Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-03-2024 13:53

General

  • Target

    2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe

  • Size

    344KB

  • MD5

    d2870f7b5a459697e1b6a421e12d8a50

  • SHA1

    d33410acdd657f540f563698f5fbb9a2aeb911ab

  • SHA256

    ecbaa4fe41e85e722a341cb586ad28a7f5daf6c6f2b9ef03cea5d60d06404ed5

  • SHA512

    9d5722d807eaf8ec7066ce749a2d2d05f1bf63f9f32b463c9da48420d3c9fcd775f3261680add1db79d45760533b52320357dd3a8c1dc5ae9dca607e5cea7fbe

  • SSDEEP

    3072:mEGh0oqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGElqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-18_d2870f7b5a459697e1b6a421e12d8a50_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\{059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe
      C:\Windows\{059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\{D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe
        C:\Windows\{D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\{BC93223E-897A-408f-8ACA-0F9F0402C698}.exe
          C:\Windows\{BC93223E-897A-408f-8ACA-0F9F0402C698}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4420
          • C:\Windows\{FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe
            C:\Windows\{FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1644
            • C:\Windows\{4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe
              C:\Windows\{4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2248
              • C:\Windows\{4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe
                C:\Windows\{4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4288
                • C:\Windows\{C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe
                  C:\Windows\{C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3532
                  • C:\Windows\{22930C02-6C4A-4e3e-8906-563C59296853}.exe
                    C:\Windows\{22930C02-6C4A-4e3e-8906-563C59296853}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2444
                    • C:\Windows\{374360A8-4E51-4934-8C9A-72A94CF992C2}.exe
                      C:\Windows\{374360A8-4E51-4934-8C9A-72A94CF992C2}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1788
                      • C:\Windows\{F4181357-336A-40ed-A226-F5AA10FA273E}.exe
                        C:\Windows\{F4181357-336A-40ed-A226-F5AA10FA273E}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1640
                        • C:\Windows\{B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe
                          C:\Windows\{B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4356
                          • C:\Windows\{FDBAE889-8276-4ad7-AC3E-1DC20BE923C9}.exe
                            C:\Windows\{FDBAE889-8276-4ad7-AC3E-1DC20BE923C9}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:644
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B7641~1.EXE > nul
                            13⤵
                              PID:4188
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F4181~1.EXE > nul
                            12⤵
                              PID:3248
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{37436~1.EXE > nul
                            11⤵
                              PID:2756
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{22930~1.EXE > nul
                            10⤵
                              PID:4264
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D6D~1.EXE > nul
                            9⤵
                              PID:1004
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4C9FB~1.EXE > nul
                            8⤵
                              PID:4420
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4F7CF~1.EXE > nul
                            7⤵
                              PID:3992
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{FE000~1.EXE > nul
                            6⤵
                              PID:3244
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BC932~1.EXE > nul
                            5⤵
                              PID:2748
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D4771~1.EXE > nul
                            4⤵
                              PID:1012
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{059ED~1.EXE > nul
                            3⤵
                              PID:2260
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:3244
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
                            1⤵
                              PID:1996

Network

MITRE ATT&CK Enterprise v15


Downloads

                            • C:\Windows\{059ED1C0-71E2-427d-BEF3-89328632CF6C}.exe

                              Filesize

                              344KB

                              MD5

                              12aa3d86dee22f7e9ac4d3be2fbb0414

                              SHA1

                              a9b451724b0f492d8157e54ecd6c7aba9845684a

                              SHA256

                              6d811f878a772fc57d1010b8fb1cb89db38b2a23dce061af6ed2f9b13502a67b

                              SHA512

                              c8ef420acb591857b1035a00a37de2d9bb68d82c90aa0ea828c5e13aace00e819b4ae943c3711d1b10152f0b30039f97b1289aaa9cac03385acf107d45e51dfe

                            • C:\Windows\{22930C02-6C4A-4e3e-8906-563C59296853}.exe

                              Filesize

                              344KB

                              MD5

                              ea58f82c9cfa68daa8eef10b894e3bb0

                              SHA1

                              abd519451ebcd1156f7938048123dba91ab4cf09

                              SHA256

                              2db677d6863b54bb03d79cc95a6223a61e512e7d1f6073396f5502d7cf7cc5c8

                              SHA512

                              d425ad536fce977361c6844a388ec40fb2f79f6bebd38fd4d76d6c2bab0d0e2c265758c4fe221251f4732ed85f26fce24c0d9c111fb737e8501d62cec90b4ca1

                            • C:\Windows\{374360A8-4E51-4934-8C9A-72A94CF992C2}.exe

                              Filesize

                              344KB

                              MD5

                              89ab7538529653dc721bd20d80ec65b6

                              SHA1

                              e556da648927dd816675b14b582b65ab4b95fedf

                              SHA256

                              2e41163e1dec094a942e78ad7ee57120d77f99f995e586b67c30259615460df1

                              SHA512

                              f8a37cb370317a74e0164638e4961c4594abe5d4de1c323520005ff296caf8ba054092037f0f8b631cdf12ea303be4eb94edbb35f6a7af2c0d027ff6fca2cb67

                            • C:\Windows\{4C9FB6AE-D1A5-4167-8A33-463BD41E6324}.exe

                              Filesize

                              344KB

                              MD5

                              f866b6e71253523a4f45c9487cded020

                              SHA1

                              f2cfbbd803d3af94394ad29944f5fc062f6f01f0

                              SHA256

                              4dc7cf830d202e25c960abf84e02b09eaa1576b36ba7a9b07bdeb93c0ab245f3

                              SHA512

                              1ac2d6f014459c7c785900041481ff4e132d0578891073595362e9cded4ab94af82ad6cdad92c71c5a0f0f95bab9a2a316f582463a88eb0f7d8a0069ef5874ad

                            • C:\Windows\{4F7CFCFD-8D40-4a70-A869-00D573BA9A5B}.exe

                              Filesize

                              344KB

                              MD5

                              404594b3e0282c633cd9e915d3866f6d

                              SHA1

                              17ed548a18d1adf2577a4f52d4050004c14eb9e2

                              SHA256

                              976480a57e78cef310d0ea42189fcf94a6a3833394e7ec47a1991d0974bb3d9a

                              SHA512

                              d241f420422c2b7df8fc278f60177550af81013560a1dfe3876fdf0802df1f4c8100e12c67e0f0a41231e57f233457e4756931bda4a709a6ff4271121db5d08e

                            • C:\Windows\{B764134E-4BD1-4bc5-A2AA-56DE8BAB78C7}.exe

                              Filesize

                              344KB

                              MD5

                              199cbdfa26d904f0a2f5f245dc5f688c

                              SHA1

                              b8dc7aa4a6f46695c55034b6f0d6f8620afac4eb

                              SHA256

                              3f9a905ded11765293e7f3dbfcc78498b0faf907af757c37f54ce2cda6e77599

                              SHA512

                              827eb1169f3a9f23a1a00f23f562a67bc84ed01bd5eb8ceba0b671a5af7ca77489c8a95c5b1b6e0c61370f4c122efbbb33548d1c370944ea5934aad8ef945396

                            • C:\Windows\{BC93223E-897A-408f-8ACA-0F9F0402C698}.exe

                              Filesize

                              344KB

                              MD5

                              e7146a894dd9675e1995cfa9fadce451

                              SHA1

                              3978869ef1e6a62d155e9f098739c58eb9704989

                              SHA256

                              4d2a35a951eed6ce40efa0f60afe7ecbb7ddcfa265336ba8e4410f4fd8e09680

                              SHA512

                              54483e9cb64043e0162efa019537a4b30691be643651daba3d5019f7a37eac0c0461492228cf6b51ac5da51c42025c69305e5d85bbde7ce2f006c028f8bc940e

                            • C:\Windows\{C2D6DD20-36A1-4ff4-A251-91DF5B95AC10}.exe

                              Filesize

                              344KB

                              MD5

                              830a31ac96453e7c51b24c44aaac912d

                              SHA1

                              c00aeecd42f00b2a42b5be1d796f28774fd7644d

                              SHA256

                              98d25c338cdf6ab1945b82382a7a579504fb6cbcfaecbf4fc9a5f4c39fdf308d

                              SHA512

                              7ae2b8c480c5089b9329d6b77391774402a650e916fd23fa7a99f4dfffcdc70f4c86c6a6c92d00a18368c374e4fbd3429b6fcd3732d1a4738ecf29d604f4d7ca

                            • C:\Windows\{D47711A4-5305-4d34-BAE8-0EC8CCF5140B}.exe

                              Filesize

                              344KB

                              MD5

                              9710caf79e03b903309cdf7b6250f19e

                              SHA1

                              c7d11332963b1125f370e65d28eb7d0625414164

                              SHA256

                              4618fcae96ae6e4d8e75954a147620580ae25026e281d8dbe38d299e66cfe802

                              SHA512

                              2151324768eaa5c8eef90ecbca74371a7e0a39f737250d02943308e0d1c534695ac194e2553bf5c24433c4d08adad2bf48936976aab198bc57026a9c49ce8152

                            • C:\Windows\{F4181357-336A-40ed-A226-F5AA10FA273E}.exe

                              Filesize

                              344KB

                              MD5

                              f147a0b0b431e88f53899bdb99981426

                              SHA1

                              217ddd1e4e71b11947060d1c8b6914a9db4913bf

                              SHA256

                              b6ebbe75e10e51afc5ffb3c3433875c82019b141216c1e0a123070c846108573

                              SHA512

                              547e75fbcfdc646a88f727fc8baac14c488846404b72e8ac09a8a533e22c3cc3daf4abf32739f1de16d73319e084878035150e34bf396b74b45c91495133e344

                            • C:\Windows\{FDBAE889-8276-4ad7-AC3E-1DC20BE923C9}.exe

                              Filesize

                              344KB

                              MD5

                              e14149bd8ba788a58a1671ca36e7cf4c

                              SHA1

                              c8c8275c4d1296597ac3f187218a55dee3a7eaf8

                              SHA256

                              6a9b68a888cadbd464da475e65ecd481d493f5fb7dbe40421cb7f4136096e2e2

                              SHA512

                              a59d11474dd06901380651a1d2f8c844e71e3a25825f7735f7bb9b32136a9282ad89c38b5865ad572d64e06a98e8f6371d73f9929e7e9160dace66d0b0856008

                            • C:\Windows\{FE00071B-04A5-4caf-B26E-2C430F6450C5}.exe

                              Filesize

                              344KB

                              MD5

                              7f97bdc980fbec6ad9af3cd9c8adb5dd

                              SHA1

                              562e209ed42a48a8ceda5c36775bc23454f01994

                              SHA256

                              5480809f464c61206f6d7412287331542ba0f1a1d95f504bf31dcd35480cf733

                              SHA512

                              fc13de3b60bb0b7d5a69fefb55e4e8fb5bed724b2b5c43a100be1f0f059eaac84ed12587023786c36e1269a1820a19a9c72b1b965a57c0635389bd421ed27297