Analysis

  • max time kernel
    149s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:46

General

  • Target

    2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe

  • Size

    344KB

  • MD5

    24eadd4d609b1d0fc674c021cf1144f9

  • SHA1

    82d210e775bab311ee3214f13bd6a18dbcd46ef1

  • SHA256

    16c8741c332d24feb1e8bcdd9d90a7ce4c0d6b168a091e716dabaa1fc6ae8175

  • SHA512

    785456e14279dcf1192070dbfb4e06fe7904377e501a314e42987a3766991a4ea9d3b91a9dfc2f6a5b2105654eed3c6ef12a2159caeb5578e705f1260bf71bba

  • SSDEEP

    3072:mEGh0ojlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGtlqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (12 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe
      C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe
        C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe
          C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1568
          • C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe
            C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3476
            • C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe
              C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3368
              • C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe
                C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2352
                • C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe
                  C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4320
                  • C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe
                    C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2468
                    • C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe
                      C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4464
                      • C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe
                        C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3420
                        • C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe
                          C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2320
                          • C:\Windows\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe
                            C:\Windows\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4804
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{56808~1.EXE > nul
                            13⤵
                            PID:1608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DB3AB~1.EXE > nul
                          12⤵
                          PID:4644
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{481C7~1.EXE > nul
                        11⤵
                        PID:4412
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1BCCA~1.EXE > nul
                      10⤵
                      PID:4212
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B4F22~1.EXE > nul
                    9⤵
                    PID:432
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{4DF9E~1.EXE > nul
                  8⤵
                  PID:3408
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B06BD~1.EXE > nul
                7⤵
                PID:2772
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8BAE1~1.EXE > nul
              6⤵
              PID:1680
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E8E14~1.EXE > nul
            5⤵
            PID:456
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{53C0F~1.EXE > nul
          4⤵
          PID:4404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46848~1.EXE > nul
        3⤵
        PID:5088
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4264
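The process tree above shows two behaviours a detection engineer can key on: each stage is a 344KB executable written to C:\Windows under a fresh GUID name, which launches the next stage, and each stage spawns `cmd.exe /c del <8.3 short name> > nul` against its own image (`{56808~1.EXE` is the 8.3 alias of `{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe`). The cmd.exe image path is SysWOW64 while the command line says system32 because the sample is 32-bit (tag arch:x86) and WoW64 file-system redirection rewrites the path. The following is an added example, not part of the sandbox output: it runs both checks over process-creation records constructed from the first stages of this tree. The record shape (pid, ppid, image, cmdline) is an assumption for the example rather than a Sysmon or sandbox schema, and the sample's parent PID 1234, the notepad.exe process and the harmless `del` are made up as negative cases.

```python
"""Detection logic for the dropper chain in the process tree above.

Added example, not part of the sandbox report. Record shape is an assumption
for this example, not a Sysmon or sandbox schema.
"""
import re
from dataclasses import dataclass

# Drop location and naming scheme seen in the report: C:\Windows\{GUID}.exe
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$"
)
# "cmd.exe /c del <target> > nul". Matched on the command line, not the image:
# a 32-bit process asking for system32\cmd.exe is redirected to SysWOW64 by WoW64.
DEL_CMD = re.compile(
    r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process's executable
    cmdline: str    # command line as logged


def is_short_name_of(short_path: str, long_path: str) -> bool:
    """True if short_path is the 8.3 alias NTFS would give long_path.

    Models the common rule only: first six characters of the long name's stem,
    '~', a collision counter, and the up-to-three-character extension, compared
    case-insensitively. Hash-based aliases (e.g. AB12CD~1) are not modelled, so
    a non-match is not proof that the two names differ.
    """
    short = short_path.rsplit("\\", 1)[-1].upper()
    long = long_path.rsplit("\\", 1)[-1].upper()
    m = re.fullmatch(r"(?P<stem>[^~]{1,6})~\d+(?P<ext>\.[^.]{1,3})?", short)
    if m is None:                       # not a tilde name: require an exact match
        return short == long
    long_stem, sep, long_ext = long.rpartition(".")
    if not sep:                         # long name without an extension
        long_stem, long_ext = long, ""
    short_ext = (m.group("ext") or ".")[1:]
    return long_stem.startswith(m.group("stem")) and long_ext == short_ext


def dropper_stages(events):
    """GUID-named executables under C:\\Windows with their position in the chain.

    Stage n has n-1 GUID-named ancestors; walking the parents flags the
    self-replicating pattern rather than one odd filename. Returns sorted
    (stage, pid, image) tuples.
    """
    by_pid = {e.pid: e for e in events}
    stages = []
    for e in events:
        if not GUID_EXE.match(e.image):
            continue
        n, seen, p = 0, {e.pid}, by_pid.get(e.ppid)
        while p is not None and p.pid not in seen:   # guard against PID-reuse loops
            seen.add(p.pid)
            n += bool(GUID_EXE.match(p.image))
            p = by_pid.get(p.ppid)
        stages.append((n + 1, e.pid, e.image))
    return sorted(stages)


def self_deletions(events):
    """Pair each 'cmd.exe /c del <8.3 name> > nul' with the parent whose own
    image it deletes. Returns (cmd_pid, parent_pid, parent_image) tuples."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = DEL_CMD.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and is_short_name_of(m.group("target"), parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


# Constructed from the first stages of the report's tree. The sample's parent
# PID 1234, the notepad.exe process and the harmless del are made up.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-13_24eadd4d609b1d0fc674c021cf1144f9_goldeneye.exe"
S1 = r"C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe"
S2 = r"C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe"
S3 = r"C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(2960, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2832, 2960, S1, S1),
    ProcEvent(4264, 2960, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(2316, 2832, S2, S2),
    ProcEvent(5088, 2832, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{46848~1.EXE > nul"),
    ProcEvent(1568, 2316, S3, S3),
    ProcEvent(4404, 2316, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{53C0F~1.EXE > nul"),
    ProcEvent(7001, 1234, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(7002, 7001, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\NOTES~1.TXT > nul"),
]

if __name__ == "__main__":
    for stage, pid, image in dropper_stages(SAMPLE_EVENTS):
        print(f"stage {stage:2d}  pid {pid:<5d} {image}")
    for cmd_pid, parent_pid, image in self_deletions(SAMPLE_EVENTS):
        print(f"pid {cmd_pid} deletes the image of its parent {parent_pid}: {image}")
```

Against the constructed records the chain check reports three stages and the self-deletion check pairs each `del` with the parent it removes, while the notepad.exe-spawned `del` of an unrelated file is ignored. Pairing on the parent's image rather than on `cmd /c del` alone is what keeps the rule quiet on installers and updaters that legitimately clean up temporary files.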

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Windows\{1BCCAD1C-7D6E-482d-802A-F4376215EF34}.exe

                            Filesize

                            344KB

                            MD5

                            89bc1fdc570ddd668954fdac05fae0c7

                            SHA1

                            bdfcb5fc2071b8be252bf70ea4286abdaf26f367

                            SHA256

                            4c64e535c7ec1778db20433f798209525368c5f7d7c870b687a3bff27cfe7430

                            SHA512

                            f72aca269bfe99cd51177da17fb5c34592c041f2ac820fd2106ee2cbc06bfc93e59a2f1cd2e2f48881f4a862f1b6536a85538eed71698e8b45a74ff1fd937d8d

                          • C:\Windows\{46848500-0E00-4449-BDF7-A66C703A28F0}.exe

                            Filesize

                            344KB

                            MD5

                            6330e82b17dba974b7da345b07b8eb9d

                            SHA1

                            90bff3b8cb6b75426d9587133af92e7350337016

                            SHA256

                            6bcaa6a1a93d769946638dee71a51c791d9e5095dba52a708bb8360bca50a9ae

                            SHA512

                            6b03eddf2a5f1f73ddda8699253af825fe9478cbc34938a53f9f64e14f19385834bbfc0846759c38ac7e4b39f06f5499b0466f184adec9c21623fab57e73a783

                          • C:\Windows\{481C70F3-8DBC-4a4d-B218-8944C058DEBA}.exe

                            Filesize

                            344KB

                            MD5

                            d3696475b1bea8af8ae23b281a9fba38

                            SHA1

                            cec6c6f87f1a011c6e6ed882b8fa62d9af9eb376

                            SHA256

                            598503bd08ee9a709f6d7d338b8947f5cc70a1620d7bd61f1ddb20f00387ca5a

                            SHA512

                            715dd4d7aca7161f70c71b421625e4d8533e2b25c6ac831714a010c2f0397d91fe452ebcbcc8c6183e4157219fe7eb5a353e708a3e83bf16e23be1ca21a9bea3

                          • C:\Windows\{4DF9EDDB-FD46-40fb-BD7B-E6ACD0384476}.exe

                            Filesize

                            344KB

                            MD5

                            8c410f82059069f48c5d8412f3d1ff6b

                            SHA1

                            5311c7a63b716e7ec7dadab5c70553aae69f4889

                            SHA256

                            639f06c6cc5d3f8cc5774fa515f54f52a1e1ee682f916d587ea265dff234e8dd

                            SHA512

                            b221455b9165ee45c41d89c09dc0ad68f2eda8839ec48caf710d41c566806e7474f738d83f0d9d431a916564adec80d2d211704d719b668c9ffcf30764bf15ca

                          • C:\Windows\{53C0F6B1-090F-43e3-99EE-48F6A2704EF9}.exe

                            Filesize

                            344KB

                            MD5

                            b18394bf6b68e3bc4951dc885d9389e4

                            SHA1

                            566132d2844982f4f45ddfcbe25a364cddc4e2e1

                            SHA256

                            3cae102e44729c752ae612a837abe95d703df08cf82e32f3860f01d6d6f4d3a1

                            SHA512

                            139fc49e0bef6aefeb2077d3855703f0d93016494643831f79668081ca79dfbbdf1c99f8bf0d3906ec4f088f6a6e1b705019ea87b914ecb1ac6519638e04ae21

                          • C:\Windows\{56808A0A-68F6-47b8-9246-2767CF8C15F7}.exe

                            Filesize

                            344KB

                            MD5

                            fe0744636adf1b2d83ca574cff49393d

                            SHA1

                            2ee8880c3e08124e15c5eaaacc825153c4d74041

                            SHA256

                            4427e477161a3a56cc340733ddca46c2c96a2610d722fbf38b73fc52090c8ff3

                            SHA512

                            223fa35598639c4a16287a66e8730cd32fca82bdd5dcbec751aba66ced86470713ac3d2c202db9a816551c025893dad74810c9bf48a91443752b5795b52cbecd

                          • C:\Windows\{7DE2271D-99BA-41a5-8CA8-522714A8D969}.exe

                            Filesize

                            344KB

                            MD5

                            c1a96e40801bcc856fe401ff5a3edfa3

                            SHA1

                            b5b952378ecef2cc0e5c57bea030c96584cadbf3

                            SHA256

                            167af03c569b595cc015a2af6d5efd1cdc37573520b9aaade1aa1ba60b86a191

                            SHA512

                            d3d79d7d670f5fcd28a40f6ebceef270faa38c8e824eb91060800186a00be1d18868ca944897fc575a82c7ab03c9751c78e6aaf548ff33f7c838a8ab6d5c84f1

                          • C:\Windows\{8BAE1876-E743-415f-8237-B09D7EDACB1F}.exe

                            Filesize

                            344KB

                            MD5

                            52818b3ec6105da335c74ed4583ef945

                            SHA1

                            2899a4610b90acf422bc6c563fb307ecd650c3cb

                            SHA256

                            113143a3bf4f2cab5c14210ffc823c5a6b65ea668f7e1a0670be2bcc71165579

                            SHA512

                            42433027b6684ed811006451259673197d5369b5639cd66b905f146da2455681d7c1641e19e82a651e5f70bbd30ca13658d1c24844a260ed08ae7f038e2bd022

                          • C:\Windows\{B06BD1F7-41BB-492e-9606-6C40580821F6}.exe

                            Filesize

                            344KB

                            MD5

                            d1561b08d909bc5a8ae5ca232e2a390d

                            SHA1

                            9b3458caaa276aa77e45a9ce138cf9e72e9b239d

                            SHA256

                            7e6f111c6afedfe9cf2d562e01d4afa3c60ca2eb1093b462a3f5a06517305abf

                            SHA512

                            7a1ea5e424809bb9925755e2392bfc09a18dc22bac2848e9df1c71932ff129f9cff6f1f4c70c5fd108490ad6330d1c4327306163757d6b4494e72d0474cc4d9c

                          • C:\Windows\{B4F22BC1-8921-4322-A9BD-D9731D705996}.exe

                            Filesize

                            344KB

                            MD5

                            2ab91ea56329d55276ddbdc2dddae5f2

                            SHA1

                            9029a23e6c049bccc224c9fd9d833872ae086f0a

                            SHA256

                            0d3b0626e425fefb3b792d65f5b6325640ed3ee3a7338035b3834eba87b7d45e

                            SHA512

                            37906f3e5a72ba3b3cb74b80a8512b052624c1fb650b219dfbd3023a6d4147b1178e9fccf050047ce20d62f53a7d89dff06a16151ca488cd33017dfcbd3d29ee

                          • C:\Windows\{DB3AB642-9FAA-47e7-A9D0-C6275B62F9C5}.exe

                            Filesize

                            344KB

                            MD5

                            0851e42f69a0cdd92b311181b1e83f86

                            SHA1

                            eda6f27da237e41114ccdf41889402b7c24425be

                            SHA256

                            6e08abca14bcdd3e6de675159b6494c03252d32de1ca354863caabdfeb7680d5

                            SHA512

                            7524aee80b418f8f50782c1086dbe96ace304e6f8d0b7d6ec0a6a4da9b8ea49af8a6169b67a540eba9f8e0298e878610d4f1b2d716e00b087501a80668d69a50

                          • C:\Windows\{E8E1456F-6660-496f-9657-416278A0ABCB}.exe

                            Filesize

                            344KB

                            MD5

                            5d8a60b5e2d25aae3ab95d664964346a

                            SHA1

                            730733ae14d90d6c0501f2ce9827680396ce2b27

                            SHA256

                            73bc6a740c5c5ae48e18ce6c7b3d7a04017ec1b3c6e4e7635729fd15c0120632

                            SHA512

                            1663d34d89a8fad5aaea48869a93c2ae0e922c4627b1c313f6300df488cf9c6fc9e1a2a604dad06a257035fea482b649fa4c5aad0d2d9f7828660f60a2b40ca3