Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:34

General

  • Target

    2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe

  • Size

    408KB

  • MD5

    37f14fbc75ba06a427b0a6e6bbffa3d1

  • SHA1

    c99c0798797da7dcb3bc89e8d096b51b4c334912

  • SHA256

    0b0777db0ffd874117d99e8b6c058940f53a70c0368e7aa64219fc4ee584d285

  • SHA512

    012b98d01a2743d78daa3722e8aa8db7c6ddebf887f257e640e5c48c75c060d78bbf96b66ae88aca34a56daa27d0627f66cb4c4637026717ee915a9a4b5ac13f

  • SSDEEP

    3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGHldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe
      C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:716
      • C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe
        C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe
          C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4940
          • C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe
            C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4704
            • C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe
              C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4144
              • C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe
                C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3760
                • C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe
                  C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4868
                  • C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe
                    C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:832
                    • C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe
                      C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4476
                      • C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe
                        C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1984
                        • C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe
                          C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2984
                          • C:\Windows\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe
                            C:\Windows\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:868
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2A21B~1.EXE > nul
                            13⤵
                            PID:716
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AEA53~1.EXE > nul
                          12⤵
                          PID:4952
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0805~1.EXE > nul
                        11⤵
                        PID:4180
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{DCC26~1.EXE > nul
                      10⤵
                      PID:3196
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{1CEA9~1.EXE > nul
                    9⤵
                    PID:1404
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A2295~1.EXE > nul
                  8⤵
                  PID:3584
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{548D2~1.EXE > nul
                7⤵
                PID:3516
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{56BDC~1.EXE > nul
              6⤵
              PID:2068
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0AF1C~1.EXE > nul
            5⤵
            PID:4352
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{58209~1.EXE > nul
          4⤵
          PID:3116
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{902AA~1.EXE > nul
        3⤵
        PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4316
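The process tree above shows one behaviour repeated thirteen times: each stage drops a GUID-named copy of itself directly under C:\Windows, executes it, and then spawns "cmd.exe /c del <8.3 short name> > nul" to remove its own image. That pattern is more durable than any of the per-stage hashes listed below, which differ for every copy. The following is an added detection example, not part of the sandbox report: it runs over a few constructed Sysmon-style process-creation records modelled on the first hops of the tree (the parent PID of the root sample is assumed, since the report does not show it) and flags GUID-named executables launched from C:\Windows, cmd.exe deletions whose 8.3 target resolves to the parent process's own image, and the depth of the parent-to-child replication chain. The 8.3 matching assumes the common form seen in the report (first six characters of the long name followed by ~N), not the hash-based short names Windows falls back to for colliding prefixes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# GUID-style file name directly under C:\Windows, as used by every dropped stage above.
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$"
)
# "cmd.exe /c del <target> > nul": delete a file and discard the output.
DEL_CMD_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.IGNORECASE)
# 8.3 short name of an executable, e.g. {902AA~1.EXE (up to six prefix characters, then ~N).
SHORT_EXE_RE = re.compile(r"^(?P<prefix>[^~\\]{1,6})~\d+\.EXE$", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line as logged


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def is_guid_dropper(ev: ProcEvent) -> bool:
    return GUID_EXE_RE.match(ev.image) is not None


def deletion_target(ev: ProcEvent) -> Optional[str]:
    """Return the path removed by a 'cmd.exe /c del ... > nul' event, else None."""
    if basename(ev.image).lower() != "cmd.exe":
        return None
    m = DEL_CMD_RE.search(ev.cmdline)
    return m.group("target") if m else None


def short_name_refers_to(short_path: str, long_path: str) -> bool:
    """True if an 8.3 short name such as C:\\Windows\\{902AA~1.EXE can denote long_path.

    Assumption: the short name was built from the first six characters of the
    long name (case-folded), so we require the same directory, a .exe long
    name, and a matching prefix.
    """
    m = SHORT_EXE_RE.match(basename(short_path))
    if not m or dirname(short_path).lower() != dirname(long_path).lower():
        return False
    long_base = basename(long_path)
    return long_base.lower().endswith(".exe") and long_base.upper().startswith(m.group("prefix").upper())


def find_self_deletes(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """(cmd pid, parent pid, target) for each del command aimed at the parent's own image.

    Keyed on PID for brevity; the report itself shows PID 716 reused, so a
    production pipeline should key on the logger's process GUID instead.
    """
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        target = deletion_target(ev)
        parent = by_pid.get(ev.ppid)
        if target and parent and short_name_refers_to(target, parent.image):
            hits.append((ev.pid, parent.pid, target))
    return hits


def dropper_chain_depth(events: List[ProcEvent]) -> int:
    """Longest parent->child run of GUID-named executables (the replication depth)."""
    by_pid = {ev.pid: ev for ev in events}
    memo: Dict[int, int] = {}

    def depth(ev: ProcEvent) -> int:
        if ev.pid not in memo:
            parent = by_pid.get(ev.ppid)
            memo[ev.pid] = 1 + (depth(parent) if parent and is_guid_dropper(parent) else 0)
        return memo[ev.pid]

    return max((depth(ev) for ev in events if is_guid_dropper(ev)), default=0)


def analyze(events: List[ProcEvent]) -> dict:
    return {
        "guid_droppers": sorted(ev.pid for ev in events if is_guid_dropper(ev)),
        "self_deletes": find_self_deletes(events),
        "chain_depth": dropper_chain_depth(events),
    }


# Constructed records modelled on the first three hops of the tree above, plus benign noise.
# PID 4000 as the root's parent is an assumption; the report does not show it.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_37f14fbc75ba06a427b0a6e6bbffa3d1_goldeneye.exe"
EVENTS = [
    ProcEvent(2156, 4000, ROOT, f'"{ROOT}"'),
    ProcEvent(716, 2156, r"C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe",
              r"C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe"),
    ProcEvent(4316, 2156, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(1452, 716, r"C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe",
              r"C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe"),
    ProcEvent(1956, 716, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{902AA~1.EXE > nul"),
    ProcEvent(4940, 1452, r"C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe",
              r"C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe"),
    ProcEvent(3116, 1452, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{58209~1.EXE > nul"),
    ProcEvent(5000, 4000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(5001, 5000, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\Desktop\notes.txt > nul"),
]

if __name__ == "__main__":
    print(analyze(EVENTS))
```

On the constructed input this reports three GUID-named droppers (PIDs 716, 1452, 4940), three self-deletions (the cmd.exe children of 2156, 716 and 1452) and a chain depth of 3; the benign notepad.exe deletion of a .txt file is not flagged. Running it over the full thirteen-stage tree would give a chain depth of 12, since the root sample itself is not GUID-named.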

                          Network

                                MITRE ATT&CK Enterprise v15

                                Downloads

                                • C:\Windows\{0AF1CBAD-A25C-43b9-86C5-1ED5682184A8}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  2640e945f1ab332267dc03dd264bbf5b

                                  SHA1

                                  d8e8e2b9094208a008653800a7aa8893f2eba5c7

                                  SHA256

                                  f106f77dbdba2b91f65152cdfa083dc713e547fc1b7ca0f1ba6b64bf79a698af

                                  SHA512

                                  5713ffc950005feef210b1e9d6091456502dd530d03973b30cb384e76bc5d37aa0551adfed33275c87e692ef4e380962f36477e83a43d9f361ccff40c730b237

                                • C:\Windows\{1CEA97D4-2644-4964-A3AC-75EF54C8E72A}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  48b93c069cb8b65de95e7bfc7c8bfd45

                                  SHA1

                                  72d5c048d1cb2b9bf61dbf9fc897e44012d38739

                                  SHA256

                                  9b00215f4d5a1aa13118680d076bcc687dd5cb15ac9d09c28f3166c35a9f41eb

                                  SHA512

                                  6b612b7ae8da146e57985233b4e2958d4707324cc78019cfa69b07ab09b110eb0a98208e658fd4c73566ad47f0d5aaea99f7567d35c600d4e39116010d0c7d82

                                • C:\Windows\{2A21B419-79AF-4538-B643-83E7C65C1CB5}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  a8e7e63dd2e7cdb3337d8818ad61f465

                                  SHA1

                                  09c232a7ebbaf4a7f93835d4aacc47413746f6e3

                                  SHA256

                                  a7292be80d9a57a60ef55905f9be44f5ba0d9ddabd26276b69f5f10f1039bbf6

                                  SHA512

                                  279fdaef1093854e80bedb4310555257f6a4c78d5f99b155d35342a32ea13f9b21056608aa68f9dc12778fc23789f45c8ab058cd5ae0a0809096a42d72887554

                                • C:\Windows\{2B2A3036-98A1-4f7d-9186-7339DAA62DE9}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  a8f266f091a11853ec78930e1eb125f9

                                  SHA1

                                  9f9a34165c568e53ecfa9039edf8d92a04b11cff

                                  SHA256

                                  5d22c6265992fda014ebb3532a90c972bf2f14e94b145820d3caf3bfa32d8bad

                                  SHA512

                                  96ff3c659d6beb82f5632b2992f0adb086230788be679a5cb42a6a978527d59e5250f73ac5349ea2ed9ab91e2fde7100fc8bb6403a5611140ef56ee6c26e5a98

                                • C:\Windows\{548D2A58-2777-4aee-8D81-6656009C40B0}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  da40be5853bc60ad215406d5cd94fd3b

                                  SHA1

                                  0d35259c7f7c90e4b85eed4f3b2808318792b5e2

                                  SHA256

                                  e22a5f5e0c6fa9d72dcb958ca855683359a4146586e5720e99d985469fb7497c

                                  SHA512

                                  7dba0e477ae44ef13894de78f54c9e987eb0d17746e3b1ffaa196f0c146a7e48f71b3c417b107690d952095dfa5415bbd0ec981fcd9d346806a1139367a83796

                                • C:\Windows\{56BDC5DE-66AF-401b-88C0-5AEA219A3D88}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  ded34ab414e98684a678de6aa638cd84

                                  SHA1

                                  28cbe97c92f43a4bbdfc90bba35fe4a4b2c89a34

                                  SHA256

                                  844c133a9db791837bd96a87fb909aafb1f0288df88cae983592cbdfd72854cf

                                  SHA512

                                  4e7ebdc1fcfbb6b56fe066d36d4bb653c4ca31a2303e53e3b8a69cfb70793e9f943dc8536e06c0301192c45ab367607562b34633274ce9a02afd52bd7fc0cc9c

                                • C:\Windows\{582093A3-ED38-4802-98BE-9BD36E38E564}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  32ac4ec35baf5cfa3a5900c79d00a036

                                  SHA1

                                  73a4465a66ee096e05ac60ebd0240a2628b8aec1

                                  SHA256

                                  ce7953372321a2c164c65647b1f5ad6787f7ffac883bd3e767f29567bd7a94ba

                                  SHA512

                                  9f7e3fd0adb6dd8870c9c0289413e65eb34b1afe35870d5a2b44ea6ffba06611e7440eece48ecd0157b7aa558c3c889c8a63c0cc4bd3a9b2e2e9567328916284

                                • C:\Windows\{902AA2BB-3774-4f1e-A002-1591C8266969}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  16a7b73d2c73fd08215e90727d29d38e

                                  SHA1

                                  e63c99a592bf630e5df938ccd009b66dfb44d589

                                  SHA256

                                  b5ddc3dc92e6da2f370c8ffa00b049f12900edba3bce7379974ebe480553022f

                                  SHA512

                                  1dcf6fbe05ea1ab0574475282a751af96bcf7231c9240fcbc8760563c8804c783d09500fe738e27900e8be4a840f747ae1e034fe3f1c2984f0c930273ba11f4b

                                • C:\Windows\{A2295CA9-35D5-4a5e-97D2-71D8AC3EA54C}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  235e803a92d9a27b636e61f08e0bdb3d

                                  SHA1

                                  1541bece82604eddc1a7f4bd8a7a65e014ae3d13

                                  SHA256

                                  91e42240aff224ae114426cb7cdfa0dd167f345503e52419ae5ddbc637f2512c

                                  SHA512

                                  f873851a88ea3fc71ad2d46bf40cc5ac3b5749fe6fe44cfd3bd129814a2029d299bc35ddebc72742692d00ff357f400aa70625b76bdcb5d93e93e63033d9ae92

                                • C:\Windows\{AEA53100-C6F9-49ce-AEF0-6E1FFC5013D9}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  15cb0337e01710db1c895fa861c5111b

                                  SHA1

                                  f1c4e0e8996f9aa89c85283a14f3c2e8543c814f

                                  SHA256

                                  61dcf5f83c78f60cfe1601a3f628f3547d88b7735f40959fa6ff2524021d2ad5

                                  SHA512

                                  40c47650ebadba4f21616e37f954a9989a9c6bdd3041ed484ff8ff6762762b810f998bd3e8cf59bcb02bf22abfacdf635ee66f522435c947a83e36887b80786b

                                • C:\Windows\{D0805CE4-B146-49b0-82BD-44D9E3444EAB}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  460bf4434d28eb429bdb61ff2ea043d5

                                  SHA1

                                  5e8c26fdda90c6968bbbb619b7ccef3c1c71db3e

                                  SHA256

                                  62769621c703e1144f8f6bc63d77afcafc0d27280a1e527f834245bb30f6ac3d

                                  SHA512

                                  1aa74921404cffbbdd700d5a3feeb2b63a8d07438af14c134bf6f7cabcefa541a10006092adf7d8d2fbe52ec18b2678f3f4332f10ead349935044739ad5450ce

                                • C:\Windows\{DCC261A4-B43A-4615-A7B3-805B07F6E4C0}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  814b4b91ecdb0b335975a70ba7e7cc7e

                                  SHA1

                                  35c99d1226a74711ecf85c529e071a9001ae5624

                                  SHA256

                                  090554f10ae2b8bb34f0f3a5bfe2067cefbe83c74ce4b40341e41cc4f39a080c

                                  SHA512

                                  6287f56b9e9b8b9608d02d54ddf23061c834d10b5cece2577d4e474a019ff22abedc1c7c6fb0b20a947a311ee5fd7266225a0c6e861d544e2ff67c2b38841eb4