Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:39

General

  • Target

    2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe

  • Size

    204KB

  • MD5

    75d172b074cfb2f8092b21b0cb1417b8

  • SHA1

    27016bc58f7ed03a6a012f653f84282547c89a03

  • SHA256

    a640cd5774250fc10b40ac663eb8f85bac0d6fc61c3241bec84b210afbf774fc

  • SHA512

    2561cacb93cb9dc2976b4d0f808fc957efc7df9f46acbcf5e7816b0e38e2fe124a5c57752c8b400508c4626d4ea2b69bd8fbc4cebfe60b39e11940311b6d0705

  • SSDEEP

    1536:1EGh0oel15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_75d172b074cfb2f8092b21b0cb1417b8_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe
      C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe
        C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1864
        • C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe
          C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3268
          • C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe
            C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4752
            • C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe
              C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3796
              • C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe
                C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4180
                • C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe
                  C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4720
                  • C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe
                    C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1400
                    • C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe
                      C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3396
                      • C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe
                        C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4484
                        • C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe
                          C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3712
                          • C:\Windows\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe
                            C:\Windows\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2384
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CC496~1.EXE > nul
                            13⤵
                            PID:3708
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{134EC~1.EXE > nul
                          12⤵
                          PID:224
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3273E~1.EXE > nul
                        11⤵
                        PID:892
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B29A6~1.EXE > nul
                      10⤵
                      PID:1952
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{312CE~1.EXE > nul
                    9⤵
                    PID:4320
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A6E48~1.EXE > nul
                  8⤵
                  PID:3392
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{89503~1.EXE > nul
                7⤵
                PID:924
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8B7BB~1.EXE > nul
              6⤵
              PID:2872
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{58713~1.EXE > nul
            5⤵
            PID:4204
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B2A7F~1.EXE > nul
          4⤵
          PID:3396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FABE5~1.EXE > nul
        3⤵
        PID:3084
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4012
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{134EC873-14C7-4224-A6CE-00ACF8741AC0}.exe

    Filesize

    204KB

    MD5

    67a9b676c2a33d31a29b44294e841505

    SHA1

    768ef1b50fd193f1d1170e448da0139f1b964127

    SHA256

    c0bd39f11f9d3a568c107094a6804a5b0eca2274b079313c911593c9c205f8a2

    SHA512

    9738ce91a09f65f433e2f459eb61cb189e4e1f709827c6a059a383794f5637d05a0c11ee94f5569b6c933bf72a57f985fa96fe07584b3e05e98aac6d52399fb6

  • C:\Windows\{312CEC6F-501D-48a4-9CF2-B8FB40EE42E0}.exe

    Filesize

    204KB

    MD5

    ec4af289c61c289d6098753668b2170f

    SHA1

    228774804e1f74a660dba9107f337448831e1df7

    SHA256

    6475da04b8bbd6a0be87c4cc682b499f18f2c5bf32d2e0703b39f9f87c7296b2

    SHA512

    7377b3c2adca235c404645d767c43b5427d9a06c3281745d4e1e75727a8bb2e0f47525264cb4abd9a29712ed38fe07e408606bfe0b80a80c53487fe9fe8a343e

  • C:\Windows\{3273E874-44BD-4edd-B26C-2744E3FAB38F}.exe

    Filesize

    204KB

    MD5

    407110a478ef158962a99ad11c8b4a2a

    SHA1

    3af48962c5ecc0e2321ae388d0c8203ec13bfcda

    SHA256

    106c6c418a4ffcce6443c673994765c56b9713b79b4d18684ce8e7ebab6f7f05

    SHA512

    465773220871c8b207bbc7c643eddafe52cbf717d603deaa3463577018e7f4f0563b89b61fb270964f8e08b3605010f55e2208f393f5bd1e5e8dcd63fd9fd42b

  • C:\Windows\{51CFBEF9-AE19-4f07-A4CA-7FB909FBC436}.exe

    Filesize

    204KB

    MD5

    b328a2946e09bb4293f535fa4c86db4d

    SHA1

    6a29e7fdc13c2e799e70d311a2cd3fe393770325

    SHA256

    e83368b1da504eefb132b35b615b56fad788fc8dc0f55df2fc21d528a92b8770

    SHA512

    5f6049be238773536e409566f7c69d202562a815a073271f19c8693cf9e9e2dba638949569e8f92d3ce39cde3df5436d1e79e0ea379662a9824b04934c906ac2

  • C:\Windows\{58713D09-73AC-4eda-A452-AEC46CE74E13}.exe

    Filesize

    204KB

    MD5

    fb286c9ab84cea71bf8f7782df0c2786

    SHA1

    d27aeeb9165a88cddf33cd522ec24d8b17e50f39

    SHA256

    4dcaf0464314cdacb6a0fc0329a01008e8acd9c8f4739add2d7efd76ef41630d

    SHA512

    a7e2ccb4b6995c76eb83d92ae2b7a5e6ef2fc450cf239f1c93da8e92d80161e5f1cab9daec2c9f529ec6703cbd2a38fcbb6a51ad6a23333b0534b5bcadf86739

  • C:\Windows\{89503AD9-6E16-4fab-B5CD-5405CBFFCD2B}.exe

    Filesize

    204KB

    MD5

    4ef4b1bb048e2366cca9888888845065

    SHA1

    fd90bca1781a8ab43827d38fb63b4104c0a38f85

    SHA256

    8046e03a15521890fcfde48929dc5d1bcf42df6ec58ebb3eaf64c032b1a26c64

    SHA512

    4b15f79cc7abb515975593ee701d6166e2feea69cec07dea7cf8a14569efeade836de844421c78c938267400ccec77a3b8322fc27f4d2033ed37e675ebd6d058

  • C:\Windows\{8B7BBF34-1979-4a8f-A7E7-073E461DBFD3}.exe

    Filesize

    204KB

    MD5

    9c23c000ff24d2de75f109d08b7b5717

    SHA1

    9ccf169df18dd046e2140d13861eadbf6672fe9a

    SHA256

    e10d42099f1f2162fc42d3212295334a3580a81ba9a9835208c40cf1cab8a235

    SHA512

    cc1fc7ee863521037eaed556b33f2d5df935485073d7112a3ded7fce848488ea191abc0f6fe10c0eb97298976a7defb3b2d13b44e8112def89eedd61371b2c32

  • C:\Windows\{A6E48A4E-3B89-4fbf-ACDE-70925D5F65F8}.exe

    Filesize

    204KB

    MD5

    efdd2ed4c8eb69b467fe63489da18f7c

    SHA1

    d00006428cdd92377a94e7b3ddffb3efbc4a0720

    SHA256

    07a130aad3469a8fe520a963409f04d0d2c741a1a2e0147a8efd775051f848be

    SHA512

    ad6d8811c55c35d0c76d1ceb68e6d335503e83be7ea7231835cbe56ba62ff3381e582324ffc913c27ad5f7923abc19656368a2db00cba7568693025181a4be17

  • C:\Windows\{B29A60B6-4A70-4c08-9EAB-9B89A863D987}.exe

    Filesize

    204KB

    MD5

    54f891e79fb1113bfafb9a7920f58f7b

    SHA1

    cad301e4ad54bd74facd6305b1346725e6a70500

    SHA256

    b664a416a29b36a123dd8e3a2c60c81dd7f5c6fed8fe47adcbea0625715f3f92

    SHA512

    122edeb009466bb45036092da15a72765c8fa903e577516fac1e075cf24efd88aa566b0616c3ba8cf129af40497d87b8c53d47300365c37aabda6931d558d337

  • C:\Windows\{B2A7F5F6-7E5F-41d4-9F15-35797C80D352}.exe

    Filesize

    204KB

    MD5

    a2b469acc741ff446ed07b19c9fe2086

    SHA1

    9ebaca265e9a8079971731d103405817c96dc5f3

    SHA256

    5c25a4e27277a720be1c29023447bec5bd576a2e34220a59680512a8f8f56afb

    SHA512

    12c24b7063f373aebd8456614806e8efad6f41be8b79daa641cf839a31596b172c9fcf906e07ec0078abf7e7d13167fe57dbbcc4ef3691d780f06aa1d5f5a8ed

  • C:\Windows\{CC49627F-2E9A-4d49-BFAF-235B2C826019}.exe

    Filesize

    204KB

    MD5

    1accfb19b813188153da23bf2eb1fd36

    SHA1

    4bacc4e3faadff2dc8ed75a7e9cc87b185ced2ea

    SHA256

    60546a252eb2dbb75eee4c638236b8d743142519cfad6288b8bed3d383ec1177

    SHA512

    04197b451cb32c357d60f2d82345912ec1d21aadae15826cef023e9b27b5056b7e9f54c249d2710470a5467315423e46d53f7d1cdda5abfd8702568335f9eb4b

  • C:\Windows\{FABE5D89-D3C3-4e2e-9849-9FE6415E6493}.exe

    Filesize

    204KB

    MD5

    7fa99a1b13dcfdf38860fe66096360f5

    SHA1

    c5d6f11e99928902aa2efa8794ea0c7930809ae3

    SHA256

    0f49c54332066c3fbbfa36e8c6e9561877ebb1c4076eb619172dd6120a5fdf60

    SHA512

    dc34abf652e104d42cdea2e8393f2d9d62e41410f92ce725541f378f26b1b1a7777de402c92ca3f143212591f64d857123e651b38d8113f20c336cde47c0ddff