Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:43

General

  • Target

    2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe

  • Size

    380KB

  • MD5

    050b37d7510f8a8ef9f98757c220251b

  • SHA1

    8c9c533b59ff94f0b50103a37bb32804f74b4868

  • SHA256

    a6a9bccdd59afea874a4d7da4f11e95a5b58e652c88b5da4b31d4cf38932eb7f

  • SHA512

    9bd18744772cf7edeb21d0f44711e110724f57194fd556d50365ee233d53e8fd98ca8593072042cea34f166838519e0a9e6972645d231623fd26244699c0bdce

  • SSDEEP

    3072:mEGh0oDlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_050b37d7510f8a8ef9f98757c220251b_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe
      C:\Windows\{AF216A8E-6648-4801-8188-C43F8AE53620}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
        C:\Windows\{4244FDBC-15CB-4241-8D0E-9E776E61580C}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
          C:\Windows\{4B168A32-DAA9-42ce-BA20-A01A5D5257D1}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4396
          • C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
            C:\Windows\{A3029469-3CF9-48ae-AF7A-85929468A5BD}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1808
            • C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
              C:\Windows\{C4EE830B-2C50-44b3-862B-DA04E37C7126}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3664
              • C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
                C:\Windows\{BC7C1863-535E-4e86-AA06-A3EAF27B7562}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4696
                • C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
                  C:\Windows\{042651AD-36D6-4fd5-8F1F-B34B992131E0}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4616
                  • C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe
                    C:\Windows\{900951C4-A370-4c61-A8C8-75CD5528D398}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3732
                    • C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
                      C:\Windows\{B660DD36-227F-4aa2-BEC7-833B5269AEFF}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4952
                      • C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
                        C:\Windows\{8DE3ACA3-82C6-4a82-B779-20640363C2F9}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2844
                        • C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe
                          C:\Windows\{B7F41826-941E-47c7-A1D2-705271882C58}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2436
                          • C:\Windows\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}.exe
                            C:\Windows\{C7787983-2EEE-4e24-BCBC-14D4D35958AF}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4900
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F41~1.EXE > nul
                            13⤵
                              PID:2356
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8DE3A~1.EXE > nul
                            12⤵
                              PID:2128
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B660D~1.EXE > nul
                            11⤵
                              PID:4316
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{90095~1.EXE > nul
                            10⤵
                              PID:4464
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{04265~1.EXE > nul
                            9⤵
                              PID:3616
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7C1~1.EXE > nul
                            8⤵
                              PID:4048
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C4EE8~1.EXE > nul
                            7⤵
                              PID:5032
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A3029~1.EXE > nul
                            6⤵
                              PID:3476
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4B168~1.EXE > nul
                            5⤵
                              PID:3124
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4244F~1.EXE > nul
                            4⤵
                              PID:1528
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{AF216~1.EXE > nul
                            3⤵
                              PID:1912
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:3020

Network

MITRE ATT&CK Enterprise v15

Downloads