Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/04/2024, 17:36

General

  • Target

    2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe

  • Size

    216KB

  • MD5

    8ea0dd1a711c9c10168735d32e4aa174

  • SHA1

    25d038f82d14faf3c2911dd41ed978c86d838ae0

  • SHA256

    dd45da4ac9e71a521959ca58a588567054e9cdcb884a15dfb0699bf81045c02e

  • SHA512

    25b011767726f66f55f5e1238de4535958536fdef94ece48267afae0bc1ff0e5ccf9963e073dd30ed47a765b5cdf23c3341d1e85d195c4daec3699cb2a33533d

  • SSDEEP

    3072:jEGh0o0l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_8ea0dd1a711c9c10168735d32e4aa174_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe
      C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
        C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
          C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4596
          • C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe
            C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1620
            • C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
              C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1248
              • C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
                C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2824
                • C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
                  C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4308
                  • C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe
                    C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3820
                    • C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe
                      C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4036
                      • C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
                        C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2484
                        • C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
                          C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5000
                          • C:\Windows\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe
                            C:\Windows\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4540
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D63F2~1.EXE > nul
                            13⤵
                              PID:2540
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD4A~1.EXE > nul
                            12⤵
                              PID:3216
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9BA15~1.EXE > nul
                            11⤵
                              PID:824
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B97CE~1.EXE > nul
                            10⤵
                              PID:1988
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{80D81~1.EXE > nul
                            9⤵
                              PID:4916
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{74B5E~1.EXE > nul
                            8⤵
                              PID:2072
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A25A0~1.EXE > nul
                            7⤵
                              PID:2840
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{12C40~1.EXE > nul
                            6⤵
                              PID:2572
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BB533~1.EXE > nul
                            5⤵
                              PID:3420
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A45AC~1.EXE > nul
                            4⤵
                              PID:1948
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{918FB~1.EXE > nul
                            3⤵
                              PID:5060
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:5076

                          Network

                                MITRE ATT&CK Enterprise v15


                                Downloads

                                • C:\Windows\{12C40225-1013-4415-A568-FB02DB725901}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  543893a0a858923956e345f39ee6b4cd

                                  SHA1

                                  fae3f9e9617a4624b0ebb360fc432480e85bafd1

                                  SHA256

                                  b883cd5714ea5d62f99bd498662407c7e26636631be5ef052e2364499a18ed02

                                  SHA512

                                  b34192ccabb1e9364916546b9526401461d2331398ebe19f275950f87cf49b8334fa1ee9b28d642d2fee948895062e4a57a7b74b9e3476a013fcce11f4a94078

                                • C:\Windows\{2DD4A9AB-3883-4bd3-81C3-7B636D56728D}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  2455b9dfa3240f88e4cbd906dba88ef9

                                  SHA1

                                  0f3b2dca4bf8ec6b0134560ab0ad7fb4f248b6cc

                                  SHA256

                                  c232d63ec482c0eba0b58a3e661c36c7136e599400ff1ce05c9089353c3f16d4

                                  SHA512

                                  ae8d03b44698761f868e67e3eae557c07b2e04e4ad735c6c6244f7099bc7b8e32f8c165fd7d6bf4428af85cc35ab366e62b0067609a4734efb827059af428bce

                                • C:\Windows\{4EE23A6F-85C7-41f0-A344-CA8116409042}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  55c75934c745647e28b938043b65779e

                                  SHA1

                                  856d147aa1951aac8922f44c3a12891fd582caef

                                  SHA256

                                  aac89ad9247e50b74f968f5789f7a8c783e85b4dc49951ac730a2f6341fbb247

                                  SHA512

                                  2c87a626c0f2fb12be9a4be2a6b2057a0717423eef739637b1f658c52af3ef5a8628697316744713d9a3d7acbf7e9a194673549284612bbee5b5f7066c80a61b

                                • C:\Windows\{74B5EE71-1CDD-48d4-8B11-F68767E5EF8A}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  6366bf3fc3e0af6785e1d8c6227d95f4

                                  SHA1

                                  59184270f232e71a531f23ddce24b644256aff57

                                  SHA256

                                  7267b9f9eb0b2fceb21a29e1d02a592c5229e63f103f2e98223d4091bf8ccd33

                                  SHA512

                                  68851e88870322242d73b28299b852d03c3efa9f9c220762e94c11cd8c4d151e5a0dfb235347f18c89f05a2796d99d95df1f81d64329140729d2ca1a909eba80

                                • C:\Windows\{80D812A7-C614-4f51-9C74-610C39DBF4F3}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  b113dd50ed62f2aa70f0cfd611994d54

                                  SHA1

                                  677b424659d090d1835671b58c745721b742b07e

                                  SHA256

                                  a0db00408000e8d03d34550f1208a50f1d5fa28a8374f397d30c6faf0f00e795

                                  SHA512

                                  e7677f57f494919a4f7f1b65f8c8561f7b1241ccf5964254801d1b87ef3e1c0afb198f6594f6aadf3162890c1fbfd0ab6b8c7f1fa3176a851a955079005f74ee

                                • C:\Windows\{918FB280-112E-4283-97CF-5681231EA6BF}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  cf085e698cb7b788bfb5cedacefe0257

                                  SHA1

                                  7af13fead39d1826f6daea7132ed1badaff46447

                                  SHA256

                                  99715c049e6336d7f2d9ed8b4921bb6e04d529bbc3332ff8f02a345a1fdec323

                                  SHA512

                                  1e5984877c22d225ef2c7097599980b7f0589a5fa06ab410878cac7ecbded4d9682d007e0f6cc1094819dcb69f1325844363e3ee8be5a08c005983cae25ec0ce

                                • C:\Windows\{9BA15531-A12A-4272-AA7C-2956CD817667}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  ac9fa2a4221bd749f9a6bca8ab88d62c

                                  SHA1

                                  9bfc78a4d4ef8155080e1691c65162a35f15d6ea

                                  SHA256

                                  12138fbde420804b2b037190fa83532b8a711e49fdaf5d18c4cba5a1aebc94da

                                  SHA512

                                  560058ba482712ac3704c7bdf16354f6fdb8a4f1bcab553dc5cdead85550c3a8ee9cfb5053e7de0d8dca9abd33a4e3baa9f47b68123e1c01fab1bf4a62d9dfc7

                                • C:\Windows\{A25A01A7-2E01-4d23-87C9-C2FEE46290DE}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  2f29dcd67ab25a1d8b66f256e08a0ded

                                  SHA1

                                  b82cdf48cc058b387f0b9649f83ee0fdfaeb97e1

                                  SHA256

                                  9dd1fcbf1040e2fd54ce547064d0bff3c1202c2195acdfe29f558fb3666e4589

                                  SHA512

                                  610a77a11582cd3724de5a0e49fbf55e6e1b7cd28ef64c3543a252782352fae346c4c696b37828e30a1afa1d8a2de81310f739ac76c95db452776287788cd7cb

                                • C:\Windows\{A45AC08A-24A6-4f07-8BD6-F0ADD00BC5F9}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  dc588700cb292a8ad17c88f572b97dc5

                                  SHA1

                                  5006a6dde1252f87f1cd2cb3b0d2013eaac448d2

                                  SHA256

                                  fc0bef8ef2348fde23cfd4bd301a7adae9a40e87a21b61e1655931f90f886ee6

                                  SHA512

                                  4067c53d1d0ecc97dd1ad83177bb3e34de03ba467f01203f654607d7d639313ab3953f81c484b10f3b735b9bc0409abd78a925fbee0c30d3b0c2f0e89f933f10

                                • C:\Windows\{B97CE493-16F8-4140-884F-15FB1B237A16}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  b0cadd284e6475b0da7670031c563dc2

                                  SHA1

                                  cab84a6856a5b94af73972ad9338d94d43e01dcd

                                  SHA256

                                  5afa4c830ef87b7d0436448918353e33a53ce524a2f03556f1f21fcfb43a3f93

                                  SHA512

                                  d24ad3f7acd090a7ecc1deab194fec5165a299b65e85bee0a4745b7bfcacdc9fc6a69fdd49f2ea7c7f86b481700b22bd7cee14cf62bb743da31b6d4d8256351f

                                • C:\Windows\{BB533CCD-0C97-4751-BC4C-F246376E0600}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  c19eefde76eeb805a99f9ef9971f6483

                                  SHA1

                                  83757c1587687cd7ea30802d52c1d5578ce8a996

                                  SHA256

                                  d4193ef8d13817bb4a15f2500372c39bca26771fd26834bfd7d6bea43d36c282

                                  SHA512

                                  c17facf5f765dcca748b2b65e3123d36931ea9b184b530881772db7588bdb4784a499e3644af170be6f5518eb883ea5d843911a07836db44337dae946130e257

                                • C:\Windows\{D63F22D9-9ED5-4316-8767-821075F36FAF}.exe

                                  Filesize

                                  216KB

                                  MD5

                                  96da12da75a15b3f6b308bdc66f535c9

                                  SHA1

                                  89e8e5fd6e0b1fa378fb844919d94adbc05645b3

                                  SHA256

                                  c7fd2d257f25b00a5b6177ddff56fa33d6e49006289bb5e854c4875cf8351a0a

                                  SHA512

                                  c09bfecfe3464618cc6e173e2744b0ae633af80b21349512e48105b1ab8323dfdce4099b4a9dc02aceca564b7e2594b32119e04135958115933853e4fead26db