Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:32

General

  • Target

    2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe

  • Size

    204KB

  • MD5

    221640e16ccbe316d47a545bce65c559

  • SHA1

    64c89a18baebfc0d26f7d03b3598ec9e14ab9ed1

  • SHA256

    c38bf4a6b3fe2b0cd7a429cc9ff76d52dab4b16d57a658e766b5084c90e935a4

  • SHA512

    afe12282d65791f3e2fdafcbe3d47758e1e38a82f7987e7bebbb649d554ec8971506b75a2d09ad2f9eda45304f51260867a75aeb40928384acc3462fd0c130ad

  • SSDEEP

    1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oNl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
      C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
        C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4344
        • C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
          C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4740
          • C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
            C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3092
            • C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
              C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3076
              • C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
                C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5092
                • C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
                  C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5028
                  • C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
                    C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1520
                    • C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
                      C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1592
                      • C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe
                        C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2468
                        • C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
                          C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3324
                          • C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe
                            C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1344
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D24E5~1.EXE > nul
                            13⤵
                            PID:4592
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C39~1.EXE > nul
                          12⤵
                          PID:3048
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D66CE~1.EXE > nul
                        11⤵
                        PID:1236
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{74D5B~1.EXE > nul
                      10⤵
                      PID:5056
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{1D39D~1.EXE > nul
                    9⤵
                    PID:4876
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{731A3~1.EXE > nul
                  8⤵
                  PID:3552
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC00~1.EXE > nul
                7⤵
                PID:564
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD47~1.EXE > nul
              6⤵
              PID:552
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{97DFC~1.EXE > nul
            5⤵
            PID:2840
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BE541~1.EXE > nul
          4⤵
          PID:1052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E611~1.EXE > nul
        3⤵
        PID:3972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:3588
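The process tree above shows a pattern worth turning into a detection: every stage is a GUID-named executable dropped directly into C:\Windows, it launches the next stage, and it then removes its own image with cmd.exe /c del, naming the file by its 8.3 short alias ({6E611~1.EXE for {6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe, 2024-0~1.EXE for the original sample). Note also that the command line asks for C:\Windows\system32\cmd.exe but the process that starts is C:\Windows\SysWOW64\cmd.exe: WOW64 file-system redirection, consistent with the sample being a 32-bit binary (the arch:x86 resource tag). The Python below is an added example written for this page, not code from the sandbox report or from the sample. It runs over constructed Sysmon-style process-creation records that reuse PIDs, paths and command lines from the tree above, links each del command back to its parent's image by regenerating the 8.3 alias, and measures the depth of the GUID-named chain. The ProcEvent record layout and the simplified 8.3 rule (first six characters of the stem, ~N, three-character extension) are assumptions of the example.

```python
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# One process-creation record, reduced to the fields the checks below need
# (Sysmon Event ID 1 carries these as ProcessId, ParentProcessId, Image and
# CommandLine). This record layout is an assumption of the example.
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Constructed sample records modelled on the process tree in the report. They
# reuse PIDs, image paths and command lines shown above, but are sample data
# for this example, not records exported from the sandbox run.
SAMPLE_EVENTS = [
    ProcEvent(2584, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2024-04-04_221640e16ccbe316d47a545bce65c559_goldeneye.exe"'),
    ProcEvent(4080, 2584, r"C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe",
              r"C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe"),
    ProcEvent(4344, 4080, r"C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe",
              r"C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe"),
    ProcEvent(4740, 4344, r"C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe",
              r"C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe"),
    ProcEvent(1052, 4344, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Windows\{BE541~1.EXE > nul"),
    ProcEvent(3972, 4080, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6E611~1.EXE > nul"),
    ProcEvent(3588, 2584, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    # Benign control (constructed): a delete that does not target its parent.
    ProcEvent(7777, 1000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c del C:\Users\Admin\Desktop\notes.txt"),
]

# <drive>:\Windows\{GUID}.exe, GUID in 8-4-4-4-12 hex form, any letter case.
GUID_EXE_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$",
    re.IGNORECASE,
)
# The path argument of "cmd /c del <path>", with or without the .exe suffix.
DEL_RE = re.compile(r"cmd(?:\.exe)?\s+/c\s+del\s+(\S+)", re.IGNORECASE)


def is_guid_named_windows_exe(image: str) -> bool:
    """GUID-named executable sitting directly in the Windows directory."""
    return bool(GUID_EXE_RE.match(image))


def del_target(cmdline: str) -> Optional[str]:
    """Path passed to 'cmd /c del', or None if the command is not a delete."""
    m = DEL_RE.search(cmdline)
    return m.group(1) if m else None


def short_name_pattern(long_path: str):
    """Regex for the 8.3 alias Windows would generate for long_path.

    Simplified 8.3 rule (an assumption of this example): first six characters
    of the stem with spaces and inner dots removed, upper-cased, then '~N' and
    the first three characters of the extension. N is 1 unless the alias
    collides with an existing file, so any digit run is accepted."""
    base = long_path.rpartition("\\")[2]
    stem, sep, ext = base.rpartition(".")
    if not sep:
        stem, ext = base, ""
    stem = stem.replace(" ", "").replace(".", "")[:6].upper()
    return re.compile(r"^" + re.escape(stem) + r"~\d+\." + re.escape(ext[:3].upper()) + r"$")


def refers_to(short_path: str, long_path: str) -> bool:
    """True if short_path (possibly an 8.3 alias) names the same file as long_path."""
    s_dir, _, s_base = short_path.rpartition("\\")
    l_dir, _, l_base = long_path.rpartition("\\")
    if s_dir.lower() != l_dir.lower():
        return False
    if s_base.lower() == l_base.lower():
        return True
    return bool(short_name_pattern(long_path).match(s_base.upper()))


def find_self_deletes(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """cmd.exe children whose del target is their own parent's image.
    Returns (cmd_pid, parent_pid, parent_image) in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        target = del_target(e.cmdline)
        parent = by_pid.get(e.ppid)
        if target and parent and refers_to(target, parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def guid_chain_depth(events: List[ProcEvent]) -> int:
    """Longest parent chain made only of GUID-named Windows-directory executables."""
    by_pid = {e.pid: e for e in events}
    best = 0
    for e in events:
        depth, cur = 0, e
        while cur is not None and is_guid_named_windows_exe(cur.image):
            depth += 1
            cur = by_pid.get(cur.ppid)
        best = max(best, depth)
    return best


def triage(events: List[ProcEvent]) -> dict:
    """What a responder needs first: chain depth, the images that deleted
    themselves (recover them from the sandbox's dropped-file hashes, not the
    host disk) and every GUID-named stage image seen."""
    return {
        "guid_chain_depth": guid_chain_depth(events),
        "self_deleted": [img for _, _, img in find_self_deletes(events)],
        "stage_images": [e.image for e in events if is_guid_named_windows_exe(e.image)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run against the sample records it reports a chain depth of 3 and three self-deletions (the two GUID stages and the original dropper); the benign control delete is ignored because its target is not its parent's image. On a real host the same logic applies to Sysmon Event ID 1 or EDR process telemetry; the alias matcher is what keeps the rule from being defeated by the 8.3 name in the command line.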

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{1D39DC3C-B103-4536-AB5B-8B08FB066B3C}.exe
    Filesize
    204KB
    MD5
    e1ec5576b20a13658443e14c6c6adb56
    SHA1
    d94cd4c7f55dbecb2d8688778187296a0ffc5c44
    SHA256
    63096ba7627d00121ea67aa626f702c73cf5b93d327cabad82cba475b2c0919d
    SHA512
    f3f2e1e3fe0542eab8ae0f024563d1214d850fdac49488ddb0185cc92d6bbefb7bcd89a84ae9968f00b79667701ddc452bda520f8765fe4d7c5ea8ac391164af

  • C:\Windows\{3EC004E3-E458-4e12-83FE-E40FDA8E77AB}.exe
    Filesize
    204KB
    MD5
    5dd7407d6fae8ee099e912cf5740f447
    SHA1
    6f25130954f4e1ee37150f0916757b60cfdfcef1
    SHA256
    8c7e7d5928d73f09453f10f980293ba7eb100dc46824ad03e51270c27ed1ce22
    SHA512
    b723d0459cbdecc303e6c3f2e8e9978126ea6460776ba323074aaefcf2870c0cfa142472685170e2a04b05c0aee857ad7ab606e02296b85ed6e73a4953ee7534

  • C:\Windows\{6E6117CA-4E93-4463-821A-17DBCE4325C5}.exe
    Filesize
    204KB
    MD5
    aec8cf401e00a93dbac3ddccf835711b
    SHA1
    4befd17b1a0d5a0127d30764a1b951b3959bc4ee
    SHA256
    41c969952982ad9f5f319fdd5f53ac027a3d9c6bb16fa4982e01188201ce4dbe
    SHA512
    5d5af8424654e2b71b5e697cb4d7168301c0fcba036975fd9177b450ad5ba289c368d486ac4197133083137f5a3d28317daea74809dc20585425a0a0cf3b8d0d

  • C:\Windows\{731A3A80-8F8C-45bc-ACB4-2F29ED1F2769}.exe
    Filesize
    204KB
    MD5
    9dcec0b191d36bb6cd02f520357b2424
    SHA1
    fea7cb6f4bca9b889155dc019963e08d2c6ddd4a
    SHA256
    2177d5eb4a66271ad3c97e9ea70ae4dda82a743c3aabf4a01a0922e3abaac584
    SHA512
    a1cf968dadee6b7a510a4439207f7a97ec3dab5b028dc3309d0b62d1d67274e4b3da5099e352f4b5bb76789d52b7b7b5e4a579f81304bf5327560bc7341343cd

  • C:\Windows\{74D5BCD8-4A15-4ba7-B133-96855A169513}.exe
    Filesize
    204KB
    MD5
    b8563aee3afd588b58e3c7c4f326e0f9
    SHA1
    312845128d5790331358fdd828f409ea6f6aeaa6
    SHA256
    512b02fa0373f5b97ffc5bb70566b27815e6d605ae398d14c7c86c2b8dac8ea6
    SHA512
    0e04e599cfdafa8a890d5bcaf81e271eea2fe4532a0fde5ad5feea02ec96284e950cb2b1935c0737d4fb8ca28a18d3d458ceb2f350df920b294c9a79de382c04

  • C:\Windows\{85F7C897-2E95-4ab7-AD3B-4D54D787AEFE}.exe
    Filesize
    204KB
    MD5
    4fe93c9ff5ee0b3669367d86679eff00
    SHA1
    6eb824aa7671268b2ace0f77eedb2ae2215d8e48
    SHA256
    c90b92a3b8c4d4bebd166a0e9c56cd175116fdc66cddec7093ec7b1f058d3b99
    SHA512
    543aea64aa985b64d20351619f937f3af196a3b0cc3a3e671b0d00bea28ddad77d7e14974de3fa6dcbbdd4ab760f2d498acf9e4445b54527fb59f50421f555eb

  • C:\Windows\{97DFC76E-43B2-4c73-A055-0D2F30AEDA44}.exe
    Filesize
    204KB
    MD5
    e58f237c1885f63ca1ae73b28c25c4d9
    SHA1
    5c04a39b10544be8e8aa3ff793af9ddfeda7c931
    SHA256
    56b07c07a6ae7ef36a023bc1b0f6ece216ed0980746b0f24876cd430509431b3
    SHA512
    88818aac94ac07f69f7186705c800f42ce912876b46d4b81575afed84195b85ebba8bffa6e6a9d02c554a733317c38270fcb8fa172a89ce1b1a11e27c6c39548

  • C:\Windows\{9AD4718F-DFD8-4e8d-A430-A5910225632B}.exe
    Filesize
    204KB
    MD5
    e2907e946b074e715ffc35ada0113ee3
    SHA1
    2683ff522689464cc5951ebeb33994855582a906
    SHA256
    e4732e855cebd3856d0155e36531fef5afbbbbd50b25dd2dd17298710ef45704
    SHA512
    776a3ba089f7cd6d7ae1f5dded8080c54b6c6d3234d6bc7c17af18711238687460958daacb741aaaf60bf85f7f5c7ea5d451f58add373e874c9316a3ba63797d

  • C:\Windows\{A5C39642-7E80-4915-9849-A1701B2010BD}.exe
    Filesize
    204KB
    MD5
    28e8a46d7ef3af17b2e3653ee6904f58
    SHA1
    790a670d48ec99bb00a9118a9b7ad0944292a86b
    SHA256
    ef89305cd943a920bb7a739102ed0f1e609f86a19faca905aee7a22cabd97cab
    SHA512
    e1304a7ed071d97eee2256a08b85f196c6418f25d9caccd8cb8c9c85aecdd54f13e71831fbc39cd08918fe369620aea50d9eb2c96a3f9178038d566830c10337

  • C:\Windows\{BE5418BA-A135-45eb-A083-2712413D9EB6}.exe
    Filesize
    204KB
    MD5
    13259300e9740eadc52ed287d433ca5f
    SHA1
    d97c6382212103401528929d37ab21873dc7f785
    SHA256
    fc24549fafb70d1d56496b2c3b6ab9274e86e7421a62cfe96f3025ac9e5da8dd
    SHA512
    d8ec5147f5da1b16f64b49535628ad47c1e262b1b08acb08cd3cefc4d73146dc45ab0a700a6e93bb5a65dc65bab3edeb5f99ee89168cba328dce3ed563e699e0

  • C:\Windows\{D24E5F35-436E-41cd-8F59-7A1DB6655D24}.exe
    Filesize
    204KB
    MD5
    4c8a1541c140c78ec03c3babef52cb14
    SHA1
    aeb65bc977a08a1ac6b57ab0034b942e472eec28
    SHA256
    e1d49183187c66b37ce0b6398387dffa75d6b9db26f303d8acd5499e9d6ddda2
    SHA512
    931bd1d3aa9a85d19facb8da04d14e5406c2cf118465ef70e534ebafaa3dac2aa7b45b39de37004aaa2eec8284a7be4211a421ded4f4773683d781ef322e370d

  • C:\Windows\{D66CEE12-FC33-4835-841D-BFF6BBEA5A23}.exe
    Filesize
    204KB
    MD5
    f06e5fab6f63c8e7298173696f1f8477
    SHA1
    ae16f5021180860c1834bd17166990e6c3c648ad
    SHA256
    8913917cb2386c305c148a16f154d55dfe77af19a14e94e56c618256594f4c75
    SHA512
    516121830a46ddd8eb490f1f1057145f76ae7e1fa2116898704f2d72556125b4864c92891ed2a05b050b3382512fdcb639b89f901152ff4520602d31675d35b3