Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:43

General

  • Target

    2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe

  • Size

    344KB

  • MD5

    0274ff2311ae5e9f0eae93830e95841a

  • SHA1

    634acfa3b32020c9204fc0d8f9e292d0b9457151

  • SHA256

    ce8aef93e0582a35fb4c5a47cec3059b965dc8e08cf64c24a4e7144428ef7def

  • SHA512

    461bb60697f398ccbfc28003be77ea1332ba9ef1e60418a517016d51280ddf1ea399989dcff73c869dc8bafff4cfd60cab34f79cbbee9879f41fb2e3e5122299

  • SSDEEP

    3072:mEGh0oAlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGmlqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
      C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
        C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4728
        • C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe
          C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:684
          • C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
            C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
              C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2248
              • C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
                C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2320
                • C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
                  C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4108
                  • C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
                    C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1760
                    • C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
                      C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4044
                      • C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
                        C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4316
                        • C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe
                          C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1500
                          • C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe
                            C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3720
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{61838~1.EXE > nul
                            13⤵
                            PID:532
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F1560~1.EXE > nul
                          12⤵
                          PID:4020
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3728D~1.EXE > nul
                        11⤵
                        PID:2244
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{498E3~1.EXE > nul
                      10⤵
                      PID:400
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D6F69~1.EXE > nul
                    9⤵
                    PID:4716
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{39624~1.EXE > nul
                  8⤵
                  PID:4492
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{18C0E~1.EXE > nul
                7⤵
                PID:3576
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D642A~1.EXE > nul
              6⤵
              PID:3780
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD69~1.EXE > nul
            5⤵
            PID:624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{52677~1.EXE > nul
          4⤵
          PID:512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BA8~1.EXE > nul
        3⤵
        PID:4644
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4996
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:8
    1⤵
    PID:4176
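The process tree above has a fixed shape: every stage drops a 344KB executable with a GUID name directly under C:\Windows, executes it, and spawns cmd.exe /c del against its own image using the 8.3 short name (for example {61838~1.EXE for {61838062-CC67-45fc-84D2-1481564F0F90}.exe). The cmd.exe image resolves to SysWOW64 even though the command line says system32, which is the WOW64 file-system redirection a 32-bit process gets on this x64 image (the resource tags list both arch:x86 and arch:x64). Each of the twelve drops in the Downloads section below has a different hash at the same size, so per-file hash IOCs only describe this one run; the chain shape is the durable indicator. The following Python is an added example, not part of the sandbox report or its tooling: it rebuilds process-creation records from the PIDs and command lines in the tree (constructed for the example, not an event export; the root's parent PID is unknown and set to 0), then flags the GUID-drop chain and the self-deletion. The 8.3 matching rule is a heuristic assumption of the example, since the ~N suffix is assigned by the filesystem.

```python
import ntpath
import re

# Constructed process-creation records modelled on the process tree in this
# report (pid, ppid, image, command line). They illustrate the tree; they are
# not an event export from the sandbox. The root's ppid is unknown (0 here).
ORIG_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-06-13_0274ff2311ae5e9f0eae93830e95841a_goldeneye.exe")
GUID_DROPS = [  # (pid, ppid, dropped GUID-named executable) in report order
    (1800, 1784, "{C8BA8725-2998-4907-B91A-9F6518F0CEA2}"),
    (4728, 1800, "{52677632-ED47-4064-A25E-FA54B0B2B3C8}"),
    (684, 4728, "{5DD69A26-F94F-4630-A452-954FC69F7212}"),
    (2652, 684, "{D642A007-FD9A-449c-B528-A53A097A7BCF}"),
    (2248, 2652, "{18C0E007-6DFF-42ac-B040-B62DC26901B8}"),
    (2320, 2248, "{39624838-6A19-430d-A8E8-0532DF60B7FE}"),
    (4108, 2320, "{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}"),
    (1760, 4108, "{498E330C-5C31-4b57-970A-FB5D78B142E5}"),
    (4044, 1760, "{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}"),
    (4316, 4044, "{F1560311-87D3-4cf0-93D7-E8265B722BA7}"),
    (1500, 4316, "{61838062-CC67-45fc-84D2-1481564F0F90}"),
    (3720, 1500, "{6DB006AE-933F-4359-8C3F-F4F29C04721E}"),
]
SELF_DELETES = [  # (cmd.exe pid, parent pid, 8.3 target) as shown in the report
    (532, 1500, r"C:\Windows\{61838~1.EXE"),
    (4020, 4316, r"C:\Windows\{F1560~1.EXE"),
    (2244, 4044, r"C:\Windows\{3728D~1.EXE"),
    (400, 1760, r"C:\Windows\{498E3~1.EXE"),
    (4716, 4108, r"C:\Windows\{D6F69~1.EXE"),
    (4492, 2320, r"C:\Windows\{39624~1.EXE"),
    (3576, 2248, r"C:\Windows\{18C0E~1.EXE"),
    (3780, 2652, r"C:\Windows\{D642A~1.EXE"),
    (624, 684, r"C:\Windows\{5DD69~1.EXE"),
    (512, 4728, r"C:\Windows\{52677~1.EXE"),
    (4644, 1800, r"C:\Windows\{C8BA8~1.EXE"),
    (4996, 1784, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"  # 32-bit sample: system32 is redirected

def build_events():
    """Return the constructed event list as dicts (pid, ppid, image, cmdline)."""
    events = [{"pid": 1784, "ppid": 0, "image": ORIG_IMAGE,
               "cmdline": '"' + ORIG_IMAGE + '"'}]
    for pid, ppid, stem in GUID_DROPS:
        image = "C:\\Windows\\" + stem + ".exe"
        events.append({"pid": pid, "ppid": ppid, "image": image, "cmdline": image})
    for pid, ppid, target in SELF_DELETES:
        events.append({"pid": pid, "ppid": ppid, "image": CMD_IMAGE,
                       "cmdline": "C:\\Windows\\system32\\cmd.exe /c del " + target + " > nul"})
    return events

# {8-4-4-4-12 hex}.exe placed directly under C:\Windows, any letter case
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# "cmd.exe /c del <target>": capture the target path
DEL_CMD_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)", re.I)

def short_name_matches(long_path, short_path):
    """Heuristic 8.3 alias check (an assumption of this example): Windows builds
    the short name from the first six characters of the long stem, a ~N suffix
    chosen by the filesystem, and up to three characters of the last extension.
    Directory, six-character prefix and extension are compared; N is accepted
    as any number because it cannot be predicted from the long name alone."""
    if ntpath.dirname(long_path).lower() != ntpath.dirname(short_path).lower():
        return False
    lstem, lext = ntpath.splitext(ntpath.basename(long_path))
    sstem, sext = ntpath.splitext(ntpath.basename(short_path))
    m = re.fullmatch(r"(.{1,6})~\d+", sstem)
    if not m:
        return False
    return lstem[:6].upper() == m.group(1).upper() and lext[:4].upper() == sext.upper()

def lineage(by_pid, pid):
    """Walk ppid links upward and return the pids from the known root down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def analyze(events):
    r"""Flag the two behaviours the tree shows: GUID-named executables under
    C:\Windows that each launch the next, and cmd.exe /c del aimed at the
    parent process's own image through its 8.3 short name."""
    by_pid = {e["pid"]: e for e in events}
    guid_drops = [e["pid"] for e in events if GUID_EXE_RE.match(e["image"])]
    self_deletes = []
    for e in events:
        m = DEL_CMD_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and short_name_matches(parent["image"], m.group(1)):
            self_deletes.append((e["pid"], parent["pid"]))
    longest = max((lineage(by_pid, p) for p in guid_drops), key=len, default=[])
    return {"guid_drops": guid_drops, "self_deletes": self_deletes, "chain": longest,
            "suspicious": len(guid_drops) >= 2 and len(self_deletes) >= 2}

if __name__ == "__main__":
    r = analyze(build_events())
    print(len(r["guid_drops"]), "GUID drops;", len(r["self_deletes"]), "self-deletes;",
          "chain depth", len(r["chain"]), "; suspicious =", r["suspicious"])
```

Run against the constructed records this reports 12 GUID drops, 12 self-deletes and a 13-process chain from PID 1784 to PID 3720, matching the "Executes dropped EXE 12 IoCs" signature count; the last drop (PID 3720) has no cmd.exe child in the report, which is why the self-delete count equals the drop count rather than one more. The self-delete check keys on the parent's image rather than on "cmd /c del" alone, so an ordinary program deleting a temp file does not trip it.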

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{18C0E007-6DFF-42ac-B040-B62DC26901B8}.exe
    Filesize 344KB
    MD5 3023096b3fe9dde77aa7d9cda9e7669e
    SHA1 90d6ea6390f60d89abe56a43b6db672f88fadc97
    SHA256 7a2840b653d54a74b1111d88445d8f901e755d58603251381d3b8337fd2b4956
    SHA512 fe086ca31b0d35e017e4f399105f140c53c7ef16483c6802e851b6438ca45aa012cc403a3b69998c2566c9eb944f695961ed3df5d49c51dfdea9bfff490f3905

  • C:\Windows\{3728DFA5-76E3-4f95-8CFC-99E647B8EF9A}.exe
    Filesize 344KB
    MD5 9c2aa551ed1e247fa0d43b124bbdf055
    SHA1 d3a010baee2cfb38dd34cb8f298fb4b53bb76e48
    SHA256 0022acc25e0f4bcacb62005377db4d0d0ea18bc561133599a50b9f72d2ce1f93
    SHA512 07948a5910302abe89508e13d3b62d94cb0779e9bf503370c97e3638c2ce581c83105ab9be94d6e00aa66c7572adfe55009768c3057250f87bf467e0f23ef1fb

  • C:\Windows\{39624838-6A19-430d-A8E8-0532DF60B7FE}.exe
    Filesize 344KB
    MD5 881f4f0d763622fd4b5700e5b4f22c8c
    SHA1 b0ffc995913277dfe5419eecb643d61a8828baab
    SHA256 c80b23b059368ec59c5e503a22ff538ad7bfb9fd33c70552768c4828b4cb4be4
    SHA512 bb667fa6051c0ceca483616482471021e823bc954ae88246e5db043600ce842a8e1a67ec441c4ff6352c4a9bf4e31bffbd9d8701d770143ba21c60de76b182ea

  • C:\Windows\{498E330C-5C31-4b57-970A-FB5D78B142E5}.exe
    Filesize 344KB
    MD5 7dcc0395ef3b72e02447ddec77b8ae9d
    SHA1 a20cbc7c65cace112d2c4357920007cfdffd642c
    SHA256 aeb42dfb444e91bf187f1ab8469d1d2e8bfa1202d76bd4e2a149c41cad0301db
    SHA512 bac4e14b87b69b7459fe219ceac483695006cb8d033d6d1edbdfe88e4cc0375ed7c960d2fe6f1df25c0ca7201b44efa827f5336a023303a51b28f46fa8839dbc

  • C:\Windows\{52677632-ED47-4064-A25E-FA54B0B2B3C8}.exe
    Filesize 344KB
    MD5 e2e51107d906657fbda7e7e72fadfe44
    SHA1 6b902aff13bedfa071698eee7da18971cfffec4e
    SHA256 496d5c6d4980acb0fe1ad9b4b8f69d78474b9b52d6a79c6b92575dfbc00fd796
    SHA512 93ea8a18413b6868d92b8ab5f099fa232726aa2ee04d724ce009a1b033a82bdb7afc8bfd5cf0dbf71390ccf9063d18e6419533229180393450a9343baad13b22

  • C:\Windows\{5DD69A26-F94F-4630-A452-954FC69F7212}.exe
    Filesize 344KB
    MD5 ee8d7961de30ce5658b6e18c4679f262
    SHA1 579f35cf59a53fe1b96d2464dc223c556f75fe93
    SHA256 06c69179112f43b5ae70c024d4eace70876f9f6b451adaa2d6615f837ab9660b
    SHA512 1e929621356a7a135b371435d3746434870b3b4d2b8919b5ed7ad1b6956374769e3477ca5680aad9a5d2a90b09651d7d68b3b4e4e2bd00f56f802be22d7040a6

  • C:\Windows\{61838062-CC67-45fc-84D2-1481564F0F90}.exe
    Filesize 344KB
    MD5 58cd0a45b21b2d06f0b8d285a2ec31c3
    SHA1 004c4d73e3ab08a2f8b93d256bb41e9a0a63fd54
    SHA256 0bcd47aa2c3afddaf8f66c99411eef958f00bb450e3865000c5c3011e4d4a920
    SHA512 851b7d1381fdec8b14c25ed5c138e86147ff5d512d28de55661311ad2e7dccb3b82fb24d61d427b536f220c60c6ea5cfa1c33e23c5a73305bc948c4fbea9ce61

  • C:\Windows\{6DB006AE-933F-4359-8C3F-F4F29C04721E}.exe
    Filesize 344KB
    MD5 8e3ce6da73c7ad2b679e067e9afe026b
    SHA1 66553748a905d13e5a00e28947541686e628435a
    SHA256 92e179326c4c0e6701fb7275a4e305fe98e600009529c4bc534c8460a2be50a7
    SHA512 f05116ddadf78587d84b0466c1b4485cda324bc235cd42ca37da0518765f909bb4ba24a1496e3e078338ed7cea4a49fd6904189c4fb4c3441f6cd77b6baf626c

  • C:\Windows\{C8BA8725-2998-4907-B91A-9F6518F0CEA2}.exe
    Filesize 344KB
    MD5 b8aa223fa794b14065d91fd978dee421
    SHA1 757e0f9e33323e950d788d52b60dc038744cd839
    SHA256 d8da933dd2a7c7db766eb6dce95ac93a29ce581ed8d6eaf968a6533dcd25a00b
    SHA512 dbed7ae9782d2ab059e232c14442bf20c03c2d4af40ae9a66f0518035b75bf3dc459ccfe54e0bf2299716e7fcf9460def958809b496b133fe536081f06590b42

  • C:\Windows\{D642A007-FD9A-449c-B528-A53A097A7BCF}.exe
    Filesize 344KB
    MD5 9f2c944a8e2a50c8d94a549f536d292d
    SHA1 9df011f7940c9cac9fd1921c3d67e2d357302dae
    SHA256 a62bfb06332e0e4b21d0d2ad6d3423b3462e5d181926a26f478f4d3b95581fcc
    SHA512 9570bfc08eb41a5e9251672a26fbd145b025fb54b640fdad49843d9dbfec072b76e8cd8d4bb4a3041c490bd5e7823438b9cf8ebbd42967ea6afd2689eaecafa4

  • C:\Windows\{D6F69D1D-596C-4bd0-9FA6-98D727359ADF}.exe
    Filesize 344KB
    MD5 2d4668b0602e0ffcf5f95bd13f0c8028
    SHA1 ed2e461afe1a0faa19bc0119b5242ad352ac2776
    SHA256 9f34256356399cdc571abce50bd8517adde5937a5dd7101ab09a6106f9129b80
    SHA512 333a109aeade2918553673ce40f95a94bb0f73581d56c5330d1d7b5dd3fb38aee43830a01b62e59a03fa9f72db21711fbd956e7dcef78b7c983d49ce4e4c55b8

  • C:\Windows\{F1560311-87D3-4cf0-93D7-E8265B722BA7}.exe
    Filesize 344KB
    MD5 4a400717ae300b7c1f5e1526e2e117a3
    SHA1 26fb48a7ca969526a7f297a4478b771bfbd42a55
    SHA256 e88f6d07475cab9ce1d000a19459afef520e6f392e7d301becf48dcffb8b98d0
    SHA512 524bf5562f279cdd90bd3ded6d5959df9f2c6869972263def43389f0bca067b2302639c468ee5ca37af9c71e727fff530088bbfe99bf8b29a4ea961d56ad6022