Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:39

General

  • Target

    2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe

  • Size

    180KB

  • MD5

    7797130fb4e98aab4021671402741353

  • SHA1

    4d73edec6762a49079032ecf3c4a1782aab754d8

  • SHA256

    8c74b39e1abe43c7e9774cdf80e1d441b320de635c37baa31c98f01586e57afc

  • SHA512

    8257b9fa76823847bdb0c7ac98ba5a9bcafd585a033d45982c4921df1b82e6e7f5cbe992e93de4fd1e7573e886d42989a66e971a6f9dd10e19187616cc8fb6ba

  • SSDEEP

    3072:jEGh0oalfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGcl5eKcAEc

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7797130fb4e98aab4021671402741353_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
      C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
        C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
          C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:444
          • C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
            C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2240
            • C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
              C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:316
              • C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
                C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3228
                • C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
                  C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3392
                  • C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
                    C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1808
                    • C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
                      C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1208
                      • C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
                        C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4932
                        • C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
                          C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1528
                          • C:\Windows\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe
                            C:\Windows\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1976
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3E952~1.EXE > nul
                            13⤵
                              PID:1236
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EF6DF~1.EXE > nul
                            12⤵
                              PID:3104
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6C30C~1.EXE > nul
                            11⤵
                              PID:944
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{ED177~1.EXE > nul
                            10⤵
                              PID:3020
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6E3F9~1.EXE > nul
                            9⤵
                              PID:4100
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B80B0~1.EXE > nul
                            8⤵
                              PID:3280
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{AE68C~1.EXE > nul
                            7⤵
                              PID:1960
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{98A3E~1.EXE > nul
                            6⤵
                              PID:3964
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8AECB~1.EXE > nul
                            5⤵
                              PID:996
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{943DE~1.EXE > nul
                            4⤵
                              PID:1616
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA95~1.EXE > nul
                            3⤵
                              PID:1792
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:4996

Network

MITRE ATT&CK Enterprise v15


Downloads

                                • C:\Windows\{2BA95F16-C0F1-4419-AD52-EC1BE237A4CF}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  66eecf4d401cc2718de59b9e225f164d

                                  SHA1

                                  20a421429315b8d67b7b516b82e1471f695063f9

                                  SHA256

                                  3037e2178f243b78f299e4b5f75781ec819a285c94c0562c641c1d30ce2716e3

                                  SHA512

                                  1c1934155138418667f456c4a89a1845284c0816faafabaf6613e16471206000cf5993599b8da8d0f204ad6c69d3931c90f0433beff52cb254eb5efd0daebfd8

                                • C:\Windows\{3E95282A-F3ED-4c24-86C6-D9CBFA6CE17E}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  e307704289028fb784de1db813f66783

                                  SHA1

                                  34e3932ed4153bebae990430b1003ed8e8d23beb

                                  SHA256

                                  3e1c608abb879529464271e94b5112b424fce00e803a6b3237f91ae4acc3bd7e

                                  SHA512

                                  369780a57f5f4b40aa6f3f553d59a250ae14571425ad1f1d6712b09c71626624f0b451ca4ae1978ad41a8f1fb782cec4000b444aecd54578253b606d3c454f2a

                                • C:\Windows\{4B8DB74C-D0FF-4507-86A2-350678FFB2C9}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  2531d19880f913c9921642937494bf0a

                                  SHA1

                                  d942afb92c4d29a91cc592e4fe79e590a788bdac

                                  SHA256

                                  485b6c9b4f4a3f4f05400905fdc4b401eba9ed143585a8dde92495006b8531f1

                                  SHA512

                                  21f38c05cb466e2127eaf4a1926253ee67f84a724d8205b8e7ab9d9c9ea23875fe3fd59d9fd6ec93cddd49762f128467924a2466d384ab02035d0e4dfbbde6e2

                                • C:\Windows\{6C30CCD9-7F29-4062-A0A4-DA5203A7DE07}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  a8d036e89feb6b0765a27ac67325dc03

                                  SHA1

                                  31b3d343f53b2e98fbfced37d2875d6baa9e21f5

                                  SHA256

                                  d3a46413b6406856a57d1a70aa5a1c58e64073057bd8327869dc05504324f9fd

                                  SHA512

                                  8df5769ccfecf6fab534f9188d3df089c6a3e35eb1308ae4a8d805cbeaa586a96bc222f7d50b92310fa644bfd1ca351a62775a0de45627cf021fcb81fe67def6

                                • C:\Windows\{6E3F9756-6101-4e5d-92B0-A173F53D34DB}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  d18737345fb01022d0a7eaae66263216

                                  SHA1

                                  a52d9a2b0cb5a58df0489fb39ff9c7df0e6142e1

                                  SHA256

                                  3344280daba79487c6994273cf4f66f46a11b11d4993383507d721370ad79435

                                  SHA512

                                  af826e2d6d2b1329a468c4bdd507e0a10b0b399424ec6cede32972c504fb1772f5e2d0d38b3d562db31700eb35ceb1583e187c3341ac735d2afc6824754d62f3

                                • C:\Windows\{8AECBE3B-7A34-4c19-A6C1-19EBE3FF15A9}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  e30828cefcb9c56b1c483c9bdaf13b34

                                  SHA1

                                  7fcfa18e0b17cd7046248a641158ef0a1da25c65

                                  SHA256

                                  227c87434478730831fc4b648cfe1cc3acd33bd97241025a1f8572dfd12b4b17

                                  SHA512

                                  0e04dedf1772715d5fe7ff96a024de1f3eb96d2c03974022825741e976f6ee9b862926a2e0b61cf6e7f8da1dcbc487386d3152ac2853408c7ce24783fe61d810

                                • C:\Windows\{943DE360-9E0A-4ce1-947A-CB6C9B63413D}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  af44ceec6e77a99373e44367a12a160c

                                  SHA1

                                  e898d18f9097495ed274dc9f33822de8175d2b29

                                  SHA256

                                  3df5dec7b25321840d6e85577c7a5bb72ddf206b43f3fc04dea9c90547967fbf

                                  SHA512

                                  1d01a2ce45edeaeff86c74bf4df520bbfad450638132597b3fc777888c6468d633609112641f2ec511e9c008385b33a6221d31ccba00a1cf6170b4381f2a96c4

                                • C:\Windows\{98A3EBC1-5FA4-4bb6-8E22-3F02B0DF7D83}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  cdffa5a0ded1161dd098fb6ea3702e37

                                  SHA1

                                  367b5561f2341c162bc1b3e14074f935f580b4a0

                                  SHA256

                                  f3697e35376252d73c4b701d79a98521ec8a6e2f7d1483c814f2fe6daf376c26

                                  SHA512

                                  622920ebf0202557e61027c5ee464a6727518a5919914769c63474724fc210e900b606ae2cb34d4dabd5b0a220ed1a8ad527f85400fe8a4135c48702ef037790

                                • C:\Windows\{AE68C556-2AA5-435d-A805-A18ACEA765AB}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  111162c84d901bc212885dc8f249cf4e

                                  SHA1

                                  9208a50843e3912ec6d85ca169bbb85e27d04f92

                                  SHA256

                                  69832c4561393c61ee8e18838c196ad28c17aceda0b98d2f26dafd5f4c2f85bd

                                  SHA512

                                  1e7974f7e35c98ef99d22ecd7f932d8edfe39511dd17e64cc2d2889a81a5ef589fa25dce2aa7e5b9d7f4ee9cc976fd934e9ebce5ab0e19ce9c59889dd1be4bb9

                                • C:\Windows\{B80B0CB7-6FE6-4650-B1C8-766FB1754837}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  b6088433a1e8736b2b36cc234083d9a0

                                  SHA1

                                  a8da3b01587d46be5fa37f05756da964cb9f098f

                                  SHA256

                                  f0d13d6787d356e68963a958c65975c39896496c951eff14548f8ebb650abbdb

                                  SHA512

                                  083f4a48073c3aed476d1eee438cde4567d22b41635b110a4b525cecd9061de6f5a419e65ce05e5dcb540129fa1bd0580417a79af915c4d7b89e4b093d462083

                                • C:\Windows\{ED177511-98E0-4335-9B3F-E7A560115E6E}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  3ae4ebd7b33f8eafb4ea748023eadd55

                                  SHA1

                                  4f9d0f146f707acb7af22dfe67579a9a9fc78af3

                                  SHA256

                                  9bd6c4e20f92720a9dd433b9ea370e9e3cddb939d8fed79692b64c12afc72037

                                  SHA512

                                  7eac2da62a105c16fbc905405766e813cf76a083a0916c2f58508ee6717d296926d4fb54d017616aa16a567e42755e10a1c47929c6ae9391587c8f8e6d2c69f7

                                • C:\Windows\{EF6DFE17-54C2-4fa2-A5C8-CCC1DAF8A2AA}.exe

                                  Filesize

                                  180KB

                                  MD5

                                  47b667981450518d2c8e9f0ff892c062

                                  SHA1

                                  504897c7fd300c4e466b684a8d53500aeb74eefd

                                  SHA256

                                  e5e921c38f39004b7d39312d0eb83753ef3558fcebde3e32eae656ddd8cfe742

                                  SHA512

                                  a3991942177ca9100aa0dd2eef0d16c1a6e52b219d482c7d4124fdc25208c65a6751569d8bc9c378e649147f955c1b51c0f717d008dc2da8b56170acf095b909