Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:40

General

  • Target

    2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe

  • Size

    197KB

  • MD5

    7ab09cf27c3f40c2dda8d177614af4df

  • SHA1

    c5641c003869f3c35b8c35158bd902d77481dcc6

  • SHA256

    9f5cb290f246ab711516464b106d16d714c9b940d450a6efe4d4ae3d170be7cd

  • SHA512

    989f7d057c91f946c0e4d195d04c4abf65487c2b509332ff1c8657df5df078bde4e952cb0e2697211887a29453c9d51d82d571df9025b06aa4ca95c5eb9a4964

  • SSDEEP

    3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGZlEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
      C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
        C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
          C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:632
          • C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
            C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2504
            • C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
              C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3112
              • C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
                C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1872
                • C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe
                  C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1348
                  • C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
                    C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1156
                    • C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
                      C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1200
                      • C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe
                        C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4328
                        • C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
                          C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:376
                          • C:\Windows\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe
                            C:\Windows\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1736
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D6E14~1.EXE > nul
                            13⤵
                            PID:4652
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4E005~1.EXE > nul
                          12⤵
                          PID:3984
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{03295~1.EXE > nul
                        11⤵
                        PID:4512
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F74~1.EXE > nul
                      10⤵
                      PID:2032
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4A02D~1.EXE > nul
                    9⤵
                    PID:3672
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{AC90A~1.EXE > nul
                  8⤵
                  PID:2256
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{6D7E9~1.EXE > nul
                7⤵
                PID:4788
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0CBC9~1.EXE > nul
              6⤵
              PID:1620
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CC762~1.EXE > nul
            5⤵
            PID:2628
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{57E36~1.EXE > nul
          4⤵
          PID:1092
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF42C~1.EXE > nul
        3⤵
        PID:3988
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4676
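The tree follows one fixed pattern: each stage writes a 197KB executable named after a fresh GUID into the root of C:\Windows, launches it, and then spawns cmd.exe /c del against its own 8.3 short name (for example {D6E14~1.EXE for {D6E145EC-617A-4364-8079-41BA74D37EFA}.exe), so the file is gone from disk by the time the next stage is running. Every dropped file has the size of the original sample but none of its hashes, so hash-based blocking of the sample alone catches nothing past stage one. The script below is an added example and not part of the sandbox report: it rebuilds Sysmon-style process-creation events from the tree (constructed data; the field names are borrowed from Sysmon Event ID 1, and the first stage gets a parent PID of 0 and an empty parent image because the report shows neither), then flags both behaviours, linking the deleted short name to the parent's long name without touching the filesystem.

```python
"""Detect the drop-run-delete chain shown in the sandbox process tree.

Added example, not part of the sandbox report. The events are constructed
from the report's process tree in the shape of Sysmon Event ID 1 (process
creation) records; the field names follow Sysmon, while the helper names,
the 0 parent PID and the empty parent image of stage one are assumptions.
"""
import re
from typing import List, Tuple

# A GUID-named executable sitting directly in C:\Windows.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$")
# The self-deletion one-liner: cmd.exe /c del <path> > nul
DEL_CMD = re.compile(r"\bdel\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)

SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
# (image name, PID) for every stage, in spawn order, as reported.
STAGES: List[Tuple[str, int]] = [
    ("2024-04-04_7ab09cf27c3f40c2dda8d177614af4df_goldeneye.exe", 3984),
    ("{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe", 3692),
    ("{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe", 1216),
    ("{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe", 632),
    ("{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe", 2504),
    ("{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe", 3112),
    ("{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe", 1872),
    ("{4A02DF97-FF65-4909-A883-144C95653DBE}.exe", 1348),
    ("{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe", 1156),
    ("{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe", 1200),
    ("{4E005216-E643-48f2-97EE-350E040BC522}.exe", 4328),
    ("{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe", 376),
    ("{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe", 1736),
]
# (cmd.exe PID, 8.3 path it deletes): stage i spawns DELETES[i] against itself.
DELETES: List[Tuple[int, str]] = [
    (4676, SAMPLE_DIR + r"\2024-0~1.EXE"),
    (3988, r"C:\Windows\{CF42C~1.EXE"), (1092, r"C:\Windows\{57E36~1.EXE"),
    (2628, r"C:\Windows\{CC762~1.EXE"), (1620, r"C:\Windows\{0CBC9~1.EXE"),
    (4788, r"C:\Windows\{6D7E9~1.EXE"), (2256, r"C:\Windows\{AC90A~1.EXE"),
    (3672, r"C:\Windows\{4A02D~1.EXE"), (2032, r"C:\Windows\{B7F74~1.EXE"),
    (4512, r"C:\Windows\{03295~1.EXE"), (3984, r"C:\Windows\{4E005~1.EXE"),
    (4652, r"C:\Windows\{D6E14~1.EXE"),
]


def build_events() -> List[dict]:
    """Construct the process-creation events implied by the tree."""
    images = [SAMPLE_DIR + "\\" + STAGES[0][0]]
    images += ["C:\\Windows\\" + name for name, _ in STAGES[1:]]
    events: List[dict] = []
    for i, (_, pid) in enumerate(STAGES):
        events.append({
            "ProcessId": pid, "Image": images[i], "CommandLine": f'"{images[i]}"',
            "ParentProcessId": STAGES[i - 1][1] if i else 0,  # 0: not in the report
            "ParentImage": images[i - 1] if i else "",
        })
        if i < len(DELETES):  # the last stage never got to delete itself
            cmd_pid, target = DELETES[i]
            events.append({
                "ProcessId": cmd_pid, "Image": r"C:\Windows\SysWOW64\cmd.exe",
                "CommandLine": rf"C:\Windows\system32\cmd.exe /c del {target} > nul",
                "ParentProcessId": pid, "ParentImage": images[i],
            })
    return events


def short_name_matches(short_path: str, long_path: str) -> bool:
    """True if short_path is the 8.3 alias of long_path: same directory, same
    extension, and a stem of the form <first six name characters>~N. Windows
    derives the alias from the long name, so no NTFS lookup is needed. Names
    containing characters that 8.3 generation strips (spaces, '+', ',') would
    need normalising first; none of the names in this tree do."""
    sdir, _, sname = short_path.rpartition("\\")
    ldir, _, lname = long_path.rpartition("\\")
    sstem, _, sext = sname.rpartition(".")
    lstem, _, lext = lname.rpartition(".")
    m = re.fullmatch(r"(.{1,6})~\d+", sstem)
    return (bool(m) and sdir.lower() == ldir.lower()
            and sext.lower() == lext.lower()
            and lstem.lower().startswith(m.group(1).lower()))


def detect(events: List[dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, PID, evidence) for each event matching either behaviour."""
    findings = []
    for ev in events:
        if GUID_EXE.match(ev["Image"]):
            findings.append(("guid_exe_in_windows_root", ev["ProcessId"], ev["Image"]))
        if ev["Image"].lower().endswith("\\cmd.exe"):
            m = DEL_CMD.search(ev["CommandLine"])
            if m and short_name_matches(m.group("target"), ev["ParentImage"]):
                findings.append(("self_delete_via_cmd", ev["ProcessId"], ev["ParentImage"]))
    return findings


def chain_length(events: List[dict]) -> int:
    """Longest parent-to-child run ending in a GUID-named stage; the first
    link may live anywhere (here the sample in the user's Temp directory)."""
    parent_of = {ev["Image"]: ev["ParentImage"]
                 for ev in events if GUID_EXE.match(ev["Image"])}
    best = 0
    for image in parent_of:
        length, cur = 1, parent_of[image]
        while cur:
            length += 1
            cur = parent_of.get(cur, "")
        best = max(best, length)
    return best


if __name__ == "__main__":
    evs = build_events()
    for rule, pid, evidence in detect(evs):
        print(f"{rule:26} pid={pid:<5} {evidence}")
    print("chain length:", chain_length(evs))
```

PID 3984 appears twice in the tree (the original sample and, after it had exited, a later cmd.exe), which is why the rules pivot on Image and ParentImage rather than on process IDs; an EDR or Sysmon query should do the same. Run stand-alone, the script reports twelve GUID executables in C:\Windows, twelve self-deletions, and a chain of thirteen processes.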

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{032952EE-4F0E-4c62-BBA7-1E84A56CF5AF}.exe
    Filesize: 197KB
    MD5: 22c1485c6fc717ead99f12b5f324a805
    SHA1: 7dd4aad0516ffb0006615251eb072798fb4a7363
    SHA256: ecaeb6925371736ddec78c2c89f5e34773a83f977800e18bd78302ac19c6a031
    SHA512: f2fcde8c2666bcd01c58c9f8e5f42f1461c71c0f1bee98adb3852b90070d29eb5ee2fc8ed679fb89c87baa0ef9b5d87c26b3de541794b35f8297d803f4bb7de1

  • C:\Windows\{0CBC99A7-0D2A-4500-B867-6273722B2ADA}.exe
    Filesize: 197KB
    MD5: 73161a6d1079fde1e41dac6eeee25af8
    SHA1: 7ff92e3401a82219538c4796cd2b3958f22d9c41
    SHA256: 61f0334531ffa3ea7fb69fbf6759537b84dc445d484fb02b4149126d82aecc98
    SHA512: 0e0f4f7c1a15ff791bde019d9336649d42c2397839f5104b9351f333357cf161dbe62aa5db4b2c39a1dee8139f2cfb29172e6e38be9b54b2fa34e2be98d4eee0

  • C:\Windows\{4A02DF97-FF65-4909-A883-144C95653DBE}.exe
    Filesize: 197KB
    MD5: e62dc7dadab2112540e858782dd19f3e
    SHA1: 81442942cfaad4e200da3039877e29382bbd20b7
    SHA256: 2f0dc54ef2c912d479d9325ee6c81c2a79d2ca13e1268588f0f611e338b02844
    SHA512: 7afecf91a4f726cd07b239e35692c2fce3dce184a8b4d4b2551388516ac329c0218e508b82b3a374eadbc7980d985a27c415631030b322db33c6d61f17d8bca6

  • C:\Windows\{4E005216-E643-48f2-97EE-350E040BC522}.exe
    Filesize: 197KB
    MD5: 1738696c634dcfc09e5a0ae2d69523fe
    SHA1: 3951dae4354b03633e64d0d0639f9f699b4db50a
    SHA256: 271d15e1c7ece342ab79a92c4134432eca8a57bbe017451009967b30d03b6e46
    SHA512: a33c805d7ee42cf1ec85108dfed0eb80df8c15763068d3b0d45995188b0de34b859c0b782eda35d364c90918fad4639615ea7f1029507a34a9055d93d733dfc1

  • C:\Windows\{57E366FC-EB05-4056-8BF6-AC4B5290932C}.exe
    Filesize: 197KB
    MD5: de9628a5389c09fa3456d7c9eb2279f6
    SHA1: 50b8f3cc0218f46e94228a6ecfb9b55022e17450
    SHA256: b772303edda7d7ce24b77328fc0e24632333561fedfba2d4187a4afe17f87e08
    SHA512: 41c6745fd120fce89db2f6b7c653ce561472086a3e377acb0d9f95807c2997aa6a14f2d3f85ff0ccbf9d20213241817667978833cf865beb863d9b02ff517f96

  • C:\Windows\{6D7E978B-B0E1-4a6f-87D2-13EFFD515E41}.exe
    Filesize: 197KB
    MD5: be27b62d4c28f50ac0d884dcbc59bdb6
    SHA1: 2159d172a71470cd4cc30ed878e679ea53bcd507
    SHA256: 7d6238257a54d453c18d19f77196193c29190affe292e002312f54725e9ebdd8
    SHA512: e749006b5c74ef3e89952de7842ec6d77cd691d2c8adb781b71a53bf1671b0c4ba39477eee1042d54e44152c4b464199199b388b3a26af14204e0312c1652637

  • C:\Windows\{9FF67798-A358-4aaf-9B7D-6D50B04D3D4F}.exe
    Filesize: 197KB
    MD5: 2da41137f2853677c6f5a9c92772f9aa
    SHA1: a8773c29957e049c31c8618993be3bdf1bdf0ade
    SHA256: ac2f27fb695d6516f22dc3f6f1be11766cc1d64c682a274410fdcc0ae1ce9a5b
    SHA512: a377f5e977e0d17bac3878e0c17e2494533d486325b7eb245027778c70ac856c1e281469b5845a5ef05f63400277d84bd5770a7f0bc2dc605fa7b1ff85c7c1c1

  • C:\Windows\{AC90A403-C3EC-4c4e-83F8-204E07142636}.exe
    Filesize: 197KB
    MD5: ee35f6f09751ffe038424c2bf4b257ef
    SHA1: 9b97846314a4f425f17e477fe9921347b7944da4
    SHA256: aa9b172ce361b78fcf3be4a3701878efad0522527ac8f7eb6dce3e0383ef211d
    SHA512: 357a28e8f659326188768af7a9a785f09ded536a56d5532eff506595718f577234c86209eee6f833aeafebaf39387217665a3d62f549bce60abdd59fd07764c4

  • C:\Windows\{B7F74C34-5E87-47d2-81C2-BC939C416253}.exe
    Filesize: 197KB
    MD5: 9142706754f7c376f04a289ce74658b8
    SHA1: f2e440548b6e5de69ec0256f4c126a593c5a3d59
    SHA256: 8495f01f4b13c00ff0bfc97375278533454407860364b60f91e475ca1dcd4a17
    SHA512: ed3a90c768e9b04c63a39e6f2e43993ee5149fa24026a3b4a93d1cac581f89cc6594e2a51e8957daee62e6ca04c0ae86432b2f8adcf2733c75d001d0e6505681

  • C:\Windows\{CC762C9F-B672-45eb-B51B-C46ABF197EF6}.exe
    Filesize: 197KB
    MD5: e3c957f7d6edf60e7dd9b00c7f739e57
    SHA1: c3e5bf5c41334167c290b54af29c207837695e76
    SHA256: 67a380c9044e30c6a084f6ef86c8e1d6fca4fad8b791e4fe4d6d898d020050a3
    SHA512: 342ffc2333f43bd4e22ec3ddc443af51f0058ed8df83e466dec120d743b46203fb03782855f3605473dc9a738b6ee1761cab662885ccfeb34660d62c9f1de873

  • C:\Windows\{CF42C359-D683-4e51-B245-1A35A7545B1F}.exe
    Filesize: 197KB
    MD5: bf2aca766e2fd0efb855d0c20db24e77
    SHA1: b5770f95e66ee1d59fb6281bd4d9c6aeb80e0bed
    SHA256: 42d07d11e7736abc37f9b4d172ff182a6ef6a9b37a1235d34307f821d087015d
    SHA512: 6e69285aaa032ad96e64395540eb147fc4fb6fdb23d3224c336eeeae93a551b90817288fc301dee8174af0f64a14098283ef2849097bba71320f7bb49663acfb

  • C:\Windows\{D6E145EC-617A-4364-8079-41BA74D37EFA}.exe
    Filesize: 197KB
    MD5: 7923f6dd4a07f9c8f83e5d82316e6048
    SHA1: cb898f6b588f970fe271a7b571064f757900d157
    SHA256: 313b3cf4d51d1dc664fab4ce7b1bcb6359fbf0bf68626bd4231014245998e168
    SHA512: 9665594602a129b7280521dcb654b5cf80368896b310e4ea723df147d2e4aef970af4b00a595566156240cfefa8e979c9c7814c88c5f423dc6e21e404a5b6e7b