Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 04:41

General

  • Target

    2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe

  • Size

    204KB

  • MD5

    97860f63b56a11a2225fb7e0eae2928f

  • SHA1

    2869cb06f8fa1d11467034ee6d8ff34961169169

  • SHA256

    0793876b8f6eb4d121477510e83e4c88fdea6c79093fe95d4ee99c7396bf39a9

  • SHA512

    471d03f24bee300bc67bff010241872d5a2c7b33276bf764107d3ff377f110af5357f8b30f0cafd15d1b08c18d0c4c6de59656a71b2c9ab4528c1fc2ebc35ff4

  • SSDEEP

    1536:1EGh0oLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oLl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_97860f63b56a11a2225fb7e0eae2928f_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe
      C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe
        C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe
          C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1592
          • C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe
            C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4920
            • C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe
              C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:840
              • C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe
                C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4716
                • C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe
                  C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1580
                  • C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe
                    C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:464
                    • C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe
                      C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3640
                      • C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe
                        C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4544
                        • C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe
                          C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4344
                          • C:\Windows\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe
                            C:\Windows\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4868
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC39~1.EXE > nul
                            13⤵
                              PID:2092
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{637A2~1.EXE > nul
                            12⤵
                              PID:4104
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B66~1.EXE > nul
                            11⤵
                              PID:4356
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EF4D3~1.EXE > nul
                            10⤵
                              PID:4656
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6637B~1.EXE > nul
                            9⤵
                              PID:3136
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E246F~1.EXE > nul
                            8⤵
                              PID:2724
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EF9DA~1.EXE > nul
                            7⤵
                              PID:4972
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3B0D9~1.EXE > nul
                            6⤵
                              PID:544
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0616B~1.EXE > nul
                            5⤵
                              PID:4560
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{5D2B4~1.EXE > nul
                            4⤵
                              PID:4800
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3CC0F~1.EXE > nul
                            3⤵
                              PID:224
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:2312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0616B9E9-57E0-48b9-8B57-580031C8D141}.exe

    Filesize
    204KB

    MD5
    75c59107af92dcf89165c131ce744329

    SHA1
    75cdc91b01093ac07de1f45873d28db8710ac647

    SHA256
    dd7505560cf1c8d31ae177731438a95710b40213279a583df6fef509139de6a0

    SHA512
    03c94d15306bb7567191a65edb35cf57e03897d7dddc9e17e9ec1e2775dadaf3bb554c8b5d702971ed17ac89a5171c3647683ead90935c3fd195b3a130341ac2

  • C:\Windows\{3B0D99CA-2CE5-4eef-85C3-A88D2E93C57B}.exe

    Filesize
    204KB

    MD5
    70a5a8c106a0413b101f09a0540f6c58

    SHA1
    3b82e1b13539786c1f06897d915bf42ba07d97c8

    SHA256
    afc38917ab9e8c32188e4dadc125c3fdf8457848dadf61f14f154185535cf8e9

    SHA512
    e2f0120d3450cef209df2a8aede7341c487738d0b214a7f4079081a29e6208a79a6f1c1be649f43da0aac69cdb7f6c11481d3a652b93b5f0488c82714b57b06a

  • C:\Windows\{3CC0F43F-57FB-41d8-B729-39A3E98E98BE}.exe

    Filesize
    204KB

    MD5
    4a9f295f12361b31a2be8d9e1874ba6c

    SHA1
    fdad61ae6432bfb98103f158afb2ec34b6869d52

    SHA256
    5cd30a713122bd08c173a59f5d46e11ae7a96990fa115257b24f06d1d80220db

    SHA512
    b3181e6058e9aff2c3bb4dd30f471b6e4605890bc176be3632fcae3990df483f967b219c88ef806e536ef91982dbfb85c3dc8c51a70a3d0f83142ede0db88ef1

  • C:\Windows\{5D2B49C8-FCC2-4e49-B94A-AC544F7295B5}.exe

    Filesize
    204KB

    MD5
    54c49d60d7db3b5adbe0a228f8e4544e

    SHA1
    606d64a86f5ee780e798b076188cd39c797f9de9

    SHA256
    abbaa5d7a02b4edca40d8c68e69fb96aaf9ec2c31b24b18e95ec1b91046f4042

    SHA512
    8b3fcd20fd018ac95386062e4e60d1b4408609f8dc0d0884c0029a8ba34633737f26c45d4a94e8d47108a51f7cf1d9ba410387f2167c1e74144eec1d3d136c91

  • C:\Windows\{637A2255-BE5F-451d-AF77-820B161257AB}.exe

    Filesize
    204KB

    MD5
    dac83364b9dc8f2a6c4903af5a5fd70d

    SHA1
    1c10aa8798ca717e160fce55ccc4e80d913e66d4

    SHA256
    c4a7f7e5b104ce8c58448da18b79224dbc1f6d0110dbc6be6d23b9e922e3973a

    SHA512
    ca1ab2e46816c7cff05ab076f391e7d496946abbee1e4f89f2980171c0ba599ab8a6a985235c1371a1e03ab88e58fa5bf0dea11cf3b0aae830994eacbb300fca

  • C:\Windows\{6637B389-4DF6-4011-903A-9067E6D3537F}.exe

    Filesize
    204KB

    MD5
    ff393d52f8fb0c76737e38d234ec86f1

    SHA1
    5055310a968e21c205e51d775dc4b6987f29e78d

    SHA256
    95d81901257aa1779a1d6333b639db7483934042d3be474f311fedbc738ee1c6

    SHA512
    a70c8d77b70d45c29d063de796205c08bbb05ce4559f951167ab27d5e5139d37419aa134d4a4cd0ceede56800a650bfa889693e6080ce06882a5e5a02066f9c6

  • C:\Windows\{7DC397DE-0841-48d1-8751-CC0E16F24771}.exe

    Filesize
    204KB

    MD5
    4e8cbe8777372e30faa652861db31a0e

    SHA1
    fc8016316acdee379902c555be3d5b846cce02f4

    SHA256
    becf8d4df316bfa5745344ab15d64b8153c9eb9097317fa9486a773eebc3863d

    SHA512
    06a8a6e1f38e888a7e9031438cb668e18a8ff47c0d1655bf2551267f2dfa14b86d4fcca780cb923f44b4edfa606918b334e0f87cffc1a07ae4f0abe2b779ff94

  • C:\Windows\{C3BA756E-3FA1-472d-83DB-CCA960A2D447}.exe

    Filesize
    204KB

    MD5
    8d88eaf96f85c6740be57c213c610769

    SHA1
    2e88adb866f12e14d743c370a4565bd3be8af96c

    SHA256
    c9478e768a735b5bb33b64ffaf4119e7c296d7e21e01f61891b14566b1ddb7ed

    SHA512
    810278758452830e4e96e1e08e1e3293c48a32e6a5c1c6ca5b418d06fe46d958022c480857d2d0fb6cd7f30f4c05b712441c7bdbc8d4b69cbdcf5025cca00903

  • C:\Windows\{D0B666C7-15FC-49e1-8874-D6D0BE5C43CD}.exe

    Filesize
    204KB

    MD5
    d7c46603a6f76f15955d4ea38b504dab

    SHA1
    32a00578fd77278bd9b6c7597707d4c8efbab5a3

    SHA256
    1ef87b990b6c1ed496161fc6142b1b1051436a66bfa8823be0fb3f7f8d2a78da

    SHA512
    d03d866c6e3772053dfb1c0d91ddb85507c2f3fc9db242760067d91562568bb16ff9b2e3637f47574dd88b6a312beefb70abcce1c3d496c944f04b24f4917c29

  • C:\Windows\{E246F3FF-1943-42a7-A797-C3A54A99D3DC}.exe

    Filesize
    204KB

    MD5
    35940dc33e05c586e209f0aa0c5b53e4

    SHA1
    99af0e8808164db6b99231b37e7139241821a028

    SHA256
    2c62ec96836f6ceecf118774ac83fbe2270a89a08d46ac4e83c84123cd8460a9

    SHA512
    a66fa9bce69ec36e6a5902bc831c8644c44d2941e00fb0cd88d5834021de20aff759ab8dca3dda288fbd51ce14be9fd7c31f58086f7d2e4966fc886cc84eb5ac

  • C:\Windows\{EF4D370F-EF84-417f-A850-C48194A23B68}.exe

    Filesize
    204KB

    MD5
    72c6d65afdb9caa5c2371709c2cbb292

    SHA1
    b7469549f81ee1d6d4fc0e783b2cf1cff2791852

    SHA256
    dc999c0ad01083542f5a4c1888daa8444dd2c61f907ca501fcd3126acaa11ea6

    SHA512
    085727ae3be52eb8bc9594bbb9f33c5eb34929fb53610e85b79baa5ee433049e85b9349a724ddec6da8f41db215b2231877906af1d0c5c20b999ef0fca7a223f

  • C:\Windows\{EF9DABE3-3AF2-4b9e-94FD-B1CBE25A965B}.exe

    Filesize
    204KB

    MD5
    1a19e4de92906450edb23801f7d77d91

    SHA1
    52127d6dfaf3a065c83b38bc8e609724715d9eb8

    SHA256
    4166747fe72ca40f3f0a407157ee2c7e8d348391b3ace545d2ff232a01ece2cb

    SHA512
    6b806c89f7a588a16ea787793fa7642df00e95d1813157430757fc650509de88b5c1595ae882fa6070a724f914d950710ad94f51abe694013d03c81f7f07ab9f