Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:55

General

  • Target

    2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe

  • Size

    344KB

  • MD5

    808dd2fd506c4d92529be8ef0b673040

  • SHA1

    183ed54749759b2c0bd66ef19e1b7eeb5b87b8c7

  • SHA256

    572fa7e5bc407aa57cc5d75092843b5552b40ef7ce6cac2138d7c9ef69bd62ce

  • SHA512

    93daf1fbf909e3967c6c9171ee2abdd699bb5a1a5dd1f24deaa6b3c273fef7c0f8b353e225d997f9d3553199104a7cfd72e7e962126eace0084d8d146a304f4b

  • SSDEEP

    3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGelqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_808dd2fd506c4d92529be8ef0b673040_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
      C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3900
      • C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
        C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
          C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3420
          • C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
            C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4904
            • C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
              C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4128
              • C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
                C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2436
                • C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe
                  C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3336
                  • C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
                    C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4020
                    • C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
                      C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4336
                      • C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
                        C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4788
                        • C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
                          C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3848
                          • C:\Windows\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe
                            C:\Windows\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4692
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1B476~1.EXE > nul
                            13⤵
                            PID:2016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E63EA~1.EXE > nul
                          12⤵
                          PID:1912
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5837A~1.EXE > nul
                        11⤵
                        PID:1688
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBAF~1.EXE > nul
                      10⤵
                      PID:4512
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{81D11~1.EXE > nul
                    9⤵
                    PID:1476
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8D1FC~1.EXE > nul
                  8⤵
                  PID:952
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B4AE8~1.EXE > nul
                7⤵
                PID:4552
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{60436~1.EXE > nul
              6⤵
              PID:2796
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD5C~1.EXE > nul
            5⤵
            PID:3156
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{45CC5~1.EXE > nul
          4⤵
          PID:2612
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B27C5~1.EXE > nul
        3⤵
        PID:1484
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:3144
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4272,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
    1⤵
    PID:632

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1B476960-3C08-450b-B0C3-5552F3692FE5}.exe

    Filesize

    344KB

    MD5

    dbf7461fd5839cedb9405c47c9f30e46

    SHA1

    32b5da2f00b239e1e386e18918bfea787a7286af

    SHA256

    4c2ead10aa02b2be3cce00f2de29558c761fb3148bfac2d0728ce49d681e343d

    SHA512

    5c6b55d2e035aa1d22e677374ca608f509c83bfe2063a3500ea412c1f48d47ecc767c64b3256e61fa5d3d3b404dba3e6b749db10016021d59cff6193733a20d7

  • C:\Windows\{45CC51EF-594A-4e1c-8E9C-4DFDDF776D52}.exe

    Filesize

    344KB

    MD5

    59ef2810097875e233b0ead9b40d23cb

    SHA1

    166503cec8a4e77cdf7ac0729389243f6eae4afb

    SHA256

    7c47687f0f97147f63905518c78d6708fcb4463e95c44fe0566f5a42bb0a1992

    SHA512

    4ad9a95e53282df49885263f57ae8dff21ba07e4e888fbb7f95368fbb3579d344f8a19b0e67779ff515afd91079ab5be82f20af0cfabc522ae287ab814c09e86

  • C:\Windows\{5837A597-461B-4a8f-A9D8-49D44A9311B2}.exe

    Filesize

    344KB

    MD5

    3924b39d3adc7612033ffcd312c3d1e2

    SHA1

    045551653c42c327cfd03f0c26979e13e2bf6cdf

    SHA256

    ef17338a4ab70d428f5fe17be422b123490833f7742f1d1a1ec12fea6a4456d1

    SHA512

    5da9a8807197660678590d8ccb9ffcaf51646c4ae416117e69694e80d5e12d15a67542f9e8aa1812c1a9b7e5b479a3402c5e6c111f80025e8dd37b3a1c539fe6

  • C:\Windows\{5DD5C137-36C1-41ac-B9FE-18A316C3608B}.exe

    Filesize

    344KB

    MD5

    166b5eaae9d5b3756cd28ed9d9b3161e

    SHA1

    13e502dab36c34ac18a20374aee82cb205db7aa7

    SHA256

    300734407bc65bb23b8c6adfebf2006661fc462b0b3af2e748e3911b7a35c313

    SHA512

    43d78a4e7a97b5d3029de4b2d02241edbafb391761273b87bfb1b8fb0527be8908adf50e0548808081f2191c18d6bab376a9ecbf5aa777147c6e8c8c21144ecf

  • C:\Windows\{60436E5B-62E8-4d58-A140-EEBCBFBB1AE6}.exe

    Filesize

    344KB

    MD5

    ae4ba5c8ce27e086ca6a7a8f65776171

    SHA1

    cb6d8a28fbca3a0c3b8d2502a2edbaf501f3506a

    SHA256

    946c0bb531d095be4bf7f30fb98c1fb8ca7611e0cc5aec011f4055a5e53db76a

    SHA512

    10c9f81fe0c388430063b840b9024240e30fe08c2871382bd9ed86cad6ce893b2ab73695851151cd985fc592dcdad8a4f4908262ba625f79f9c136d155e797ad

  • C:\Windows\{81D11098-9169-482f-BF38-52CEF81E2947}.exe

    Filesize

    344KB

    MD5

    a81a71b2f0d83401f9e8b7e590d077fd

    SHA1

    e0d72060eb651e02901e5d428bd8f8644961a510

    SHA256

    2a46a6e2c4b3032f7baf56c665a08dbb73de0834f5eedc3b2240d352c09165cc

    SHA512

    2242d365e9262fe2c3a4324db39b1dddad95c3b62d35e3957e0a61d25589bfb561fe3d947e968d77ae659daef54d4148c3438333848b7a2d21e02b9c9c9a62e9

  • C:\Windows\{8D1FCD4D-ECC6-4487-80EF-55C5573675FE}.exe

    Filesize

    344KB

    MD5

    de046aed84640e0dc35ff53bb273665f

    SHA1

    e7fc0e5f270db3461040bc7b46c1f3763ea25e6f

    SHA256

    56a82456cc39f240b3dda2173328190e289b464325483d5d7c9f44188a430ea3

    SHA512

    eeb310dffb88037e92793bd9dd5314e4d09e4c29c90c9d0f9fefae960d1b42a971d13fc9ca116491719034aeec4a001953975e11d9e3336f26e2de3a5b14e2e5

  • C:\Windows\{9EBAF336-78EC-42c8-8F6E-5B48DDDE8D12}.exe

    Filesize

    344KB

    MD5

    cf16d470f24707bdb25b7015564dced8

    SHA1

    aabbb4333d2c2a05a1b90ef272511be90b41e807

    SHA256

    a4923e55e323ed771a26136404378d85e823b42004d9d66b53d611b5b4803f36

    SHA512

    aa6b1ae44ad64620719674beda4418fd4fd9dbfd5a3759888aaf0cbb631aa4d476763a572a07275a802506b2c026976341fd890d01d6fe601e0c18a7f6bb2011

  • C:\Windows\{B27C587A-1F18-4f2a-92B5-37E0C89FA49B}.exe

    Filesize

    344KB

    MD5

    8d2f52f913abeab6c755be40f125a396

    SHA1

    e27e83c5f427fd226aa6d93f7173ac533e2f7852

    SHA256

    0ff46febdccf66e8da26a47ee734835512b144227b776214f06c49f3da06b2de

    SHA512

    3270394c6722fcab40674c5090556d97108fe26bac915e13bb891c1a72b4426318970e3380d3dd9a7cd1e70dc0f50f108fea5b2871cd51c1e719bbb59a1e8f20

  • C:\Windows\{B4AE891E-3A43-4164-811A-D03F47D183E5}.exe

    Filesize

    344KB

    MD5

    ccde5ac447ac759ec753fc9edb3ca7a8

    SHA1

    89e06dcd329dc797b82defc2086073915f66f624

    SHA256

    dddefa08c82b94f2b5fef36183fff270cac12e6648e6b25f48f1416fa07a3649

    SHA512

    b8458f4462d8c7e2e28c18b9823c43b58a311c59222c5d2c286eee9141932ce47e60a792a0ca4dbef6070deb2bcaad4eb1d3fdef8ea8eb76fab080f864708808

  • C:\Windows\{B851E686-75BC-4092-BC1A-2433BB1F0176}.exe

    Filesize

    344KB

    MD5

    0a7060902691fd20bee43ad7a3e519c0

    SHA1

    cb90eb0d935cebfd85380cbba717c4e1a71feb06

    SHA256

    24c81bfaf6eec2a2dc80a05ab870508b7a193d40ba80a1075d441e1fc3f6876a

    SHA512

    b211439b1b3ac8c8ed99cbf7ab1e950bc2a58aa91c7a42b047bbc16daed6a270b121d635bcda0f23e1f867c4120d55792420ee8e569464ab6ea1c5a67d775aeb

  • C:\Windows\{E63EAD84-7173-4299-AB65-6C900D8DCB73}.exe

    Filesize

    344KB

    MD5

    7c4be8786c00c05681b0925e7b208d77

    SHA1

    b365df9469965472abd06ae6e04fa6e3316e9d4a

    SHA256

    31b1f829e8c982d9cd79f4422c925807967a8d9c93602aeffd381b06e0603b15

    SHA512

    872a2e3f5c147925391a8baabc508c5bce81bf413e2143f6471441420c959f9c2008f5ff7c1eadd80b484099f7c07981893603258ddd70bdd45717dd52249c83