Analysis

  • max time kernel
    149s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 04:36

General

  • Target

    2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe

  • Size

    204KB

  • MD5

    9261f11bd165c8f1c19177f14d3d1f64

  • SHA1

    20d8d65589d8bc640fac5c60cf03667f68ed14fc

  • SHA256

    217ad59471ba98885cc8a3b4f0a8bf890d0082026ba6e92db4ee83db29dc3f06

  • SHA512

    f0cfcb28883bfb32c5efeda1ff5f41b9213c3b09cb901fa0c2ce2a2f8d04ff5e5442952aa3e1199dfdaa796807a605673b8343910767a009fa20f2285cb8f9da

  • SSDEEP

    1536:1EGh0ocl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ocl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_9261f11bd165c8f1c19177f14d3d1f64_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
      C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe
        C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
          C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1020
          • C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe
            C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3752
            • C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
              C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4376
              • C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
                C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4600
                • C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
                  C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4804
                  • C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
                    C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4772
                    • C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
                      C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5040
                      • C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
                        C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4856
                        • C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
                          C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4944
                          • C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe
                            C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1888
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E3C6C~1.EXE > nul
                            13⤵
                            PID:4908
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B280F~1.EXE > nul
                          12⤵
                          PID:1112
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EFB6~1.EXE > nul
                        11⤵
                        PID:2972
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{870D9~1.EXE > nul
                      10⤵
                      PID:628
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{AA9C7~1.EXE > nul
                    9⤵
                    PID:4540
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5FAED~1.EXE > nul
                  8⤵
                  PID:3580
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{1D082~1.EXE > nul
                7⤵
                PID:3784
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4BD57~1.EXE > nul
              6⤵
              PID:1968
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{17765~1.EXE > nul
            5⤵
            PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{71861~1.EXE > nul
          4⤵
          PID:2324
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0C09~1.EXE > nul
        3⤵
        PID:1548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{17765F30-865E-4280-81CA-1A2B9BFA3BCB}.exe

    Filesize

    204KB

    MD5

    ec0ddafb0dc5d6d36ebf1e13e7ab8d49

    SHA1

    20109b1ad05b0899d77fa10867b576a80db82e65

    SHA256

    66b4d9c2fdf2c4e726472c92c715c171ed6fc984700031526d3fca7d5d99957e

    SHA512

    6bdccb429ae951e4f920fb385540f7a14bc0cd4d2cb54d33a903ef36c6765cbed4761cd8a9874fe0ecb0dee595b3f81054ae9537256177d1224b4777488c1154

  • C:\Windows\{1D082B3A-FBA5-4547-9657-F137337C4BB1}.exe

    Filesize

    204KB

    MD5

    b0e6c82c4aca7d40dc66480c2ef252b5

    SHA1

    3a29562f24a913be23a87146acf16028e8f73a68

    SHA256

    d3d3870dd4857a9e61f97c18077b1c1b7ffa41b0361440d86bf93495219e4a9c

    SHA512

    9f2074c3ff8ce282c4df3607e4e3cd3a604d756a057e1986850ed334c2b644091da4bc3e0f24a6e35c7101c4cc14444f2a816fb5b3289e93b78becac983e9715

  • C:\Windows\{4BD5788E-F672-4914-A220-0F7D214265FB}.exe

    Filesize

    204KB

    MD5

    60c5ca33c809537254bce118f01f44b4

    SHA1

    0506c984c999cca3e828fb812df0d84eec68cb7d

    SHA256

    53d6098ac477fbd0ebaf0811c0ac21c24ced2f741b0b225f9a0e406230594063

    SHA512

    69b165e45c1c19bffbc58137eec89cbeddd4df037fbf6e5ee0e48a102d51ae9d1d173faf85787f2fffa3bf69c8e8c8f6bf1436ea5eeda951d058823dfeb815b9

  • C:\Windows\{5FAED625-28E8-4ed6-86D0-09B21354944B}.exe

    Filesize

    204KB

    MD5

    0830fdd3f0c7fb64b0e4ce0a24239db6

    SHA1

    d89be98f4dbfe7c7ad238f1cdecacc450b7474b4

    SHA256

    ee578b4ffe0f835683980a239fac2fda7f6ece8825901e8134eb460cad3b5b28

    SHA512

    5e6598c477eb906a1ecae5332beeac0b27a79fb8a48b3878326c7b953a8fc40a86fc0acb1884a56eb318bac0745d20c2e613c87898254c41e69f68081a6c5f82

  • C:\Windows\{71861140-3D32-420f-BCDB-976D9D8786E2}.exe

    Filesize

    204KB

    MD5

    566002ce1cc37feda46f991a088c5705

    SHA1

    7cf852a1e01e88adb47247d4ca7ab11ec9b91b7f

    SHA256

    6822c9e708329ea2a506e35ceb5445f0c0fc02f814d1c86d9ab7b1bcdcddd12e

    SHA512

    aadeefda1dce920782cd264624b0894bf718b847a25c412ecb8ef56576de407ef5116cc3704e86a8881bff4d54aeac348243cfbb202a65d7b4323142bfc0a41e

  • C:\Windows\{870D9506-2B8E-4fd3-94A0-E4B21AB7C6B9}.exe

    Filesize

    204KB

    MD5

    673ba67fcc04d970e1598453be0585d3

    SHA1

    57d84d21b033fed4d40ed94439b2202e77bef7b2

    SHA256

    484dfe549d38679b24d4e1b46b1006a06a4e1111021f58df06bedf761744df79

    SHA512

    d6f44f21df28aa355183e88fe17f7db1e72847d96ff99c9494e3c63084f684a33449afa169f35d8646dd96ce2a6726224a8dc44366d13525ccea2d76592a5a22

  • C:\Windows\{8EFB68F9-6B6B-4ec4-8B53-C47A38E56877}.exe

    Filesize

    204KB

    MD5

    8a0465d4d15eb29937b79bbef8821aca

    SHA1

    b1bf83b3a25f29bd2d098c20719c1b3e99ad4943

    SHA256

    7e4f1c54d77abf019e4d399780702155faddaf9f0866c4c52c830529273df4e4

    SHA512

    ecac6993d2ce71c0df09650aedb2ae24803ba1e4ad997ef5565b3e2a471a77a7b6c9f8fee5e722a5212f5f5a83b3b9ea51625ee65ca25ef51e0cfe6d893ad9f2

  • C:\Windows\{9E0651DD-81FE-49ba-9DC8-BA855CF42D12}.exe

    Filesize

    204KB

    MD5

    a8148d82f247fbbd4c0e911fe02c4571

    SHA1

    7684b0cc7afc227faa70a3773775795a20870841

    SHA256

    0a2b4387212addb43087d27106ac0b69bde961fe504ba8bfe0b72b892f0c7f87

    SHA512

    b820da41546ea1e2dfcf2db228fc464624e9d15b8b1986d55d3080fba6d884986b47ed4095222664fed3efe4d9abc1e9ab32cb6462db432841f87d5d204b0062

  • C:\Windows\{AA9C7749-C8A1-4578-925D-7BC41BCD7C7E}.exe

    Filesize

    204KB

    MD5

    6add06e35dbab36d94e88668ec23d48e

    SHA1

    6184b0635e654efe933638d37eb43b853964e1b4

    SHA256

    02b1c25e0defe87a2e8d011947756e1b42f9785b59909bb36899c8907d40e028

    SHA512

    9c2f121dae1c4a8ec479e82102c3553d37aa9f2ddcfaff7f4e65c93a82f6e9043c3eb6030416523eb19ff206caed248a5c40fc8ccb349161fa47cf50b33e6ed8

  • C:\Windows\{B280F1E1-4A8B-4928-BC61-0FAA850CAEC1}.exe

    Filesize

    204KB

    MD5

    054ceae164d6c8a641efc5a169cf7d20

    SHA1

    57c6a886630cfc64fbe0a7076915b0912bb275bf

    SHA256

    0bc1fb0e2be107fcebc053b02a49fb99a8a6123c1a924e00062605b2afb40bf3

    SHA512

    3d2831e2ec0a134ea2081ec7fba2147d7dfd419945187233a3b0e87691e139215855f7a9ff863d7add1d9783a67f93554de4e78d94b1f6cf87bf6071a6e74fbc

  • C:\Windows\{C0C09A38-218C-424a-AFE6-93E80DBA1D2B}.exe

    Filesize

    204KB

    MD5

    f525c457fd36e3daea2c04c5d583f9de

    SHA1

    d806961b706b1d9fa312c7ce93f1cf542942303b

    SHA256

    32ae747aa704f83b21e32aba3d92c344c0eaec0d686d536fb0f7b4578ae783b9

    SHA512

    15b3f9b2f323f8756d6a291f55f8236fa6299c677535a8bea7b4bd9d8261f80d94a5090553f2b7c6f5ed8941a4ea504f1f5dc7dd369ba16da5c639dc700b97f3

  • C:\Windows\{E3C6CA15-E29F-433f-A59E-3255A81E6483}.exe

    Filesize

    204KB

    MD5

    1f508a1a32aad5e17d8b7149eed768e2

    SHA1

    024e5ffec8186ac6792f8f8c4dcc44734ceec6bd

    SHA256

    748bb46cd687e1a265ffbdd734ab5637487fa8ee22be6b832d5cde1875455c41

    SHA512

    6446bc486df39b2a390ad2db6f7edf397fcf4729da6b8170973648cc1d31edd642c18845247bf4d5e00ae4b2e6e0d7e0e578ee7447b733f10bead4a01889d34b