Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:27

General

  • Target

    2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe

  • Size

    204KB

  • MD5

    1116de28e782e197373277782dff7273

  • SHA1

    f31cbededbc7ad1476d0e3e7642708139e64cc53

  • SHA256

    361a5c5515731c012a1197cfa311b2d02c2ab9f8148727e129d4edfb7e4d890f

  • SHA512

    e5ea98079f6e1066c24e16fa0489e1a4a0ba9f960006170cbbb841499112c68f895eb6e54766d9e6c280ecdfc35b1bf18e88935cb38d3e9ab774fd16252603ce

  • SSDEEP

    1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oxl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_1116de28e782e197373277782dff7273_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
      C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
        C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
          C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:404
          • C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
            C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1844
            • C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
              C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:456
              • C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
                C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1596
                • C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
                  C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:212
                  • C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
                    C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3800
                    • C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
                      C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:920
                      • C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
                        C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2512
                        • C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
                          C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3196
                          • C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe
                            C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1680
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5ADBE~1.EXE > nul
                            13⤵
                            PID:1448
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{52E86~1.EXE > nul
                          12⤵
                          PID:712
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{71881~1.EXE > nul
                        11⤵
                        PID:1684
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1EE20~1.EXE > nul
                      10⤵
                      PID:4276
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{1F495~1.EXE > nul
                    9⤵
                    PID:4432
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F6B8F~1.EXE > nul
                  8⤵
                  PID:2400
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{43A2F~1.EXE > nul
                7⤵
                PID:1856
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{99A38~1.EXE > nul
              6⤵
              PID:1376
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{98564~1.EXE > nul
            5⤵
            PID:4736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{36A73~1.EXE > nul
          4⤵
          PID:2540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81D0F~1.EXE > nul
        3⤵
        PID:2592
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:1340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1EE2030C-0E41-4686-AA7A-76E8BDCA6FCE}.exe
    Filesize
    204KB
    MD5
    2e2bba62b4451cc670e9919c952de48d
    SHA1
    edff1b0919a4641324bc8f7d1abfa6b393815124
    SHA256
    7c6b96e73fc0474c89deb9500c826ee7f7dfbb179af15c174a7b505968032cad
    SHA512
    5a0cdde408cd4242f291285ece3932115715b4e7972c66a42371c1b02feafd997a74fa68086e41d4aa6215445be00bb14fa514c8bd17e75b204034e5a83bff5a

  • C:\Windows\{1F495BDD-C9F3-4b89-89C7-A728F5C88BCE}.exe
    Filesize
    204KB
    MD5
    c9c4229ea6e87758e93432969278f9de
    SHA1
    e8e671545a90d5ca4f467d76085a55a7c6d1bd8a
    SHA256
    1a65373e9e7a6355753e681bf16d328bbd62c2cef5fcbd313d175a429c7a037f
    SHA512
    971f9bcbd52ea59809e9a0a0b2824862fe345a0f536298d9690c824a0820180eb9a92ed2aca4972e18f087a096fbd44f5d4f985f730677239609b1744d43e137

  • C:\Windows\{21A848BC-2053-492b-998A-52E0BB9042C5}.exe
    Filesize
    204KB
    MD5
    da427f7382a7793f80af76bdca4cd642
    SHA1
    1ad7ecd90e2401c795910d9273f21df929d44d7f
    SHA256
    83d10ba3a26650dd02e6ef5c96faf2fdcc6086845b32bdf7184b69c4c5731344
    SHA512
    cdee2f2d99d5b50ca0f5645473889979a4af2e7436f7e7067f7e8f815be1a10cc5feae2b25d4b7b2cafdc133b25634ab48493d9388a09c937438a66a879e9913

  • C:\Windows\{36A73FF6-F7AE-4c3d-8B5E-A6018EEA5D44}.exe
    Filesize
    204KB
    MD5
    177bcf7b542648f46334093f02604971
    SHA1
    4ddb1f863ac94a00e6b86fb2ae75c1aa2560a1ac
    SHA256
    247b7f4bd0828cb272330cfbdc7aad6fe220aeb062308104039107ebaadcdbf4
    SHA512
    12e211a187659c70be78fd7bcb267d57933c049ee39f3a3b03180a446373dcf501c9a38a2e72ef12e0c6fdca85b21868377687f72762e052d30853ce65fde0a7

  • C:\Windows\{43A2F3DE-42A3-4911-84A3-A54634326D81}.exe
    Filesize
    204KB
    MD5
    3e49f3cc3e16882b51b4ed7e29d0f692
    SHA1
    e04bde84ab7f23984e28e0a08ba82c0c22733961
    SHA256
    2578029062fa38711f27fc2422a382a7ccf789b91d13b09d7181987ec3a0b860
    SHA512
    eeac99fc5e6b200ca4db54c48b2462246d6d435c72feaf969d74638ba45ba498ba5d04a0ae5a126da1f359be1aa033e85fa62008b13ddb52bd019e0bee013fe8

  • C:\Windows\{52E86B7C-CC15-40dc-8CE4-2571D7897254}.exe
    Filesize
    204KB
    MD5
    2fed1986f077cce2c60ecfba09947895
    SHA1
    734f9664b779bde6169e74907027fc4105ec8f94
    SHA256
    2603ea77f63d120cb4aa9fda850b1d5dea2bb0b639b29aafcde626e34b163a34
    SHA512
    54a3f21a8ec13534312a922c48ea3e52472f21c80f1ba0397348ea61ea1ee3c4bbe2001b045adb1d72922a6bd55d2909e989a779ed34df8d87d3cc9b3afaa42e

  • C:\Windows\{5ADBE231-48FC-4882-9EF8-9EC9E3071D49}.exe
    Filesize
    204KB
    MD5
    a89acaaa4612e88c4e886713342399d3
    SHA1
    f1581092fed960e1590226b924e518b6b7d9b653
    SHA256
    124fb829a4ae16eb3b74d3af6c6bdb0deb5210f8b223cff41fb2064a4de86602
    SHA512
    247f09729ee83561ef9adff76094828a118f35f2c00923305ef0212e3bd16794528c307e24e89964af83b848756b989032ae5a45e5edc3faec2b4755c5dc1d85

  • C:\Windows\{718814DB-6EF3-468b-A50B-C828095FA8BF}.exe
    Filesize
    204KB
    MD5
    3911e221ab26f894d39e85e4c3dc7071
    SHA1
    aa5262371674129aea86f735f011504d04474fb1
    SHA256
    c689166d01078a3d486d8c5192cc4d6e5476f4d09f9ff6596bf84ceb8dde6524
    SHA512
    ec7e0f079b952fbce8750427caf79d6b5cde053c04f4eef130b44f1543aa4b134e52f034a137156f58a9f9bd5d313cfd916339f029c8604da631fbab1a9de210

  • C:\Windows\{81D0FCD8-4EDE-4e44-916F-9A54E98B72F9}.exe
    Filesize
    204KB
    MD5
    37cffa0494c1acfdaab59db8bf2abdf6
    SHA1
    ceb79398fe061e75b147df206d0c8931b87b2f0e
    SHA256
    d28e5a7dac2c92f01be36cd81226ef3da23cfc1b381256f9d23d3b7a75761a90
    SHA512
    969bbc0283170e3be1fb13c172e1af39e59204b15b6440129fc1d9ba8da8ec31b6eec78fc650dea4959c22fbc9ac1924999bf660119b438921fb23a8d95fe305

  • C:\Windows\{98564B2F-D937-4fcc-AD6C-E6034689A485}.exe
    Filesize
    204KB
    MD5
    6176220e2dab4612004bc65e96766a9d
    SHA1
    d4c619cc039bfe99c504aeb093d939109d56b699
    SHA256
    c4cd918cf112dd65ecb51ad39b2372a934232f225cbc77f8f0d83182cd107642
    SHA512
    ce81154903611f996ca598fb90701a3a3a97307f5d1fb73b6c8699c9f28acb51a44c3f236e25f19937b35b2fa058a5342a1e73bc66aadf4ebdc4dd493051278c

  • C:\Windows\{99A384EB-6FF3-45a9-BBD5-72302FD8018D}.exe
    Filesize
    204KB
    MD5
    d098339f19c86500aeae7ea4af4fc413
    SHA1
    2ff38fe36fa9b011ea3f17dcef08e23ae0c9e254
    SHA256
    74ac4b21e59f3fdf6b7607f66b73d7a99dafe784449849ee1de4d6a614a17122
    SHA512
    de1e1925f5d05ee14f23e5148fb1d18999bc43d061ad7a3c6bda041077c7f0d137711662985be782e9da68a0fa3167198df2665bf205d2b01ea83b6f2ce93ffa

  • C:\Windows\{F6B8F26E-AA3C-4643-95E2-2774FAD332F6}.exe
    Filesize
    204KB
    MD5
    5f348da000176e032dfbfd0b310821aa
    SHA1
    1c463992f6606494aded81f4bd122fb703cb963f
    SHA256
    d40bbcfc67a2f293651098b3519920a60fd844631bc9d7288cfc2f846ee2a6f5
    SHA512
    5164611f29d55548aceaae2dfcd8d3d1bf2e63665479500694c47972b86d84d4ec726f7a357ae6fa288b95aebc2d2be40470351780597ec6dd5527b1fcd5e182