Analysis

  • max time kernel
    149s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/06/2024, 15:08

General

  • Target

    2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe

  • Size

    168KB

  • MD5

    f844085e931ec6f32dabe71e5314e933

  • SHA1

    975a67898eb5efa008571b050e6f3b0c9df5f42b

  • SHA256

    d49b9fdfde116b0d01978bdc33e847c319f68683a0d905d269a9ab0d08246c25

  • SHA512

    62210862a1cfd012c0d6f237696b7806f4beb44591d175235876e4a30ec01c208d19c8e7535b5c3a9aacc386df2f0d4941e60b413481633c966b5d9e9bd6e808

  • SSDEEP

    1536:1EGh0oWlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oWlqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe
      C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe
        C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2160
        • C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
          C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:316
          • C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
            C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3872
            • C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
              C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1852
              • C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
                C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:936
                • C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe
                  C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4912
                  • C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe
                    C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1992
                    • C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
                      C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:632
                      • C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
                        C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1948
                        • C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
                          C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1480
                          • C:\Windows\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe
                            C:\Windows\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1648
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{DB8B4~1.EXE > nul
                            13⤵
                            PID:4748
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AB3A0~1.EXE > nul
                          12⤵
                          PID:3496
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9627D~1.EXE > nul
                        11⤵
                        PID:4128
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{764A7~1.EXE > nul
                      10⤵
                      PID:3876
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{34963~1.EXE > nul
                    9⤵
                    PID:852
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB61~1.EXE > nul
                  8⤵
                  PID:4008
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FEC~1.EXE > nul
                7⤵
                PID:2668
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5A167~1.EXE > nul
              6⤵
              PID:5004
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B2818~1.EXE > nul
            5⤵
            PID:4372
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6062F~1.EXE > nul
          4⤵
          PID:2404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC210~1.EXE > nul
        3⤵
        PID:4884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:2588
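The process tree above shows a fixed pattern: each stage drops a GUID-named executable into C:\Windows, launches it, and then spawns cmd.exe to delete its own image by the 8.3 short name (for example "{DB8B4~1.EXE" for "{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe"). The following Python is an added example written for this page; it is not part of the sandbox report and not the sample's own code. It reconstructs process-creation events from the tree (parent/child links follow the ⤵ depth numbers; the launcher PID 1000 and the benign installer events are constructed) and flags the two behaviours a detection engineer would key on: a child cmd.exe deleting the short-name form of its parent's image, and a long parent-to-child chain of GUID-named executables under C:\Windows. The 8.3 matching is an approximation (first six characters of the base name, "~N", three-character extension) and does not cover hash-based short names.

```python
"""Flag the drop-execute-delete chain visible in the sandbox process tree.
Added example, not part of the report. Events are reconstructed from the
tree; launcher PID 1000 and the installer control events are constructed."""
import re
from dataclasses import dataclass

# GUID-named executable dropped directly into C:\Windows, as in the report.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.I,
)
# "cmd.exe /c del <path> > nul" cleanup used by every stage in the tree.
SELF_DELETE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def short_name_matches(long_path: str, short_path: str) -> bool:
    """Approximate 8.3 generation: same directory, first six characters of the
    base name, '~N', first three characters of the extension, case-insensitive.
    Caveat: stripped characters and hash-based short names are not handled."""
    ldir, _, lname = long_path.rpartition("\\")
    sdir, _, sname = short_path.rpartition("\\")
    if ldir.lower() != sdir.lower():
        return False
    lbase, _, lext = lname.rpartition(".") if "." in lname else (lname, "", "")
    m = re.fullmatch(r"(.{1,6})~\d+\.(.{0,3})", sname)
    return bool(m) and lbase.upper().startswith(m.group(1).upper()) \
        and lext.upper()[:3] == m.group(2).upper()


def find_self_deletions(events: list[ProcEvent]) -> list[tuple[int, int, str]]:
    """(parent pid, cmd pid, parent image) wherever a child cmd.exe deletes
    the short-name form of its parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = SELF_DELETE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(parent.image, m.group("target")):
            hits.append((parent.pid, e.pid, parent.image))
    return hits


def longest_guid_chain(events: list[ProcEvent]) -> list[int]:
    """Longest parent->child run of GUID-named C:\\Windows executables, root first."""
    by_pid = {e.pid: e for e in events}
    best: list[int] = []
    for e in events:
        chain, cur = [], e
        while cur and GUID_EXE.match(cur.image):
            chain.append(cur.pid)
            cur = by_pid.get(cur.ppid)
        if len(chain) > len(best):
            best = chain[::-1]
    return best


# Execution chain from the report, in order: (pid, image).
CHAIN = [
    (4180, r"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f844085e931ec6f32dabe71e5314e933_goldeneye.exe"),
    (400, r"C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe"),
    (2160, r"C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe"),
    (316, r"C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe"),
    (3872, r"C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe"),
    (1852, r"C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe"),
    (936, r"C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe"),
    (4912, r"C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe"),
    (1992, r"C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe"),
    (632, r"C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe"),
    (1948, r"C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe"),
    (1480, r"C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe"),
    (1648, r"C:\Windows\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe"),
]
# Cleanup children from the report: (cmd pid, parent pid, deleted 8.3 path).
CLEANUP = [
    (4748, 1480, r"C:\Windows\{DB8B4~1.EXE"), (3496, 1948, r"C:\Windows\{AB3A0~1.EXE"),
    (4128, 632, r"C:\Windows\{9627D~1.EXE"), (3876, 1992, r"C:\Windows\{764A7~1.EXE"),
    (852, 4912, r"C:\Windows\{34963~1.EXE"), (4008, 936, r"C:\Windows\{6EB61~1.EXE"),
    (2668, 1852, r"C:\Windows\{D7FEC~1.EXE"), (5004, 3872, r"C:\Windows\{5A167~1.EXE"),
    (4372, 316, r"C:\Windows\{B2818~1.EXE"), (2404, 2160, r"C:\Windows\{6062F~1.EXE"),
    (4884, 400, r"C:\Windows\{AC210~1.EXE"),
    (2588, 4180, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]


def build_events() -> list[ProcEvent]:
    launcher_pid = 1000  # constructed stand-in for whatever ran the sample
    first_pid, first_image = CHAIN[0]
    events = [ProcEvent(first_pid, launcher_pid, first_image, f'"{first_image}"')]
    for (ppid, _), (pid, image) in zip(CHAIN, CHAIN[1:]):
        events.append(ProcEvent(pid, ppid, image, image))
    for pid, ppid, target in CLEANUP:
        events.append(ProcEvent(pid, ppid, r"C:\Windows\SysWOW64\cmd.exe",
                                rf"C:\Windows\system32\cmd.exe /c del {target} > nul"))
    # Constructed benign control: an installer deleting a log file, not its own image.
    events.append(ProcEvent(7000, launcher_pid, r"C:\Program Files\Vendor\setup.exe", "setup.exe /quiet"))
    events.append(ProcEvent(7001, 7000, r"C:\Windows\System32\cmd.exe",
                            r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\setup.log > nul"))
    return events


if __name__ == "__main__":
    evs = build_events()
    for ppid, cpid, image in find_self_deletions(evs):
        print(f"self-delete: pid {ppid} ({image}) via cmd pid {cpid}")
    print("GUID exe chain:", longest_guid_chain(evs))
```

Run against the reconstructed events, all twelve cleanup children are flagged as self-deletions, the installer control is not, and the GUID chain is twelve processes long, matching the report's "Executes dropped EXE 12 IoCs". In production the same two checks would run over Sysmon event ID 1 or EDR process-creation telemetry, where the parent image and the 8.3 target are both available in the event.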

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Windows\{2F63595F-6305-4aba-83DC-2A2F219295D6}.exe

                            Filesize

                            168KB

                            MD5

                            f5d20c83b101abeccce972148c8addc3

                            SHA1

                            8cc7b18f818d9d3e8e8d91ee9c07b502ab17f450

                            SHA256

                            b89404662b87a445894d339c294b6a8ad282728630650c91f4004e4d4e58f17a

                            SHA512

                            b83b49452d3c9fd3e2add3b56a2b4e1956805930d8c3bdab14b398fe87050b7cf4f40f31922752b44e04e42542a92bfdf19c51943fa54f99f1000a1c3c0258f3

                          • C:\Windows\{3496395F-CA8B-435a-9524-70995A6FE94C}.exe

                            Filesize

                            168KB

                            MD5

                            69b218057d9b389cacd6114acf67bed9

                            SHA1

                            3d95ad8c2775f79ded6737a08be9caa797e305b6

                            SHA256

                            b7c6bec42e76a653b75d9aef53fc3ffeee12f22d029e828e35fdc35fa1a7284a

                            SHA512

                            53c8c4b68f68e0c2a96c9f5b9920ce6e76808294b86c569ff72c27cd3285f06eb45960f32edbb02b80f8284090fcfb7779b11885b818c9e507a6ea0eecd77b89

                          • C:\Windows\{5A167D6F-3850-4c96-9765-BBD0608B61B6}.exe

                            Filesize

                            168KB

                            MD5

                            05087ea9588fe9195b60934b94b3d176

                            SHA1

                            83b52108e04d4b6b25acb52c6c7f1dfb5792a018

                            SHA256

                            1456d8003b3427021167eb08db2a56026723ee6bd4989e252f04de091c090119

                            SHA512

                            f49724ad66072a0703706118ded2203c3235692be1a8b092ee787f0c5a0199633f405d98c7e0e9bd979f9195187c80cc6a8d888e61656212ee1f8e356d0d37e9

                          • C:\Windows\{6062F3B3-C015-43be-992C-64699251F174}.exe

                            Filesize

                            168KB

                            MD5

                            3e8131b48998aabe5a1fd4e9c05f4cbd

                            SHA1

                            73132e63dbf6334f2f1e9937006e1a1f9f0f9795

                            SHA256

                            6640775106cdc9d27ec3bd976a30776762f6dbd2dcdfa978a68c46d79d27f91b

                            SHA512

                            aa81f34e1b2e7370858a90f24fbff3eef7d30a35149d81a891c08d28817bad2a94301341f027a26ece55987be4d5cd6e783e7ffa46cc5b4fd28d427503e16a18

                          • C:\Windows\{6EB61ACF-6A57-46de-BFE0-33F5B1BAFEC0}.exe

                            Filesize

                            168KB

                            MD5

                            5f1ca619e93b29551179991e94680791

                            SHA1

                            46f63d97b3319e6f2114d8744d257ea94719480e

                            SHA256

                            08263f012108e55ff2ece7e1c68978749ec736e357905572d382787ea69e517b

                            SHA512

                            9be65e23105946f9a60e5e06fea5befa7d7e27742af452bb86b2c7e2c5786dd5c65a88c5d6276da9ca6aaaa7bbe795fffa3807299f878d1f8c99654f140c1dd8

                          • C:\Windows\{764A7453-7E3D-4118-9362-B820E09F31D0}.exe

                            Filesize

                            168KB

                            MD5

                            925b95acfa0fbfd4a98fcf78862fcc9d

                            SHA1

                            2dd267475aed9239910d67ce01a4c149b4862c17

                            SHA256

                            7332967736e398452fbeef1e0446fa1ed17d57e1a8493e8fe93aee8d48338571

                            SHA512

                            9092be452605837addf16ed3164476c6ab9e4f9eed86bcf24e7089ebf2ff09f351cab1089d1b6c60073b4982c2d64ca56ca44b4f1661afaa09067db3cbfe276f

                          • C:\Windows\{9627DF8F-2CCF-4352-821D-8BF728ECEEA7}.exe

                            Filesize

                            168KB

                            MD5

                            e1c50ce7815060a6d4d67cdc1ebe741c

                            SHA1

                            62e0ea2036b085926585e0005dd25a597f11a850

                            SHA256

                            4cd2daf4807ae9796dde5499470c59e6130def4c8b863b4b8bc25bccb1157c43

                            SHA512

                            774155704f091bb9d0627529d6ffc3b52a6edd1af51f7ff6d6d145e3fff853e0c43b877b8e5ead5f8b3a58503eadfbc5306e4c6d769b6c40c7f0c3dcfc255a54

                          • C:\Windows\{AB3A01C3-35FB-4895-B380-BE75925C9A81}.exe

                            Filesize

                            168KB

                            MD5

                            999bc602103e596bc62ef02dc244e756

                            SHA1

                            ba48e8c8793b84974298bd08d4c185235c497d8b

                            SHA256

                            bfb2d9714ca08d1036d98cd5e37121c60136b042f45b0509b3b2b97ad96804fa

                            SHA512

                            4237d27e82b4a5227145f857a04d4c67891da623d9948cda408b73991499b720480adf893c29e3f12f63da481b5027ad15309efa4be14efec68fa8671c0a1776

                          • C:\Windows\{AC210350-E339-49bd-B050-A142E5950595}.exe

                            Filesize

                            168KB

                            MD5

                            6c54c6a52015c2f05385ef7f5f45ed72

                            SHA1

                            1da4daf60fee16a301b9fa45e871306baad98d6f

                            SHA256

                            9314eb643b0b657f796faa9d5f1825134d2e77bdecc9ab1235e628c75f7dc00e

                            SHA512

                            7bb671613476a06c7afd7e89cfb9eacdfcd7607609f866b134b52f337ea633a77e03857fb2e7d16761f39ee7001314de3ca3fc6c3509864c455a5f0c8ba16d58

                          • C:\Windows\{B2818130-F0F8-4d85-A72B-DB24C1A4AC59}.exe

                            Filesize

                            168KB

                            MD5

                            386dab9a669f45835798823a0fc5bdac

                            SHA1

                            a03c2f8c4fd7d0b919737df3bd7d9ce90a6822ee

                            SHA256

                            d701ab229765308b29c6ccb821a023b6a96a522b30bddf599d5e6f1824f4cdf4

                            SHA512

                            1b8994d8746ce9849300b21f27c44e6b2b03a332971e8deda45a915fdf6a05bae11d99e86df92501ed1e82e7f16c8caaef0b8be92bc8c606c3fb574690cd3dc9

                          • C:\Windows\{D7FEC74D-4C6E-4a42-9C07-DC9320843F2B}.exe

                            Filesize

                            168KB

                            MD5

                            33e54f31b0366ca0c464b4ee20a74179

                            SHA1

                            7350e81d602520276f6f27c3b2af7280c62002ea

                            SHA256

                            66a5d2fbca5b26981e5890a6b2e9e5cf5be0ef3b1c2326719b138ed3a56c3a5b

                            SHA512

                            a8accebc39c8c0a594f9f92c176c48dc7b0d56bd87bf759cd9e870c6944bbce51ea974b5e06d22bb7c816868ccb64469465b354adfb5c4209dee25a53b9d020c

                          • C:\Windows\{DB8B4BE0-3473-4786-B512-76BAE17D8DF1}.exe

                            Filesize

                            168KB

                            MD5

                            454cd84b8be4da2d7641ca9dfe92c086

                            SHA1

                            509afe27faeda789f96f8bc526e5ca2a0019779a

                            SHA256

                            00a99635c2cbf4c3bdb54ca64e27991ab81605c60d97144934cc0b3393efbf51

                            SHA512

                            b567527d6b4f35ac4b601da24e72915565a0abee232c8537e034b40ca881420ff918103254d7ba5e47fd783815f9a5098c1ac9fa75654d33296a6648fa428bc0