Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/04/2024, 13:37

General

  • Target

    2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe

  • Size

    168KB

  • MD5

    5f0dc811482238f0932c7529f94c2671

  • SHA1

    d6e5550a87d5851acc0a5ad0ea8e2e3944c2382f

  • SHA256

    dc4d3c6adc73b6019c3836caeb4fb9c9591b51cf03cffe6f1d1008572ca0e603

  • SHA512

    c4bb9f4d54df43d7ccdac3e7808e2a5c773c380d9b098f18cd1e59f783859075daa25d219d268dce983a7f6c565cd6f95ba4c6edbb9353cec0354b6caae0ce11

  • SSDEEP

    1536:1EGh0omlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0omlqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
      C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
        C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4232
        • C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
          C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
            C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1180
            • C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe
              C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1820
              • C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
                C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2996
                • C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
                  C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2240
                  • C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
                    C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3384
                    • C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe
                      C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5000
                      • C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
                        C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1980
                        • C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe
                          C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4760
                          • C:\Windows\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe
                            C:\Windows\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4240
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{781E4~1.EXE > nul
                            13⤵
                              PID:4340
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9D2B2~1.EXE > nul
                            12⤵
                              PID:3924
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{81B81~1.EXE > nul
                            11⤵
                              PID:1072
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{04D65~1.EXE > nul
                            10⤵
                              PID:2908
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1918B~1.EXE > nul
                            9⤵
                              PID:2172
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9629E~1.EXE > nul
                            8⤵
                              PID:3472
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F00AA~1.EXE > nul
                            7⤵
                              PID:2360
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{53404~1.EXE > nul
                            6⤵
                              PID:452
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A06BC~1.EXE > nul
                            5⤵
                              PID:4556
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5746D~1.EXE > nul
                            4⤵
                              PID:2080
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F0028~1.EXE > nul
                            3⤵
                              PID:940
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:4684
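The tree above shows one pattern repeated thirteen times: each stage drops the next {GUID}.exe into C:\Windows, executes it, and spawns cmd.exe /c del against its own image under the 8.3 short name (for example {781E4~1.EXE for {781E4282-4994-4391-B342-15B572088883}.exe), so the GUID never appears in the deleting command line. The detection logic below is an added example, not part of the sandbox report. Its events are constructed from the command lines and PIDs shown in the tree in a Sysmon Event ID 1-like shape; the field names, the explorer.exe parent, the benign cmd.exe line and the function names are this example's own assumptions.

```python
"""Detection logic for the chain in the process tree above.

Added example, not part of the sandbox report. The events below are
constructed from the command lines and PIDs the report shows, in a
Sysmon Event ID 1-like shape; the field names, the explorer.exe parent
and the benign cmd.exe line are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# {GUID}.exe directly under C:\Windows, as every dropped stage is named
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}\.exe$"
)
# "cmd.exe /c del <path> > nul", the self-removal each stage performs
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def short_name_matches(short_path: str, long_path: str) -> bool:
    """True if an 8.3 name such as C:\\Windows\\{781E4~1.EXE refers to long_path.

    Windows derives the short form from the first six characters of the
    long stem, a ~N suffix and the first three extension characters; the
    sample deletes itself under that form, so the GUID never appears in
    the cmd.exe command line and a plain substring search misses it.
    """
    s_dir, _, s_base = short_path.rpartition("\\")
    l_dir, _, l_base = long_path.rpartition("\\")
    if s_dir.lower() != l_dir.lower() or "." not in l_base:
        return False
    m = re.match(r"^(.{1,6})~\d+\.(\w{1,3})$", s_base)
    if not m:
        return False
    l_stem, l_ext = l_base.rsplit(".", 1)
    return (l_stem.upper().startswith(m.group(1).upper())
            and l_ext.upper() == m.group(2).upper())


def classify_events(events):
    """Return (kind, parent_pid, child_pid) alerts for the two behaviours the
    report exhibits: a GUID-named C:\\Windows EXE spawning another one, and a
    process removing its own image through cmd.exe."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if GUID_EXE.match(e.image) and GUID_EXE.match(parent.image):
            alerts.append(("guid_exe_chain", parent.pid, e.pid))
        m = CMD_DEL.search(e.cmdline)
        if m and e.image.lower().endswith("\\cmd.exe"):
            target = m.group(1)
            if (target.lower() == parent.image.lower()
                    or short_name_matches(target, parent.image)):
                alerts.append(("self_delete_via_cmd", parent.pid, e.pid))
    return alerts


W = "C:\\Windows\\"
T = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = T + "2024-04-04_5f0dc811482238f0932c7529f94c2671_goldeneye.exe"
S1 = W + "{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe"
S2 = W + "{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe"
S3 = W + "{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe"
CMD = W + "SysWOW64\\cmd.exe"

# Constructed from the first four levels of the report's tree plus two
# assumed benign events (explorer.exe and a user deleting a text file).
EVENTS = [
    ProcEvent(1000, 4, W + "explorer.exe", "explorer.exe"),
    ProcEvent(3456, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2012, 3456, S1, S1),
    ProcEvent(4684, 3456, CMD, f"C:\\Windows\\system32\\cmd.exe /c del {T}2024-0~1.EXE > nul"),
    ProcEvent(4232, 2012, S2, S2),
    ProcEvent(940, 2012, CMD, f"C:\\Windows\\system32\\cmd.exe /c del {W}{{F0028~1.EXE > nul"),
    ProcEvent(2648, 4232, S3, S3),
    ProcEvent(2080, 4232, CMD, f"C:\\Windows\\system32\\cmd.exe /c del {W}{{5746D~1.EXE > nul"),
    ProcEvent(5555, 1000, CMD, "C:\\Windows\\system32\\cmd.exe /c del C:\\Users\\Admin\\Desktop\\old.txt > nul"),
]


def alert_counts(events=EVENTS):
    """Number of alerts per kind over the constructed events."""
    counts = {}
    for kind, _, _ in classify_events(events):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in classify_events(EVENTS):
        print(alert)
```

On the constructed events this yields two guid_exe_chain alerts (the first GUID stage is launched by the Temp sample, so only GUID-to-GUID spawns count) and three self_delete_via_cmd alerts, while the benign del of old.txt is ignored. Against real telemetry, join the cmd.exe child to its parent by PID and parent PID, as above, rather than searching command lines for the GUID.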

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe
    Filesize
    168KB
    MD5
    5503d5f3700cf9ef57f377d4bc48722f
    SHA1
    efea76922870236a26f1375ed07fbc1061193a6a
    SHA256
    69e599be5f867b97d069fe636bb9908b33518660f9bbd6904f16a209c92a20e2
    SHA512
    bb9a2a416bbba7f759e66ba0df6539c4d36d19228129d1ff848c1195a92e9b470ac64f4678dd3a8e4759e5eee562822ad97708e733cd8f8f4cde2302950b2f41
  • C:\Windows\{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe
    Filesize
    168KB
    MD5
    937db7ecd920cc71be64d74b68bc523f
    SHA1
    4049ca279f241ca6cb40e78af5765b32c8e79e42
    SHA256
    5b30ded4e5c7192be22fab5c659ca2f6912801b5fb20db8714d6ade10a8127bb
    SHA512
    e9f4dedaf5c7b18c72b23836fabced5123764728bbb6d4a69260dbca28dc4f107acf55f2af7dc9708987bfb2897a89126ede7e7455b30cd823d31eb524516d06
  • C:\Windows\{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe
    Filesize
    168KB
    MD5
    b9f4480a11a2b2058c4518d0609a59e2
    SHA1
    87c4fbb5a6e900104c5dd81709e951c6d27846b9
    SHA256
    f0cd7d0cd45762253e8df0b36c2a49dea9ab4931640f1f48bafce356b7e81202
    SHA512
    5b0dcab864e75b5a9deb6a6f3fa0880fca39ae71e827e12b6bd3837fe8ebf627261dff1a580c66c025867a173079f39980c64b34b88732006fb1569e87c31b35
  • C:\Windows\{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe
    Filesize
    168KB
    MD5
    a2545b19f93d994754edf811546212f0
    SHA1
    94de568cb62922fdb27a416ec2e15a627df3ca38
    SHA256
    55f91a17e6455092ddf42e8c24d14e6678814e135194addcb1250dab0da2f729
    SHA512
    a51d50190283be94ef24b873cbe0909384a0d3bddcc45f37da7693272047ff145aa8cacce42efa904feb800b19a88242ea2f63d0d14e73231513af54541ae87d
  • C:\Windows\{781E4282-4994-4391-B342-15B572088883}.exe
    Filesize
    168KB
    MD5
    23c8650632b111ac326025c4fa49be96
    SHA1
    0561e1213302ee8242dc87069e8665aeb0bbb026
    SHA256
    7d883f07b0f9833e21c3c0d8100eddc31731116c6256c85fe1eb93c788e82bc8
    SHA512
    ce9305f14b0e5dd0072b15b445838d333510762e1c0c676cb86f9e545573bf5b0992fd0712d2bcf0507e9dfe05b985407d263e2d2c9ad8b1229e96fd62e90649
  • C:\Windows\{81B81674-4271-4b43-A106-7F75F63955D7}.exe
    Filesize
    168KB
    MD5
    16456c392ab1ac15cf3ea1eeb72b9227
    SHA1
    71b72d4e3d395b9c7489011dd31ad89d949d803e
    SHA256
    0ed847e66ec013aa65e177093696f4e63745f882a19b859a27769b2fd8e9158a
    SHA512
    ee069f6c7bc2b4514b981d9b60f7ef470bb04edd10b9f24619dc614868aeeebad0c50929ebe009296c2a25cec19c0d69448cdb9f26e5b6db078ec387f8e95132
  • C:\Windows\{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe
    Filesize
    168KB
    MD5
    61b1e983912a7fb22b4e6bcc8a195514
    SHA1
    35800dc9e1f91d6e007a6225e29cacf1c33e427a
    SHA256
    de8849e03a90b14fdd402dba6caf6441cb08c0ffc546a2b31f792dbeeef5d290
    SHA512
    65eb4246899a1b521ada3d0bb4eae173fd6ffdb8c6c954e4ff02e3f35d29b8aa91210a25503af421902c8f7bd576eb11f3ff2e7e1fda63856afff8c3c7539b14
  • C:\Windows\{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe
    Filesize
    168KB
    MD5
    61a20dece937e23d96f1aa516302ffb3
    SHA1
    4a1881523e1532385369997a71073ff642f5f497
    SHA256
    69bfe42ef18fac805f6dff8652732142196bda7fb9735eff25a309a803eb710e
    SHA512
    7b619e82f44ff0c19238a1ab21035826c9cd5bb2f652705878e2ad781a53955ed13a33f9c43bfce862159fe2821a98196fa7bd1bcd050d57681154d423181656
  • C:\Windows\{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe
    Filesize
    168KB
    MD5
    38edfa87fccb3960a152c36502cfc34d
    SHA1
    a2f95c2795b0142da540b69f4b178b16a0e4acb9
    SHA256
    09647d3d07fe8b9c813f924a5187a00f9e765a6620f5ee1112245aa375a0dfaf
    SHA512
    ebdfa1fd858187c1b4a1a43d3c9c062fc7a890efe5bafd89d0bc24daa5a320d0aeb7759251d587e1152d3c5a425154a096ac079401abb6712c92ef4326e88050
  • C:\Windows\{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe
    Filesize
    168KB
    MD5
    efd6d767e4f57454981d415a47670337
    SHA1
    7f97b0423d120fc070667c33915227a4629d7008
    SHA256
    c1d2738cbe617f84cb3e47967e8cd8e9cb93f58b27acbbdd88fb76842f9e3095
    SHA512
    47326d522833a0cdcda8f9e4226a101b3e120a0570ed075838bbdfa0619a56e54efdcab884ae3ab0049ce5e84273d5baccd62c40f433e5d6e83bba0772e0084d
  • C:\Windows\{F00AAA7D-4694-4436-9E58-B37222213553}.exe
    Filesize
    168KB
    MD5
    dd44912abde6bae5a8788a21ec18f32e
    SHA1
    fd951d9cd432c6de0a64adac38d5802909a1903a
    SHA256
    728ca5b32a4f68d428dfc29a5be763c514f492da43ad0870e4f8f14d1b26d138
    SHA512
    06ad759d8a94cffa8a9344083372a46219d6a19ac06da8b7b5f8db51ec5e997b23cba913ae2127912f6ea3fee5618768ffa84fbc8a5b16c396df630b402a394c
  • C:\Windows\{FF39B152-4D89-480e-B0E9-02C15422758B}.exe
    Filesize
    168KB
    MD5
    c7f39e8aea732518075331a8772c1c33
    SHA1
    21719fa4700e734529936c598d9fcb0ae5afb43d
    SHA256
    1570ff7449c35e53b15e78481ffb88b5a6a1e93cb4a8444781c484a17e9a4a98
    SHA512
    43fc2691f9fb08599a6828da92dcd8b83efdf325004a3a848c2009f5e75e24a5203998ee45ccae2bfabec08e65576edd9084d1ae5845c37e4b70f2794a5deafa
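Every dropped file in the Downloads section has the same 168KB size but a different MD5/SHA1/SHA256, so, judging from this report, a hash list alone is a fragile indicator for this sample: the durable indicators are the {GUID}.exe naming and the C:\Windows location. The triage helper below is an added example, not part of the sandbox report. KNOWN_SHA256 is copied from the report (the submitted sample plus the twelve drops); the scan function, its output shape and the constructed test files are this example's own assumptions. The report's "Modifies Installed Components in the registry" signature does not show which key was written, so no registry check is attempted here.

```python
"""Triage of the dropped-file indicators listed above.

Added example, not part of the sandbox report. The hashes in
KNOWN_SHA256 are copied from the report (submitted sample plus the
twelve drops); the scan function, its output shape and the constructed
test files are this example's own assumptions.
"""
import hashlib
import os
import re
import tempfile

# Dropped stages are named {GUID}.exe; the hex case in the report is mixed
GUID_EXE_NAME = re.compile(
    r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.IGNORECASE
)

KNOWN_SHA256 = {
    "dc4d3c6adc73b6019c3836caeb4fb9c9591b51cf03cffe6f1d1008572ca0e603": "submitted sample",
    "69e599be5f867b97d069fe636bb9908b33518660f9bbd6904f16a209c92a20e2": "{04D65A68-DCF9-4abe-84BD-2E378B4D760E}.exe",
    "5b30ded4e5c7192be22fab5c659ca2f6912801b5fb20db8714d6ade10a8127bb": "{1918BBE8-CB09-4cc6-92E1-D0887A785C23}.exe",
    "f0cd7d0cd45762253e8df0b36c2a49dea9ab4931640f1f48bafce356b7e81202": "{53404B33-473F-4be6-A7D1-D5DB573439F3}.exe",
    "55f91a17e6455092ddf42e8c24d14e6678814e135194addcb1250dab0da2f729": "{5746DB37-67C3-4e2e-9076-4C5FAC5C1C26}.exe",
    "7d883f07b0f9833e21c3c0d8100eddc31731116c6256c85fe1eb93c788e82bc8": "{781E4282-4994-4391-B342-15B572088883}.exe",
    "0ed847e66ec013aa65e177093696f4e63745f882a19b859a27769b2fd8e9158a": "{81B81674-4271-4b43-A106-7F75F63955D7}.exe",
    "de8849e03a90b14fdd402dba6caf6441cb08c0ffc546a2b31f792dbeeef5d290": "{9629E476-A30D-4cdd-A735-B579DD2A307D}.exe",
    "69bfe42ef18fac805f6dff8652732142196bda7fb9735eff25a309a803eb710e": "{9D2B2551-0A85-4331-AAA6-B34BAD220293}.exe",
    "09647d3d07fe8b9c813f924a5187a00f9e765a6620f5ee1112245aa375a0dfaf": "{A06BC06B-4F29-43c4-86C7-AA55F106565F}.exe",
    "c1d2738cbe617f84cb3e47967e8cd8e9cb93f58b27acbbdd88fb76842f9e3095": "{F0028D2C-C8C8-48fc-B227-46F3007D79FC}.exe",
    "728ca5b32a4f68d428dfc29a5be763c514f492da43ad0870e4f8f14d1b26d138": "{F00AAA7D-4694-4436-9E58-B37222213553}.exe",
    "1570ff7449c35e53b15e78481ffb88b5a6a1e93cb4a8444781c484a17e9a4a98": "{FF39B152-4D89-480e-B0E9-02C15422758B}.exe",
}


def sha256_of(path: str) -> str:
    """Streamed SHA256 of a file, so large files are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_dir(directory: str):
    """Return (hash_hits, name_hits).

    hash_hits: files whose SHA256 is one of the report's indicators.
    name_hits: {GUID}.exe files in `directory` whatever their hash, which
    is what catches a fresh run whose drops hash differently.
    """
    hash_hits, name_hits = [], []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of(path)
        if digest in KNOWN_SHA256:
            hash_hits.append((path, KNOWN_SHA256[digest]))
        if GUID_EXE_NAME.match(name):
            name_hits.append((path, digest))
    return hash_hits, name_hits


def demo():
    """Constructed directory: one GUID-named file with made-up content and
    one unrelated file. No hash hit is expected, one name hit is."""
    with tempfile.TemporaryDirectory() as d:
        guid_file = os.path.join(d, "{0B0B0B0B-0000-4000-8000-000000000001}.exe")
        with open(guid_file, "wb") as f:
            f.write(b"MZ" + b"\x00" * 166)  # constructed bytes, not a real PE
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"not malware")
        return scan_dir(d)


if __name__ == "__main__":
    hash_hits, name_hits = demo()
    print("hash hits:", hash_hits)
    print("name hits:", [os.path.basename(p) for p, _ in name_hits])
    print("distinct indicator hashes:", len(KNOWN_SHA256))
```

On a suspect host, point scan_dir at C:\Windows: a hash hit ties a file to this exact report, while a name hit with an unknown hash is the expected outcome for a new run of the same sample and should be handled as a hit, not a miss.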