Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 17:33

General

  • Target

    2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe

  • Size

    408KB

  • MD5

    7c79d857b718bf5a5838505d3dbb615d

  • SHA1

    2ac8774151e05d71183cd09b9435ca32a3d543f7

  • SHA256

    8bd06ed0f125f4b50da63906bfecb187873bd82cb3d6ed64c5190e17642a23a6

  • SHA512

    f00d505f2d255864a4332affc6d8c9fb83aa5501625ed0f2473d96c52cc121d37bcdb7b826299376f993d410c63df93f96d752ef54efaee6ac02b8165dbed84d

  • SSDEEP

    3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGvldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_7c79d857b718bf5a5838505d3dbb615d_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
      C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3868
      • C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
        C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
          C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:684
          • C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
            C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3124
            • C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
              C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2260
              • C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
                C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5060
                • C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
                  C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:228
                  • C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
                    C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3224
                    • C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
                      C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3948
                      • C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
                        C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5000
                        • C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
                          C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2804
                          • C:\Windows\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe
                            C:\Windows\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1244
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{66AC9~1.EXE > nul
                            13⤵
                              PID:4540
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E10~1.EXE > nul
                            12⤵
                              PID:908
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{AE339~1.EXE > nul
                            11⤵
                              PID:2612
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{667D4~1.EXE > nul
                            10⤵
                              PID:1464
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CE3CE~1.EXE > nul
                            9⤵
                              PID:3528
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5D979~1.EXE > nul
                            8⤵
                              PID:4672
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EE9B1~1.EXE > nul
                            7⤵
                              PID:4084
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6A4E2~1.EXE > nul
                            6⤵
                              PID:1696
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{057AC~1.EXE > nul
                            5⤵
                              PID:2304
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{93B49~1.EXE > nul
                            4⤵
                              PID:2328
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E7C9C~1.EXE > nul
                            3⤵
                              PID:960
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:4496

Network

MITRE ATT&CK Enterprise v15

Downloads

                                • C:\Windows\{057ACFB1-9401-4e4c-A1FE-ED340A38F90F}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  b812e8c07891bcf8e6705946fa913d71

                                  SHA1

                                  c5b3b5ca65024da265a08dfbd5f459f37d45d55b

                                  SHA256

                                  bf05ce008809de972af858d4b64500f910da2aabfc93b97f1d81e7ff1d7a3978

                                  SHA512

                                  c2b0522d2a784151c21b6e930caf0d65bdfb483e0e4aea6f40325a0e363ccff2d0e331abe941e011f6309ae9689fd7e255b05a8dfa7541fff26201efe7e243fd

                                • C:\Windows\{092E74B0-8CA1-453b-9474-C9849FDD04D6}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  e3e4ca8fb903d13c21b49504eaf95157

                                  SHA1

                                  4357b3d701f20f7657c71e775a31d00229b05a22

                                  SHA256

                                  6dee847731881d5e9298879cd535f7758862e28b67530a81675f4991b69a3f76

                                  SHA512

                                  1b6a9d5fbb965dcc96bf32de25c66acbf63e823d892f2ce76ac961c7555041dd276e46a25e021f398830639ce889c23af57f06158c24c00810e515eccd32b733

                                • C:\Windows\{5D979789-F38F-4b5b-BC2D-19478E84D207}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  4dc2ea789329ad2178234de573bbef84

                                  SHA1

                                  a71e9af490b9e4439d3e1058fabcafb2b39fac0b

                                  SHA256

                                  25331edfbccf181ea520d2c986808f5515c85e176429f2f10498bdedf2ea9582

                                  SHA512

                                  aea055da68103b41f868e6416035d3e6965d9fe8f70880fe58f846fc152755ec134882474bef572039ef02f8d9241d7179c0c88d16c57aa5c581b773f5daf06f

                                • C:\Windows\{667D4632-5CD2-41af-8AE4-C3431B1C70D5}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  817cc53b342c9a1ec5fd9fb343d3ce8c

                                  SHA1

                                  e429828629e60325dd34e9356dba54f52d8ad0d1

                                  SHA256

                                  4f1930a2e1365fbf02528f3451062647333384394dee2dffe0e2544bf56f4a49

                                  SHA512

                                  a2a029ccdef36704cabfb2aea835bdce2ba2eeabd65baa24fe7adca14a021f8323a8230ca0cffb683261da7cb188bb549098e661052808fde6546e8e6a0e605d

                                • C:\Windows\{66AC986D-ECF3-45be-B750-D3D1110EDD66}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  a4d3e2ee12857b7b662be60653af74e9

                                  SHA1

                                  11e1ae4ab46a9890bb58f374c41750edb812cfe2

                                  SHA256

                                  f3e36653fe43082bde45f0c7b511e793d4ff73c8fa5ced1d1f5f53a744b15d29

                                  SHA512

                                  e236e1cf707f3ea03b88e30b199768fdbd744ce4c4d37a4faeec3a4a792913ad9a0487546e4785f6ce77eeed617709151a3e831e4426c98dfb1f4799951cf907

                                • C:\Windows\{6A4E25A3-21D7-4ea3-BC64-346FEEA12F1E}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  0e49ca9b2454e613cb41cde232c23b32

                                  SHA1

                                  10e8f4ca83f66e85fc14492d9fceb3dda37190f8

                                  SHA256

                                  cca1e922da4c1a962a275d39dc5410a2a0f14382f40da40ef497d78180159d44

                                  SHA512

                                  0da03b67de79a6f67efd7d567092949bb8fe33485f43e18f679fc27b8ec2c5df81e2e79266c0ffbc519140b1f525d6e3e3126721395ff9dd42f970262b96e136

                                • C:\Windows\{93B49C12-D985-40ae-87EF-8C9DB894EB6E}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  b26f9d0cc20f089e6a1dd999b421c11e

                                  SHA1

                                  d44204abc6c5e8e38ce25de210b0ebfa58f36123

                                  SHA256

                                  39595f1d295f80908905a670a20252cd621e123455614dd367d6c1ec5756eb97

                                  SHA512

                                  7d10856eef38524a06348701ebf494079849865f2af2ccfa4e07313f49f6e9a321d43f9b7e14b20341d4a764ec1aad0c4e7a23ac3eaae901d09cdb62ca7079e5

                                • C:\Windows\{AE339AEE-CDC9-4a63-B253-BEA89D3FAEDA}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  aefc4e8ce9a560a9b3f7be7cb8a5ed9f

                                  SHA1

                                  336ebcc8e16e5ff458879f0e5e1e6273688e2fd0

                                  SHA256

                                  43c7ab22ed6db1c732cb02112473a323b1f713d1c12786036e0cb24740e565c0

                                  SHA512

                                  80da9337350a1b2804cbef69f0a3612fd5fe3ac4c683bc95ee4b39524e2abab735508cd83cd326d767ac1cc6f420742eb870ca4ecdb24a96ae4f2b2d782e5485

                                • C:\Windows\{B8E10020-54FE-4ef2-82AA-528F280B51B9}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  140ea78a1743d77d052a2b424df28335

                                  SHA1

                                  ad2ab35bcec072709eb9cb2648c7628c9dad47b7

                                  SHA256

                                  b2815ef9ae13c1494a68dcbf7bc99863c423980109c970f938e0b0422a89d869

                                  SHA512

                                  a313676fe14dcb1b4435b18eacba68cad8492591d1ca9b08f378d24e0b8e722a0903f073f222a85180c35de095376e7ce6baa80933bca4a6f4dd938d58ecbda9

                                • C:\Windows\{CE3CE716-1338-4ca2-A9AF-56151A556E65}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  80244c62aae49a587c36d162434a8faf

                                  SHA1

                                  2c9c0ee44ca9b047825a2ec72cfddcd49f6e3a21

                                  SHA256

                                  3c804664cf2ad066e0c4e809b6011f8c71c0065bcc3b03f00ca8c512fe7f7553

                                  SHA512

                                  e461fef0fa32e12e398b1e8bc499d81522ce44a0c00be32bc6e0b45af7dc7b994dadfbb3dc3ba9c3e44f4b9db98bc24c05f4f025e5c3ff6214364901597539a5

                                • C:\Windows\{E7C9C5FF-1503-4c9d-B779-F8BF771B9182}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  955ca86c0b5ebf9a90e7af5aa77918ff

                                  SHA1

                                  3a59ec0452d0e4e60b376c3a74281a2d214f15c3

                                  SHA256

                                  84f1f15d00a4dfe6c7575f1eefb3373b8462f855ed85a159547d7850668454d4

                                  SHA512

                                  edb78c2fd0a6393a474ad92fc22364dcb36b76fc87f04a01873febbcf4a5226b369e051ff6db28157d08b34cc1cbcfe93094c0990dcaf8905258b7d2011c1d08

                                • C:\Windows\{EE9B1EA3-258E-47e9-9482-F33E461A8426}.exe

                                  Filesize

                                  408KB

                                  MD5

                                  2db6cdfb9b530e7f031d2d559c812d6e

                                  SHA1

                                  f94b2d82c451fe7bc0e4136efbe059a1ea689b3d

                                  SHA256

                                  f5520f710cb388d1e8113c359e8377f427454eb51630735982285ea3806985cb

                                  SHA512

                                  79160371e35bab305822b3204ebb1f0882dad8cdb1c7309c42b701539933d19d7862b07c4ad470bc2d785f821a1364f7e7a2a6eb4dff08a1ac9dec163fa955f0