Analysis

  • max time kernel
    149s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 17:41

General

  • Target

    2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe

  • Size

    192KB

  • MD5

    b74120f39986ebaf4507dd39d76c5a14

  • SHA1

    f5ea0ec84e6830c1044d993559b1b8a5f1935a55

  • SHA256

    21a531c3306520a16e04aa7a4f24c5aab801c790525e46256fbaaf7665da9291

  • SHA512

    906e42a51642a1a0c3cb94383ecaa6e5bea2761a61f7d547a4e4e806c8e138124867d103fb06383fbbb3740b3ef18811d3f374ca4dbd74773550b88b3d5e1607

  • SSDEEP

    1536:1EGh0ool15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ool1OPOe2MUVg3Ve+rXfMUa

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_b74120f39986ebaf4507dd39d76c5a14_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
      C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
        C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
          C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4280
          • C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
            C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3204
            • C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
              C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5000
              • C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
                C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2524
                • C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe
                  C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4372
                  • C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe
                    C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5060
                    • C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
                      C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1988
                      • C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe
                        C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3892
                        • C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
                          C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:808
                          • C:\Windows\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe
                            C:\Windows\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2960
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{34A09~1.EXE > nul
                            13⤵
                              PID:1496
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{223B1~1.EXE > nul
                            12⤵
                              PID:4876
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BB799~1.EXE > nul
                            11⤵
                              PID:920
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{651C4~1.EXE > nul
                            10⤵
                              PID:4908
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{42723~1.EXE > nul
                            9⤵
                              PID:680
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F6916~1.EXE > nul
                            8⤵
                              PID:4972
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0E5B9~1.EXE > nul
                            7⤵
                              PID:4360
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1913E~1.EXE > nul
                            6⤵
                              PID:5040
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EF826~1.EXE > nul
                            5⤵
                              PID:4788
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{03EF5~1.EXE > nul
                            4⤵
                              PID:3468
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{75034~1.EXE > nul
                            3⤵
                              PID:5116
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:4040

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{03EF51D4-610B-4cda-9DBF-C369D2CB81BD}.exe
    Filesize: 192KB
    MD5: 632f5de6ddb7cbc1e82fe3da2ade607f
    SHA1: 31fce5224d4856f7ee5bccf3a6132fd069b5d92a
    SHA256: 54209f59ab57303331dbd9a99b489ef09d3d32654fcb1ef87add45a34642ba39
    SHA512: 096ab142941158f4f78f28f5a3761b7a5787838251e32af2aee8b09fdfec569f9a8d6d35919cf8a1ec1f5d7027093164b90e364fbb9c115b70a39de253abdd8f

  • C:\Windows\{0E5B952C-BE16-4f99-BE36-ADCB87F925AE}.exe
    Filesize: 192KB
    MD5: a61a7b5724d714d412c42ef5fb25486e
    SHA1: 42050b0cc2efaebefb7d90e3a4998ba07eef4c0c
    SHA256: 9e920232f3d385fde2f4a58d63291cf240a5ef3a4a72103af901a050c700f62a
    SHA512: ba63403c11aac59bc96874e2d73a4d91a9af7698bea3c7c513582313f7df4b69c9ed9b739d08d2544ca732b834a7c1d4f335c3d7d4eba2c1b9e7028b6b8ce68d

  • C:\Windows\{1913E57F-A12B-4755-A932-D2AA5FE221C9}.exe
    Filesize: 192KB
    MD5: d4cf6e476c25122f0ee3761484378300
    SHA1: 4d0c6b096d1217efc8a7dd06c7ae0ccb117303e6
    SHA256: 37f78c040f4cefa089991f19482978c6eb9ed513286eb1a66096c7ccd93193e9
    SHA512: 8756a473ac49ea04207e33f1d551e2248b822948dd8b61521a3dff566a858bf16e43a4c3a74029641633343deb0d2721a5318d4728ca893fab5c93209119c744

  • C:\Windows\{223B197D-6314-4ab8-8D61-AE16B275A698}.exe
    Filesize: 192KB
    MD5: 595b4204ed87a8db4c3623006798240b
    SHA1: 437b00e026289aefa36fb53c4801cf3bae0846f3
    SHA256: ee9b9a46652351e3b596975c845d59c051468ad2b4514096c7a843e3767632cc
    SHA512: dc2860bec17b724164a433cdd6b60fcba5cd2848adac3f504dfe6be38c0ac3f9c2a1e34929c0557e944de337b7f7290f4bdc26e7f5c08d868dea507f6bd45d52

  • C:\Windows\{34A09CA8-12FE-437f-AB8F-5037A14D8DE0}.exe
    Filesize: 192KB
    MD5: 04e541aad12a58dc156a1bce222e5bc6
    SHA1: 42380d837f4e5a1dafefaa75fd7f0ce766b62001
    SHA256: b39a7c41df2ca1281b103baa0f237bf0a2d86a4fa696cea3a386bdfdaaf653e4
    SHA512: c84cf5b5cb62095a3797b9fca6da18198ac56f2dd62dc241e1adc6516d25d342e6dbe02588b4302017bb3c13e9f594f9d01aa8d91191e6881be26ac4100fae2f

  • C:\Windows\{42723B1C-F75B-4464-931B-718D61F1FA72}.exe
    Filesize: 192KB
    MD5: 4e3dc5fe20190afdad7d051e0e422306
    SHA1: 02e55184b6662327e0e6af6c6a8be8cc4746420f
    SHA256: dcbc5ee52f9589526e9ec5a2f8057a8260586f3105e05c44d9cfce9f8eefabb9
    SHA512: f5e1fb2ad3adc47c52fadcee8d42059bbfe0018b66d01f86bed97f1ee37b05aacd40c7641ec26fbdd8de26ad17c2df8fdbc44f9ad50a5476f44abe26d8438556

  • C:\Windows\{651C47C8-01D7-4345-91BE-DB021417A092}.exe
    Filesize: 192KB
    MD5: 8a6dce3283331245a56854c6e67cbb06
    SHA1: 47bb21c6e5b54f0dabca3acb4001c6f172f06a25
    SHA256: bcbbd2793472c371106195af3e31df5706bcc437392a4e999e6f6a68820928e2
    SHA512: 6141031aee3d9cad3118cb5df2de257a765a762d4576e44f381d3f54c8426774cee5c23652f2900b4e7a3289c5519e49cb9daa7c5a150dfa30aa79fedfa75303

  • C:\Windows\{75034D37-7304-4983-AFAD-141DC02D1E5A}.exe
    Filesize: 192KB
    MD5: 694c9e86cd85f7362dd7e6dc514ec0b9
    SHA1: 0ad1fe62854aa38c5539c2e7b667cebe44371823
    SHA256: 8fc2bb0cf6eab93b131f16bdf0180f61b580375333cafcdc4d26e0a1db8704a4
    SHA512: 286dec890858a91b0fc06cd31eceba0ae6c2cf96faf637e3fb0685ef25cebf682dae916e40d4f8416588aece5ac533fff733652d9594cd35c2a733cd81f6ce91

  • C:\Windows\{AB18EE09-3F82-41eb-993E-4301F2707232}.exe
    Filesize: 192KB
    MD5: 9ee357d65edc8a7c3ae4f39cfbf89ac3
    SHA1: 2a988363797ad20b9805de80d376be4481f48304
    SHA256: 76aba62559a520c35fdc2614ba5b2bdedd236e18671dae0537b8f47201a5c222
    SHA512: fe80712d34e53b1dcd4dadaa57ab7c7728f39a18ea35e179a33f7d5d0db51497e5be003d4f4a40b73d426aadb16d8290454d3181e685ff3766b57af169e92134

  • C:\Windows\{BB7991E4-3E51-43a6-ACEF-2DEC9C75BE72}.exe
    Filesize: 192KB
    MD5: ebb98166aae649d0dd74f655b105b9a3
    SHA1: e35846e2addabba2926922bad1c30a13a7068e1d
    SHA256: 15d72c234daa065e8cecc0d78473d504ecbe6bad2a7c2862aa8507fedd090d48
    SHA512: a9aa41d3721aa6d5eb0eef2dad636471e5f1b0154f8f38d5e7fde1b388108e1cdbe42ab48f22f9be5e21dff1a99f485fae020099e58677900c445227883e04a3

  • C:\Windows\{EF82682E-7377-4a09-948D-0DB6CD97A905}.exe
    Filesize: 192KB
    MD5: 226cfbc1f59376911d164a505733cc9b
    SHA1: 2eeba35d1c79d21d5da6ec75d6c11f09b5bb3fdc
    SHA256: df2690b448d26da7ba3c6a691e61efa49224034bf290e26ac7be28ed5b640ce4
    SHA512: 534b9685d4c94eb458b086634b90beeea85b8bb179a28db8dd036fc3e084cb7181c19f5d624fc2aaf90a2ae59310bcd230c93fd0fa7f4d0f7d4fd863693a3c80

  • C:\Windows\{F6916BB1-1AF2-482d-A48F-866F5CF633AC}.exe
    Filesize: 192KB
    MD5: f3d37850bdd8a7e308af3129584aed7d
    SHA1: e5bbd744d06f6bbf9b6c75652f60f3ffa7df504f
    SHA256: 7f31fbbc2d9f61fb0871aca95ea4a1ce048f788ad8c7001417afb71837debaf6
    SHA512: 1441a8c9bd0b3c74e4ec2e395700717964ecf7cac5fa7209e28021baecca30389823eac581060ca2259eefa5ff9479a1b7582f8a1f5892025bbc55014f5861f3