Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10/06/2024, 04:41

General

  • Target

    2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe

  • Size

    204KB

  • MD5

    956e79eb73c9143bd4d4050b31e4b8fa

  • SHA1

    f793eccb9add50c4d1708dbfe061b12808c5c07e

  • SHA256

    dd304a280fa670f746cf662faa1075faba580015775820450a813f17a9e36735

  • SHA512

    74ef24b0ef1bb0b79b5c1410ec2471e3723c152236c65849c0251adafa4245f022fa741112a5503458cc0325fe7108233a8598fffce9d72a2581cbaa00742e11

  • SSDEEP

    1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oXl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_956e79eb73c9143bd4d4050b31e4b8fa_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe
      C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3688
      • C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe
        C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe
          C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:792
          • C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe
            C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3664
            • C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe
              C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:672
              • C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe
                C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1208
                • C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe
                  C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1796
                  • C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe
                    C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2272
                    • C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe
                      C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4680
                      • C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe
                        C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1476
                        • C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe
                          C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          PID:4264
                          • C:\Windows\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe
                            C:\Windows\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe
                            13⤵
                              PID:1768
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{C6195~1.EXE > nul
                              13⤵
                                PID:4604
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{EE611~1.EXE > nul
                              12⤵
                                PID:4424
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{41C3C~1.EXE > nul
                              11⤵
                                PID:4528
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{3E46D~1.EXE > nul
                              10⤵
                                PID:3248
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{899B4~1.EXE > nul
                              9⤵
                                PID:2460
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{DD088~1.EXE > nul
                              8⤵
                                PID:1012
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{1D018~1.EXE > nul
                              7⤵
                                PID:1612
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{9791B~1.EXE > nul
                              6⤵
                                PID:4560
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{ABC31~1.EXE > nul
                              5⤵
                                PID:3700
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{040B4~1.EXE > nul
                              4⤵
                                PID:4088
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{49496~1.EXE > nul
                              3⤵
                                PID:4360
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                              2⤵
                                PID:3520

Network

MITRE ATT&CK Enterprise v15

Downloads

                                  • C:\Windows\{040B4ABB-671C-4e34-BC97-8CEF2D607407}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    e57ea85cbf1d17ea7be0c49c5d039c6d

                                    SHA1

                                    1c0bbab0b2a01ad1dea1ed3afd9e798dc63afdc0

                                    SHA256

                                    e1be7697b9c7952fa040776a4f2bedaa7b5aa48ec6ef8c3adbb608b60fcb062d

                                    SHA512

                                    0fe656a879d67c5c37c52a294ae750e3212ac0e2239f590b8abaaec11abe157f395738f04d7d3485d574ed959999bb8250cbad910cba58f675f4bef427f662a5

                                  • C:\Windows\{1D018DCC-20B1-4859-8016-A6A8A570A740}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    bede3e0ae9c12d211e91b980474195d4

                                    SHA1

                                    69046e0a21b64b9003c651c4f36e46868d60bd43

                                    SHA256

                                    4539c18a48ff8013a24f563817d86e789fdec4e2b95b62e356fb8a111700a816

                                    SHA512

                                    3231be24719f41e596f1df564ff7354c8b213fc07991e36a48ca48aa6dcaa091399bbafac119466d990233e5428ca55c6b823f5a8c1db2ca32d1d6754f5900eb

                                  • C:\Windows\{3E46D709-0177-4623-930A-519CE3BF3E17}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    b7a5849516ebf596a8968519f434dd04

                                    SHA1

                                    ea7f786e125337be151fdf2846f0f1a2072ba985

                                    SHA256

                                    6a5b6e360cb1f4e734d92194878630f4a702303eb665bc549a71401df21ff6fe

                                    SHA512

                                    b597f29ffa0a22780f6e5ebc6a4ccf50b812c4a103776654798e7bc1448c7cfa1467db7359ef3c61b67c5d072260df5fbc74e64d82a9e6c1d7e9683b6ef2caca

                                  • C:\Windows\{41C3CE43-5EDB-4392-886A-9C8E850710C4}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    8efcbd69ffd5aaa08efd686662da4aa3

                                    SHA1

                                    90610c5802b4b88fc3c948d5b73ceb0013af350e

                                    SHA256

                                    2b4695b9ca803d2c6126f7f3b4924cfbd0a8f5cc6fc265c81229b7e2f798969e

                                    SHA512

                                    bbc69c6962b7ebe93a13b00bd314110d706ec2a68a72783d72e87cee542bb4e275aa90d24979634f2447cdeba3aa59cce843dadc93862cb35d7086b7e6d8326f

                                  • C:\Windows\{49496341-2A68-4c9e-85D7-C07D08C35280}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    ba89e21ddbf956b4410b215cdaf420a2

                                    SHA1

                                    0c5853b5ef41a246ff1276d3628ce907091d833b

                                    SHA256

                                    05bf3f70a9a371e7d19a649e3953c4b97559bf9ecf9b6be084dfd39770ed6230

                                    SHA512

                                    8da89c432d10b1788b92e80462f1e17a52f103c3eacaad172b4cf17ff5b43e9e2ed0d685dc948dd8f7337dd724f5efa61f2328486e05e484cde54c3fd5cd702e

                                  • C:\Windows\{899B4096-D491-442b-9141-37C67BC4DF16}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    696da16c0744330c710076b5fe8a5ca9

                                    SHA1

                                    e13c9ed5be10cc8b88010593680fa4bd4e71f4ea

                                    SHA256

                                    db4c58591993c1b1776d1a68d239a9397d85f36bdb3d5b79c43dc63c4cb61912

                                    SHA512

                                    c3b3db2f2b6b4afea948debd20380b2356ffe28043ea17181baada05b62f22bb89b2621d7e234cf0ffeeaf4a1bb47aa1262c7ee6696c1546dcf4a1532cde74f6

                                  • C:\Windows\{9228E9CD-38AB-4a31-BBB9-C2044F80DE4F}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    8a169f855fb37098aca2896d4a104a56

                                    SHA1

                                    84c1a5cae26fdfd02f71373e3693163de7db118c

                                    SHA256

                                    b7fe7f5b89e5ba5c4c6eed4913a23a3d8e58f94480941eb018b2b9e57a1367f4

                                    SHA512

                                    fffca775c11e6294b9715089ab8aae3f8d65754e449913b443c31e4ea61d98bd8763b82a77d188ed60991cda79d59287e5d8f209f2fad840cc3ee78375985fb1

                                  • C:\Windows\{9791BA93-6E33-40f0-A5FB-5257BDAF337B}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    a12990cd6df11e77df25d0f3d13d18ee

                                    SHA1

                                    609d2ea5b3d646b302c961d286188b7cefb6ba72

                                    SHA256

                                    01c0c9d3201a8cf64f05bfb94337ff9a6ea6d1b19fb62d9865fc6f46330dc7dd

                                    SHA512

                                    24038e8d09674c8006336ccfc13134f54a41c06472fa27055ad083c029ecb0f251879b80bdf97947055990d6acc727171e2943c33a7724ac2cc7c14459ac2d0a

                                  • C:\Windows\{ABC31D9F-7EDB-4959-8FD6-1EE4BA436880}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    b4e23f2f31ee913c36b87665710e748e

                                    SHA1

                                    fbd1223adacc06aa9602cf87368686887b9cb75e

                                    SHA256

                                    1b72edf103965667a2f918901052bf1a714a91ea48779ee55edc3bc5788341a9

                                    SHA512

                                    326c9749d94adcf7f7883cf69f9043909d2728742adb626a2d63e5a784dc9c19c34865eed9dbdafefdf2f45024f1927aff869364b120b89805fd266990132d36

                                  • C:\Windows\{C6195716-AE9A-45f9-8F48-C1D4AEE70017}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    89372dcd8f842643ff47feffeef2fc57

                                    SHA1

                                    2b562a7ebef95c1caf88bd26f7d61e92455f0bde

                                    SHA256

                                    fc3fb6c61573409fa15d6ac0e39b3e1d617ad6338fd288c44a0afd7ec998edc2

                                    SHA512

                                    ad7efeb592bbd9a399c4bf3029adea9f61d53e3cfb582a5c3c7890c0dcfa6627992932e1d62d66461a2275e2c398c51ae69d3aea433d2b4e0d90f5e4a55b3d32

                                  • C:\Windows\{DD0883C9-91F7-416e-8D41-423E7FECE663}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    34a80bdd54c8eae4ecd64c6fe76a9f30

                                    SHA1

                                    8bdad8e1836f41727afbe1645ef07a8410907c69

                                    SHA256

                                    fadae684c495841f6ab9197aa72872ff9f7fb6211e2187dd2305d018ee24ceb3

                                    SHA512

                                    01aa638582380f1df55c355ccf5529a94703035f0a86d83b808afb4e9c4ae963a30ce0e519457fa2536f5c00fd4eef388d349b8d0161d6e7a00cb92cab3a1c0d

                                  • C:\Windows\{EE611F99-0E39-446a-8918-AE3DC8D61DEA}.exe

                                    Filesize

                                    204KB

                                    MD5

                                    c00874c804063598462f2db14c6990a4

                                    SHA1

                                    c52eaf0cdc62d7457f9681f403a80a03f212a73c

                                    SHA256

                                    495d50eaba92c93e8e962fecce442075dff12da0b16f72dc66cb40e333104c02

                                    SHA512

                                    db5a2987147a1c0985fd37683fadb8100467b9c4df10a67be22088c3e84cec79c557f8d41b7458366506118b81f0a0158539479244c18aa7ab2bc7e98fd94441