Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 16:25

General

  • Target

    2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe

  • Size

    408KB

  • MD5

    011e13009db147c44f349d7df4be4eb4

  • SHA1

    f84399f6e29ddcbefc34d19c70a78b7fe4dd4dfa

  • SHA256

    e9bac8a8f3efbe8ea9484670da653e7f009ce10481497f61747df5db2c40db4a

  • SHA512

    8863b3d7391d1ef1550da7dcf666542cc4e239fd0d0bc623933658ea43f622ad706b87a3bffead1c7fb083870a260823c985e1c62f0e6a7117658054e8f2f679

  • SSDEEP

    3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGyldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_011e13009db147c44f349d7df4be4eb4_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe
      C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe
        C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4504
        • C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe
          C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1176
          • C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe
            C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2316
            • C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe
              C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3716
              • C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe
                C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:412
                • C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe
                  C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2184
                  • C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe
                    C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2320
                    • C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe
                      C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1604
                      • C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe
                        C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3096
                        • C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe
                          C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3584
                          • C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe
                            C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2456
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2A44F~1.EXE > nul
                            13⤵
                              PID:2000
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{53FCA~1.EXE > nul
                            12⤵
                              PID:3200
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EFCB0~1.EXE > nul
                            11⤵
                              PID:2424
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B698C~1.EXE > nul
                            10⤵
                              PID:3184
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F1334~1.EXE > nul
                            9⤵
                              PID:3304
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{280C3~1.EXE > nul
                            8⤵
                              PID:3532
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{74128~1.EXE > nul
                            7⤵
                              PID:3848
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D773D~1.EXE > nul
                            6⤵
                              PID:3880
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E1145~1.EXE > nul
                            5⤵
                              PID:336
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EF590~1.EXE > nul
                            4⤵
                              PID:2544
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{05A41~1.EXE > nul
                            3⤵
                              PID:668
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:232

Network

MITRE ATT&CK Enterprise v15

Downloads

                                • C:\Windows\{05A410A2-9AC7-424c-8545-254B84A6828F}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  a7550814e5ceddba2d236c68c9db7b2f

                                  SHA1

                                  9480fc49bd0108653d69505669526dd7f0c3c22f

                                  SHA256

                                  aeb3b20f58906aa5059e94ac0dc85cee0565b2ce0768b110989598c9bb94e543

                                  SHA512

                                  c0d87b2d33f3306df59ea77bdd5e43789d247e237d3a10dbe0116cd60ee00491ebddb8ff5d814c76c8bec85bd12a97c0cee29718451451ded99520d06329c631

                                • C:\Windows\{280C34ED-193D-4e05-AD77-77DA8B2F88E7}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  6a2822ffd4ed5318b03dc9f758c229a2

                                  SHA1

                                  37b0da5f3dda82fd3dc472f8505dad6b265c4f91

                                  SHA256

                                  970d921525c8283246ada37ac5d5bab8593f1ec1f529de75bd783c33905be603

                                  SHA512

                                  fba191853b1cc5835401e6d43547bd717d7be4bcef9a66bc86ab7a7d107f55ebcc367beaddb30a370919e76606afbd6948b9b24586198271d99ffcb613b40d8b

                                • C:\Windows\{2A44FF38-6D53-43f0-8C38-000AFFC9EBDE}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  b4a0ae726cfcb78fdf1f477b3e1522ae

                                  SHA1

                                  3aa62d0de78a84c0919124c725e341d61eb5a5da

                                  SHA256

                                  7f81be6ee1fa4b10fc077eeceed4fbeae17c662aff9e935a44c82eae1110775c

                                  SHA512

                                  cfb5beaa31f255d81ba5b51387311d8b96082e324604cf94e4129795260cf80b63c260f3021ec29b9f5f75206be003ce4dfff855903f5b2a1ef3390b56b8e04c

                                • C:\Windows\{53FCA375-C1D1-4a49-AA44-0123F3596CA5}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  8e53448751cfebff2ef7d89238e1acb5

                                  SHA1

                                  fa4de38c2654d31d15cd20f5bc87b666435ae966

                                  SHA256

                                  b18ffc49ec76934012fdabedef156aae6691d7de3d015a01b164b982e2aa4d4c

                                  SHA512

                                  e10cf90e6c9da96f93dbf71d39eec7f114474d8744878dbfbb7f43266d1b747b6498ec54d6c47b8f421f4edd622e00e97aa34052097e8df462f66ced7e1ad1b0

                                • C:\Windows\{741286AF-A3C1-4e68-9963-B3A4D9D3B652}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  cbd785abcf81395e5c6b35576e8aea1a

                                  SHA1

                                  7c775cd2c4e4f976caf2be3e661f846d33d9d0c5

                                  SHA256

                                  b44ca5a968304e99877f1b27ed4113b7f0cc50ccf0981ead55138ea13ae9c6f0

                                  SHA512

                                  829dee45d7a916248c9423a2686d76548b16be282d4659fcc63da0ade81b0e26c37eb5ac16feb7a916b29de041ab378b5d223e9c228ed8a17e8fdaf0f359f531

                                • C:\Windows\{B698C8B8-DA09-49bd-9878-78397DEFAD00}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  bf1fe7ac730308e273e3c764511d100c

                                  SHA1

                                  8f5c21e27a93de03b55e1b0c9db257bdc683e378

                                  SHA256

                                  53b8b828e3243bbb8af7fb68aa92f1ea03abf8b5ed4b2066e014cad660b626f7

                                  SHA512

                                  0d78c8a05a0d7ddcfe82adf0b8b2552c84540930d349c926a764e22a5d1c0b16b69df86c91ccabeaa554d2d44db57367b041c0101b59553f727f0e8f9c9493cf

                                • C:\Windows\{CC170EC3-DEDC-4d96-A8B5-174C62E27069}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  347ca2aea7503c1720a6f089cfe52209

                                  SHA1

                                  3d63cdd15a388e8fd0950b1c1202679b93df4b22

                                  SHA256

                                  422bae897342bd627003b08b0f458f50043c6088112aa70ada2d9aac4923ebf0

                                  SHA512

                                  49b408ef889e18fc538aec0f1533f2f39e27ce2967b76e64e50d90e48bfd3889ddf53815a3b674018e0760e072afb7e7af70ec13b4f2ebd6c634ad0a907dc92f

                                • C:\Windows\{D773DCD2-C63C-462b-9A8B-70051F4A2EBC}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  d085c1f10ba21a7c895405764b136c45

                                  SHA1

                                  b3c4aae5284965fb49ec57b3d96350cf0215c825

                                  SHA256

                                  67f19e5a1685f6e5552203704cc24c6b11e57384df0a20c80b5a471eb7f215a9

                                  SHA512

                                  2a9ed37f42b3e52e64228f49974a9b61a137904d6f55b2f04ffae568c3b98f41e89be7a0b78b5bd9a938acf6c25afde613d2aaa398a4042a471b4e08d1a6c8d2

                                • C:\Windows\{E114561B-0C00-415a-BAAC-206BA40D6295}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  476190ed351ec4740a1af77cb50ac150

                                  SHA1

                                  4e5ab03a8b389d03af222d3be1a31829be26962c

                                  SHA256

                                  8ddeb6a3018c9cf9af0e63179133d1833adb478400de61c6f1166803f2df4270

                                  SHA512

                                  89d186379ee8674945b827de393ebb6bdbe03d8dce1f831d8aeaf598614926f9ccae25c178493e3dd9e1774e949af2c7fa9e3cfad028e8753245a1e24dc23a32

                                • C:\Windows\{EF59010B-69E7-40b7-BE1A-D0DDE9F1E367}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  06556908af90a5bb64d4890210f92435

                                  SHA1

                                  72aa27784c401dabb2fbdb6ef9652fdbf38850f6

                                  SHA256

                                  0ae4abb2d27b0995cf291fa97d3c59daa6612c21166113faeb90c2937f771f4f

                                  SHA512

                                  446d944c14f77a1da669dc0173679df4a247fae36d6996e2f981da398a91e8eaa0f7f04ae47ddacec3c01a77a08621471418f576ee3b2db45e8f20e7137f0c91

                                • C:\Windows\{EFCB0414-9BEC-4918-AA3F-DF260AFAB5AC}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  926053ebf3c2f2d4c3d76ac70763063d

                                  SHA1

                                  96dab02f33ef525f6bc9ad76f948258e7350f133

                                  SHA256

                                  e263634f8dbd02139ef290ca34069c6e0ebc60b18d39478702b5b2ea9025a8b5

                                  SHA512

                                  b38a29c8bfa7e269ae68d3a2330a681a2e43bd7bbc313021a9ff82e6dc8b010bf94cdac71019341e02c9bdd30862fd60dc88afe5a95f9c8db21297ce1a41e2f0

                                • C:\Windows\{F1334345-3122-4ddc-AAFD-8DC5782574CC}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  809133b041504bf7f98e1490bfe4c547

                                  SHA1

                                  d88348d7a20744e6cf63155fc23e981c57213071

                                  SHA256

                                  ee9e4f0957467cb91fb75dbb89a98d076dea870d850fd850072f010aab9e6324

                                  SHA512

                                  1a27bd55ae1506c5c3b8522295d53b43e80d7ae5bad4cf6fc6860e131068dcdbd29de25ddc5ccd65c8ce29910e88dbb34db4fbcd03b54fed451eb89bcfdb867f