Analysis

  • max time kernel
    149s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 16:27

General

  • Target

    2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe

  • Size

    168KB

  • MD5

    0a5b152cb8c16f9ca55148f4565cb954

  • SHA1

    28e8a9135e60e20862496f0007c9dc69c20a74ad

  • SHA256

    9aadba2e559c63d5f1fc87ed0e5afe68ba12a67a053aefef880d7ae9f80f5689

  • SHA512

    986751a468cd12a2a53bada435e623937e33c581f151621a89ed0aac7f2df300df9f7aefa48ee5952f770c21f1af64875ca071d092460f9db6c094b68930fe0d

  • SSDEEP

    1536:1EGh0oblq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oblqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (12 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
      C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
        C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
          C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3780
          • C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
            C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2568
            • C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe
              C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3044
              • C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
                C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1220
                • C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
                  C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3168
                  • C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
                    C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3448
                    • C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
                      C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1764
                      • C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
                        C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1920
                        • C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
                          C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4240
                          • C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe
                            C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1600
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{617B6~1.EXE > nul
                            13⤵
                            PID:3636
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{73C1A~1.EXE > nul
                          12⤵
                          PID:1204
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA985~1.EXE > nul
                        11⤵
                        PID:2468
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EC9D3~1.EXE > nul
                      10⤵
                      PID:2128
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{3DC9B~1.EXE > nul
                    9⤵
                    PID:4176
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D9ACC~1.EXE > nul
                  8⤵
                  PID:1116
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{109E3~1.EXE > nul
                7⤵
                PID:4520
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{12BE3~1.EXE > nul
              6⤵
              PID:4036
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{631AE~1.EXE > nul
            5⤵
            PID:2992
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{93C94~1.EXE > nul
          4⤵
          PID:4424
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{107DA~1.EXE > nul
        3⤵
        PID:4868
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:1328
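The process tree above is one repeating pattern: each stage drops a GUID-named executable directly into C:\Windows, runs it, and then spawns cmd.exe to delete its own image by 8.3 short name (for example {617B6~1.EXE for {617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe) with output discarded to nul. Below is an added example of detection logic over process-creation events, written for this page and not part of the sandbox report or of any vendor's tooling. The events are constructed by transcribing the PIDs, image paths and command lines from the tree above; the event dict layout is an assumption, and the parent links for the cmd.exe children are taken from the depth markers in the tree.

```python
import re

# Constructed process-creation events transcribed from the process tree in this report.
# The dict layout is an assumption (not the sandbox's native event format); parent
# links for the cmd.exe children follow the depth markers in the tree.
STAGES = [  # (pid, image) in spawn order; each stage is the parent of the next
    (4228, r"C:\Users\Admin\AppData\Local\Temp\2024-03-02_0a5b152cb8c16f9ca55148f4565cb954_goldeneye.exe"),
    (208, r"C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe"),
    (5000, r"C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe"),
    (3780, r"C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe"),
    (2568, r"C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe"),
    (3044, r"C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe"),
    (1220, r"C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe"),
    (3168, r"C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe"),
    (3448, r"C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe"),
    (1764, r"C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe"),
    (1920, r"C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe"),
    (4240, r"C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe"),
    (1600, r"C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe"),
]
DELETES = [  # (cmd pid, parent pid, 8.3 path passed to "del"), one per self-deleting stage
    (3636, 4240, r"C:\Windows\{617B6~1.EXE"), (1204, 1920, r"C:\Windows\{73C1A~1.EXE"),
    (2468, 1764, r"C:\Windows\{BA985~1.EXE"), (2128, 3448, r"C:\Windows\{EC9D3~1.EXE"),
    (4176, 3168, r"C:\Windows\{3DC9B~1.EXE"), (1116, 1220, r"C:\Windows\{D9ACC~1.EXE"),
    (4520, 3044, r"C:\Windows\{109E3~1.EXE"), (4036, 2568, r"C:\Windows\{12BE3~1.EXE"),
    (2992, 3780, r"C:\Windows\{631AE~1.EXE"), (4424, 5000, r"C:\Windows\{93C94~1.EXE"),
    (4868, 208, r"C:\Windows\{107DA~1.EXE"),
    (1328, 4228, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]


def build_events():
    """Flatten the transcribed tree into process-creation events."""
    events = []
    for i, (pid, image) in enumerate(STAGES):
        ppid = STAGES[i - 1][0] if i else None
        events.append({"pid": pid, "ppid": ppid, "image": image, "cmdline": f'"{image}"'})
    for pid, ppid, target in DELETES:
        # Image is SysWOW64\cmd.exe although the command line names system32, as in the report.
        events.append({"pid": pid, "ppid": ppid, "image": r"C:\Windows\SysWOW64\cmd.exe",
                       "cmdline": r"C:\Windows\system32\cmd.exe /c del " + target + " > nul"})
    return events


# {8-4-4-4-12 hex}.exe directly under the Windows directory.
GUID_EXE = re.compile(r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$")
# "cmd.exe /c del <path> > nul": delete with output suppressed.
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)


def is_guid_named_windows_exe(path):
    return bool(GUID_EXE.match(path))


def short_name_matches(short_path, long_path):
    """True if an 8.3 name such as {617B6~1.EXE is the short form of long_path.
    Simplification: only the ~1 form is handled and the 8.3 stem is taken as the
    first six characters of the long stem (true for every name in this report;
    a full implementation would also strip characters illegal in 8.3 names)."""
    short_dir, _, short_file = short_path.rpartition("\\")
    long_dir, _, long_file = long_path.rpartition("\\")
    if short_dir.lower() != long_dir.lower():
        return False
    m = re.fullmatch(r"(.{1,6})~1\.(\w{1,3})", short_file, re.IGNORECASE)
    if not m:
        return False
    stem, ext = m.groups()
    long_stem, _, long_ext = long_file.rpartition(".")
    return long_stem.upper().startswith(stem.upper()) and long_ext.upper() == ext.upper()


def find_self_deletes(events):
    """cmd.exe children whose 'del' target is the parent's own image: (cmd pid, parent pid, image)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        m = DEL_CMD.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        if parent and short_name_matches(m.group("target"), parent["image"]):
            hits.append((e["pid"], parent["pid"], parent["image"]))
    return hits


def dropper_chain_depth(events, pid):
    """Count consecutive GUID-named executables in the Windows directory walking up from pid."""
    by_pid = {e["pid"]: e for e in events}
    depth, cur = 0, by_pid.get(pid)
    while cur and is_guid_named_windows_exe(cur["image"]):
        depth += 1
        cur = by_pid.get(cur["ppid"])
    return depth


if __name__ == "__main__":
    evs = build_events()
    for cmd_pid, parent_pid, image in find_self_deletes(evs):
        print(f"self-delete: cmd.exe {cmd_pid} removes image of parent {parent_pid}: {image}")
    print("GUID-named stages above the last process:", dropper_chain_depth(evs, 1600))
```

Run against the transcribed tree this reports twelve self-deletes and a chain of twelve GUID-named stages above PID 1600; the original sample in Temp is not counted because it is not in the Windows directory. Two caveats for turning this into a production rule: the 8.3 matcher assumes the ~1 form, so a name collision in C:\Windows would yield ~2 and be missed (alerting on any cmd.exe child that deletes an 8.3 name under C:\Windows is the safer, if noisier, choice), and the mismatch between the SysWOW64 image path and the system32 command line is ordinary WOW64 file system redirection for a 32-bit parent (the run is tagged arch:x86), not evidence of tampering by itself.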

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{107DA3F3-432E-4731-8DCB-3EC16FEE1BC4}.exe
    Filesize: 168KB
    MD5:    43c51fb80aa0f1b98433899f89f4d71e
    SHA1:   fd1fbf6b87fd46d8a18ec8ad0e864b56767adabd
    SHA256: 18df50f2ce0960e9e7fad557e167a11bf46f526c286062878d7101a4040cc278
    SHA512: ecb1a2dfd387a26dbc680254545a2ef3d239a7ee040a8795ef613123024cdf61ce26d7a4ebbc2089a122414380e7f92bca9a28648def9465cf3d8539f6e0fa69

  • C:\Windows\{109E3B1E-9226-460f-9A30-02585EE25206}.exe
    Filesize: 168KB
    MD5:    4ef422f3c6ea451cbd7f971d43438ec6
    SHA1:   9dba89ea587070541976b092fbe10d2a8d49762c
    SHA256: fe0050c1edc122ebae968a569a2eb81bb56066d30f4fcd605a5e4a71603f74a2
    SHA512: 9cfaf34d79b03de6e1b0019a43670390ee0cd55360a856c9f69988aaaa506b835fba1e2072f370dba25fd0c0506e8583f7889e35db8f8db7d4d8690f7c35b3f8

  • C:\Windows\{12BE3E2C-4B07-4bd0-9D63-9641B4310803}.exe
    Filesize: 168KB
    MD5:    305179d79c8a0a123bc347f0b5f78514
    SHA1:   abb329fa8a8553f2c26de2167ca7ef682c396961
    SHA256: b53918adb8a367a68a8c9c06b87fd11547876a523a43ebf8ed51a86b2ec56691
    SHA512: a6e4ab3a98050933fd02afcfbb68506b614ecf524c06580bb1cec0d70ef74f9a4e569edd881472e41927f1048d8ba8c5db6928568eea1c2a69819deac734b8c5

  • C:\Windows\{3DC9B2ED-5190-42a4-8B69-E30C00678AA5}.exe
    Filesize: 168KB
    MD5:    c1d84ce1e59d84f86f591cd4350a92a0
    SHA1:   631bf32ee6b8fb35751bd8f30beddf48d7ea6b28
    SHA256: ffb21f2f2473b8f5224f962accb68e6e81dfacb3649973cd9cde8f92dd6ddb8a
    SHA512: b8d24e06210843c81d4a117a5324e070f6554ed9ebee071a10fe69db56cdf43644a7b98bcc5b9d75345be7a92c0fa778b59a89806c5983a6888f35b4c804a259

  • C:\Windows\{617B6C9D-4C78-40a1-BE24-0AFDF4AB2AEB}.exe
    Filesize: 168KB
    MD5:    f8c6bfc1ca17850ab1e93c840b43cb12
    SHA1:   b28d58891efafc179e6c2dd5dc4391e7d1443f9c
    SHA256: e8d0520d79cd021da29481539bfb060eceb51cf36f305355cfba58a48dd306f3
    SHA512: b1b36fa6bad64c256fe12152355e41167fb60cd6f2ae2195a16e01bd4caf55979f63451c168f39ab705fc3a950ccbedf08a6ae22cad1c8dbe5713f82424d2051

  • C:\Windows\{631AE0F0-C1B6-45f6-AB7A-39F8B3921BBE}.exe
    Filesize: 168KB
    MD5:    71d7b31990b462bb393f2aecaea242ca
    SHA1:   a32c811de9fe796958490c9810d55057c1154679
    SHA256: 1daf8c3747ff15b89552892ee1e578fd91650468a00d71b6f8d5a7cf10673609
    SHA512: 1784ab495c6a52841a6fb6ece79189eb665b8ba3a415c185d6e14da0465675be4a031a9f7902ccbe9cdc5725f8568292a781b93829bcf1740e1ea0cc454673d4

  • C:\Windows\{73C1A391-9417-4250-B837-D94ACF5F76E8}.exe
    Filesize: 168KB
    MD5:    49981d61550d1aec9f5e9f95bf5748b9
    SHA1:   3d9050140d444dfbb9b22ecc205a62524a36ee08
    SHA256: 5272be0e013813e77e4c5e669052c9f07d520c38873bc2fdad5940d135d24a80
    SHA512: c91cd8b9f3b108e251ff94b0153ec1d71f282f1a7d427335d9a6adffb2c73bd103d5b67b604f50bacd1f7840df7176a7320cc091c441490beb0b31d4786d74c7

  • C:\Windows\{93C94FCB-2BA1-467c-8D4E-C477667EF06E}.exe
    Filesize: 168KB
    MD5:    30e80dbf239022baa7758140027b69b3
    SHA1:   d71995f2fe021cb43223380e888f0db927df0054
    SHA256: edc08cbaf3d253d487197c32435e239beb7f657fec5a62669c65fea90e713e48
    SHA512: 3ea61115282b0af959893450d8a013cebbf406d3f1aaef300ee4ac28715130237cc34cb17d406bad5014ae48f4b43c45f57c45234596aadf317e1a2da03e123e

  • C:\Windows\{BA985F33-A890-4b4a-A3BF-ECAF2F340068}.exe
    Filesize: 168KB
    MD5:    4a83304a2fcf1cf9f889abf336627014
    SHA1:   76c180301ff84936f432ed911433ce115aecf027
    SHA256: 0f2d9ce68653305ed3b62873b23e642ed4c88e46fc8c91ee304a1f0bcdb3f123
    SHA512: a5c8967703ad1d4066751e6a693f7cb051fc2e841c9a5a72167dfa70ae69e6f5f8ee82fef4d19630a7143877ae0e94ca61fe1239437b9c4677d736e91237c9d4

  • C:\Windows\{C6DD69DE-F0E3-4e73-8C25-A8A0A16D540E}.exe
    Filesize: 168KB
    MD5:    bd8a36809420d2233a8f715b66cc6617
    SHA1:   a2f012e9d416d8258192d3278b81c4797c7ad3c7
    SHA256: 4aadc32865d6b031d939a549eb62300a0ff00f6098b191632b514d964513e1d2
    SHA512: d945aed1344adfe5b7fe6124ea0e1a12003538cd36335255cc117afb385e7f6626d4e430c24ee92b20a66e0c43f2dab9d21981113ac50197730808fb4a1df8e1

  • C:\Windows\{D9ACC443-275F-423b-8D22-EF92EEF3F1F6}.exe
    Filesize: 168KB
    MD5:    747c3d1729a4c12f15cb6da39b9de5ed
    SHA1:   eb0065e3975ecb42d65eb145aa21adc630ba478b
    SHA256: 05846db44b80ed07decb1f7de7f4ded561e7b98cde5147505c4febb6894b0ff4
    SHA512: 796e48c210ae614c3a2265d5e5a98a0a0544153400d63608561f034d5ae8d7dee103754369bb374aec756dbb63dece689d12784303231f5d7e63558d8d18fc2a

  • C:\Windows\{EC9D369A-FE10-4cdb-AABC-EF7C85673A09}.exe
    Filesize: 168KB
    MD5:    eed948192399c02bdb84db40bbbcb8d6
    SHA1:   930020cf008b9f925eaf8a90b024711d4861b1b4
    SHA256: ad3e996a28996afc9c22d1b441b5254a64e87bf122cb71a68ed5507120c26c06
    SHA512: 17642ff2c53ebb7498ff0c6aebd36b164051ea1fb029d620445f54d0140844fb01d4362814a0799d09b88cb2e93d4e66e0893023fb8622fc07258602a376eec9