dcab4eab86e4b58cc7dadd02720adedaeb77d
    SHA512
    1d3a6066ac417db1984b3528313f6c65d2b7ab3128bf78df3e2211a2994eb72d2a4f4eb43b07c19df9787bc6c2dd9c4b984c1a1a0a0d5e312158cba3ef64bfcc

  • C:\Windows\{A2771FA3-44D6-4c67-AE76-132DF2BE2B24}.exe
    Filesize
    197KB
    MD5
    5c4ff13e4a6dc60b6e4c8177b7ee714e
    SHA1
    59519188b796f62ae848c3bde354b026e8f2bf36
    SHA256
    f3d0f052ea4960aa5eb9dc54e879edc516f38a71096854af3f7cf603fcc64b3c
    SHA512
    73abe72e47b23acd90957482970a95c8c136f1cd1691a1e87dfa8688e370fa8f05dd7a54720b675bc849023405d018ae33bccc8ea9ef100b4d2772309dce5f05

  • C:\Windows\{B619FEA3-45F0-47b7-BADD-5A9D2BFFBFD3}.exe
    Filesize
    197KB
    MD5
    cdca9b33fedde9a4bfa8467cc54a6666
    SHA1
    8690d99555f03cddfe10b9d2905788c4c650960d
    SHA256
    5eb687e1a261dc43e28ebee11401335efc2bff90f70186a89c797c5159d6b3c2
    SHA512
    425c6b7b28055be958f646b1cb8c9560a9544ff8402bee6ac165ca84a1720582eabd21bb474bf91c83394051b4ab5209e597863afe90d53d513d8d54c19bf7a1

  • C:\Windows\{C3E33CCE-A31D-46ae-8A27-44E3ED31DA2C}.exe
    Filesize
    197KB
    MD5
    f43427e664148170aba2b37861057efd
    SHA1
    fe0dfd6bed8cbc9e969f161addbe7ee727896414
    SHA256
    c8ffdb4c735e1425a3a55ad89fcc57d5df30cde9ee3578cf2cfaa078a2124567
    SHA512
    2a07b60ab92b84c13e38a20500d154dad5b3a86e4dce6c457ae9e4704a3bc1cda6a85852464c6a3e32447771700c713252e25c383afd6dfb59e944ea999f009d

  • C:\Windows\{CA2BD3FC-EA8E-450a-87E4-CC657555F803}.exe
    Filesize
    197KB
    MD5
    51b6334063f4dbe29dd3517fab7186e1
    SHA1
    d63f66873f06c7bb1ea989faa419c191620b39b1
    SHA256
    4d1ddd706f23ff4e685d63ad106e00b6d5aed11d47da48645ed8967430f3d527
    SHA512
    d424fce9c63cb3603b5d7035373c889a5e4fb13c63ab2a6d10b47f897fdbcb5246fc94661d459dfed225b08212530486b057823831ec59d26c117776c6626e65

  • C:\Windows\{D630C050-8602-4fb0-9220-CD1AC33254B8}.exe
    Filesize
    197KB
    MD5
    cf1b5d9ff12e2d8d23e2d937420ea6a9
    SHA1
    5cdedb6fe64b40d0c07c09d3f88defbe33060711
    SHA256
    a08781e10e0270ca1e6f25616bcb35b31c281d9b1009ce57b1b45ecb652f7fc8
    SHA512
    0a7323e6b0ac0cb2f19ffa8a8141bb5597ecb398a4a46eb51b8ecca962429ef5ba310f67361c53638b3dd8f23ba150b5eb87d765f258840c64774f3238268220

  • C:\Windows\{E1789309-A042-4e75-A122-FE7D8CF7793C}.exe
    Filesize
    197KB
    MD5
    c9e8992deabf78659a6b84688a6d0992
    SHA1
    d5de0218d2e9951d0e04f9dfab2325600d041b74
    SHA256
    b1edb2400e4fce70e19b910372e1fc843a86c42444e0b35bf70adb925d1b533e
    SHA512
    547aff14685b26d6500ef64cbae07767d4351d15af8aa67e084bad54b83ba792590619c2918bd4b0d40e8a084671aa83cf6e7fb30a79579df131aedd51c694c8