Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:33

General

  • Target
    2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
  • Size
    204KB
  • MD5
    375dbfc59e996eb9752cdbd68645f0a0
  • SHA1
    0ed548a9c92a86c6e89beaefeb934ba842afe498
  • SHA256
    28ed2df07c6fed10c0db88198033703b8d23b987bbb0ec0c83e087b5ac875840
  • SHA512
    30088a8564b7440e55653b2b15047fdfdabea143fe6aa1d696d2efc19f8729d88defef90124c764479b8013842cfaa69441a14a78c84ef5baaa7369eb5d49fc5
  • SSDEEP
    1536:1EGh0oMl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oMl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_375dbfc59e996eb9752cdbd68645f0a0_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe
      C:\Windows\{685FF935-5B69-47eb-BB41-062752329406}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
        C:\Windows\{0D74E14A-10F1-4a82-B628-C95754D6B2A5}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4948
        • C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe
          C:\Windows\{A25AF221-709B-4973-B956-8CCD4113756D}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3116
          • C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
            C:\Windows\{1DA4DA3D-AD97-4154-A036-6311162F83DA}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4024
            • C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
              C:\Windows\{35658802-4DD5-498e-A1B3-2A2701AD9A11}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2336
              • C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
                C:\Windows\{BE86F5D0-EA7C-40e1-A47A-C1D312A7B83F}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:364
                • C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
                  C:\Windows\{E8490A6B-918E-4738-845D-083C6D5EF9BD}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4596
                  • C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
                    C:\Windows\{31B60D9C-91B4-4c85-9BC6-874FEEE13526}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1844
                    • C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
                      C:\Windows\{CF96ECCF-DBA1-44db-AC94-5BAAD769B5EC}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3524
                      • C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
                        C:\Windows\{FFA21867-9A9E-48cc-B8C3-8A874040480D}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4324
                        • C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
                          C:\Windows\{6180A030-7BC1-4b24-AA14-8CD6F2B217CB}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5028
                          • C:\Windows\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe
                            C:\Windows\{2F6EFC9C-5480-4c59-98C3-AA4AD1403F79}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3904
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6180A~1.EXE > nul
                            13⤵
                            PID:1732
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FFA21~1.EXE > nul
                          12⤵
                          PID:1628
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF96E~1.EXE > nul
                        11⤵
                        PID:1108
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{31B60~1.EXE > nul
                      10⤵
                      PID:5048
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E8490~1.EXE > nul
                    9⤵
                    PID:2324
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{BE86F~1.EXE > nul
                  8⤵
                  PID:772
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{35658~1.EXE > nul
                7⤵
                PID:1400
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA4D~1.EXE > nul
              6⤵
              PID:3896
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A25AF~1.EXE > nul
            5⤵
            PID:3272
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0D74E~1.EXE > nul
          4⤵
          PID:4924
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{685FF~1.EXE > nul
        3⤵
        PID:3412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:2696

Network

MITRE ATT&CK Enterprise v15


Downloads
