Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:51

General

  • Target

    2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe

  • Size

    380KB

  • MD5

    639e527998e0506714a7a8d6506c11da

  • SHA1

    a776bb9887b916beb52ee968de4d82b1dd300acf

  • SHA256

    b56cff8022659e2c0d5276ca259b67efe56c4e36c126c83ab95a739d30f62bde

  • SHA512

    aada1a38ed5946e066fe98ac664c9e4f73e9a1a9dee4eb70075e729d667fa1db13b0451f31559103746e98457789a31e12ab686f0756321945bf541509823296

  • SSDEEP

    3072:mEGh0oqlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGYl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4884
    • C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
      C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
        C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
          C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
            C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3596
            • C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe
              C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1544
              • C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
                C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1880
                • C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
                  C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4424
                  • C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
                    C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2124
                    • C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
                      C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4332
                      • C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
                        C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5028
                        • C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
                          C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1212
                          • C:\Windows\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe
                            C:\Windows\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2220
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{00A1D~1.EXE > nul
                            13⤵
                            PID:2088
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{64BD1~1.EXE > nul
                          12⤵
                          PID:4820
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A9DC~1.EXE > nul
                        11⤵
                        PID:984
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{DFE61~1.EXE > nul
                      10⤵
                      PID:4440
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{3AE9F~1.EXE > nul
                    9⤵
                    PID:3524
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E0FD9~1.EXE > nul
                  8⤵
                  PID:4284
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A0682~1.EXE > nul
                7⤵
                PID:3672
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C6140~1.EXE > nul
              6⤵
              PID:3544
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F4D80~1.EXE > nul
            5⤵
            PID:2984
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBB1~1.EXE > nul
          4⤵
          PID:1380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{231B9~1.EXE > nul
        3⤵
        PID:3224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:2720
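The process tree above shows one behaviour worth turning into a hunt: every stage is a 380KB executable written directly to C:\Windows under a {GUID}.exe name, each stage starts the next one, and each then erases itself with `cmd.exe /c del <own 8.3 short name> > nul` (`{00A1D~1.EXE` is the DOS short name of `{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe`). Two details matter for a rule: the image path is C:\Windows\SysWOW64\cmd.exe while the command line names system32, which is WoW64 file-system redirection for a 32-bit parent (consistent with the arch:x86 tag), so match on the command line rather than the image path; and the delete target is the short name, so compare it against the parent's long name rather than looking for an exact string. The Python below is an added example, not part of the sandbox report or of the sample. It runs over process-creation events constructed from the tree (PIDs and paths as listed there); the explorer.exe parent, its PID 1000, and the two benign events at the end are assumptions added for contrast and do not appear in the report.

```python
"""Flag the self-deleting GUID-exe chain from the process tree above.

Added example, not part of the sandbox report. Input: process-creation
events as dicts with pid, ppid, image and cmdline (Sysmon Event ID 1 and
EDR process-create events carry the same fields).
"""
import re
from collections import defaultdict

# A PE dropped directly into the Windows directory under a {GUID}.exe name.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I
)
# "cmd.exe /c del <path> > nul". Matched on the command line, not the image:
# for a 32-bit parent the image is SysWOW64\cmd.exe (WoW64 redirection) even
# though the command line says system32.
DEL_CMD = re.compile(r"\bcmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)
# 8.3 short name: up to 6 leading characters, "~<n>", optional 3-char extension.
SHORT_83 = re.compile(r"^(?P<stem>[^~\\]{1,6})~\d+(?:\.(?P<ext>[^.\\]{0,3}))?$")


def is_short_name_of(short_path: str, long_path: str) -> bool:
    """Heuristic 8.3 match: same directory, short stem is a prefix of the long
    name (spaces and dots removed), short extension is a prefix of the long one.
    Windows switches to hash-based stems after repeated collisions in a
    directory; that case is not modelled here."""
    s_dir, _, s_base = short_path.rpartition("\\")
    l_dir, _, l_base = long_path.rpartition("\\")
    if s_dir.lower() != l_dir.lower():
        return False
    m = SHORT_83.match(s_base)
    if not m:
        return False
    if "." in l_base:
        l_stem, _, l_ext = l_base.rpartition(".")
    else:
        l_stem, l_ext = l_base, ""
    l_stem = l_stem.replace(" ", "").replace(".", "").lower()
    return l_stem.startswith(m.group("stem").lower()) and \
        l_ext.lower().startswith((m.group("ext") or "").lower())


def analyze(events):
    """Return GUID-exe chains rooted at non-GUID processes, plus every process
    whose child deleted that process's own image via cmd /c del."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    self_deletes = []  # (parent pid, parent image) pairs
    for e in events:
        m = DEL_CMD.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and is_short_name_of(m.group("target"), parent["image"]):
            self_deletes.append((parent["pid"], parent["image"]))
    deleted_images = {img for _, img in self_deletes}

    def longest_chain(e):
        best = []
        for c in children[e["pid"]]:
            if GUID_EXE.match(c["image"]):
                cand = [c["image"]] + longest_chain(c)
                if len(cand) > len(best):
                    best = cand
        return best

    chains = []
    for e in events:
        if GUID_EXE.match(e["image"]):
            continue  # report from the non-GUID root only, not from every link
        stages = longest_chain(e)
        if stages:
            members = [e["image"], *stages]
            chains.append({
                "root": e["image"],
                "stages": stages,
                "self_deleting": sum(img in deleted_images for img in members),
                # two or more dropped stages that each erase themselves
                "alert": len(stages) >= 2
                and sum(img in deleted_images for img in stages) >= 2,
            })
    return {"chains": chains, "self_deletes": self_deletes}


# Constructed from the report's process tree (PIDs and paths as shown there).
# The explorer.exe parent, its PID 1000, and the two benign events are
# assumptions added for contrast; the report does not list them.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-06-13_639e527998e0506714a7a8d6506c11da_goldeneye.exe"
STAGE1 = r"C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe"
STAGE2 = r"C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4884, "ppid": 1000, "image": ROOT, "cmdline": f'"{ROOT}"'},
    {"pid": 3244, "ppid": 4884, "image": STAGE1, "cmdline": STAGE1},
    {"pid": 2288, "ppid": 3244, "image": STAGE2, "cmdline": STAGE2},
    {"pid": 2720, "ppid": 4884, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
    {"pid": 3224, "ppid": 3244, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{231B9~1.EXE > nul"},
    {"pid": 1380, "ppid": 2288, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBB1~1.EXE > nul"},
    {"pid": 5100, "ppid": 1000, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\log.txt > nul"},
]

if __name__ == "__main__":
    for chain in analyze(SAMPLE_EVENTS)["chains"]:
        print(chain["alert"], chain["root"], "->", " -> ".join(chain["stages"]))
```

The benign `del log.txt` from explorer.exe is not reported because the target is not a short name of the parent's image, and explorer.exe itself starts no GUID-named child. Against the full tree from the report the same code would return one chain of twelve stages, all twelve flagged as self-deleting.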

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{00A1DFFC-1605-476c-A93E-8129AA56AF29}.exe
    Filesize
    380KB
    MD5
    3c0edf1105696366387247409c66cc39
    SHA1
    6b7e3fd367840fd8a76b59ad931552f129501b01
    SHA256
    41aa5c602ab07d1bcf25844dc44c2c977c73f7645d3b5cc309d1333f7be355e2
    SHA512
    e9b7d9c353bedc2f1a431d82aab6c28285c4908357de6b368b2edbff3ff2ec15cc59ef27419acafa2d69534d8859fa0fd3a0b00f4b348698280f78d40214d239

  • C:\Windows\{231B97E5-3155-4a33-91FF-67B9D6BD38B2}.exe
    Filesize
    380KB
    MD5
    410af7607bfc3432230eb71a982d8404
    SHA1
    c7c510cf47a19f3c15831eb224d5843561da6725
    SHA256
    3fe948f4e7efb35eb9b4414c754c50c43e13d341dbe0bfcc769fda16f4f82326
    SHA512
    13a8d2c151594c925639f2875c8373a672ebb89316f832b2af4a8f906f28ef0629bc5873cab62c53e99fc33d260f09e0931022217570518506da0aeb3cf6b8d0

  • C:\Windows\{3AE9FFBA-58D0-40b4-937E-AF8EDB309E4A}.exe
    Filesize
    380KB
    MD5
    9c3bc8f82589bc9860c847dc8b80ae3f
    SHA1
    f342af00ab44c49848aa4a8878702789be39ab00
    SHA256
    d9c1810759063b4500b4fdbd3dd78dc960b1078110f896c7f429ccc2bde44ba0
    SHA512
    2ba8c8fb1b3e0fd6b62102925fe808968e3366c1a99ac259a0a74042444e842e41bf6b9c043db72b8220f854675376ed70d7d0e500b388cdad24cba2649ce128

  • C:\Windows\{64BD120C-1179-4046-8CFF-8F510F97F13A}.exe
    Filesize
    380KB
    MD5
    b94da8d8f6e3ce00e3008980150cad83
    SHA1
    dddd806e4966c20fc0739b90b56ef372d519b9cc
    SHA256
    31bedfb5de2b7fb88d0af6812f0b0c512b7d4962eb85f5869b288c0e01e94336
    SHA512
    93fd2395eeff00026cf2e69466eaaa0e5e32eefd9742076f672b76a17885d43494b649be129723bcbcc76a1d959dcbe39ee79cb47397e071739390e5bfff71a4

  • C:\Windows\{6A9DCC0F-B53D-47df-AB74-651E2B6BD412}.exe
    Filesize
    380KB
    MD5
    fdf85048a2ead13d006f1753aa771e6e
    SHA1
    c8a49d429e02dcce8874c4732d2df45b88be3fe6
    SHA256
    8c0b7ae850d1f061e48be7e30593d58cb0360845935f15a319987bdb11dc70a2
    SHA512
    4a3c64b342e04202ccae6b2a0842e89e6f3a61d77503ea0e85895ce28d99b968ad8cc125f8af762e51f39975b6a3129be8fea0f470c8c4482ad4d1bbd9456bd4

  • C:\Windows\{9EBB1FCB-B5AD-4668-A7FB-F11764560E54}.exe
    Filesize
    380KB
    MD5
    cbb2d351da7ed421c24fb4106c7cd5a0
    SHA1
    3495402f93b920b42e44437981d28b30651207c9
    SHA256
    2d567a891db89a236c4d49ab6dacf26b1338323816bfa4818a42826efffd3748
    SHA512
    0b22cd2a95b883a2c5613f4e0a611aeeeaf20dbda4b19ab6c96764b32f4071bfe748d7e20dd29515afc8ce9586cc85a422dec33e1a97cf1209fc811593dd8582

  • C:\Windows\{A0682648-5076-4a18-839D-42E038D33B6F}.exe
    Filesize
    380KB
    MD5
    9a8e7d304a80c819a1241abe1fbbcca2
    SHA1
    724001a55cf61088f6a548df0644e8d829491fd3
    SHA256
    b2db87a72f4761be2a181a3ee5abc5f3c5e6f1799aa0b757153a4e8031124c3a
    SHA512
    507014f7c9bf55cf05c4560afe09097e4687483906ea0cdd93fadebe5cded46249427b1d54a6362a0ae53dbbd208bdb6cd278edd7ad6e587dc369f37beffbdb4

  • C:\Windows\{A727C33E-4FDF-4de3-AFC0-3F73366A649D}.exe
    Filesize
    380KB
    MD5
    d855b92f1618fdd920d58541811b81c8
    SHA1
    09a3ca856f2a8eb3aa92af329a645392b1df926e
    SHA256
    68ecb3eb5bb6d7299f85bccb6881d84fd1fba931f0c809cdb2a4702f10368660
    SHA512
    9de1ea190dfbdf229b6a0fecd3996207d5706dbd9335ece9c599d6da64be5d3f8667ffe568ea7a1b0c8a0f8810ad718206ab94c3b8ae0f0651cdd7fdfaa0cf03

  • C:\Windows\{C6140BDD-BC7D-4e98-B9E0-CFBB41972453}.exe
    Filesize
    380KB
    MD5
    e99553f009dbe58e3b40fd1a4f1d487f
    SHA1
    842e152258612bf8e2bf5fb6267b65115ef5d3b6
    SHA256
    f8dacba201525994d53287d68102478ed857b5ea011366ec7c4914e0f13060bd
    SHA512
    8de9acec0b9fe33171189371998a15375ecdb343b73fb43f445192a5ef7bcc360e4bbd77a7d172a1f5e29a66e03a8af59a3f0194f889bf0bc68004bfcd9669f3

  • C:\Windows\{DFE61D8F-C2A4-46d0-A65F-0087705CF4E6}.exe
    Filesize
    380KB
    MD5
    bda2d5eee7ef400a496c69bc489ce46a
    SHA1
    58d8730882a53c906898b72b7b39705a43082e75
    SHA256
    9d6e3f0cd7074ab75a120f39590e15f26f722b22d8d1974cb7cb37b86c92c688
    SHA512
    45dbed3121d5321c35f6d223a4601229067469c77142f33f0dec30cb9fdf75dc9d42a52965b85b35a582647ff4d18d632b5b6ee2ea202b73e410322b178a399a

  • C:\Windows\{E0FD9FF2-EED9-4305-83F9-7551F00DB565}.exe
    Filesize
    380KB
    MD5
    4982c143e36bffd74aa5ac747b167b12
    SHA1
    d12e649b71b25e8b1bfd602f9705d4b5944897b1
    SHA256
    07a8b77cc17512ffbd04305883d1b89d216ed2b16218aa05d8f0a72d53b7da08
    SHA512
    fae561d1d28bd57a82f01409a7ae1c805163d6e1a80074889779d96aa95dae432d97e405e995784aa94fae96aaca3d154288f071cc412a642a2e1ca2c4819f61

  • C:\Windows\{F4D80C1D-625D-4779-BD67-C9132DB7AFA1}.exe
    Filesize
    380KB
    MD5
    950068227f4b7f0bb1f0fe4543163683
    SHA1
    e6268f5bed7e8a1c64dd99c94130690f5cff746b
    SHA256
    3cff5306dfd71e587771f1dc608457d0ca9847de894fda26d3f6cf08f8c95980
    SHA512
    dedeba053fd4ae7355ed987ca5f3eb17365a7967f56875fac31dc1d705b8d3f8b638e43097980ec818bc7df2ea38c490af6043d4b43ff19195089cc4307a028b