Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:28

General

  • Target

    2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe

  • Size

    204KB

  • MD5

    14f5b92fdb38838cf5a78fa932e15e9e

  • SHA1

    c3337c6cdb30205cc2af4e2d63a50fba1ab65a80

  • SHA256

    9ae334582da93f547d84f738b8d96fdae5999d61459a2c8a1b7213aff0c7466a

  • SHA512

    ab99fbcaaa0e3966e0e1c6d2ef6c1fefad08ef18a330e1f815d0b3629f07ec097c53a29131e59f72ba6fc9e9ed0b94f57adf725f98bcef7754e6a4dfa062681a

  • SSDEEP

    1536:1EGh0osLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o4l1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (12 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\{19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe
      C:\Windows\{19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Windows\{9873B557-5F84-4067-BECC-4D078279318B}.exe
        C:\Windows\{9873B557-5F84-4067-BECC-4D078279318B}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Windows\{16F6CCF4-7BFC-406f-9966-51706500F890}.exe
          C:\Windows\{16F6CCF4-7BFC-406f-9966-51706500F890}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3156
          • C:\Windows\{65837DA2-5C01-4209-9ECB-740A0E066B86}.exe
            C:\Windows\{65837DA2-5C01-4209-9ECB-740A0E066B86}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3212
            • C:\Windows\{EEB675F2-3449-4623-86F9-98030183B8BE}.exe
              C:\Windows\{EEB675F2-3449-4623-86F9-98030183B8BE}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:960
              • C:\Windows\{8555BFAB-8489-43b9-9215-B6A70703C756}.exe
                C:\Windows\{8555BFAB-8489-43b9-9215-B6A70703C756}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1516
                • C:\Windows\{7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe
                  C:\Windows\{7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3280
                  • C:\Windows\{0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe
                    C:\Windows\{0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3340
                    • C:\Windows\{2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe
                      C:\Windows\{2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3460
                      • C:\Windows\{4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe
                        C:\Windows\{4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1788
                        • C:\Windows\{BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe
                          C:\Windows\{BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4828
                          • C:\Windows\{C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe
                            C:\Windows\{C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1824
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BA485~1.EXE > nul
                            13⤵
                              PID:4176
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4A491~1.EXE > nul
                            12⤵
                              PID:4156
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2711B~1.EXE > nul
                            11⤵
                              PID:1564
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0E1CE~1.EXE > nul
                            10⤵
                              PID:2928
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7BDE0~1.EXE > nul
                            9⤵
                              PID:1324
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8555B~1.EXE > nul
                            8⤵
                              PID:3116
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EEB67~1.EXE > nul
                            7⤵
                              PID:4404
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{65837~1.EXE > nul
                            6⤵
                              PID:1196
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{16F6C~1.EXE > nul
                            5⤵
                              PID:864
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9873B~1.EXE > nul
                            4⤵
                              PID:4324
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{19319~1.EXE > nul
                            3⤵
                              PID:5052
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:5032
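The process tree above is a single pattern repeated twelve times: each executable drops a GUID-named copy into C:\Windows, runs it, spawns `cmd.exe /c del <own 8.3 short name> > nul` and exits, so that the deleting cmd.exe succeeds once the parent has gone. The following detection sketch is an added example and not part of the sandbox report. It takes the image paths, command lines and PIDs verbatim from the tree; the flat `(pid, image, cmdline)` event shape is an assumption standing in for whatever process-creation telemetry you have (Sysmon event 1, an EDR export). Parent/child links are deliberately not required: the chain is recovered by mapping the 8.3 short names in the `del` commands back to the long GUID paths seen earlier, which also tells you which binary was still on disk when the run timed out. The registry modification the report flags under "Modifies Installed Components" is not visible in the tree and is not modelled here.

```python
"""Flag the drop -> execute -> self-delete chain shown in this report's process tree.

Added example, not part of the sandbox report. Image paths, command lines and PIDs
are copied from the report; the flat (pid, image, cmdline) event shape is an
assumption standing in for real process-creation telemetry (e.g. Sysmon event 1).
Parent/child links are not needed: the chain is recovered from the 8.3 short names
that each cmd.exe deletes.
"""
import ntpath
import re
from collections import namedtuple

Event = namedtuple("Event", "pid image cmdline")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_14f5b92fdb38838cf5a78fa932e15e9e_goldeneye.exe"

# GUID-named executables dropped into C:\Windows, in the order the report shows them.
DROPPED = [
    ("19319331-2D65-41b5-9F3D-DC5D53B3FF9C", 4776), ("9873B557-5F84-4067-BECC-4D078279318B", 3540),
    ("16F6CCF4-7BFC-406f-9966-51706500F890", 3156), ("65837DA2-5C01-4209-9ECB-740A0E066B86", 3212),
    ("EEB675F2-3449-4623-86F9-98030183B8BE", 960),  ("8555BFAB-8489-43b9-9215-B6A70703C756", 1516),
    ("7BDE0B4A-A0E4-478b-8454-E5DD049C6081", 3280), ("0E1CE916-7E0E-49f9-8D74-B36342E50FD9", 3340),
    ("2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE", 3460), ("4A491B1C-D9CE-4eef-AA18-CBC83FA41C37", 1788),
    ("BA485FBD-4481-46d0-AE22-F2962B1948F4", 4828), ("C0C0F86B-A3C9-4269-8729-50F3D2188815", 1824),
]

# cmd.exe /c del <8.3 short name> > nul, as the report lists them.
DELETIONS = [
    (4176, r"C:\Windows\{BA485~1.EXE"), (4156, r"C:\Windows\{4A491~1.EXE"),
    (1564, r"C:\Windows\{2711B~1.EXE"), (2928, r"C:\Windows\{0E1CE~1.EXE"),
    (1324, r"C:\Windows\{7BDE0~1.EXE"), (3116, r"C:\Windows\{8555B~1.EXE"),
    (4404, r"C:\Windows\{EEB67~1.EXE"), (1196, r"C:\Windows\{65837~1.EXE"),
    (864,  r"C:\Windows\{16F6C~1.EXE"), (4324, r"C:\Windows\{9873B~1.EXE"),
    (5052, r"C:\Windows\{19319~1.EXE"), (5032, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]

# {8-4-4-4-12}.exe directly under C:\Windows: nothing legitimate is normally named this way.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# "cmd.exe /c del <something~N.EXE> > nul": delete-by-short-name with output suppressed.
SELF_DELETE = re.compile(
    r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+~\d+\.EXE)\s*>\s*nul\s*$", re.I)


def build_events():
    """Assemble the constructed event list from the report's process tree."""
    events = [Event(2380, SAMPLE, '"' + SAMPLE + '"')]
    for guid, pid in DROPPED:
        path = "C:\\Windows\\{" + guid + "}.exe"
        events.append(Event(pid, path, path))
    for pid, target in DELETIONS:
        events.append(Event(pid, r"C:\Windows\SysWOW64\cmd.exe",
                            "C:\\Windows\\system32\\cmd.exe /c del " + target + " > nul"))
    return events


def resolve_short_name(target, known_images):
    """Map an 8.3 name such as C:\\Windows\\{BA485~1.EXE to the long path it stands for.

    Windows derives the short name from the first six legal characters of the long
    name plus ~N, so a prefix match against images seen in the same directory is
    enough here. Collision-heavy directories (hash-suffixed ~XXXX names) are not handled.
    """
    directory, short = ntpath.split(target)
    prefix = short.split("~", 1)[0].upper()
    for image in known_images:
        img_dir, name = ntpath.split(image)
        if img_dir.lower() == directory.lower() and name.upper().startswith(prefix):
            return image
    return None


def analyse(events):
    """Return the GUID chain, what each cmd.exe deleted, and which binaries survived."""
    images = [e.image for e in events]
    guid_exes = [img for img in images if GUID_EXE.match(img)]
    deletions = {}  # cmd.exe pid -> long path it removed (or the raw target if unresolved)
    for e in events:
        m = SELF_DELETE.search(e.cmdline)
        if m:
            target = m.group("target")
            deletions[e.pid] = resolve_short_name(target, images) or target
    # Every chain member that was never deleted is still on disk when the run ends.
    survivors = [p for p in [SAMPLE] + guid_exes if p not in deletions.values()]
    return {"guid_exes": guid_exes, "deletions": deletions, "survivors": survivors}


if __name__ == "__main__":
    result = analyse(build_events())
    print(f"{len(result['guid_exes'])} GUID-named executables, "
          f"{len(result['deletions'])} self-deletions")
    for path in result["survivors"]:
        print("still on disk:", path)
```

Run against the report's own tree this yields twelve GUID executables and twelve deletions, with only `{C0C0F86B-...}.exe` (the last one started before the 149 s kernel time ran out) left undeleted; that is the artifact to collect from an infected host, since the earlier stages and the original dropper remove themselves. In production telemetry the two regexes are the reusable part: a GUID-named binary executing straight out of C:\Windows, and `cmd.exe /c del ... > nul` against an 8.3 short name, are each rare enough on their own and near-certain as a pair.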

Network

MITRE ATT&CK Enterprise v15

Downloads

                                • C:\Windows\{0E1CE916-7E0E-49f9-8D74-B36342E50FD9}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  8326c86edfa2f92ec039afbd10c41acc

                                  SHA1

                                  e01d8d1d34f307057bb7b61fac9a66d68c13c2d7

                                  SHA256

                                  bb7c6e51279ba03a6994684ee7f4989bcf03999797712f8829e89d45ee995108

                                  SHA512

                                  30c05da4ba18e031c52202d908900df1b32d752bb5721e9e798ecdd7ced7f8ace44840ccfda9db032c6831622b4d886d1691188799c237046db383c6dcf8e468

                                • C:\Windows\{16F6CCF4-7BFC-406f-9966-51706500F890}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  782feeaf14549278d6b67c6aae225505

                                  SHA1

                                  f1a9d377d36a107279e3c433eb38157d21b6ebc0

                                  SHA256

                                  0300a1c0dbccade6b7b11c1a7b173de91076472f50fb28d41e2e96f43c46dc61

                                  SHA512

                                  aafd5b44881495ab66451f38af53433194b03495e4655bead0826e7b9fe858e421ce76845a62f2de485a70774d6da2ef30d3f0b476c218d99051dec90915f680

                                • C:\Windows\{19319331-2D65-41b5-9F3D-DC5D53B3FF9C}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  bf3944d79c533641f472a67e1c3cded4

                                  SHA1

                                  15a67a057bbdc63e9f01e125f74bebce91f2742f

                                  SHA256

                                  c33671345dc129a49326d2ac9ebb406622c9d3990a7d5e479f53f7973e4edff0

                                  SHA512

                                  0bf16a387e8c797eb17f0e19e507dac34efd35e171e8d67e98d959323c52bea1ede750d1c43ec23461ff9d61bff7cd770c8bdc01afa24e2882fe1c6d36fab0fb

                                • C:\Windows\{2711BB1E-3879-43ac-B9AC-DC08CDDEE8CE}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  785de830219f036c4d25d356a70e9db2

                                  SHA1

                                  594133632194e4b7a448931a4edf4af781a739d5

                                  SHA256

                                  b3face999cf2103c2c0cef0f5f22bffa02e85530273984e8a0d9f689037fbae4

                                  SHA512

                                  6a010f253dfe52ec4197d984c775487d3e45577542d27d5e8557a4532ceea9d3be780295db0ae3edfe0b0ff5077c3627a05864c984758daa514091dbd2134a1d

                                • C:\Windows\{4A491B1C-D9CE-4eef-AA18-CBC83FA41C37}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  bff9696e205d7d6e375ed63289bbfda7

                                  SHA1

                                  3d8725b1100b59fce0afb78dfbbbd12270413abb

                                  SHA256

                                  0a6948ce8b9346084e6423406fca482db9365c384fb4087ffbc647de70fee324

                                  SHA512

                                  4eaf57c8c1007efd94103f730f4ebee66e9fe578a8d6ed499f329653c0f40d0e203d0ea98491a05bbe868ad0f5b9fcb5df2ba551938864fd687164a5c0c86666

                                • C:\Windows\{65837DA2-5C01-4209-9ECB-740A0E066B86}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  04fc6040d06e73f4b8097113ef271c97

                                  SHA1

                                  9ef832ad1bdd147dcb14bbe57234d4ff80617b7a

                                  SHA256

                                  938f43e602e76d99d35b4c28de17f6a342836483ed5adb8b8c9ff6ae1687573d

                                  SHA512

                                  b4d4941ee2eb7cce0b07df2ef12a59160f79b19e5c2a070304af541c8a4b6b6a61193c2806d287e1b8fa021d038ef2fdf5f853b846be9692364d7a41b40a74b0

                                • C:\Windows\{7BDE0B4A-A0E4-478b-8454-E5DD049C6081}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  819658b8b59d3e1af28967b624c8066a

                                  SHA1

                                  39619b1c49ac1d68100a7f1eb3c24e94a1c0c0f4

                                  SHA256

                                  652ba381267b314e30e59b4e3940ee6208a3a7036f2adc91dc6e55eeb754b81b

                                  SHA512

                                  3d372051251bdde9e907db5dcb29b75eaaef9de18ccca754ed9cd3739b9c31afb2b9f35ef12e993c004157bed5e3127d14f4b00d9149cc1bc95ea18d7044da4c

                                • C:\Windows\{8555BFAB-8489-43b9-9215-B6A70703C756}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  af785546614f5e1ffd09eb0fccf4632c

                                  SHA1

                                  4150caf0c9db071b2cf17ca07e9fe9e8d02c6263

                                  SHA256

                                  8ad519e8a30dca113cae61e61482a567bd9803b062cc82a09216f3306dffca5e

                                  SHA512

                                  e2d26bfc877482fbec84ca3ac5b9745d64b2fb087c7ce77000782168928130a8b8d3410c4851b05d8a7e8e2db910bf2b2f098cda6f7254cacb681a035201169a

                                • C:\Windows\{9873B557-5F84-4067-BECC-4D078279318B}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  1ca058c88acc64ddefaaaabb10225440

                                  SHA1

                                  0fbab38ce08dd5685abcea0ae57f30c7eb2bcbab

                                  SHA256

                                  6b2eef1e34c3e5912ee6f0b9a408b47f1d260eb8ead03c919fb937fd33dc994c

                                  SHA512

                                  6b3fd434b25a8ee40230285416abb7baa0ffec9f4d89a5b0b0fa6a571ee58e3d1d63e87343dc1dc6c17ecb3a2b445be82f63849bee717191eb4c65356f878415

                                • C:\Windows\{BA485FBD-4481-46d0-AE22-F2962B1948F4}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  fc9e47e93d3de3cbce4c283c9c5e682d

                                  SHA1

                                  3ff2d9df653f8cff8552388fe31c3198df868660

                                  SHA256

                                  bfbc3b382388cd11c9f3aedd26cedf6b2b43b8da855128a36c93f74e04252e31

                                  SHA512

                                  b888d344c6242c5a0e93ba7425f738cca75136f6626289609c57a8dcebc738c7e7cd3aff0ac26305087666f31bc18180e242e3431792db03466b7b31356cf814

                                • C:\Windows\{C0C0F86B-A3C9-4269-8729-50F3D2188815}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  3fa0a82e4e4d708e647aca3edf172fce

                                  SHA1

                                  4919dc9486a35cb32bd489df3f84b9ad114cd23e

                                  SHA256

                                  4fa0180d4bf7026950b0a924a8732068b2a0515b13c7fdaa2f561e88e0434eb3

                                  SHA512

                                  a3127c2d2a1aec0690cd5a6b76f1e4c5e91022d8bd4dcbf554d8e81aa2b305417730e431321ac4a6beb92fa8779fd74eadb45a280985c0f63b98a03f31b8bce5

                                • C:\Windows\{EEB675F2-3449-4623-86F9-98030183B8BE}.exe

                                  Filesize

                                  204KB

                                  MD5

                                  d17eceb6ebf8c197cf2d384a49687c7c

                                  SHA1

                                  d7a0980913b70052ee1194b895d949f8ebed74e1

                                  SHA256

                                  ce350b5ff85601fcebace0e0efa5b02f9933ebf70657920cb3077ea00a63385a

                                  SHA512

                                  9baea24195c90608e131cb7646cc3549a55c47b251b0f27615050ea686bf5538664df208d804f561ff16f817044bafceca58e0d755f15834d16876df3f1b8737