Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:37

General

  • Target

    2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe

  • Size

    408KB

  • MD5

    63674177d321bd82d8149f48e69fd53a

  • SHA1

    d0a3b27b8a3d3a82241d7c13dfda65cbdcb8fb4a

  • SHA256

    9235dafa5d7eeef3a72e666e239a5c6951f1fe1815be71898d8e6e1aba87e15b

  • SHA512

    b8fd7f95eb163002cd765f4059122813ab7193a0c6cda577b9e6cb97e881c001767e71005c76f3251b68509304f762f7e04f63f679855ee39b33d2601194fada

  • SSDEEP

    3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGAldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (12 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_63674177d321bd82d8149f48e69fd53a_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe
      C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe
        C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe
          C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1672
          • C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe
            C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4172
            • C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe
              C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2700
              • C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe
                C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4400
                • C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe
                  C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:400
                  • C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe
                    C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4832
                    • C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe
                      C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3768
                      • C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe
                        C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2668
                        • C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe
                          C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2504
                          • C:\Windows\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe
                            C:\Windows\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2448
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{18CB1~1.EXE > nul
                            13⤵
                            PID:4308
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3EA9E~1.EXE > nul
                          12⤵
                          PID:1028
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{46D3F~1.EXE > nul
                        11⤵
                        PID:4980
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E97B0~1.EXE > nul
                      10⤵
                      PID:2168
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E2CEC~1.EXE > nul
                    9⤵
                    PID:4324
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{CFEEA~1.EXE > nul
                  8⤵
                  PID:3356
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{38BCA~1.EXE > nul
                7⤵
                PID:2056
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{45D87~1.EXE > nul
              6⤵
              PID:1012
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C6F85~1.EXE > nul
            5⤵
            PID:3400
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{49C48~1.EXE > nul
          4⤵
          PID:680
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9FFE~1.EXE > nul
        3⤵
        PID:872
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:3472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{18CB1547-B572-45f8-9406-159F82C674BF}.exe (408KB)
  • C:\Windows\{38BCAD47-C4BB-4d69-8FFB-F214A52D512D}.exe (408KB)
  • C:\Windows\{3EA9E892-03F8-4e26-A4C5-F564798DACD9}.exe (408KB)
  • C:\Windows\{45D87DDD-EFFC-4ec0-96DA-B0A323A051F6}.exe (408KB)
  • C:\Windows\{46D3F62D-3199-460e-9EEB-D130135ABDF1}.exe (408KB)
  • C:\Windows\{49C48CEE-A853-4c9e-8DCF-F016D15D3A1C}.exe (408KB)
  • C:\Windows\{A9FFED92-301C-48d4-B6B6-1B0BB2335FAC}.exe (408KB)
  • C:\Windows\{B745DFA7-CC59-4f4e-8987-ABBDA38BE15B}.exe (408KB)
  • C:\Windows\{C6F85873-4E8C-4d26-B2CD-75526F5E50DA}.exe (408KB)
  • C:\Windows\{CFEEA11D-39D9-4441-B980-B7CBD9047A3F}.exe (408KB)
  • C:\Windows\{E2CEC314-6E5D-4b12-8B61-8165BB8DB89C}.exe (408KB)
  • C:\Windows\{E97B0985-0F06-4b52-992B-F31C88FB01B7}.exe (408KB)