Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-03-2024 07:25

General

  • Target

    2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe

  • Size

    197KB

  • MD5

    2faa224e3327af62f250a59a467a91cb

  • SHA1

    d2458ccbe522ccb358310c13485b6c22320017da

  • SHA256

    bb6845faa17cb36a5403418e9d33ff8d9a9f9aaeef15633a58181b5aa9d44ca0

  • SHA512

    abcfc2945f230ac342e42397c1808eea8de931932a421d5e4326449068157efd59ca72186afe769d7d249af14643e6635bced65038e174e1cfd2d73915fdb884

  • SSDEEP

    3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGQlEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-12_2faa224e3327af62f250a59a467a91cb_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Windows\{E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe
      C:\Windows\{E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Windows\{B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe
        C:\Windows\{B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Windows\{C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe
          C:\Windows\{C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Windows\{56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe
            C:\Windows\{56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1816
            • C:\Windows\{FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe
              C:\Windows\{FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5048
              • C:\Windows\{5640C511-AB55-4267-8BCB-D14723AB4A46}.exe
                C:\Windows\{5640C511-AB55-4267-8BCB-D14723AB4A46}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3980
                • C:\Windows\{CABCC722-865B-4b76-8909-708BECDF697D}.exe
                  C:\Windows\{CABCC722-865B-4b76-8909-708BECDF697D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4236
                  • C:\Windows\{6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe
                    C:\Windows\{6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4240
                    • C:\Windows\{F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe
                      C:\Windows\{F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4372
                      • C:\Windows\{94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe
                        C:\Windows\{94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2704
                        • C:\Windows\{7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe
                          C:\Windows\{7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4300
                          • C:\Windows\{BE440C22-78EB-4086-8F28-3FA97E062610}.exe
                            C:\Windows\{BE440C22-78EB-4086-8F28-3FA97E062610}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:724
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7BDF1~1.EXE > nul
                            13⤵
                            PID:2584
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{94D8D~1.EXE > nul
                          12⤵
                          PID:2628
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8548~1.EXE > nul
                        11⤵
                        PID:4264
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6BBAC~1.EXE > nul
                      10⤵
                      PID:4092
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CABCC~1.EXE > nul
                    9⤵
                    PID:2872
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5640C~1.EXE > nul
                  8⤵
                  PID:3320
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{FE9BE~1.EXE > nul
                7⤵
                PID:2844
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{56BAD~1.EXE > nul
              6⤵
              PID:4456
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C224C~1.EXE > nul
            5⤵
            PID:1324
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B6A94~1.EXE > nul
          4⤵
          PID:3436
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E73~1.EXE > nul
        3⤵
        PID:692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:1180

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Windows\{5640C511-AB55-4267-8BCB-D14723AB4A46}.exe

                            Filesize

                            197KB

                            MD5

                            5211b5cde6f58172a576b18583de3f24

                            SHA1

                            b1b92c937b5b7aadea3411bd16d51f0275e1b793

                            SHA256

                            b68657578eea9317587c4983a65a0e5f77a1dcc5d358c16829276a675750f16d

                            SHA512

                            d925b675e5e5db6d3f1ac65e8eddff5e1dbf1ccafdd4691600e6ab12541364ee556290ebac62c5597829f810a4aaba4138b008dc70fe0704d54a9995150a2a24

                          • C:\Windows\{56BADDCD-1B2A-4078-8692-79C22A6F1DB4}.exe

                            Filesize

                            197KB

                            MD5

                            d5156224f1521877d99541f1af283464

                            SHA1

                            eaa77f6282d60e0a3397e10a70d3f7204bdff2b0

                            SHA256

                            ca0ba3979f9d5e0568a78e895f879e70bc44918f98611e0fc1dfa372c5396f2e

                            SHA512

                            926d9871d0daad9e349ad5d77af105420ad808e37fdbcdf6bf69ad88f322896d58e2e13877974c90a353b562422d2ebab51cf62287f0ab4598b3f3a4eb42846c

                          • C:\Windows\{6BBAC1E9-2063-42b3-8EF0-C6C30FACF93A}.exe

                            Filesize

                            197KB

                            MD5

                            de1691862467e26341ada6f642180afd

                            SHA1

                            b224d1f5359b88b82d3eeecee1c37a51dfb40150

                            SHA256

                            9db187a20b9de4fcb58e94f427e0dec5e1eaed362ad8532fb91530a38e923e5e

                            SHA512

                            645dee001dec8d651515a10ab952b7dd314ed99fcf9f3e8bcc9567bf2025572d59e1cc2dbf8b73e13493831cc6562f9a94725fb199da606f7c35eca26f74fc4d

                          • C:\Windows\{7BDF18BD-62DC-4f23-A795-1AEC821FB279}.exe

                            Filesize

                            197KB

                            MD5

                            23744d271dcbc05156b5aa3d6d4646f8

                            SHA1

                            89f9fdfdf41366ebf33ba01a36a351569ea9b6fe

                            SHA256

                            a78c26a83bfd66a2c963887211d74f07f966ee8fc5365565f02871589286a68f

                            SHA512

                            20ab827e3ea43b548a4f1a3b5888114f87d1cee49904f4f0dca5f10c7465fb6a1ee588c87e972d15e93cc83499c30514bdc9504c3f5c7d8b064d0d504a33a918

                          • C:\Windows\{94D8D699-04CC-46a7-820C-EA57C7AA71F0}.exe

                            Filesize

                            197KB

                            MD5

                            705cdc7affbaab8cc3d6fcc4e0093674

                            SHA1

                            548c9d8f70111680aa7b751d739264978ca86cd6

                            SHA256

                            6cbe56c9e44b2aa96b4d8550f8ee26588578449fe3b402c7a39a7cbe400bd61f

                            SHA512

                            1ab83a8839c26499fd53a0f48cbf5f6d3fdb05abbd81e14dd9462be6d232ce5514860b2b0ccf424918a15a77f41188245fe503400a906a1279c093d88f9e7707

                          • C:\Windows\{B6A94C27-12C7-49f8-83C7-1750ADEC42D8}.exe

                            Filesize

                            197KB

                            MD5

                            f3cd4e931f6973644fa0445f10dd3a5d

                            SHA1

                            c0f4e1aaed0f1f19ce537a8e59c57b9bc572395e

                            SHA256

                            3dc14b21f295fc83b4d6b8fca5742d44a298e6f812af328cd3b2f39801202ec5

                            SHA512

                            e7e64a480f1872b77b9844ccd6a4761a5c0545253a70c83b0d4406b6123aa5f39fe2a7b10a1594bf017fc69b3ff2a1e2679adb06a9978eb94b3a4a8557e6051c

                          • C:\Windows\{BE440C22-78EB-4086-8F28-3FA97E062610}.exe

                            Filesize

                            197KB

                            MD5

                            3c97554d6913230c35fa21c43f049407

                            SHA1

                            dd94a315c00a1ca307a35a700efa857899af9863

                            SHA256

                            d3c464961d5a2df174b638389f91f74033140a11cd39ea057db538c9c45d4769

                            SHA512

                            9d383f6cc9690a9641d1648dc3a5bc3a869acf5a05ed9f2c24e5637e0a852fd872fa5e43fc1002adc1894fbce1645ee7e2393cb19e312c7dcd48a505abdcab45

                          • C:\Windows\{C224C20C-E4AE-41e3-BCCF-F1BD1A5FB9E8}.exe

                            Filesize

                            197KB

                            MD5

                            46d55680240018e578e45393604b305f

                            SHA1

                            8d5095dc8bb447a3575efd1053de3a9917184610

                            SHA256

                            b4407e07c30c3830edffa5a62a55be85ce16db3f4fe53c25af6d0a298aed9f92

                            SHA512

                            29e745569e15641c63e74d3c88f966a115dea4c6d3328f193c4d8335a403519c25656ea042499abf4a5db048f5afee0f81d5f82e51acf8e4419c444f4dd074f0

                          • C:\Windows\{CABCC722-865B-4b76-8909-708BECDF697D}.exe

                            Filesize

                            197KB

                            MD5

                            5f7b95b0d467fc7ce096a42a43f2b066

                            SHA1

                            b5e8abb0b9f207604e003f9ee9803ad097bd38ba

                            SHA256

                            b0e36ca6654723ebc05fb4f511fbf2a77bb6d5cba2ce1021f374cc952f39f6dd

                            SHA512

                            5c0bcb9ec8a74506d459959d8a28d309610a7f3f1ce6bf4146b3a9d7101d4efcae19045f0da8359a7c54f3056981b358a4cde369ae9e3d9e9d9852ab06e5ef7b

                          • C:\Windows\{E7E73D38-33CD-4f35-9007-EF02046A0B9E}.exe

                            Filesize

                            197KB

                            MD5

                            84a096adbd83377a1a16acaaccb1e887

                            SHA1

                            6b828463b3f14016ce752579062cfd182c5ef263

                            SHA256

                            ca74232b19f12bd0597ccac4d1bb9565bfaeaf7f339912631eca2a4f9605ac42

                            SHA512

                            8f293b1614155456709cb378fcb1384939d3b67b0fede0750ff58fc834e9a1cf634d195536c9c0ea11674b7f1b9a0efa197db5f181ab0cd19d388b9e3cbec3bd

                          • C:\Windows\{F8548683-CBFE-4718-A9E1-AE009955E9FB}.exe

                            Filesize

                            197KB

                            MD5

                            ba3406c872c806c5104fae8270998b2e

                            SHA1

                            ed66ff1f750d66e8ca879d66ffb62b494de11b62

                            SHA256

                            72bfc04c89e7c4a4b97e844cb5787d8dad0b3fb05dd7a5be21b4e7373a2ac1b5

                            SHA512

                            8e1c85d1a952223b695ea87a9613ad2691ba228f542c4eae580ba3849db1d9038f386d21d9776c6117c864e8f112152ebb1a2a0a9c1afa340e02d7c1753aba22

                          • C:\Windows\{FE9BE3FE-1041-455b-90F0-8BD68367050C}.exe

                            Filesize

                            197KB

                            MD5

                            f973af790ed6ad1b0e83c3aa645082e9

                            SHA1

                            62c8f90b04c3098303a6ff709e7e7f54cfc6be12

                            SHA256

                            64d91c5c4dd350d48ec19c8db98bb8f7043cf28f01b83025c520408f321ebf31

                            SHA512

                            de60fc7e91c85b106ca3bb33a249c9a81e270d39ff9ed41f13a8e5778e7bcb5176d986809544ea034ec4a410611646529c95934501a719bc5e48c6a6a0da2959