Analysis

  • max time kernel
    149s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:36

General

  • Target

    2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe

  • Size

    180KB

  • MD5

    566aa4cd67f4c3337a1d128c0ee66d87

  • SHA1

    82125716a0fd42b24ac14bf8543439bd02b3cc6c

  • SHA256

    a4d353a50d90c5ee5f645e50e11954d7e4dbee081d95e4fa3fa51e857b192168

  • SHA512

    97123beefeeadfb7a7e2c09fdcfcfeb98246313bf4e3853c683403eeb158f37d9ff0b0962a5cb9f57dfc5a56e3cd89c63755a366a8b369626e30581d2c22c98e

  • SSDEEP

    3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_566aa4cd67f4c3337a1d128c0ee66d87_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
      C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
        C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
          C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
            C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4220
            • C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe
              C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1796
              • C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
                C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2072
                • C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
                  C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4924
                  • C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe
                    C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1600
                    • C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
                      C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1832
                      • C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
                        C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4340
                        • C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
                          C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:8
                          • C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe
                            C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4820
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{55FB7~1.EXE > nul
                            13⤵
                            PID:3776
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9967B~1.EXE > nul
                          12⤵
                          PID:5064
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{65EEE~1.EXE > nul
                        11⤵
                        PID:404
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C7130~1.EXE > nul
                      10⤵
                      PID:4264
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6B397~1.EXE > nul
                    9⤵
                    PID:4640
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{77B3B~1.EXE > nul
                  8⤵
                  PID:4524
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{35484~1.EXE > nul
                7⤵
                PID:5080
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6E889~1.EXE > nul
              6⤵
              PID:1628
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC3D~1.EXE > nul
            5⤵
            PID:4172
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{390C9~1.EXE > nul
          4⤵
          PID:1416
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C22~1.EXE > nul
        3⤵
        PID:60
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4024

Network

MITRE ATT&CK Enterprise v15

Downloads

                                • C:\Windows\{35484110-B1A4-4d27-9253-3280CE901D5D}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  0fc5bc411ec863b8ef31b6105aaea5a5

                                  SHA1

                                  fb310ee022b23cbc48a7e7dde5834419aaa0ddbb

                                  SHA256

                                  c98f63875a59f1c63dd73bd0d0e1c0b10ed0d364b6562d3e8573de188cd7cc91

                                  SHA512

                                  a416e6f4036d1bb4ae13d1296f4b674a141c24f84853aeab059224f5490bb48d65dca0d0aba50610a88b863f7171a46a95b1e4a47604372e91d8442361c923f5

                                • C:\Windows\{390C9A1B-9B35-4239-A904-10A1964FE03C}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  e526e4a2593f59769311affc3b0b02d2

                                  SHA1

                                  6cd30dfb0653a25cc40c42e277f1a88fcab3d281

                                  SHA256

                                  0543db4016a12599366efb1db45e8ec74a4c9b7cfa327c0fa21a81492c9ec718

                                  SHA512

                                  6d98799e34814e9bb9740511775c99887deebb680db862516b9b6808cd99a0d1a7818f52fd59ff50d28a1de79655f12fb7ee47a8f6d01cbea3338d4ed373d1fd

                                • C:\Windows\{4AC3D849-FE60-4701-BD89-ACEB95804B63}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  844d50c4c89bede9dd276f51c24af53f

                                  SHA1

                                  965852716b051501f6eaf7138c1ff81a211e0288

                                  SHA256

                                  c91720460de24e0a068b17c1268527ee68b94a72baa343a77a8cadb81452d440

                                  SHA512

                                  d40600664461506fbe5f92c31828a17b33ef6247fc5e3007b7b283d3f9be7ba0803482ce3cff257131802d02e3683d3a5aa8df91eb6cebdcf6e7b9a55c4a075c

                                • C:\Windows\{55FB73E9-1C65-4546-AB2D-6009EFC63871}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  3d35c5ea4e2c7278f8952c282a3b946e

                                  SHA1

                                  955cda7fef39bece44bbb5ee4e7d775715928657

                                  SHA256

                                  a97378bafddac5e66e300a2f88874c459fa0aef360b0de4d4d079fb8fe464225

                                  SHA512

                                  dee3c78a04cad2145c8537e712541ff89e4c84e2f79ce219b11b89358a3f0a424470fe04a18befaa1dbb34dd548eed425ab95d5cb49c5e8cf37e42699ff27289

                                • C:\Windows\{65EEEF76-0858-4f6a-BDF7-F3C86003FE49}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  a94caab3bd875a3af5ee1ea3d0df44c4

                                  SHA1

                                  1241f19ddbe7907ba77aa5d87d3c03c9cb7ebb59

                                  SHA256

                                  5e25989b231fd4d3c3372b8c0f5b53883bb4212c108218a81263a7445cd0039e

                                  SHA512

                                  2dbcd8c870ee8289180ca8167b5eb9f4a7aec3cd3abc4ad37dfdc8afecc96af8c05602d3d6f458bb1bea0fc8df5e46034b95364af81bd67b6f610e39f7ccc17e

                                • C:\Windows\{6B397FE2-71BA-4ed6-907B-9C03DE349096}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  5ce82a24474f84095401df53af2c2f9d

                                  SHA1

                                  f7cd20893e52f00561e983d2e5cc7e2f43727f57

                                  SHA256

                                  f590d702b28b564c8f8163c4f78270b96d95afee5b9a400f0ecb6f98376c23c0

                                  SHA512

                                  15b91f48403e6ceed4c85d760c0cd7927f2952d2fc776da31917c4e6379262cb6517421df3701a8706aef3280a08ba4d7fae32b1fc07fa8b610c7692a5756a1c

                                • C:\Windows\{6E889AD0-C2A0-4ec8-8E02-F8B164BBD02D}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  35344cdd4fec8f2c620c6da727ed50ac

                                  SHA1

                                  1ac019fbb4242bd5881049b6333704eeb9dfcc49

                                  SHA256

                                  fab9206fc22ca16e011794b1b55d7dcf1fffe13004a1241156e8126009827910

                                  SHA512

                                  9006b18e4edacefc3eb56ef4442e4769c1064b1913f5500ae2ce31c584a5fdb1e30095b5a8de8103d8efd54718749ca579e37e3248ef7aaced72df04daf6ea38

                                • C:\Windows\{77B3BB85-6D3F-48b4-95D6-A98B9ED4A7CB}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  56136e7b56ee670856de4e9cb2190a22

                                  SHA1

                                  e09af0e74ce9936050582e981a2323232ad82917

                                  SHA256

                                  689fab017550d5934070365e508756dfe1363e4097f762f04661df00f298a185

                                  SHA512

                                  e0a6abfd52de2836dac9a77d669b832e68020fc26a8e6c0c638e1f7f944cd7a0bc56f90ceeb0c9ebedc71fd65f913f935466d45f0a54babd5c8013131847adbf

                                • C:\Windows\{873C61E7-5308-4f16-8BD3-2232578478D5}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  30f036fad0105ddd7dbbfc3d94e7be4b

                                  SHA1

                                  c3145437d0bd8253bfc0316992673d117098cb9c

                                  SHA256

                                  e5bd663b089d25e4d5022ab38afcc28d7f530e269e1e0b83947b013389d7574f

                                  SHA512

                                  d36685449d3564c720d6f9d0d974978e58fb2739ea7003fbe65c7f497e9fa30f6989bbe6a78be1c6818d38828e92aaca475aa77e0e7ee7fd91c4543a6e9b6ca6

                                • C:\Windows\{9967B6DF-6E76-4864-8162-FA5765D15FFA}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  179a47cd9d052db77702998b9c38b260

                                  SHA1

                                  c2166afb47f43c535cdeaeea91412730d48a86ed

                                  SHA256

                                  ab62e9ad08bda5ed2e7694e081bf7798f2e0c532594692359e35ed6b116a3f25

                                  SHA512

                                  6934cef31e3033f21808245b61ade6af6c698530770cbe8b18afe132ed2a278e40055be969e013f9fbda0cb6df92e12fb098c64481c4cb4bc7f3956a770771ea

                                • C:\Windows\{C0C220C5-781C-4bc1-9C22-BA1D993A39F2}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  8265fb2d362699c97111cff330ad8e99

                                  SHA1

                                  732b6e88493dfd42c8502a55a7ebd156d63c8d06

                                  SHA256

                                  d666db23ac50e90cb6c6e1aae3dd6fd901ef87cadcc1b6e9c9c1a26f28c53be0

                                  SHA512

                                  ee36c12d09b45ac823bb6ca59cd511209b1c0a8d72e28962acc02ba1eeef81d47892011fec4805b1252892692095d571af2c84c714b683617a5e9e2d692610bb

                                • C:\Windows\{C7130592-EB19-432c-8743-F6518207F74C}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  f2ed789e1fb177aab40e689a93be5694

                                  SHA1

                                  c87de8d8c8285906c23102853853ab87da2e643c

                                  SHA256

                                  1598692a5290601c6207a36251d20c67bd312e9f36a7d5f7b61a139ced3e7818

                                  SHA512

                                  29ecf5451ff7f358747eb5ff76fcaf14883f7ebef0f6cc9b2beea86f68f5eeea387b8420067b91675eaff965b620c4584b39e945ba3cf91b2f7f8d84b2ffeec1