Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 04:26

General

  • Target

    2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe

  • Size

    380KB

  • MD5

    886c0ff26e3a5079f29bc8a6e2c25646

  • SHA1

    61538066cc38d86ffd79c935f8054fc33923ef3e

  • SHA256

    32dc77046d1eb839d21503392b7bd9f2f81f4c0cd25a4583a04dbc8c931a0abd

  • SHA512

    a5db5a8ea4985a1ead82537b16c1daaac00c315b1e7ed9a84743edec07c33a2515d794e9ba67b5f888c0db1c131dd02cf93d00c462c208a444ce7d050ac72061

  • SSDEEP

    3072:mEGh0oQlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGil7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe
      C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
        C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
          C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2088
          • C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
            C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3680
            • C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
              C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3092
              • C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
                C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4892
                • C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
                  C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3744
                  • C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
                    C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1708
                    • C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
                      C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:112
                      • C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe
                        C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2636
                        • C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
                          C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4056
                          • C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe
                            C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4772
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA2E~1.EXE > nul
                            13⤵
                            PID:1728
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{06DB9~1.EXE > nul
                          12⤵
                          PID:2604
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6109~1.EXE > nul
                        11⤵
                        PID:4856
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0BAF~1.EXE > nul
                      10⤵
                      PID:1888
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{129BE~1.EXE > nul
                    9⤵
                    PID:2612
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{253CE~1.EXE > nul
                  8⤵
                  PID:4688
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F50FC~1.EXE > nul
                7⤵
                PID:4224
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E8825~1.EXE > nul
              6⤵
              PID:3900
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CD4CB~1.EXE > nul
            5⤵
            PID:2716
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A68~1.EXE > nul
          4⤵
          PID:1636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0104~1.EXE > nul
        3⤵
        PID:3196
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4444
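The tree above shows a fixed pattern: every stage drops a GUID-named copy of itself into C:\Windows, launches it, then spawns `cmd.exe /c del <own 8.3 short name> > nul` to remove its own image once it exits (the `SysWOW64\cmd.exe` image path against a `system32` command line is WOW64 file-system redirection, consistent with the `arch:x86` tag). The following is an added example, not code from the sandbox or from the sample, of how a detection engineer could flag that pattern from process-creation telemetry. The events are constructed from the PIDs and command lines in the tree above (a subset, plus one constructed benign control); the 8.3 short-name match is a prefix heuristic (first six characters of the long name, as Windows normally generates them) and not an exact reconstruction, and the names `analyze`, `verdict` and `EVENTS` are this example's own.

```python
import re
from collections import namedtuple

# Added example; not part of the sandbox report or the analysed sample.
Event = namedtuple("Event", "pid ppid image cmdline")

# Executable named like a GUID dropped directly under C:\Windows, as in the tree above.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE,
)
# The exact self-deletion form used by the sample: cmd.exe /c del <path> > nul
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)

# Constructed from the report's process tree: (pid, ppid, image, command line).
EVENTS = [
    Event(5060, 1, r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_886c0ff26e3a5079f29bc8a6e2c25646_goldeneye.exe", ""),
    Event(4032, 5060, r"C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe", ""),
    Event(4188, 4032, r"C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe", ""),
    Event(2088, 4188, r"C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe", ""),
    Event(1636, 4188, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A68~1.EXE > nul"),
    Event(3196, 4032, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{F0104~1.EXE > nul"),
    Event(4444, 5060, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    # Constructed benign control: an installer deleting a log file, not its own image.
    Event(7000, 1, r"C:\Program Files\Setup\setup.exe", ""),
    Event(7001, 7000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\install.log > nul"),
]


def split_path(path):
    """Return (lower-cased directory, file name) for a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name


def short_name_matches(long_name, short_name):
    """True if an 8.3 short name such as '{F0104~1.EXE' plausibly refers to long_name.

    Heuristic (assumption): Windows builds the short stem from the first six characters
    of the long name with spaces and dots removed, then appends '~N'. Collisions can
    produce other forms, so this is a prefix check, not an exact reconstruction.
    """
    if "~" not in short_name:
        return long_name.lower() == short_name.lower()
    prefix = short_name.split("~", 1)[0]
    stem = long_name.rsplit(".", 1)[0].replace(" ", "").replace(".", "")
    return bool(prefix) and stem.lower().startswith(prefix.lower())


def analyze(events):
    """Measure the GUID-exe parent chain and find processes that delete their own image."""
    by_pid = {e.pid: e for e in events}

    def guid_chain_len(pid):
        # Count consecutive GUID-named ancestors starting at pid.
        n = 0
        while pid in by_pid and GUID_EXE.match(by_pid[pid].image):
            n += 1
            pid = by_pid[pid].ppid
        return n

    longest = max((guid_chain_len(e.pid) for e in events), default=0)

    self_deleting = []
    for e in events:
        m = CMD_DEL.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not m or parent is None:
            continue
        parent_dir, parent_name = split_path(parent.image)
        target_dir, target_name = split_path(m.group("target"))
        # The deleted file must live where the parent image lives and match its short name.
        if parent_dir == target_dir and short_name_matches(parent_name, target_name):
            self_deleting.append((parent.pid, parent.image))
    return {"longest_guid_chain": longest, "self_deleting_parents": self_deleting}


def verdict(result, min_chain=3):
    """Flag when a chain of GUID-named executables also cleans up after itself."""
    return result["longest_guid_chain"] >= min_chain and bool(result["self_deleting_parents"])


if __name__ == "__main__":
    r = analyze(EVENTS)
    print(r["longest_guid_chain"], [p for p, _ in r["self_deleting_parents"]], verdict(r))
```

On the constructed events the chain length is 3 and PIDs 4188, 4032 and 5060 are reported as self-deleting; the control installer is not, because the deleted file is neither in its directory nor a short name of its image. In a real pipeline the events would come from Sysmon Event ID 1 or an EDR's process-creation stream, and the directory check matters: plenty of installers run `cmd /c del` on files they did not launch from.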

Network

MITRE ATT&CK Enterprise v15

Downloads (dropped files)

  • C:\Windows\{06DB9891-8343-4caa-822E-60B5E012922A}.exe
    Filesize
    380KB
    MD5
    52a6508c83201961279cffdf15166ad8
    SHA1
    687a35703df12796f771fff8871ba46448c24078
    SHA256
    a413c57847b54e725f79c6ef322f32472c6cd044d2c915ee7005db360dab5638
    SHA512
    e3d1f2288733650e712f227bbe6025d3ac2dca8a517291adb89ae7b7e3273478be631a27d32cbd5a779d75ed04370035db06340e8494b53556323b392020805a

  • C:\Windows\{129BE98C-B259-4ae0-8C01-0C29B501F704}.exe
    Filesize
    380KB
    MD5
    4c9fa31fb9b23340cb293ee6b19fc12f
    SHA1
    d5615a2162383b95855c0aff123f18d9fed1cd0e
    SHA256
    fc1dfe89163ec96026341b5b996383eae1657bf4382b49ecd3a0c846850dbc99
    SHA512
    b17ab89450460e92c85ab5a67b63fe803faa74ee344f4690c9c81e31a2ae09633f1f1ae09dc6b2b1652bec46c5c6306b3400e623fbc3be923b4ab52ac3ecb3a4

  • C:\Windows\{253CEE22-2A53-4b91-B0D5-899E5784A7D6}.exe
    Filesize
    380KB
    MD5
    d91e159db83f6e991d2edbc75100c43d
    SHA1
    3becb2fd7b4f4a141f542daec824c05c799cadc0
    SHA256
    e288847f94b9561f60b82b35856a51caca76ad381baf38afd2c75d49f3e72d71
    SHA512
    5e0cfbdc4f45a1b8329fa76946931d32f2f4a044f1b97a8513f9f4fbc51dd9134c7491c2c29433e15da9f2fe979d4cb956c8d198e91de7fd0773777209eeb7e5

  • C:\Windows\{6FA2E466-D066-4ab7-B525-6B96CF35ECD9}.exe
    Filesize
    380KB
    MD5
    849aafc33d8e9e9f802ae9635d93271c
    SHA1
    f9431ed1c778401aa507d428a490da841c6dc935
    SHA256
    cc61ec33126ff3adcd4c6000bf49c7efe0ed19ce92e56c69ed82d1da0eb25dda
    SHA512
    d5f3669f7639ad4cb4cdc8fe59c60fe6308a080cfd4132337a9adde3f79030ea7e636bb409e17fece7e77a7334e882ae0af92d8081b8a70b7e634b875067740b

  • C:\Windows\{74DD85F7-C2E8-435f-B411-DD6C180CE5D2}.exe
    Filesize
    380KB
    MD5
    6620dcf96063862d0c76038b19b90ce8
    SHA1
    9b459e3c57b50816220ed43c35dc3ba366179de0
    SHA256
    4ac32cc2406c9d8b7c7686654c0a89968412a4f588c76b61e2f3f7ddf59a5180
    SHA512
    708230c1661ed1b7acde2b33b48423d3cb2eaeef7680b1c8c83a710064ffa9a03952bcb0c1dcbaaf1b439556b264ac13b27cda04fbbd47d450e4b595e5d971fd

  • C:\Windows\{C2A682C2-D169-481e-A7D6-B54D0D4E62F1}.exe
    Filesize
    380KB
    MD5
    e01abea8d50e1c91c18d6887bed33a29
    SHA1
    ff616546bee9aa5047a998dc5cd65951ce4d113f
    SHA256
    025fda0d9a27a811ac20b7a46f664103039557180c09c3789e4ed8e3e04218ff
    SHA512
    fe79362bcf8c7850f6b0c757a34cee48012cc90801dac27d37e173be234b32a156338fbb903f38473b14de02f938d41f654eaa02bda29fb208a8d821cb97ac68

  • C:\Windows\{CD4CB6AC-ADB0-4c9a-9860-8CB09A1120DD}.exe
    Filesize
    380KB
    MD5
    5a3c70114c8e0edc502fc16b02391be7
    SHA1
    33840bb2840bd2385a6e789a7a1849130732ec3f
    SHA256
    285d27c2154ae895a14f7a2fbbd2c748fec1eacc1ad0274f316979b81f3c0d3d
    SHA512
    3168e07d23932c7302f7d8af9b8e3fba7317f2ccca7e8252b8b98732eb7add542173e41fab0d4bea8ad1a38569455ab0b0eec2ca285a7103c7ef17c10d42ab4b

  • C:\Windows\{D0BAF376-0BA0-4a30-8EB2-895B4927877E}.exe
    Filesize
    380KB
    MD5
    cb56216678cbe1c8c04bb174cf61b548
    SHA1
    270bf37f78b17bce6a4879f44c8a77a662ba98ab
    SHA256
    210e1065f01360794b86cf66364007d4fd17d48c9881d8768d52ab1da28a0e75
    SHA512
    78b46053e59fb442a1cb7a51bad0e9aa6c8cdc992a54fd5d0f41e3152cc23810c584a9e164f9d81bf848b521b65a1cc5976db02503e1c4d9c099021f82629fd3

  • C:\Windows\{E6109D2F-6362-4280-9F69-8D09CDA2408E}.exe
    Filesize
    380KB
    MD5
    4b8cb53c1cd076eaf9f05ac1e4e3f397
    SHA1
    2abe56f609844b6bfea3922ad253c4e76eb61b80
    SHA256
    0024cb315cefe4140677100db5468c87557aaa9715b268e8f91a2201aa12f708
    SHA512
    1867f03639a99b6a8bf67b2e1626dd40ea2b73ac52ff6c65c1a544d534254d6c9c20d19ed3e3d4041228d464ffada615d18056e9a6c3faea96a1e3acc33c59e5

  • C:\Windows\{E8825FC7-BA48-402c-8E75-3D2646FCB0B9}.exe
    Filesize
    380KB
    MD5
    63496a663cf80c04bd1a8013932051db
    SHA1
    cabef2e745be4f0bf42dd6e345c0fd3d9b9d958c
    SHA256
    76121bd0b5afc4f021707461b552c137b6c628d33bc2e5ea9a47ef317811df93
    SHA512
    9273206fdfaed99724beb9396188de24d15bba788e4df1ab22e129cc6449a93da22add947aa67029dbf7d281e8ab67b2cba19d5cb507e9b55f31c118eb568a54

  • C:\Windows\{F0104825-97CA-4d65-9868-E9DD53927D31}.exe
    Filesize
    380KB
    MD5
    d2b566b208dd8db8a9d12bc97169351f
    SHA1
    29feb60c0598ada5572c70ea3084c66ff1935519
    SHA256
    142899008b4852574767770070a70ff208310acf32cc381a43dfce5ce67b734f
    SHA512
    95fdc3806e0ca1a089df41227f87cfb321d0fb3fb861786ee90aac7cf7ac835272bc979ef87dbd85232c7f91e3b95237d134f6143e062fbf3b1e297649439a1d

  • C:\Windows\{F50FC2B4-EFAD-47d7-9CBF-7233FCA4A811}.exe
    Filesize
    380KB
    MD5
    2de345ffaa5fc9a54cf8d203651457d3
    SHA1
    29649874ef298e5977266d2172bbffc344274e61
    SHA256
    015ee27a72650314b90084ff0b97955f1d80b864728390b3d93477fc7bd413dd
    SHA512
    529381786394afc1d7c71ef8058a939e7ea3c1c3584c4836dd2b02ade2b8705362015a22eb94638dc06d55e6b5f667057a0af1086aa329b4724d88a6d1152fe4