Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 17:49

General

  • Target

    2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe

  • Size

    380KB

  • MD5

    f036fbd260dca5a72a2b761714835ff7

  • SHA1

    fe5480d67ab5bba2aafecee3959c00bef49081ed

  • SHA256

    c5f7588ba2df97c916346dd82a407fa589dff4e935f3092eb6419f10527892da

  • SHA512

    d6bdbbc62a92136599d9d31defb0dcd369f91902ff2a48cad8cea1ad9e8adf3b436f43df659a68a0570f895547e7d6558bcd6598f78456cc0e4a77bfc7579aba

  • SSDEEP

    3072:mEGh0oblPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGhl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_f036fbd260dca5a72a2b761714835ff7_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
      C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3420
      • C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe
        C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2320
        • C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
          C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2088
          • C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
            C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4404
            • C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe
              C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1740
              • C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
                C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1464
                • C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
                  C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4704
                  • C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
                    C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4328
                    • C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
                      C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4652
                      • C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
                        C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1124
                        • C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
                          C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:556
                          • C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe
                            C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2196
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B797B~1.EXE > nul
                            13⤵
                            PID:3664
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B899B~1.EXE > nul
                          12⤵
                          PID:3464
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF021~1.EXE > nul
                        11⤵
                        PID:1876
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0E4C~1.EXE > nul
                      10⤵
                      PID:4344
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8BD~1.EXE > nul
                    9⤵
                    PID:5092
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{9838F~1.EXE > nul
                  8⤵
                  PID:1484
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8C4F2~1.EXE > nul
                7⤵
                PID:3772
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{749A5~1.EXE > nul
              6⤵
              PID:4976
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CE503~1.EXE > nul
            5⤵
            PID:2624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{47626~1.EXE > nul
          4⤵
          PID:2124
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B06E0~1.EXE > nul
        3⤵
        PID:1016
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0E8BD6D4-D267-433e-8071-5F03696331E8}.exe
    Filesize
    380KB
    MD5
    2af684362148e8668723d9f866d8eda3
    SHA1
    e4de2164d0df780cafe97296e9939435af71d784
    SHA256
    d35231bb1bc1ceb5549cb180ba3769ec43cb19dca93230e63cbe57f9b2573d9c
    SHA512
    028dd2fbfccd3f60de3cda979f7a485db8780eca2617ba89ec0d2ce03f0c3cb46c41f531a8f82144e67dafd79ae592bb9dc49524040a42369c92e0332eec12f1
  • C:\Windows\{47626205-076F-4679-A319-F56900DB60E2}.exe
    Filesize
    380KB
    MD5
    3a0ba1bb161ac9b5a21e1284868c8906
    SHA1
    0c8b1791729ec52dec422df49bcee41802ac9775
    SHA256
    a55fd6b732eaeb577c8e8a1404c7fdf3ddd2e7542e5ab9ddfbbb1a5e9e19c8c4
    SHA512
    152910767439e1ccecd41a57205b96a03e9a7496bfb7d589463be7f26974e0e3de8f5a93af6efc9a18aa23ee0eddb78894744ad0535c68d834a8d5069079d5cb
  • C:\Windows\{7327239F-91DB-43c0-8952-30548D4F149C}.exe
    Filesize
    380KB
    MD5
    c3698d11005c279eed9cb1e1cbd22c1d
    SHA1
    f7560a045e60567a39de102cf0e7e772c3cebe2f
    SHA256
    5bc9a3ca9e861700db6614edbddb0f2c4834b7e1cacecc87a2ad482969ad7009
    SHA512
    b8534deaeea5084dad30c019856c4c629f2c8a5baed0f743f706a7965459b674023808393d7010ff42bdf405dac7d49def616065c96926c4996fe9765d69b456
  • C:\Windows\{749A5034-AE0F-4a76-ACBE-90BBDE243E38}.exe
    Filesize
    380KB
    MD5
    266050b0429000b5c7b46ea36a48ea56
    SHA1
    cd61a72c78cabf3d567e6764853999ab7175794f
    SHA256
    1ea58499d6c5f746b768041f7e7c1135f495a34cd53a10c3e58172984f94d98a
    SHA512
    393c7d913207b9ab53c88964af7e335a84755b59a6cd571ad3b8135e03c283f4d8f8ee2e03ed6f4bf5879cda573e48e15fac82a07da7147fe8d8f06cde0d13d9
  • C:\Windows\{8C4F2825-2B7E-4a58-B284-188481186536}.exe
    Filesize
    380KB
    MD5
    7bde490f92506b270207842ddd9b50a1
    SHA1
    4870d1bf313f422a979ac980e69413f762626ea3
    SHA256
    f768a2fee3859324d2b4f97e9aa6945c6795e9ff787384b4add100d86d1f49fe
    SHA512
    4e8ad0721515b218573ae87dcfb55c08a7afbd5fc41948bdec6c6bd27434a798c77faef29e7ce9cc9b90cabc7dbde3307ff3dd6006630e11b332bec2f63d202e
  • C:\Windows\{9838FFA4-080A-4be0-8855-B9EADB6606F8}.exe
    Filesize
    380KB
    MD5
    496d2a05ebfb3c469ebb8f7b1ed09a8c
    SHA1
    64f9955dd37dc487cc086e1f64447896483f3c96
    SHA256
    f61c5fc72399b1a60924503f3485288399f988d740eec8d47ab3f3839f500113
    SHA512
    3f0969103ecf51969a1d9e89be69d9044bd700341b2d5dc85a00579d4240968a7d2e679776e02ccfd5531fb5e06561a94e619c251b9b3741e3b4124af8069103
  • C:\Windows\{B06E064E-D60A-4e9f-93FE-BCBD2604CE4E}.exe
    Filesize
    380KB
    MD5
    bbeeb1fe07132072d41e48cf20d5af1c
    SHA1
    4f72a2e1832643cb51f0fe3363c4ec4d65716eee
    SHA256
    b10c769f001f108fc67ffdf3bbf639df68d5beec5afe04464df2cbd2b096d243
    SHA512
    4d0b6e869b3d77c9e57bc8bfd57dce70d3e0b6cd257c58c889aa6517a58b387fc9f2f2b5a3fc8c5b9a64c2f5575fa70299e35a8c0b842ee2cc69bb4a9cdd3763
  • C:\Windows\{B797B3BE-F9F6-4f85-91AF-696809B0E439}.exe
    Filesize
    380KB
    MD5
    6be44d31e500ba4d085abe3bf1e0cc39
    SHA1
    e1069ebd6712574841328017806c9c2d4792e613
    SHA256
    e97a73b971a4a2764ce0d89c03af68245d63451262ab1bd5c9dd798dbb018767
    SHA512
    5fd2d49296be3185c0f1f8ad70535ea978f58a6f3230f6a09c068dc2820f8cd97d261357c8ccda72d368fe623fcff512f72a35ae9d282367a6ee04b16a1db07f
  • C:\Windows\{B899B163-A423-4dcf-A6A9-9DD2D01BBFC4}.exe
    Filesize
    380KB
    MD5
    33f38b59f55e7a9b2abb800a0a756297
    SHA1
    12321646e8f9afac759520984ad4bd63e5bd9b76
    SHA256
    31d4f863a0ec42963782462e5b30cbd0a1ada48cf554d218913f79edd0c57466
    SHA512
    f25cddcab63a789531d050febf0e59fc95ba139616ff12335157ff08987672531211088cc03859fc05154c1ecef573ea5eb17a07a327419adcdcc19506b940fc
  • C:\Windows\{CE503C21-AC48-48df-B94D-577BA8A2DFD1}.exe
    Filesize
    380KB
    MD5
    8a2283a479a1a61e5f4c379a22347a04
    SHA1
    dbacf57cedb3bf50ddb68cc6d1b56104482a90c5
    SHA256
    610aec70006a57b54fb5c610242034563ff092abbd3dc81b4086eedc8479ade4
    SHA512
    cb01ab652a0cea1a4554aec1b230612d8362b561b8baf874e0152415f0c153c06eccb8e1270200aff7cf4a0d716a9b6c288e291728187aaf2a38c34445c99e93
  • C:\Windows\{D0E4CF73-AD21-4566-B1F8-9F828B671581}.exe
    Filesize
    380KB
    MD5
    dadd9905d8d1a8a1d978ca571124964e
    SHA1
    3967a07404972c490968704715e8b55954fdf8ee
    SHA256
    ed68b7363b5d45092fcd99e5486e98fa4eff55bd71b383953d9a91d0107e7d3a
    SHA512
    d6482c02e20a3be4fa566475d6fb3a7cc427ea40f7cb79e47d5290b10a26fd30fab7ff3f9b90930fe236a6c60ed32db250c86da9af9c987151fc232c63aafaaa
  • C:\Windows\{EF02139F-3ADB-450c-8D89-47157CCB2810}.exe
    Filesize
    380KB
    MD5
    cd7a50628e66e4596dcb0f9ba10e43bf
    SHA1
    d7c22edc336f57e834d153de73b5f904ec2c84db
    SHA256
    a7fba4653fd9d9b6da899775863468a91d79d46f68e1b840190ad689c41d89c7
    SHA512
    d21f615501c0f8adeedb9487f65078db19720eb83853d5e5b4e7e97cf8c97a2354ce71999acc4bb7719ddf59b6ef3be970b6ecb2635aaed76a31458616f70fb4