Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:35

General

  • Target

    2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe

  • Size

    408KB

  • MD5

    47ed00611fc28276ac7279e5a85a003d

  • SHA1

    675b6f8ff31f6b6324a58637c101869979de4217

  • SHA256

    fc23cd1c6f90f1a907c08e4fff0cf46e7d6552264201caccd9423bafde233e33

  • SHA512

    adee5df07e61e158d70f43fc4faf4115a22d1a231f91101d7a77f56e1cc828d07aabbaab5988a469e41d1ad4ad12052c3dabb923c32748165658a0e8562bba83

  • SSDEEP

    3072:CEGh0oal3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
      C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe
        C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
          C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4040
          • C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
            C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
              C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2864
              • C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
                C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4592
                • C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
                  C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3044
                  • C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
                    C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1684
                    • C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
                      C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4420
                      • C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
                        C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:376
                        • C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe
                          C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4724
                          • C:\Windows\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe
                            C:\Windows\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1028
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{963A8~1.EXE > nul
                            13⤵
                            PID:3308
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A667A~1.EXE > nul
                          12⤵
                          PID:3300
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F355A~1.EXE > nul
                        11⤵
                        PID:2276
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{76ABA~1.EXE > nul
                      10⤵
                      PID:4264
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{65715~1.EXE > nul
                    9⤵
                    PID:2896
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{44AD8~1.EXE > nul
                  8⤵
                  PID:4812
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{ECF79~1.EXE > nul
                7⤵
                PID:4556
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{3B01F~1.EXE > nul
              6⤵
              PID:3172
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{14D8D~1.EXE > nul
            5⤵
            PID:3684
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F9913~1.EXE > nul
          4⤵
          PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DB9A~1.EXE > nul
        3⤵
        PID:2856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:624
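The tree above repeats one pattern at every stage: the process drops a new GUID-named EXE into C:\Windows, executes it, then spawns cmd.exe /c del against its own image using the 8.3 short name (for example {963A8~1.EXE for {963A86C1-70B3-429f-9E73-D400E033AF37}.exe). Every dropped stage is 408KB but carries a different hash, so the file hashes listed below are weak indicators; the parent/child relationship is the durable one. The following is an added example, not part of the sandbox report or of the sample, that applies that logic to process-creation events: it flags GUID-named executables directly under C:\Windows, matches a cmd.exe del target against the parent's image with a simplified 8.3 comparison (the characters before ~N as a prefix of the long basename, which holds for these names but not for every filename Windows shortens), and walks the chain down from the root PID. The events are constructed to mirror a subset of the PIDs and paths in the tree, with an assumed explorer.exe parent and one benign del as a negative case; they are not an export from this run.

```python
"""Hunt for the drop-execute-self-delete chain in the sandbox process tree.

Each stage writes a GUID-named EXE into C:\\Windows, runs it, then removes its
own image with `cmd.exe /c del <8.3 short name> > nul`.  SAMPLE_EVENTS below
are constructed to mirror part of that tree; they are not a real Sysmon export.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal shape of a Sysmon EID 1 / Security 4688 record."""
    pid: int
    ppid: int
    image: str
    command_line: str


# C:\Windows\{8-4-4-4-12 hex}.exe, case-insensitive (the stages use mixed case)
GUID_EXE_RE = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# the path handed to `del` in `cmd /c del <path> > nul` (quoted or bare)
DEL_RE = re.compile(r'/c\s+del\s+(?:"([^"]+)"|(\S+))', re.I)


def del_target(command_line):
    """Return the path passed to `del` in a `cmd /c del ...` command line, or None."""
    m = DEL_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def _split(path):
    """Split a Windows path into (directory, basename, extension), unmodified."""
    directory, _, name = path.rpartition("\\")
    base, dot, ext = name.rpartition(".")
    return directory, (base if dot else name), (ext if dot else "")


def short_name_matches(short_path, long_path):
    """Simplified 8.3 check: same directory and extension, and the characters
    before `~N` are a prefix of the long basename (case-insensitive).
    Assumption: the long name has no characters Windows strips when building
    the short name; true for the GUID names here, not for names with spaces."""
    sdir, sbase, sext = _split(short_path)
    ldir, lbase, lext = _split(long_path)
    if sdir.lower() != ldir.lower() or sext.lower() != lext.lower():
        return False
    m = re.fullmatch(r"(.+?)~\d+", sbase)
    if m is None:                      # no tilde: must be the same name outright
        return sbase.lower() == lbase.lower()
    return lbase.lower().startswith(m.group(1).lower())


def find_self_deletes(events):
    """(parent_pid, parent_image, cmd_pid) for every cmd.exe whose `del`
    target is its own parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        target = del_target(e.command_line)
        parent = by_pid.get(e.ppid)
        if target and parent and short_name_matches(target, parent.image):
            hits.append((parent.pid, parent.image, e.pid))
    return hits


def find_dropped_guid_exes(events):
    """Every process whose image is a GUID-named EXE directly under C:\\Windows."""
    return [e for e in events if GUID_EXE_RE.match(e.image)]


def chain_from(events, root_pid):
    """Follow GUID-EXE children downward from root_pid, in execution order."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chain, pid = [], root_pid
    while True:
        nxt = [c for c in children.get(pid, []) if GUID_EXE_RE.match(c.image)]
        if not nxt:
            return chain
        chain.append(nxt[0])
        pid = nxt[0].pid


CMD = r"C:\Windows\SysWOW64\cmd.exe"
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-04-04_47ed00611fc28276ac7279e5a85a003d_goldeneye.exe"
S1 = r"C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe"
S2 = r"C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe"

# Constructed events: PIDs and paths follow the report's tree; explorer.exe is assumed.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2792, 1000, ROOT, f'"{ROOT}"'),
    ProcEvent(3180, 2792, S1, S1),
    ProcEvent(4440, 3180, S2, S2),
    ProcEvent(624, 2792, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(2856, 3180, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6DB9A~1.EXE > nul"),
    ProcEvent(2312, 4440, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F9913~1.EXE > nul"),
    # benign negative case: a shell deleting a scratch file that is not its parent's image
    ProcEvent(5555, 1000, CMD, r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\notes~1.TXT > nul"),
]

if __name__ == "__main__":
    print("dropped:", [e.pid for e in find_dropped_guid_exes(SAMPLE_EVENTS)])
    print("self-deletes:", find_self_deletes(SAMPLE_EVENTS))
    print("chain:", [e.pid for e in chain_from(SAMPLE_EVENTS, 2792)])
```

To run this against real telemetry, map ProcessId, ParentProcessId, Image and CommandLine from Sysmon event ID 1 records onto ProcEvent. The short-name comparison is the part that matters: the del command lines never contain the long GUID filename, so a plain string compare of the del target against the parent image misses every stage in this tree.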

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{14D8D6CA-6AC3-4346-B364-87F34C77C723}.exe
    Filesize 408KB
    MD5 821674d0454023c4f4f679964ee62cfd
    SHA1 953f0280f756a5e19b22db5a4a6b36096de6db3b
    SHA256 2d3e0817be10b06331154e004808e8332539a96a64743b8d96eb56bee86890a9
    SHA512 90e287fd5664a35651629f65482ef43355ce4a1c207d011c5cdf25aff407ec6eb34e6aa78193842b04a051a0bcca6166b3539dcb14cfc71b24b87129b48b23c2

  • C:\Windows\{199D00EB-7ECA-4605-A153-FAE4DC4068C3}.exe
    Filesize 408KB
    MD5 c52472e2a98cebb80da79306d259e400
    SHA1 cf8a7ee686b73594226d87dccb456fdda88ed659
    SHA256 2539cf392c02958463726181830960f6bdf4c188d363058874a2d19b63f3910d
    SHA512 79393e0c9c74c5ed0511d21901c0653ef7bfe4ae87e313594b5a5d5738430f93581e4502322a9b8de3a99f27174ac062353b4492888416c0798c2359fbed3258

  • C:\Windows\{3B01F3BF-099C-44f0-BD8B-B6B5C513EE11}.exe
    Filesize 408KB
    MD5 e8c2e77fb2fb532915d00b3373b29bee
    SHA1 a097e32a4a500cdfe7cb132b3173c6d15425b7bf
    SHA256 90f8adb215f3bfa7573b901970534735cadbd10a0d5c5942fb6e20337adf4060
    SHA512 2aa4da78356dadcb943d4e4392be51ffe7f94995a583773b952dfca20f786ef5b65786a0fbfc1afb7b6af1f3cb9d821d7faf033de34c33b7f6a73ff340654ad0

  • C:\Windows\{44AD80E8-3627-4513-B8CF-07F1779EF0E1}.exe
    Filesize 408KB
    MD5 d174c64fc77199f704e18588543cfde7
    SHA1 20b5bd68d5e95fda9d9257c4a3c34567cf0a2a16
    SHA256 d91eacaf0ecb50c417a05b8d1b9c09cedbcf46c334e20b94aa6341d997fb8ffd
    SHA512 068eec547574438e315325b799bf8740f9938ca2b7efaf089418416a8e5fc52875be68571879d5735c31502e9dd17785a02543974599327ba1c3c4e4ac2cb072

  • C:\Windows\{657156EC-8D0E-425e-862E-0A58AF8D6176}.exe
    Filesize 408KB
    MD5 2ab59873d513e0492307b146a6010def
    SHA1 3de3db02e28ff2a26021669002e1354b421a449e
    SHA256 55747f8936787e46e3d60f5f9709c13ed5eaa7f26756500ded2f811508ec3442
    SHA512 f36751ab7b99b6666ed03e0554c94ba4bdb5638eb874259176a91115fae8f99f7a539fc82b0e1cd1f4e0b824f64b146e211ef81bdc74ca5392810c9f3cd83240

  • C:\Windows\{6DB9AC69-D5FF-4da1-BC28-8E88DC11C446}.exe
    Filesize 408KB
    MD5 32651d41a6a2bf57dd4ce64474a1e4af
    SHA1 19961b60b30281704f185e8c63cc812efdd613f4
    SHA256 2df4c15dbac32a250f88ea08c6bd9b85b1e2eabe2bbe39a87b98588735abb523
    SHA512 edbf2939a4f5c8d55d6e7e920d16056d650293ddfa7a68f4ac00b812116e43818a1e290b65982e42b0aa486711fb343a44a9d5577920e4318872c3ca616950e2

  • C:\Windows\{76ABA466-0AA0-468a-A776-F8C11C0A3BAD}.exe
    Filesize 408KB
    MD5 601287cc2d2e33a297edf35aa26d14e6
    SHA1 840b545ae2253ee07bc95c02d3175159072f23a1
    SHA256 e6fa3f7779d6e6599057082273ced9a4e799e177061243843573721cd6e93f94
    SHA512 d44d1126202433e6aaf9bec71b41bc88d0d1853ef2686d5cbf0352faf55b8f049f921d701939e7f13913511c7ecd6e33a9c65a7e9c4d2338ae8e4255b10e526b

  • C:\Windows\{963A86C1-70B3-429f-9E73-D400E033AF37}.exe
    Filesize 408KB
    MD5 e52cb39e5576a05a0292f2ca8e7da159
    SHA1 1e404747b71a69e2065f573dd9e93082570223ed
    SHA256 574aa4ef5b86a3a075e1bebbe152ba17da6fa0d0930227493f1961eb3ebc4fe9
    SHA512 69347722bf38350b8e0537ceb3d41ce446a2d8c1dd1506c6ec182076df1f4cf5e4616041c3f4ef42acfc4950527278dae4c6a6fa2c4579f76ba9d3a6a707a55b

  • C:\Windows\{A667AB5A-9E89-46dd-A6A3-BE39C8341433}.exe
    Filesize 408KB
    MD5 7f62503c9619f4636ffe863a1cbf0175
    SHA1 bf6837a400795ee472ae49ee2a349a36114c2b66
    SHA256 58ec75fa61468938d2685e2cfc7876be7bbaffdcf4d28f35a3261d2d5ade49a9
    SHA512 2084736a65f94fd9f6cff19c31af6ee5598223776202b9ffa162274b5f566c41dec762939052e56ad886f7c3f9106c126fe25615010e142e097a7856bc5606c6

  • C:\Windows\{ECF79E3A-7F93-4439-8044-011398DEF3F3}.exe
    Filesize 408KB
    MD5 4db616f2bf5c550bfc27934a4fec9de3
    SHA1 48ca0f4d254832f2a9defa0191fcaaea8ea26bea
    SHA256 bbee10a408520e3e97608fe93b95e4e59e48bfe87691ec648277714fa108f3fd
    SHA512 6c3de249ebd338c65ac3d66ba4167cc41fb855594cc191af0fbe838454a11553c153e8b543cc72a0c924f1598cfdf7efc7a4e081894071035b35084ee47fb0a5

  • C:\Windows\{F355A6B2-ADAB-4eb7-A8F7-479363A4FFA7}.exe
    Filesize 408KB
    MD5 8b58a46ade66528664244579aa6cbef2
    SHA1 057ef6c0f472a2408bb94645fe67329c64a707dc
    SHA256 834b4479cc78dbe21d919e5debc7c2f14e3e256fbeaed1801641f1fa7643447c
    SHA512 cb50b937711e58907b905e0f815b77bab3a9614b4ad9032dcd742a15b34a8743cf73cd2b844e8e44f2aeb5fe856b8ea31b7fc191d3c81cb65fa1db31bcc17971

  • C:\Windows\{F9913C8E-C158-4373-858D-684241B83347}.exe
    Filesize 408KB
    MD5 a0cb047d09d4cd6e80deea341b3ca5b1
    SHA1 44d96db58ca5ca3d421572ae85a85e99ca162b7b
    SHA256 ea9cb02db62e5df17d11091ab3fb8933332cc7c43d9d8803bbf804dfbcfe46ac
    SHA512 55b2f854daca938032236fb1775c6e98e0dc6aec6bc728c14b39cb0045a2ad8d1c4b36626d22d22e46422ccf402e5bfe0ef146f0e07d178e97ea518332a26215