Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:51

General

  • Target

    2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe

  • Size

    197KB

  • MD5

    50c172c6f6287f85183ca033525e3bd8

  • SHA1

    e864c4444e97779c074d08522cf8d39d351b9ea0

  • SHA256

    a165df81640d91fa0676d16d7c2e604afa1055dc5ae45dc6907bb79806be5bee

  • SHA512

    73d799742498a9bb2cea7af12c222fe7eaa214a5446e42212f7ede492a83094e25bf7084d2e449d651b1106cbb0dd9971d8843469c8e2440259ab1c649e9f765

  • SSDEEP

    3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGelEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_50c172c6f6287f85183ca033525e3bd8_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe
      C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
        C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
          C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1436
          • C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
            C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1856
            • C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
              C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4724
              • C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
                C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4008
                • C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe
                  C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4964
                  • C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
                    C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4252
                    • C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
                      C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2264
                      • C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
                        C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:664
                        • C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
                          C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3552
                          • C:\Windows\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe
                            C:\Windows\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3004
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A7182~1.EXE > nul
                            13⤵
                            PID:4536
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{779DB~1.EXE > nul
                          12⤵
                          PID:2432
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA861~1.EXE > nul
                        11⤵
                        PID:4276
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA82~1.EXE > nul
                      10⤵
                      PID:3136
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{771A5~1.EXE > nul
                    9⤵
                    PID:2408
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{4FC4B~1.EXE > nul
                  8⤵
                  PID:2424
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{34B0E~1.EXE > nul
                7⤵
                PID:4852
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D3FD3~1.EXE > nul
              6⤵
              PID:2664
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C5078~1.EXE > nul
            5⤵
            PID:3564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F1AF3~1.EXE > nul
          4⤵
          PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F843~1.EXE > nul
        3⤵
        PID:4840
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:2076

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2BA82FB4-8392-4848-A949-93357B0D7EB7}.exe
    Filesize 197KB
  • C:\Windows\{34B0EF9C-25C7-4368-8DF2-6A012490CAB5}.exe
    Filesize 197KB
  • C:\Windows\{4F843788-F64B-44ad-B95B-6C670784A565}.exe
    Filesize 197KB
  • C:\Windows\{4FC4B2F3-C43D-48eb-9332-E6E1384B348C}.exe
    Filesize 197KB
  • C:\Windows\{771A53E0-C418-49bb-B824-D572D968ABDB}.exe
    Filesize 197KB
  • C:\Windows\{779DB1F5-A4F5-477e-B22A-4BBDFD501BA8}.exe
    Filesize 197KB
  • C:\Windows\{A718273E-E3E6-40e0-8A61-8B0BA487DABE}.exe
    Filesize 197KB
  • C:\Windows\{A7F8CAB6-D8AC-4b5f-A101-74386E3F033C}.exe
    Filesize 197KB
  • C:\Windows\{C5078ECA-D536-43c5-80B0-7E0DD231F52C}.exe
    Filesize 197KB
  • C:\Windows\{CA861259-F217-40a7-A2B8-0157213E5EAB}.exe
    Filesize 197KB
  • C:\Windows\{D3FD3DD8-321B-4a8b-816F-E68C5D1E05F8}.exe
    Filesize 197KB
  • C:\Windows\{F1AF340E-DC64-481a-8A99-1BEB784648D1}.exe
    Filesize 197KB