Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:53

General

  • Target: 2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
  • Size: 197KB
  • MD5: 7301feddda6b25fa3a7b33330cbcf8a5
  • SHA1: 9b609736c4b860903ce25b43d2cc8558ce5e5dd3
  • SHA256: a8177f1a02ae27411c3159ad5289da8b29017045f942d5311f915d3f4db22dd6
  • SHA512: 673df0ba7a4f69b842599a0d4f3bdb72c8984afec15c32ce5a02ed7c751838c6debc3b6b547793c310e09176a44144b4a0072fc956e85d6455a1a93941f53f30
  • SSDEEP: 3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG3lEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
      C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe
        C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4172
        • C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe
          C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3220
          • C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
            C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1384
            • C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
              C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2448
              • C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
                C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3608
                • C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
                  C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3484
                  • C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
                    C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2228
                    • C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
                      C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2800
                      • C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
                        C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5004
                        • C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
                          C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3132
                          • C:\Windows\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe
                            C:\Windows\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1812
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6AACC~1.EXE > nul
                            13⤵
                            PID:3204
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D8280~1.EXE > nul
                          12⤵
                          PID:1884
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5BAC~1.EXE > nul
                        11⤵
                        PID:1116
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3B5A6~1.EXE > nul
                      10⤵
                      PID:1992
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{2C47E~1.EXE > nul
                    9⤵
                    PID:3540
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1DC37~1.EXE > nul
                  8⤵
                  PID:1716
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3A6A4~1.EXE > nul
                7⤵
                PID:3932
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B54D7~1.EXE > nul
              6⤵
              PID:2952
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C85AB~1.EXE > nul
            5⤵
            PID:780
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{745A7~1.EXE > nul
          4⤵
          PID:400
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40816~1.EXE > nul
        3⤵
        PID:1132
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4580
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
    1⤵
    PID:1992
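
The tree above repeats one behaviour twelve times: each stage writes a {GUID}.exe into C:\Windows, starts it, and then removes its own image with `cmd.exe /c del <8.3 short name> > nul` (the twelve "Executes dropped EXE" IoCs are the twelve GUID-named stages; the twelve cmd.exe children are the self-deletes, with only the last stage, {203CB95E-...}.exe, not yet deleted when the run ended). The detection logic below is an added example, not part of the sandbox report: it replays the tree as process-creation records (the pid/ppid/image/cmdline schema is an assumption modelled on Sysmon Event ID 1), flags a GUID-named executable directly in C:\Windows, flags a cmd.exe whose `del` target resolves to its parent's own image, and reconstructs the chain depth. The 8.3 short-name matcher is a heuristic written for this example, not a full implementation of Windows short-name generation. Note that the report itself shows PID 1992 twice (a cmd.exe at depth 10 and the msedge.exe at depth 1), which is why the code refuses duplicate PIDs; real pipelines should key on a process GUID rather than the PID.

```python
import re

# Records below are constructed from the report's process tree; the schema
# (pid/ppid/image/cmdline) imitates Sysmon Event ID 1 and is an assumption.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-13_7301feddda6b25fa3a7b33330cbcf8a5_goldeneye.exe"
ROOT_PID = 4604
STAGES = [  # (pid, ppid, GUID) of each dropped stage, in report order
    (444, 4604, "40816058-FC3B-4b2b-9998-C3C35FF02714"),
    (4172, 444, "745A7151-D33A-42d6-8100-84C40E16808C"),
    (3220, 4172, "C85AB625-E491-462d-8270-736D06A74AED"),
    (1384, 3220, "B54D74C3-F42C-43b4-A0D4-720E7D846D5B"),
    (2448, 1384, "3A6A4427-3EE7-44ba-8A45-7056AE3814BE"),
    (3608, 2448, "1DC37446-A826-46d9-A9D5-7BED0927E3A8"),
    (3484, 3608, "2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207"),
    (2228, 3484, "3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9"),
    (2800, 2228, "A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA"),
    (5004, 2800, "D82807A2-D1FA-4700-B5A6-8137FD08D78D"),
    (3132, 5004, "6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA"),
    (1812, 3132, "203CB95E-55E7-403e-86DE-B31D77DA65B9"),
]
DELETES = [  # (pid, ppid, 8.3 short name) for each "cmd.exe /c del ... > nul"
    (3204, 3132, r"C:\Windows\{6AACC~1.EXE"),
    (1884, 5004, r"C:\Windows\{D8280~1.EXE"),
    (1116, 2800, r"C:\Windows\{A5BAC~1.EXE"),
    (1992, 2228, r"C:\Windows\{3B5A6~1.EXE"),
    (3540, 3484, r"C:\Windows\{2C47E~1.EXE"),
    (1716, 3608, r"C:\Windows\{1DC37~1.EXE"),
    (3932, 2448, r"C:\Windows\{3A6A4~1.EXE"),
    (2952, 1384, r"C:\Windows\{B54D7~1.EXE"),
    (780, 3220, r"C:\Windows\{C85AB~1.EXE"),
    (400, 4172, r"C:\Windows\{745A7~1.EXE"),
    (1132, 444, r"C:\Windows\{40816~1.EXE"),
    (4580, 4604, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]
# Rule 1: a GUID-named executable directly in C:\Windows.
GUID_EXE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# Rule 2: "cmd.exe /c del <path> > nul"; the path is then checked against the parent's image.
SELF_DEL = re.compile(
    r'^"?(?:[a-z]:\\windows\\(?:system32|syswow64)\\)?cmd\.exe"?\s+/c\s+del\s+(\S+)\s*>\s*nul\s*$',
    re.I)


def build_events():
    """Flatten the constructed data into process-creation records."""
    events = [{"pid": ROOT_PID, "ppid": 0, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'}]
    for pid, ppid, guid in STAGES:
        image = "C:\\Windows\\{" + guid + "}.exe"
        events.append({"pid": pid, "ppid": ppid, "image": image, "cmdline": image})
    for pid, ppid, target in DELETES:
        events.append({"pid": pid, "ppid": ppid, "image": r"C:\Windows\SysWOW64\cmd.exe",
                       "cmdline": r"C:\Windows\system32\cmd.exe /c del " + target + " > nul"})
    return events


def short_name_refers_to(short_path, long_path):
    """Heuristic written for this example, not a full 8.3 implementation: same
    directory, the characters before '~' prefix the long stem, extension agrees."""
    sdir, _, sname = short_path.rpartition("\\")
    ldir, _, lname = long_path.rpartition("\\")
    if sdir.lower() != ldir.lower():
        return False
    if sname.lower() == lname.lower():
        return True
    m = re.match(r"^(.{1,6})~\d+(\.[^.]{1,3})?$", sname)
    if not m:
        return False
    prefix, ext = m.group(1).lower(), (m.group(2) or "").lower()
    lstem, lext = lname.rsplit(".", 1) if "." in lname else (lname, "")
    lstem = lstem.replace(".", "").replace(" ", "")  # 8.3 drops these from the stem
    return lstem.lower().startswith(prefix) and ("." + lext[:3] if lext else "").lower() == ext


def detect(events):
    """Return (rule, parent_pid, pid) for every hit of the two behaviours."""
    by_pid = {}
    for e in events:
        if e["pid"] in by_pid:  # the report reuses PID 1992; real pipelines key on ProcessGuid
            raise ValueError("duplicate pid %d" % e["pid"])
        by_pid[e["pid"]] = e
    findings = []
    for e in events:
        if GUID_EXE.match(e["image"]):
            findings.append(("guid_exe_in_windows", e["ppid"], e["pid"]))
        parent = by_pid.get(e["ppid"])
        m = SELF_DEL.match(e["cmdline"])
        if m and parent and short_name_refers_to(m.group(1), parent["image"]):
            findings.append(("parent_self_delete", parent["pid"], e["pid"]))
    return findings


def longest_chain(events, root_pid=ROOT_PID):
    """PIDs from the submitted sample down the deepest run of GUID-named children."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    def walk(pid):
        best = [pid]
        for c in children.get(pid, []):
            if GUID_EXE.match(c["image"]):
                path = [pid] + walk(c["pid"])
                if len(path) > len(best):
                    best = path
        return best
    return walk(root_pid)
```

Running `detect(build_events())` on the replayed tree yields twelve `guid_exe_in_windows` hits and twelve `parent_self_delete` hits, and `longest_chain` returns the thirteen PIDs from 4604 down to 1812. Either rule on its own is a reasonable alert; the two together on one parent/child pair, repeated down a chain, are what make this tree distinctive.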

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1DC37446-A826-46d9-A9D5-7BED0927E3A8}.exe
    Filesize: 197KB
    MD5: 1c225a8e30c24c177a42dbab35099dae
    SHA1: f360de89f0134703cb8c73405af13f3090bb54fc
    SHA256: 430351d777aeb1a634f2ccf707a2436ca67f4a56d3c4eb2e1422609116a6f8ab
    SHA512: cf2ba9abd27977f84e64bf1a98285fd4a107d459c7b304e7601a2c286fe6b9b6f4b5dc7d55061509295e8745f8fb4ee3eef745d531709f96f33d746796af8dbe

  • C:\Windows\{203CB95E-55E7-403e-86DE-B31D77DA65B9}.exe
    Filesize: 197KB
    MD5: 295a4d9fea30d8fec0781c449055b887
    SHA1: c8ea3984d8418df944753efc66109ce2488bbbf9
    SHA256: 0a5ee3395a0b588c0c38ec5e341b5f33dd6708625b1eb06c83ca73c3d5364956
    SHA512: 3c4781bebea903b065a0e376ead21464b61e74af428bb46abcee65922f2f796eac62b16cde7228b161884c01c5778205a2bc81ec3d25bacbc7b50b387aa924e3

  • C:\Windows\{2C47EC50-6B8F-40ee-B50F-FBD4D0BB6207}.exe
    Filesize: 197KB
    MD5: b7ff04d1ecf7739b4593fe4402d76940
    SHA1: 65bd588410af4558689c5da2d578af2045ff7fa1
    SHA256: 1c3b48cfd02eba2560857467f8d6a69fad18128ddd77f5465f9d5eacd6705787
    SHA512: 5808c73d113705c397e957c1845532b353a57879b98f4ec62dac92f24b9cfb6102877943e0946807b33d88101252e443d4b6d642ea5f8908b8c65c44c46f71cc

  • C:\Windows\{3A6A4427-3EE7-44ba-8A45-7056AE3814BE}.exe
    Filesize: 197KB
    MD5: bb0d7dbf70fcb3eb7c2aab1910544c1b
    SHA1: f7f79bdba230bfb424d1b78bb009c381f36c51f6
    SHA256: 82dd2512b9531a82a1667c5527653b3ff9a5bae4ba504321053c65affe2aaa7b
    SHA512: b2e97388d8300bd38c1d1dfc7b0db1e4ed8f065831ba2b597e542ab40063dc58a4c7c5e3c7e45a89550d1066d53289473ebf9a1db82eea517ad75f8e73c319d0

  • C:\Windows\{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe
    Filesize: 197KB
    MD5: 01fac01c77833bd82e7445f312315e48
    SHA1: d9c44f78728ae715433f26dd1601e1056604f72d
    SHA256: 5c2304b380a30c52abd02d435bb1e5c94074fd1f5ab3841d3dd14aca1d1c9901
    SHA512: ccd58cd150913cba37b75919f8739dc3c0b1034149859ebc4126d8383ad19c6c6827228c11db64bd939ecfba89087a976d7209ce2a184b68f583e08ad287eb4a

  • C:\Windows\{40816058-FC3B-4b2b-9998-C3C35FF02714}.exe
    Filesize: 197KB
    MD5: 8bab5288e28d67b1c98b12c26d18aaa7
    SHA1: f251f0800f3e5249de34ba817128035e4c4ab8b9
    SHA256: f09a1dff2659c4ba32bb90209718996eddc5058d92e836587939677c48a5953a
    SHA512: 228e5923396551da85e6e52ff5f573efb3222b633243cecefe7343c3d98db0e89be0a3d597a48cd85500a137101134eceb926c46dad40ee913a89d49f9f6b55f

  • C:\Windows\{6AACC7A4-AE4D-4cb1-A476-A7ECDB7790EA}.exe
    Filesize: 197KB
    MD5: 9bc42c076954695fb15dd6d0503cac2d
    SHA1: 06d20b5c9cdbdd700d92cd99328f6286c3e38f5a
    SHA256: 1968c6aae22c19b23b0066b5e783bb646eb739c80777b58f859dd752174d3a35
    SHA512: 28e994732161bd9f1b87800d355fe464aed37dd696822ab931e269143f538882ee1a22b50e947b3818aa169fbe85dec4208328fb3708362b990e9b7bd90332b3

  • C:\Windows\{745A7151-D33A-42d6-8100-84C40E16808C}.exe
    Filesize: 197KB
    MD5: 560f3773250f57a82e78bb3d693d3fee
    SHA1: cdb02f767cfbf083000a2e92a6fa4cf91e0efb4d
    SHA256: 966666210ed4962cddaa2afba0d0311817040591e85d6ef760a35950bc2cd8f3
    SHA512: 65a8422fc6ea4e742bdaf9a00bcf4eee5b0abb2ea98e83fa1569ea46144df29536d8381359ab88d12ae881f8feab270e2f0a134c48c667be4b948a78466f5506

  • C:\Windows\{A5BAC9A3-FD65-442b-83B0-69CA7A5A36DA}.exe
    Filesize: 197KB
    MD5: b08ecfb098d70aa9fc7f0715193384e2
    SHA1: b1253f1c7a427629a172b31f06c53a04687bcb24
    SHA256: 7cb446dcedd5b6476f37383596c6d3002ee808b77ac65a267778853936766b61
    SHA512: c1e6816f8ee0c5d27baa1555bf589eee95eec1df51e18ee38faa40a51285ff98dc3d4ad2253fc96b8626b663ded00b3ef41a8639105e7e7f1587473341b3a46f

  • C:\Windows\{B54D74C3-F42C-43b4-A0D4-720E7D846D5B}.exe
    Filesize: 197KB
    MD5: c0023af99790eb659bbc943690811a1a
    SHA1: c87423a6c86833052a1018a9b54e7f5b862c4ff6
    SHA256: 92dc5ecb773a66f3ae79a15e9458104eb07fe28c1c4c48b8f8f771b2c71d9ae3
    SHA512: 6a92a4943b3ae9edc78e540dd263896256428d99ecc242f74deebdcfa0b5b3ca59b69f2abb55751f049de0a6e472fd0ef4ae5475d0d6f40014d6bb83077d71ca

  • C:\Windows\{C85AB625-E491-462d-8270-736D06A74AED}.exe
    Filesize: 197KB
    MD5: b188edbb6479739588ca079ba1fc1906
    SHA1: 794e84f9f49f0beb3a62a66d61c639ed168657c5
    SHA256: 4366eb8132ba93034efe7c0c830510e14338044dafeed1a36ce2c872d7d553e1
    SHA512: 67cb3e1c83160054d4634cd9e25871a63b634c5e15e3b1be6ca1962ba4f458498d410cd31b036fce1b8da96faf9f31e4955f0ee68f506b6ac662fc43931bee2e

  • C:\Windows\{D82807A2-D1FA-4700-B5A6-8137FD08D78D}.exe
    Filesize: 197KB
    MD5: 7ebc1dd71550ffb5ceff19135ea43cc0
    SHA1: 121e975c1ec13ae8bd5ef1e464f1de2a6a48c13a
    SHA256: cf46f1c071151757163ca2897ad7db84222b744d8261630e4709ccbf626246ba
    SHA512: 612c82f5ef01e72ab5e570ffc41c2394d3815953fba27ec2288c5050a65132d86c4de0b6fa8e03dcbeb6bc139c327c03b16766ad05fa86bfc5be1edf5f32ddf5
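
All twelve dropped stages are 197KB like the submitted sample, yet each carries a different MD5/SHA1/SHA256/SHA512 set, so a blocklist built from the submitted sample's hashes alone would miss every stage on disk. The sweep below is an added example, not part of the report: it computes the four digests the report lists for every file in a directory, matches SHA-256 against the thirteen values above (definite hit), and separately flags the family's naming pattern, a {GUID}.exe sitting directly in the scanned directory, which survives rebuilds that change the hash (a lead to triage, not proof). The temporary directory, its three files and the "known-bad" file whose hash is added to the IOC set at run time are all constructed for the demo; the real stages are not available offline, so nothing here is the malware itself.

```python
import hashlib
import io
import os
import re
import tempfile

# SHA-256 of the submitted sample plus the 12 dropped stages, copied from the
# report. Every build differs, so this set only catches these exact files.
KNOWN_SHA256 = {
    "a8177f1a02ae27411c3159ad5289da8b29017045f942d5311f915d3f4db22dd6",  # submitted sample
    "430351d777aeb1a634f2ccf707a2436ca67f4a56d3c4eb2e1422609116a6f8ab",
    "0a5ee3395a0b588c0c38ec5e341b5f33dd6708625b1eb06c83ca73c3d5364956",
    "1c3b48cfd02eba2560857467f8d6a69fad18128ddd77f5465f9d5eacd6705787",
    "82dd2512b9531a82a1667c5527653b3ff9a5bae4ba504321053c65affe2aaa7b",
    "5c2304b380a30c52abd02d435bb1e5c94074fd1f5ab3841d3dd14aca1d1c9901",
    "f09a1dff2659c4ba32bb90209718996eddc5058d92e836587939677c48a5953a",
    "1968c6aae22c19b23b0066b5e783bb646eb739c80777b58f859dd752174d3a35",
    "966666210ed4962cddaa2afba0d0311817040591e85d6ef760a35950bc2cd8f3",
    "7cb446dcedd5b6476f37383596c6d3002ee808b77ac65a267778853936766b61",
    "92dc5ecb773a66f3ae79a15e9458104eb07fe28c1c4c48b8f8f771b2c71d9ae3",
    "4366eb8132ba93034efe7c0c830510e14338044dafeed1a36ce2c872d7d553e1",
    "cf46f1c071151757163ca2897ad7db84222b744d8261630e4709ccbf626246ba",
}
# The family's naming pattern: {GUID}.exe as a bare file name.
GUID_EXE_NAME = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)


def hash_stream(fobj):
    """Read once and feed all four digests the report lists; return hex digests."""
    hs = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    for chunk in iter(lambda: fobj.read(1 << 16), b""):
        for h in hs.values():
            h.update(chunk)
    return {n: h.hexdigest() for n, h in hs.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def sweep(directory, known=frozenset(KNOWN_SHA256)):
    """Map path -> reasons for files matching a known hash (definite) and/or the
    naming pattern (a lead: an unseen rebuild would share the name, not the hash)."""
    hits = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        reasons = []
        if GUID_EXE_NAME.match(name):
            reasons.append("guid_named_exe")
        if hash_file(path)["sha256"] in known:
            reasons.append("known_sha256")
        if reasons:
            hits[path] = reasons
    return hits


def demo():
    """Constructed scenario in a temp dir: a GUID-named stand-in with an unknown
    hash, a file whose hash is added to the IOC set, and a clean file."""
    with tempfile.TemporaryDirectory() as d:
        guid_file = os.path.join(d, "{3B5A615D-D3C0-4e3e-8D52-CBF71DCE1AF9}.exe")
        with open(guid_file, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)  # not the real stage, only a name match
        ioc_file = os.path.join(d, "update.tmp")
        with open(ioc_file, "wb") as f:
            f.write(b"constructed bytes standing in for a recovered stage")
        with open(os.path.join(d, "readme.txt"), "w") as f:
            f.write("clean\n")
        known = set(KNOWN_SHA256) | {hash_file(ioc_file)["sha256"]}
        return {os.path.basename(p): r for p, r in sweep(d, known).items()}


if __name__ == "__main__":
    print(demo())
```

In the demo the GUID-named stand-in is reported only as `guid_named_exe` (its bytes are not the real stage, so no hash matches), `update.tmp` only as `known_sha256`, and `readme.txt` not at all. On a real host the directory to sweep is C:\Windows, and a pattern hit there should be pulled for analysis and hashed into the IOC set rather than dismissed because the hash is new.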