Analysis

  • max time kernel
    156s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 16:25

General

  • Target

    2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe

  • Size

    344KB

  • MD5

    02df46e8c5329e63f5ec9bf636f35022

  • SHA1

    39c38efbaf16218991bc24267b70355f90731b9a

  • SHA256

    81a487f5327b4005b040996fbcdc64b9d9e70023f47d3bfcf57f93d762a55a47

  • SHA512

    6e1211682b49f5de51952eb5f0545b80a33210e32b0ad1dd09f88d2ad0c3d45d88fe9b5e287a09dedc9cf1e33f96a9c89e1d90f96344e83415b9e76e4ce45cb2

  • SSDEEP

    3072:mEGh0oDlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGZlqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_02df46e8c5329e63f5ec9bf636f35022_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\{BC689295-DDC6-4101-BD61-EA5837D77485}.exe
      C:\Windows\{BC689295-DDC6-4101-BD61-EA5837D77485}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\{267F06CF-ED21-422d-B770-4A2701D7B694}.exe
        C:\Windows\{267F06CF-ED21-422d-B770-4A2701D7B694}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Windows\{BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe
          C:\Windows\{BA14B5E8-4534-4e66-8D75-F022991DA23C}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3104
          • C:\Windows\{94363654-19F7-4678-8B07-D5CD65D36F09}.exe
            C:\Windows\{94363654-19F7-4678-8B07-D5CD65D36F09}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Windows\{D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe
              C:\Windows\{D9D95A58-AA04-4058-897D-7E7D0C41EA9C}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4680
              • C:\Windows\{89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe
                C:\Windows\{89AF3A4B-7DDD-4441-8D5B-051CDADCC4F6}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:64
                • C:\Windows\{4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe
                  C:\Windows\{4D34472B-DBE7-4bcb-9E1C-4AA1D6EB2080}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4380
                  • C:\Windows\{18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe
                    C:\Windows\{18F6C0E5-BA5F-4964-86D4-E7FC35F10B55}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1244
                    • C:\Windows\{CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe
                      C:\Windows\{CE0A0E6B-4C0A-47a9-B535-F84482917B5D}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4028
                      • C:\Windows\{1E839587-FE50-4d42-A95C-8612D512782B}.exe
                        C:\Windows\{1E839587-FE50-4d42-A95C-8612D512782B}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4044
                        • C:\Windows\{D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe
                          C:\Windows\{D11CD935-48D4-482f-904B-5A7A29BAEEE9}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:808
                          • C:\Windows\{E929C434-DB3F-4f5e-8E6A-2C2EAFE0C8BD}.exe
                            C:\Windows\{E929C434-DB3F-4f5e-8E6A-2C2EAFE0C8BD}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3392
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D11CD~1.EXE > nul
                            13⤵
                            PID:1316
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1E839~1.EXE > nul
                            12⤵
                            PID:4776
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CE0A0~1.EXE > nul
                            11⤵
                            PID:2576
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{18F6C~1.EXE > nul
                            10⤵
                            PID:1920
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4D344~1.EXE > nul
                            9⤵
                            PID:4216
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{89AF3~1.EXE > nul
                            8⤵
                            PID:4472
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D9D95~1.EXE > nul
                            7⤵
                            PID:1044
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{94363~1.EXE > nul
                            6⤵
                            PID:2064
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BA14B~1.EXE > nul
                            5⤵
                            PID:4912
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{267F0~1.EXE > nul
                            4⤵
                            PID:1692
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BC689~1.EXE > nul
                            3⤵
                            PID:4852
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                            PID:1164


Downloads
