Analysis

  • max time kernel
    149s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:43

General

  • Target

    2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe

  • Size

    344KB

  • MD5

    0a755e821f5f8006a843b9ec0878c779

  • SHA1

    4a481c3ff19aaf6c5d2f00654cee5c0d06a87184

  • SHA256

    08e176d28691fc2e5eca6d6b5709f56f60f1ff0109e7e3d9a78e361a99fa6818

  • SHA512

    d792ed635304e7be64ecb6134df83f52a9168ce60af2a63da4e25b2dc680d6a59daa7d791aa6de902d5cc4969c1fc47401f7cc6f66a52e38fbae1b01abe10f0e

  • SSDEEP

    3072:mEGh0ozlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG5lqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_0a755e821f5f8006a843b9ec0878c779_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
      C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
        C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4152
        • C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
          C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1124
          • C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
            C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4680
            • C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
              C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4520
              • C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
                C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:228
                • C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
                  C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3424
                  • C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
                    C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3680
                    • C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
                      C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4412
                      • C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe
                        C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        PID:3380
                        • C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe
                          C:\Windows\{D0EE1678-47DB-4127-B95E-B3C0C59ED000}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4744
                          • C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe
                            C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:5008
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D0EE1~1.EXE > nul
                            13⤵
                            PID:2616
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB76~1.EXE > nul
                          12⤵
                          PID:924
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1968~1.EXE > nul
                        11⤵
                        PID:4424
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D42~1.EXE > nul
                      10⤵
                      PID:1912
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EF6DD~1.EXE > nul
                    9⤵
                    PID:396
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{31C8E~1.EXE > nul
                  8⤵
                  PID:3444
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D4AC6~1.EXE > nul
                7⤵
                PID:3116
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{934F6~1.EXE > nul
              6⤵
              PID:4620
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{56309~1.EXE > nul
            5⤵
            PID:2744
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{43AA1~1.EXE > nul
          4⤵
          PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2860B~1.EXE > nul
        3⤵
        PID:1384
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2860B56A-FB95-4d6f-B663-F5D79F1DB9EA}.exe

    Filesize

    344KB

    MD5

    fb3df0518d8a18c1af948f8f89649ca0

    SHA1

    8c60a1fcc96eb0d8fdee6fb91f8c804a8b76ded0

    SHA256

    96da6fa87153eb42d7d69c2e9efd738ebe530b383590a616cfb152c0fde59fa4

    SHA512

    6e4d6a5789aa2422a7c0faceaef7a4dcb9434615defb82a6a44a2a8e795f7b6748bd040dc51a7d76608caf9e14324bd350a8c6767cca105baf77b6f0072def29

  • C:\Windows\{31C8E61A-7B9D-427b-805E-0C4C36EF45E7}.exe

    Filesize

    344KB

    MD5

    67e34111094de90c4494b766d030be72

    SHA1

    923d4593162cde0aeb1adec433f8a2f580f430e0

    SHA256

    6f28c17c97a02d7c56aa42464b462c6a53887d45d5a3ab63a65e34cf4410b812

    SHA512

    820b42c3453d70b2f548c8d30e1c029d4685a31517af8a827bea24c80d9f777524bcc9949475259b63a605e0906667ab635b840e77ac380caa8be04f8b0906e6

  • C:\Windows\{3EB76C3E-F20E-44d6-A520-0AB4630C9D59}.exe

    Filesize

    344KB

    MD5

    0cb814b990523afa7f8dbde2cd3886c1

    SHA1

    f3efdb7851867dfe2095626769e71570f0a28350

    SHA256

    7a8a0b9274639c250da0c79a7cf10c5ea3c1bb2528fd01fa1b708f42e8ae91eb

    SHA512

    6c9964b4c4fb74e3bd525b31b49dd584b23155aa5e8d83c7f5e3f9308d1e88da0dcf230b7818496b44fe426b7388b57f6d70fb4b6479071a847d110128a4e292

  • C:\Windows\{43AA1FCB-A6AC-46b7-BC43-AA7E7BC5DA5A}.exe

    Filesize

    344KB

    MD5

    7ae5641a859503f68e53b8214d59e167

    SHA1

    662035c52b43214a48b18c87ce333086d290ac0b

    SHA256

    8efa056dd48560133ee96e0eba15ad3f3d6e203fce7803eecd3de6e7b83268f2

    SHA512

    368212d6d6b3b680457becce7ee8f6922141192121d99bbb2e7c72dad14f142e164468e1940c1fdfb8840222acfddabf8c418f1fe1dca3b665ddc5c0d6ad876f

  • C:\Windows\{563096DA-A26F-43c1-8D39-1A21628BD1CC}.exe

    Filesize

    344KB

    MD5

    9920f034e1716ac3e57b936e26175dfa

    SHA1

    0d23da044db24e3c457d2f6fb6f3bb3464443f66

    SHA256

    17b592db16327d4060aef985a6b813da0231c6de8b9411fbea3453b5743e481f

    SHA512

    e4cd7d34f8789588dab78be95848b99d5cff971bfb4ad963996b15c89c20f2c3076af5d4b7af56fde95f43bc5cb319396c764f762183f8146f5900617fd0a059

  • C:\Windows\{934F6EE8-5665-43b3-8D74-74B9F40BD2FD}.exe

    Filesize

    344KB

    MD5

    99f31fa3f09e3e43d31abb147cd76c67

    SHA1

    a2b8e2b135fae3c2f3ed3146dfac5524c9ffa7c8

    SHA256

    9af42b747b9557ac1d4080ca540c81357b4620d6d71bebd84c99289ad6526e87

    SHA512

    95edc5c15c07ee088608d9669b18773dad4280d0364e1161b826ee61b760ef05db51152111b63d4f4c35fa2b61679fe9d5dd359b9ed6cba153a1d508a819dba8

  • C:\Windows\{C2D42483-BDF3-40cf-82A9-CBD8D46F8F53}.exe

    Filesize

    344KB

    MD5

    3f8eb29480fde8db52871375b41a16c4

    SHA1

    b55ed6de288b54127bcc41063cb43e85b8d9ccab

    SHA256

    099bf060ecef0b60aab531695820cac264295477f16cdd8ce77fb009ecd2ac0c

    SHA512

    5f1b7a20e63a63ec66cbb344c65015c00702b2a4fd624d65fcb56bdc494bbb0c4ba2b71653a3cba8e691fdb544b0dbeba5808bc74b1bdc33fd500af6ec31f92a

  • C:\Windows\{C5727686-89AE-41a2-994D-5C5DE0A6DF51}.exe

    Filesize

    344KB

    MD5

    4bd3071b52f423e6a01b3ee8803454e2

    SHA1

    14a2a6ba6fe54c2898dc135f9278757ee1c5acb8

    SHA256

    a10edd37e0a5d1d7937953f77745ef3cc8a9e168674c3c84851cd73b2619f30a

    SHA512

    d2824fc47069f289887cac96dfb53b243a3a2ff565b416cb5a4cb9b26b2f91ffcf52a8f69336c78424ce47c005ec15d8d2bbc2d4753f1d4371d3c7986ff02e62

  • C:\Windows\{D4AC64CB-3E15-46e5-BB85-CE6B2FD9DD5A}.exe

    Filesize

    344KB

    MD5

    d11d9d6c3844442a6e6fe8d483a53503

    SHA1

    56d99ebeca3968f679daf2ff9a5e96ec6ed1b0d3

    SHA256

    a43e4c43eb94086c4fb9e1b2d6b0bc87befd1f1f5162fca162b94b9f459ac742

    SHA512

    6f7b62a7a3c202acb4aed9373de979b57b5a99f6bbd8e1e2e3882d2d9669d4709cdb4cbcb7cfd11f1595661f5704a43bf0c9b09a044b467f8a8f17135fee6259

  • C:\Windows\{EF6DDA32-A32C-48f1-B396-F10578B85F88}.exe

    Filesize

    344KB

    MD5

    13036470e6262b0678a48e5aa22db949

    SHA1

    467d366b6f81d161baa862e1f614564b08c13388

    SHA256

    db91de036d9d8282e55d03d658bc34ab92988d8bbc2bfda925be4ebb2f6f83ce

    SHA512

    b3e2df1c5d8cc3c35cf9e881616b53d380d23f11a68a60c3a947a15b834757fd4c52a5d3ad0c1ca1e9886c7ee0dbeb4f5f85fb18ede818dde2643baf5807a1dd

  • C:\Windows\{F1968C11-8F5D-4b34-9BDF-9296CE594F97}.exe

    Filesize

    344KB

    MD5

    da47fd70ddce133256948ad54a162788

    SHA1

    e211ad6c02b9a89fb3df37624c0c53c68e530288

    SHA256

    83ca8cbd823cb92492d448a6b4db5344378593fee45a521cc82585203a452872

    SHA512

    e82257081d50c26236caacd486fa363a8c90a396059db9be9cea7d4af30d1cbb2dcbe1c19f7288ab32de9cd3aff29d5790cde4becfaffaf57d90a93839568bd6

  • memory/3380-39-0x00000000038B0000-0x000000000398B000-memory.dmp

    Filesize

    876KB