Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-06-2024 05:49

General

  • Target
    2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
  • Size
    344KB
  • MD5
    be846c3f6acf2fab3192cdc122e35a47
  • SHA1
    74fc9fc49b650a1987babe47a65df7288df1a69e
  • SHA256
    ac82d9ed35eb5b8d86515b3b02e3523bc79b4907ced33a7ad99f0e5051276929
  • SHA512
    61f44853bbd9853de66d2bd0f4b7d36d005d9c44e55bd81c09545126f605123f0f9c57eb065cc22f3db1bb055f74bf56146c8a75ee964d02a142319ace4bc13a
  • SSDEEP
    3072:mEGh0oFlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGHlqOe2MUVg3v2IneKcAEcA

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\{0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe
      C:\Windows\{0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Windows\{635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe
        C:\Windows\{635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3856
        • C:\Windows\{50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe
          C:\Windows\{50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3632
          • C:\Windows\{28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe
            C:\Windows\{28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Windows\{B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe
              C:\Windows\{B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4108
              • C:\Windows\{68549392-BD97-4df2-94C0-C395BA4E57A1}.exe
                C:\Windows\{68549392-BD97-4df2-94C0-C395BA4E57A1}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1376
                • C:\Windows\{8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe
                  C:\Windows\{8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:760
                  • C:\Windows\{580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe
                    C:\Windows\{580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1368
                    • C:\Windows\{5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe
                      C:\Windows\{5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4600
                      • C:\Windows\{B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe
                        C:\Windows\{B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1624
                        • C:\Windows\{14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe
                          C:\Windows\{14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1748
                          • C:\Windows\{3C5D8A84-2D67-42e8-AE3B-637C247A1099}.exe
                            C:\Windows\{3C5D8A84-2D67-42e8-AE3B-637C247A1099}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1680
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{14AD1~1.EXE > nul
                            13⤵
                            PID:4508
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B3C83~1.EXE > nul
                          12⤵
                          PID:2204
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F853~1.EXE > nul
                        11⤵
                        PID:3396
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{580EE~1.EXE > nul
                      10⤵
                      PID:4612
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9A7~1.EXE > nul
                    9⤵
                    PID:3344
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{68549~1.EXE > nul
                  8⤵
                  PID:3496
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B6393~1.EXE > nul
                7⤵
                PID:4340
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{28BC0~1.EXE > nul
              6⤵
              PID:1936
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{50C81~1.EXE > nul
            5⤵
            PID:3876
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{635D8~1.EXE > nul
          4⤵
          PID:3532
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D18C~1.EXE > nul
        3⤵
        PID:3476
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:2536
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1008,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:8
    1⤵
    PID:1680
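The tree repeats the same three steps at every level: the running stage writes a new GUID-named executable directly into C:\Windows, starts it, and then spawns cmd.exe /c del <own path> > nul to remove its own image, naming itself by its 8.3 short name ({14AD1~1.EXE, 2024-0~1.EXE). Note also that each stage asks for C:\Windows\system32\cmd.exe but the image that runs is C:\Windows\SysWOW64\cmd.exe: the stages are 32-bit and file-system redirection rewrites the path, so a rule keyed on the literal system32 path misses it. The detection logic below is an added example, not part of the Triage report or of the sample; it rebuilds that pattern from Sysmon-style process-creation events. The events are constructed from the first three stages of the tree above, and the g0..g7 process GUIDs are assumed (a ProcessGuid-like key), because PIDs are reused: the report shows 1680 both for a stage and for an msedge.exe utility process.

```python
"""Reconstruct the drop / execute / self-delete chain from process-creation events.

Added example, not part of the Triage report or the sample. EVENTS are
constructed from the first three stages of the tree above; the g0..g7
process GUIDs are assumed (a Sysmon-style ProcessGuid) because PIDs get
reused: the report shows PID 1680 for both a stage and an msedge.exe process.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A GUID-named executable directly under C:\Windows, as every dropped stage is.
GUID_EXE_RE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# "cmd.exe /c del <target> > nul": the self-deletion idiom used by every stage.
DEL_RE = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)


@dataclass(frozen=True)
class ProcEvent:
    guid: str                    # assumed unique per process, unlike the PID
    parent_guid: Optional[str]
    pid: int
    image: str                   # image actually loaded (SysWOW64 for a 32-bit child)
    cmdline: str


def _split(path: str):
    head, _, tail = path.rpartition("\\")
    return head, tail


def short_name_prefix(path: str) -> str:
    """First six characters of the 8.3 alias Windows generates for the file:
    the stem with spaces and dots removed, upper-cased ('{14AD1', '2024-0')."""
    _, base = _split(path)
    stem = base.rsplit(".", 1)[0] if "." in base else base
    return stem.replace(" ", "").replace(".", "")[:6].upper()


def refers_to_image(target: str, image: str) -> bool:
    """True if `target` (long name, or an 8.3 alias like {14AD1~1.EXE) names `image`.
    The ~N suffix is not verified, so two long names sharing a 6-char prefix collide."""
    tdir, tbase = _split(target)
    idir, ibase = _split(image)
    if tdir.upper() != idir.upper():
        return False
    if tbase.upper() == ibase.upper():
        return True
    m = re.match(r"^([^~]{1,6})~\d+(\.[^.]*)?$", tbase)
    if not m:
        return False
    iext = "." + ibase.rsplit(".", 1)[1] if "." in ibase else ""
    return (m.group(1).upper() == short_name_prefix(image)
            and (m.group(2) or "").upper() == iext[:4].upper())


def analyse(events):
    """Return self-deletions as (parent PID, cmd PID), PIDs of GUID-named stages,
    and the longest run of consecutive GUID-named stages along parent links."""
    by_guid = {e.guid: e for e in events}
    self_deletes, stages = [], []
    for e in events:
        parent = by_guid.get(e.parent_guid) if e.parent_guid else None
        if GUID_EXE_RE.match(e.image):
            stages.append(e.pid)
        # Key on the image basename: the 32-bit stage asked for system32\cmd.exe
        # but file-system redirection loaded SysWOW64\cmd.exe.
        if parent and _split(e.image)[1].lower() == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and refers_to_image(m.group("target"), parent.image):
                self_deletes.append((parent.pid, e.pid))

    def run_length(e):
        n = 0
        while e is not None and GUID_EXE_RE.match(e.image):
            n += 1
            e = by_guid.get(e.parent_guid) if e.parent_guid else None
        return n

    depth = max((run_length(e) for e in events), default=0)
    return {"self_delete": self_deletes, "stage_pids": stages, "chain_depth": depth}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe"
STAGE1 = r"C:\Windows\{0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe"
STAGE2 = r"C:\Windows\{635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe"
STAGE3 = r"C:\Windows\{50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

EVENTS = [  # constructed from the report's tree; the guids are assumed
    ProcEvent("g0", None, 4372, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent("g1", "g0", 3100, STAGE1, STAGE1),
    ProcEvent("g2", "g1", 3856, STAGE2, STAGE2),
    ProcEvent("g3", "g2", 3632, STAGE3, STAGE3),
    ProcEvent("g4", "g2", 3532, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{635D8~1.EXE > nul"),
    ProcEvent("g5", "g1", 3476, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{0D18C~1.EXE > nul"),
    ProcEvent("g6", "g0", 2536, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent("g7", None, 1680, EDGE, '"' + EDGE + '" --type=utility'),  # benign noise, reused PID
]

if __name__ == "__main__":
    print(analyse(EVENTS))
```

On the constructed events this reports three self-deletions, three GUID-named stages and a chain depth of 3; on the full tree from the report the same logic would give twelve of each and a depth of 12. The 8.3 match is deliberately loose (prefix plus any ~N), which is the right trade-off for a detection that only needs to tie a del target back to the parent's own image.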

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe
    Filesize: 344KB
    MD5: 67941803da5b3969b915ead4f2a62662
    SHA1: 5df55deffcb66cb7e4fbcd1f7ab5be20f90ac38b
    SHA256: cfe3cd586719c60fb7e99817807050d4a7645ee433f2ab8550023e25b39c6102
    SHA512: e44b33809674ac25f8595a836ece1a6e7673bee4cf0cc4d6bb42ba85c38a2cda519137ab7e3603ba59cf427868557abc1195285d780519bbaeae6d6c5c4d6262
  • C:\Windows\{14AD119B-23D8-4d38-92C0-DD3C64AA39E0}.exe
    Filesize: 344KB
    MD5: 24e149a634bf7b1526c9aa52e6f173fe
    SHA1: 583c24990628698944be8c4c86b1f7ff432879d4
    SHA256: 5ff8eb670be892198e8c0b103911c85a6d78be522fbf56d58dddba806c058f35
    SHA512: f1e5018b13b47451d07d6114a59a675c28bacb887aa74f5de2869c219f5d1a55ef0948f875443686becf923b9db245a01de15a38cedd79f28fcae8fc1d295a2f
  • C:\Windows\{28BC0BC7-C246-424e-B4C2-92AB222EB60F}.exe
    Filesize: 344KB
    MD5: d8c5c5fd3e202467755e19405b0a5e48
    SHA1: 66a89a0a8aac288a7fe2ed842e7a9a6a27d041d0
    SHA256: f62e8944003bd580be317da592719f7e21e3357e36caaeb97f96f9dd93ac80b2
    SHA512: a57c003dcbe8cf0a78d2c6b0f295cc07620b78f7594deff343148290fb6bdd51fceb70eb7567145248e3f54e71775436f45ec8328623fcdd7833382d26d7faf7
  • C:\Windows\{3C5D8A84-2D67-42e8-AE3B-637C247A1099}.exe
    Filesize: 344KB
    MD5: 0cc55712b7bdbebcc95e44a28c2c701a
    SHA1: 96d876c3f7595f7680a195cc09ee0aefb79b7b0b
    SHA256: f55ea4f62377df54f05806acde9900daead317fd98861865f1ee99a3fb50e06e
    SHA512: f91183078a978fd3826e2941890db63ee22449db46fda9d335fff9e23683d22c1317fc6f7d28a00433c5f168002338971048376d0227ec08e3943b4137d7802d
  • C:\Windows\{50C8161B-B9F0-4ec9-98EF-A9D4364764C7}.exe
    Filesize: 344KB
    MD5: 1178842d53413b2ded51f6533d80c9b9
    SHA1: f30587191c05dd6bfaf57573367fda797b17448c
    SHA256: 8ab1e71d2cecd13b9a3f55ef1bf1b1f789e399bb321da57af6795f25dcc48c95
    SHA512: 794b829298111ace0d9da4e9db9a9766697890ba5b1aa329356ca9b585b1acac686012ac1baeb608901a07bccdb15392ec33f5b6ca96779b3491d7973d47978a
  • C:\Windows\{580EE2EA-1726-4e23-A380-6B5DF043CA52}.exe
    Filesize: 344KB
    MD5: 2e1cc328a7a8553e6480d804d0f48440
    SHA1: ee76969c85591e4f01509862e135597d6e4ce5b8
    SHA256: 667fe57cc48ceb144ce361808d50ed060681c53cf8dba0b855dfff29814d89b7
    SHA512: 6905ffdb858031c889d1ac554b6f819a77d073032fd4f5b1348d0b67e1c5886abd6d20dcfc3c4b0501f8ff6baf44cbf6b79705cc9a973f1cabac066e8edafa5a
  • C:\Windows\{5F85363B-E707-4c4b-96C9-785B4C79ACAC}.exe
    Filesize: 344KB
    MD5: d8d4b15449e687b1348e6204dfb85009
    SHA1: 7096a713f2bce3579a5b8d82e1271da3ffc808df
    SHA256: c34529157654d780e9df2ccd994d4e513aacee3b6036003115cb3e2e601e9d99
    SHA512: 44a32cfa1760298b11e44f4483e20dd66bd749de43e226bc294f3fe06b9ea0f8389db3201475e7d5f760a9a6a5799e3c7bcf446c6ac9415c186909343351e935
  • C:\Windows\{635D8E1A-87C8-4aef-8C52-5CDAB79045E7}.exe
    Filesize: 344KB
    MD5: a0936d97a84c492130bd31cd9aa53777
    SHA1: 43bdd3fb05c90ca56667ba06ba88503c01c8bcf3
    SHA256: 6e3b0b0306e0195426acc9b13284de598480309d2ec80681f97a1491796149f2
    SHA512: 7f1ac23b79076c7e7fa5c777a88b5161daee891718faf23ea086a4db9155df335d746a01a27f61ad05a7e67ca21b5bcb56a33a9c2c3d8dd757767eeaf3904c4f
  • C:\Windows\{68549392-BD97-4df2-94C0-C395BA4E57A1}.exe
    Filesize: 344KB
    MD5: 35f2a3b2948feb56838df5c20403f3c0
    SHA1: eba6bee9771d6f8085702a195caee495d55a7c74
    SHA256: d5384e9554c0277f4e6e66012e538030cf3b4ed93f250e8e98af3fa258cd335c
    SHA512: 2e676b93281b53871e7116335af20b5b506710733a7847c794f422d735a57f93364084fb12e76bb2716fda829aa821b48f44b65849130d9f07306dbece7e5206
  • C:\Windows\{8D9A78AE-AA93-46d2-9A41-094B44CE9816}.exe
    Filesize: 344KB
    MD5: 96a7d2e9c0bb0dcf61eb00fcb94aae65
    SHA1: e7a0bd6d0663654d038bfe366b6ffcec36eedf5b
    SHA256: 965e6b9bea4b322aaea5f4f19212009e5100b09171ad6a0d57335e5080052adb
    SHA512: 25d4ab11ce7a1293b5801c6a8445c3690dbf862027b3468fa04709deec0c722b0e3a65ca0b616a893056b46dd8f8a7bbbfd881bc84b11bf31e0cd89ebd5cedec
  • C:\Windows\{B3C83BC6-0E12-4287-8DE9-0C271F637851}.exe
    Filesize: 344KB
    MD5: a50a10b91727eb9645fd8ca3da2cf70f
    SHA1: f998343b85b43ab254bfe09c95532ca6480cafcf
    SHA256: a9a7b70acebe05f2f4ad8d6bda7522af6fbdbb96a2146718a37ab1c53ff3effd
    SHA512: 2f0fb52544b101ca3c89262f6497c2386c1d21b1e609add66d7b88fb0f8388250d61e15ae7b7c766f454b1c9d964d6536ab944620ed4ceb062d8644dd1e8ec38
  • C:\Windows\{B6393E71-6FF3-4cf0-8A43-A03B613DEBBA}.exe
    Filesize: 344KB
    MD5: 00abfb36be4b4fad503a9059377fb378
    SHA1: 942196636d849036aafb7ff17fdc671d6004eabe
    SHA256: f145951ad369a077b904f5cd80e62514f7c638880c8d77de01768ca81d106902
    SHA512: 3108d1a69052a2fba7610c13b814b349b704379422d51644c9a015c67359bf44be2c57d5b003a19120028deb3e7ae69ef0a20d00adc98adb3b161a86473fbaf1
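All twelve dropped stages are reported at 344KB, the same size as the submitted sample, yet carry twelve different hashes: each stage rewrites the next one, so a hash captured from this run identifies only this run's files. The durable indicators are the file-name pattern (a braced GUID followed by .exe, directly under C:\Windows) and the behaviour shown in the process tree. The hunt below is an added example, not anything from the report: it walks a directory tree and flags an exact SHA-256 match against the set copied from this Downloads list as the strong signal, and the GUID-name pattern as a weaker lead. The directory it scans is constructed in a temporary folder and the file contents are made up; nothing here reproduces the sample.

```python
"""Hunt a directory tree for this report's dropped-file indicators.

Added example, not Triage's code. KNOWN_SHA256 is copied from the Downloads
list above (plus the submitted sample's SHA-256 from the General section);
the scanned directory and the file contents are constructed here.
"""
import hashlib
import os
import re
import shutil
import tempfile

KNOWN_SHA256 = {
    "ac82d9ed35eb5b8d86515b3b02e3523bc79b4907ced33a7ad99f0e5051276929",  # submitted sample
    "cfe3cd586719c60fb7e99817807050d4a7645ee433f2ab8550023e25b39c6102",  # {0D18C774-...}.exe
    "5ff8eb670be892198e8c0b103911c85a6d78be522fbf56d58dddba806c058f35",  # {14AD119B-...}.exe
    "f62e8944003bd580be317da592719f7e21e3357e36caaeb97f96f9dd93ac80b2",  # {28BC0BC7-...}.exe
    "f55ea4f62377df54f05806acde9900daead317fd98861865f1ee99a3fb50e06e",  # {3C5D8A84-...}.exe
    "8ab1e71d2cecd13b9a3f55ef1bf1b1f789e399bb321da57af6795f25dcc48c95",  # {50C8161B-...}.exe
    "667fe57cc48ceb144ce361808d50ed060681c53cf8dba0b855dfff29814d89b7",  # {580EE2EA-...}.exe
    "c34529157654d780e9df2ccd994d4e513aacee3b6036003115cb3e2e601e9d99",  # {5F85363B-...}.exe
    "6e3b0b0306e0195426acc9b13284de598480309d2ec80681f97a1491796149f2",  # {635D8E1A-...}.exe
    "d5384e9554c0277f4e6e66012e538030cf3b4ed93f250e8e98af3fa258cd335c",  # {68549392-...}.exe
    "965e6b9bea4b322aaea5f4f19212009e5100b09171ad6a0d57335e5080052adb",  # {8D9A78AE-...}.exe
    "a9a7b70acebe05f2f4ad8d6bda7522af6fbdbb96a2146718a37ab1c53ff3effd",  # {B3C83BC6-...}.exe
    "f145951ad369a077b904f5cd80e62514f7c638880c8d77de01768ca81d106902",  # {B6393E71-...}.exe
}
# {GUID}.exe, the name every dropped stage in the report carries.
GUID_EXE_NAME = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root: str, known=frozenset(KNOWN_SHA256)):
    """Walk `root` and return [(path, reason)]. 'known_sha256' is an exact match
    and takes precedence over the weaker 'guid_named_exe' file-name lead."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if sha256_file(path) in known:
                findings.append((path, "known_sha256"))
            elif GUID_EXE_NAME.match(name):
                findings.append((path, "guid_named_exe"))
    return findings


def demo() -> dict:
    """Constructed tree: a GUID-named exe with made-up bytes (name lead only), a
    harmlessly named file whose made-up hash we register as 'known' (exact match,
    which the name pattern would miss), and a benign text file. Returns
    {basename: reason}."""
    root = tempfile.mkdtemp(prefix="hunt_")
    try:
        stage = os.path.join(root, "{0D18C774-7F8A-4102-BA99-3B7E78DAC13F}.exe")
        with open(stage, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)              # constructed, not the real stage
        hidden = os.path.join(root, "sub", "setup.exe")
        os.makedirs(os.path.dirname(hidden))
        with open(hidden, "wb") as f:
            f.write(b"MZ" + b"\x01" * 62)              # constructed bytes, different hash
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("benign\n")
        known = frozenset(KNOWN_SHA256 | {sha256_file(hidden)})  # as if it came from a report
        return {os.path.basename(p): reason for p, reason in hunt(root, known)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(f"{reason:15} {name}")
```

Hash the file before testing the name so a renamed stage is still caught; a real stage found only by its name should be hashed and added to the known set, since the next run of the sample will not reuse any of these digests.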