Analysis

  • max time kernel
    149s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:53

General

  • Target

    2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe

  • Size

    197KB

  • MD5

    75395c7cde9cd0b4183be94570719bdb

  • SHA1

    dde84cf6504ae75e56b7e939ceb0025d9670ee6a

  • SHA256

    7b46eff9608adc6d13237c8516edc6e511b2b2fa079a5df130f4cda58d71e46d

  • SHA512

    12d896269ddc038a6089207b88e872116a3dcd4b438b71c25fbd6d928478b7a7dd928e5423bdf4457171f66dca794c83f98eb260d31702787bba32a9aab44289

  • SSDEEP

    3072:jEGh0owl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG+lEeKcAEca

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (11 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_75395c7cde9cd0b4183be94570719bdb_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe
      C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe
        C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe
          C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4500
          • C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe
            C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe
              C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:544
              • C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe
                C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4940
                • C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe
                  C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:512
                  • C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe
                    C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4908
                    • C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe
                      C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      PID:1696
                      • C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe
                        C:\Windows\{493E33C7-AF64-4d04-8B56-BC710E57A240}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2904
                        • C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe
                          C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4460
                          • C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe
                            C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2600
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4F529~1.EXE > nul
                            13⤵
                            PID:3776
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{493E3~1.EXE > nul
                          12⤵
                          PID:4476
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{869A8~1.EXE > nul
                        11⤵
                        PID:2688
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4497D~1.EXE > nul
                      10⤵
                      PID:4360
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{78EC4~1.EXE > nul
                    9⤵
                    PID:4520
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3189B~1.EXE > nul
                  8⤵
                  PID:4420
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CBD68~1.EXE > nul
                7⤵
                PID:2080
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{420FD~1.EXE > nul
              6⤵
              PID:1520
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{48BBF~1.EXE > nul
            5⤵
            PID:2344
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F2E3F~1.EXE > nul
          4⤵
          PID:988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{100F4~1.EXE > nul
        3⤵
        PID:2996
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:828

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{100F4665-7F28-414d-ADDC-60DCB318D02B}.exe (197KB)
  • C:\Windows\{215468D6-31AE-45cb-911F-8F8F97A4CF97}.exe (197KB)
  • C:\Windows\{3189BD62-AB9B-4e07-B65F-C6961B2227F9}.exe (197KB)
  • C:\Windows\{420FD274-6BF6-4926-93EF-BE40A10BF37A}.exe (197KB)
  • C:\Windows\{4497DD96-613F-4683-B791-26AABBD308A3}.exe (197KB)
  • C:\Windows\{48BBFAC2-C4E0-42e1-8968-44E0AE758B59}.exe (197KB)
  • C:\Windows\{4F5291FC-BE4A-424a-8E89-47E30EE4CAF9}.exe (197KB)
  • C:\Windows\{78EC474C-029A-49b7-8DFC-7AC012A953BA}.exe (197KB)
  • C:\Windows\{869A875D-2E95-4c32-83B9-65592F397DE2}.exe (197KB)
  • C:\Windows\{CBD68427-FAE6-48d1-8EBA-988322A5BB9A}.exe (197KB)
  • C:\Windows\{F2E3F101-3DB2-46bc-BB29-42469A568E9A}.exe (197KB)