Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 17:48

General

  • Target

    2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe

  • Size

    197KB

  • MD5

    e4d2a0c0c33dc92bb5245ec3f744cdbf

  • SHA1

    3efb34fc084ec2a81d56a8253fe55a2245e969a3

  • SHA256

    2489e2760ad547f24841cca1879a74d5d47ca8083c53eb86fa73977edcfefd5e

  • SHA512

    ed6b4ebfc4e272740d4eb36f8ef6906bf29a6579a80fbad88414d9c3b4ac01839ee609a710d9df1a66708d0329c5df62fe74d9a930a1eb2017b4922618d75a17

  • SSDEEP

    3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGTlEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (11 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_e4d2a0c0c33dc92bb5245ec3f744cdbf_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
      C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
        C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:888
        • C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
          C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
            C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4944
            • C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
              C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3416
              • C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe
                C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4624
                • C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe
                  C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:992
                  • C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
                    C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2944
                    • C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
                      C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2044
                      • C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
                        C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3784
                        • C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe
                          C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2172
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A3ABD~1.EXE > nul
                          12⤵
                          PID:1624
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{912B9~1.EXE > nul
                        11⤵
                        PID:1844
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3BD2F~1.EXE > nul
                      10⤵
                      PID:2208
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{1D7B2~1.EXE > nul
                    9⤵
                    PID:232
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{54370~1.EXE > nul
                  8⤵
                  PID:4384
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E7EA1~1.EXE > nul
                7⤵
                PID:2304
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9D3F1~1.EXE > nul
              6⤵
              PID:4516
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{58C4F~1.EXE > nul
            5⤵
            PID:4128
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{92B78~1.EXE > nul
          4⤵
          PID:2300
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBD30~1.EXE > nul
        3⤵
        PID:216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{080B4434-0C83-440a-AB17-6F320EFB129E}.exe
    Filesize
    197KB
    MD5
    3113041443b5fa15feddca2389f5302c
    SHA1
    993c0ec28cb2f49d2a5172b5b1df86a6cf78558c
    SHA256
    40adda4ee5cc4c6a6a588cf818871c3279ab7b19a542618d0cdc5b66f46e864c
    SHA512
    d8a565a0e42b8b177533314a67169b4ba13acfd2daab51498f006cd7d037fd195a074762631f098c515f66bc19bcb313d9af8d36cd15b6e668b33985257d8d96

  • C:\Windows\{1D7B2012-539B-4fd6-B920-4609950626F9}.exe
    Filesize
    197KB
    MD5
    877e2b907394a94b852541b3d039815f
    SHA1
    5810bdf516621dc478431278bec8f0cfe94b2417
    SHA256
    392110d4cf24075af778d012a9f1ccc0bb00603d492f4399fb4f1fb65842d1ac
    SHA512
    343a3536643eb57814137885be7492c65f498bc64f9d73242beafb84e419f4578edc9ae5553b81af399c12ab3645a176501925d65d81851575f125f43e6ccd92

  • C:\Windows\{3BD2F4EF-AA28-43a6-990D-17A1FAA2C762}.exe
    Filesize
    197KB
    MD5
    b9f992ce548a2c7350fab4662303dede
    SHA1
    2000a837191879d92c545f4ef3e28292b49593af
    SHA256
    f5c4a7629469ffa1c0273376afe09b0450a0871f5e5abf2e311a9ccd36ec1f95
    SHA512
    68efd942a2d5e73aeaedd777c4b3f85d0a721d935f4771f3c16f86a056de8c701d21a58d04961b8c2d207dc2f49f9da43be2f7ec37c21538fb9453305d3a5684

  • C:\Windows\{54370453-3C4D-4bb3-9D78-10B68D041334}.exe
    Filesize
    197KB
    MD5
    031babf7863ee2fc22edcd65accbdf79
    SHA1
    e50d10b75b4a312cfa51521c257a3deb435b2b37
    SHA256
    1acec7fa5fbbbd7e30484ede202a70a9c97a4e859729b02b0747af15b1f958e9
    SHA512
    72173a4e48c1aa81c9891c57429a52056a9fd79f8ffaa9a4d5ca52d97638ab2efb7e709f18b3cc024c03cdea4d19d346e2d47c7b2b5583b862cf470c0a7ea90a

  • C:\Windows\{58C4F985-777B-46a7-B1A5-A98752F5E3D5}.exe
    Filesize
    197KB
    MD5
    40e1f0c62392e3cffe6b4b08a05c6d3d
    SHA1
    f12f5e914b40c720ace215311626891c30399f0d
    SHA256
    a0102928968a94ca73b71ab999b58771397be1af60479ee5bc31f2f2902ca8cf
    SHA512
    7c9e700f527c2a44ddc107ac0cc060883aa3a1775a8059df8468832c5bbf57c875ee8aa552e142fca11b88f1a90fe87e7a162d76a18efb712babb558200ffec6

  • C:\Windows\{912B9C31-DCBC-40b5-85BE-42289F29373F}.exe
    Filesize
    197KB
    MD5
    b2c2cf23a68a0520455916dfca50e23f
    SHA1
    a1ffd6782607ba0aa7412f0ba99a6165d46f8278
    SHA256
    a66b758d375f0e40e918dc82d3ddb8f4784e30bb790d65a9a2cf85ce61893716
    SHA512
    cee7c740034b2846b3a5761ed0d04ce667e682ea49b78ffa120fa836ff6fb06b7b3db54b4b4bbf7248241e5220eed1b247706c087c48726cf1e52ff76d9329b8

  • C:\Windows\{92B780A9-7AF0-48aa-8192-CD9B28E03B3D}.exe
    Filesize
    197KB
    MD5
    901847d0005cbc3f64d86eb79d01649f
    SHA1
    284b12f3e49e288f3167058caae96c3ac85d24a1
    SHA256
    f7770328c79c1faa491ea895da274863fc4bdee6df1bd8198822f12c872b47ca
    SHA512
    53efe621dc3818a18c4301c54d3a03c6d21e96ecaed6e122e1f9bb767d20a4c8661dd121b79b2960f24331f89f29934d5a9a645d06a90df423ab1311298b2b2f

  • C:\Windows\{9D3F1BD9-B1D2-4eb2-8F38-98E723724462}.exe
    Filesize
    197KB
    MD5
    3ca39dd2213ab7e93fef7183bb8fd091
    SHA1
    b9d663fd31330fe964347fd5b9be43894c61b8ce
    SHA256
    951b86b9c332cbe2c11dc629a4ee7370a4715881e6fac691353c32fe2d152850
    SHA512
    0263cfd644a3362cd72c1c2c8138df25ea6fe63c59f5d010b72e79bf2285192fcde981ce7f6dffedec912bcb39d1463488a4035777d2b89c9449cc5989df33d9

  • C:\Windows\{A3ABDA9E-D244-4092-B6B2-24ECF5C06BF5}.exe
    Filesize
    197KB
    MD5
    58079788461af6af7fab24b296b65ef6
    SHA1
    121beeb5cc2460ef60ba99e5d993f377bc2b1ec0
    SHA256
    952d52d6527e073c5bf5663b9e05bbe39aa2bf3bf8f9dc188b410863f6f35aab
    SHA512
    2db75c5e58b1036620b171176ebfbb7214734e1181ceccc0da1f1e00871ad87815650ee21072e1b8dbbb8dbe33681438a2778ac05a00734627c2784ccc2d17cc

  • C:\Windows\{E7EA11F5-0AB3-4bc2-99D6-72F6E330DB25}.exe
    Filesize
    197KB
    MD5
    becc6d8af59879aa5eaed6c1384fcf07
    SHA1
    e87d94a33374ad7ff7cd33fceb46e1629ff19270
    SHA256
    ca5bc898bb06bf35e23411ea66acf242c17d79c555a3a2e6bf70fa695b34a774
    SHA512
    5b7744ee2b1a79b5cdd22137614b2c215a88eac9056355906fc707b0fde021b49a3d21cd3bae7ce28886756be9b01c7c38bfb8eb881b3cdd9c0fb6f5cea570b9

  • C:\Windows\{EBD30523-A3BE-49cb-9CF5-6B1CA5874BFD}.exe
    Filesize
    197KB
    MD5
    9b86bc58f5ae0197a04832b9067a984f
    SHA1
    0a5edfa9c4ab43fd2350baba7c74c3c15badc93c
    SHA256
    742167644596edcbeefd0ffe035a364554cc3c1372f9bbb1cde838d96e79ea9f
    SHA512
    67051a14fb20ae98fd09e3072c88d0a6a702e599310aced9952c5a1f1cd7dc01caeff9537ad4f852abd19f7b01806a8553b4709f5330e6f1cad640c40e9e4ecf