Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-07-2024 11:51

General

  • Target

    2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe

  • Size

    408KB

  • MD5

    a88c678467be4c4b663e3428ad3d1070

  • SHA1

    0bda26dd5b0abd8d177e5bd8561f9651141fbf9a

  • SHA256

    f6cf2feff6978c3e63c9c343ecf87d42d279cf95d6cf3010b8507bd9ad02e33d

  • SHA512

    6e2a1bd160a8e5e3fa226d7fb313963a2d80800a1d222ca347d717598db9bdf79a9f00789aea651fa56829c76ee4fd9be2aa9f699be7227f94785fd4091eb458

  • SSDEEP

    3072:CEGh0ool3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGWldOe2MUVg3vTeKcAEciTBqr3jy

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
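The Active Setup signature above records only that a key was added; the report does not print the key name or its StubPath. The script below is an added example (not part of this report and not the sample's code) for checking a registry export collected from a host for the pattern this report shows: an Installed Components entry whose StubPath launches a GUID-named executable from the root of C:\Windows. The export text embedded in it is constructed, and the component GUID used for the suspicious entry simply reuses the first dropped file's name, an assumption, because the real key name is not on the page. One caveat worth building in: the sample runs under WOW64 (its cmd.exe is loaded from C:\Windows\SysWOW64 although the command line names system32), so on an x64 host its HKLM\SOFTWARE writes are subject to registry redirection and can land under Wow6432Node; the script reads both views.

```python
"""Triage Active Setup persistence from a registry export (.reg text).

Added example, not part of the sandbox report and not the sample's code.
Parses what `reg export` writes for
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and for the
Wow6432Node view, then flags StubPath values that launch a GUID-named .exe
from the root of C:\Windows, the drop location this report shows.
The export below is constructed: the report does not list the values the
sample wrote, and the suspicious entry's GUID is assumed.
"""
import re

INSTALLED_COMPONENTS = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Active Setup\\Installed Components\\", re.I)
GUID_EXE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Where legitimate Active Setup stubs normally live (lower-case path prefixes).
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Constructed export: one stock-looking entry, one hypothetical vendor entry with a
# quoted path, and the assumed entry for this sample in the Wow6432Node view.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
@="Hypothetical vendor component"
"StubPath"="\"C:\\Program Files\\Hypothetical\\setup.exe\" /user"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0727AEF6-2006-431d-8FF2-08D6413AFCF3}]
"StubPath"="C:\\Windows\\{0727AEF6-2006-431d-8FF2-08D6413AFCF3}.exe"
"""


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; REG_SZ values are unescaped, others kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def stub_executable(stub_path):
    """Program path from a StubPath command line: a quoted path, or the text up to the first .exe."""
    s = stub_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"^(.+?\.exe)(?=\s|$)", s, re.I)
    return m.group(1) if m else s.split(" ", 1)[0]


def triage_active_setup(reg_text):
    """One finding per Installed Components entry whose StubPath looks suspicious."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        m = INSTALLED_COMPONENTS.match(key)
        stub = values.get("StubPath")
        if not m or not stub:
            continue
        exe = stub_executable(stub)
        directory, _, base = exe.rpartition("\\")
        reasons = []
        if directory.lower() == r"c:\windows" and GUID_EXE.match(base):
            reasons.append("GUID-named executable in the Windows root (drop pattern seen in this report)")
        elif not directory.lower().startswith(EXPECTED_DIRS):
            reasons.append("stub outside System32/SysWOW64/Program Files; review")
        if reasons:
            findings.append({"key": key, "stub_path": stub, "executable": exe,
                             "wow6432": m.group(1) is not None, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_active_setup(SAMPLE_REG_EXPORT):
        view = "Wow6432Node" if f["wow6432"] else "native"
        print(f"{f['key']}\n  StubPath: {f['stub_path']}\n  view: {view}\n  " + "; ".join(f["reasons"]))
```

Collect the input on the host with `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" native.reg` and the same command for the Wow6432Node path; reg.exe writes UTF-16, so open the files with encoding="utf-16" before passing the text to triage_active_setup(). Active Setup stubs run at the next logon of each user whose HKCU copy of the component is missing or carries a lower Version, so an empty process tree at analysis time says nothing about whether the persistence is still armed.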

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\{0727AEF6-2006-431d-8FF2-08D6413AFCF3}.exe
      C:\Windows\{0727AEF6-2006-431d-8FF2-08D6413AFCF3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\{E123FD95-232A-4d22-8658-F6CE94C5A234}.exe
        C:\Windows\{E123FD95-232A-4d22-8658-F6CE94C5A234}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4408
        • C:\Windows\{1B474D77-B42D-4177-99C7-898073405DE2}.exe
          C:\Windows\{1B474D77-B42D-4177-99C7-898073405DE2}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2372
          • C:\Windows\{4450F73E-4A5A-4364-8846-DB18D03F9A9D}.exe
            C:\Windows\{4450F73E-4A5A-4364-8846-DB18D03F9A9D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2888
            • C:\Windows\{0BC8C383-4983-4dfd-9AC1-A54B32806CB6}.exe
              C:\Windows\{0BC8C383-4983-4dfd-9AC1-A54B32806CB6}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2360
              • C:\Windows\{4E478E13-82E3-4ecd-82EB-C9E4F39EE464}.exe
                C:\Windows\{4E478E13-82E3-4ecd-82EB-C9E4F39EE464}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4516
                • C:\Windows\{A8919068-EB43-4cc9-8571-9423EBEA5251}.exe
                  C:\Windows\{A8919068-EB43-4cc9-8571-9423EBEA5251}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3252
                  • C:\Windows\{9DA26EC8-2835-436d-8FE3-B07FC6AB833D}.exe
                    C:\Windows\{9DA26EC8-2835-436d-8FE3-B07FC6AB833D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3564
                    • C:\Windows\{7A7C49D9-7FB8-49df-AC36-FCF9DF148C6D}.exe
                      C:\Windows\{7A7C49D9-7FB8-49df-AC36-FCF9DF148C6D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3748
                      • C:\Windows\{9F006C99-CBC0-4f0f-B14C-280FAF87AC86}.exe
                        C:\Windows\{9F006C99-CBC0-4f0f-B14C-280FAF87AC86}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1212
                        • C:\Windows\{52878C40-96B3-45a0-8DD0-C5DB35BAA561}.exe
                          C:\Windows\{52878C40-96B3-45a0-8DD0-C5DB35BAA561}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:224
                          • C:\Windows\{B9DB8BDA-7E9E-42b1-9626-E5CE650124B5}.exe
                            C:\Windows\{B9DB8BDA-7E9E-42b1-9626-E5CE650124B5}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4076
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{52878~1.EXE > nul
                            13⤵
                            PID:1472
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9F006~1.EXE > nul
                          12⤵
                          PID:3240
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A7C4~1.EXE > nul
                        11⤵
                        PID:4600
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9DA26~1.EXE > nul
                      10⤵
                      PID:5028
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A8919~1.EXE > nul
                    9⤵
                    PID:1164
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{4E478~1.EXE > nul
                  8⤵
                  PID:1096
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0BC8C~1.EXE > nul
                7⤵
                PID:1032
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4450F~1.EXE > nul
              6⤵
              PID:3712
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{1B474~1.EXE > nul
            5⤵
            PID:4936
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E123F~1.EXE > nul
          4⤵
          PID:3320
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0727A~1.EXE > nul
        3⤵
        PID:2484
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:3680
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3628,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
    1⤵
    PID:4868
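Every stage in the tree above follows the same three steps: write a GUID-named copy to C:\Windows, launch it, and remove its own image with `cmd.exe /c del <8.3 short name> > nul` (the cmd.exe under each stage deletes that stage's file, and the depth-2 cmd.exe deletes the submitted sample). The script below is an added example (not part of this report and not the sample's code) that turns that pattern into detection logic over process-creation events. The events are constructed from the PIDs, images and command lines in the tree, with parent PIDs read from the nesting, a hypothetical explorer.exe parent for the sample, and one benign cmd.exe deletion added for contrast. Matching of the del target against the parent's image uses a heuristic 8.3 form (first six characters of the name, ~N, three-letter extension), which is how the paths in this tree are written.

```python
"""Detection logic for the self-deleting dropper chain in this report's process tree.

Added example; not part of the sandbox report and not the sample's code. Events are
constructed from the report (PIDs, images, command lines; parent PIDs from the tree's
nesting) in the shape of Sysmon Event ID 1 fields, plus a hypothetical explorer.exe
parent (PID 1234) and one benign cmd.exe deletion that must not fire.
"""
import re

GUID_EXE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r'/c\s+del\s+"?([^"\s>]+)"?\s*>\s*nul', re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
STAGES = [  # (pid, GUID) of each C:\Windows\{GUID}.exe, in execution order from the tree
    (856, "0727AEF6-2006-431d-8FF2-08D6413AFCF3"), (4408, "E123FD95-232A-4d22-8658-F6CE94C5A234"),
    (2372, "1B474D77-B42D-4177-99C7-898073405DE2"), (2888, "4450F73E-4A5A-4364-8846-DB18D03F9A9D"),
    (2360, "0BC8C383-4983-4dfd-9AC1-A54B32806CB6"), (4516, "4E478E13-82E3-4ecd-82EB-C9E4F39EE464"),
    (3252, "A8919068-EB43-4cc9-8571-9423EBEA5251"), (3564, "9DA26EC8-2835-436d-8FE3-B07FC6AB833D"),
    (3748, "7A7C49D9-7FB8-49df-AC36-FCF9DF148C6D"), (1212, "9F006C99-CBC0-4f0f-B14C-280FAF87AC86"),
    (224, "52878C40-96B3-45a0-8DD0-C5DB35BAA561"), (4076, "B9DB8BDA-7E9E-42b1-9626-E5CE650124B5"),
]
DELETES = [  # (cmd pid, parent pid, path passed to `del`) exactly as printed in the tree
    (3680, 4776, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
    (2484, 856, r"C:\Windows\{0727A~1.EXE"), (3320, 4408, r"C:\Windows\{E123F~1.EXE"),
    (4936, 2372, r"C:\Windows\{1B474~1.EXE"), (3712, 2888, r"C:\Windows\{4450F~1.EXE"),
    (1032, 2360, r"C:\Windows\{0BC8C~1.EXE"), (1096, 4516, r"C:\Windows\{4E478~1.EXE"),
    (1164, 3252, r"C:\Windows\{A8919~1.EXE"), (5028, 3564, r"C:\Windows\{9DA26~1.EXE"),
    (4600, 3748, r"C:\Windows\{7A7C4~1.EXE"), (3240, 1212, r"C:\Windows\{9F006~1.EXE"),
    (1472, 224, r"C:\Windows\{52878~1.EXE"),
]


def build_events():
    """Return (pid, ppid, image, command_line) tuples for the whole tree."""
    events = [(1234, 0, r"C:\Windows\explorer.exe", "explorer.exe"),  # hypothetical parent
              (4776, 1234, SAMPLE, f'"{SAMPLE}"')]
    parent = 4776
    for pid, guid in STAGES:
        image = r"C:\Windows\{" + guid + "}.exe"
        events.append((pid, parent, image, image))
        parent = pid
    for cpid, ppid, target in DELETES:
        events.append((cpid, ppid, CMD, r"C:\Windows\system32\cmd.exe /c del " + target + " > nul"))
    # Constructed benign control: a user-driven cleanup from explorer that must not fire.
    events.append((9001, 1234, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Temp\old.log > nul"))
    return events


def is_guid_exe(image):
    """True for a GUID-named executable sitting directly in C:\Windows."""
    directory, _, base = image.rpartition("\\")
    return directory.lower() == r"c:\windows" and GUID_EXE.match(base) is not None


def matches_short_name(long_path, candidate):
    """Same file, allowing the 8.3 form (first six stem chars, ~N, 3-char extension) that the
    del commands in this tree use. Heuristic: Windows assigns other short names after name
    collisions, so treat a miss as inconclusive rather than as benign."""
    ldir, _, lbase = long_path.rpartition("\\")
    cdir, _, cbase = candidate.rpartition("\\")
    if ldir.lower() != cdir.lower():
        return False
    if lbase.lower() == cbase.lower():
        return True
    stem, _, ext = lbase.rpartition(".")
    stem6 = re.escape(stem.replace(" ", "").replace(".", "")[:6].upper())
    return re.fullmatch(rf"{stem6}~\d+\.{re.escape(ext[:3].upper())}", cbase.upper()) is not None


def detect(events):
    """Return (pid, rule) alerts: GUID exe in the Windows root; cmd.exe deleting its parent's image."""
    by_pid = {e[0]: e for e in events}
    alerts = []
    for pid, ppid, image, cmdline in events:
        if is_guid_exe(image):
            alerts.append((pid, "guid_exe_in_windows_root"))
        if image.lower().endswith("\\cmd.exe"):
            m = DEL_CMD.search(cmdline)
            parent = by_pid.get(ppid)
            if m and parent and matches_short_name(parent[2], m.group(1)):
                alerts.append((pid, "parent_deleted_via_cmd"))
    return alerts


def dropper_chain_length(events):
    """Longest parent-to-child run of GUID-named executables under C:\Windows."""
    by_pid = {e[0]: e for e in events}
    memo = {}

    def depth(pid):
        if pid in memo:
            return memo[pid]
        memo[pid] = 0  # set before recursing so a malformed cyclic tree cannot loop
        e = by_pid.get(pid)
        if e and is_guid_exe(e[2]):
            memo[pid] = 1 + depth(e[1])
        return memo[pid]

    return max((depth(e[0]) for e in events), default=0)


if __name__ == "__main__":
    evs = build_events()
    for pid, rule in detect(evs):
        print(pid, rule)
    print("dropper chain length:", dropper_chain_length(evs))
```

Fed with real Sysmon Event ID 1 records (ProcessId, ParentProcessId, Image, CommandLine), the two rules apply unchanged; the chain-length function is useful for scoring, since a parent-to-child run of twelve GUID-named executables has no legitimate counterpart. One caveat when reading the tree: the last stage, PID 4076, shows neither a child stage nor a delete command, so the tree may be cut off by the analysis time limit rather than complete, and PID 4076 should not be read as the final stage.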

Network

MITRE ATT&CK Enterprise v15

Downloads

All twelve dropped stages are 408KB, the same size as the submitted sample, yet no two share a hash: each stage writes a modified copy of itself, so blocking on any single file hash will not stop the chain. Match on the drop-path pattern (C:\Windows\{GUID}.exe) rather than on exact hashes.

  • C:\Windows\{0727AEF6-2006-431d-8FF2-08D6413AFCF3}.exe
    Filesize  408KB
    MD5       125665738a3bb9be5f58e75d2e1cbef8
    SHA1      391aac03cd27be32e04d6f013b9b13088a1361b0
    SHA256    688424dbf856960702125983934bba8f0f5efae8dffb3c02bd81c99e818e16b0
    SHA512    6dea41958c22480f91c4487aa10079fab94a8937cb706636ff1f939de0386b2033e8a076f03ecccd2b000fb24b6fc36f68721dece6e010c646b0465036be04f3

  • C:\Windows\{0BC8C383-4983-4dfd-9AC1-A54B32806CB6}.exe
    Filesize  408KB
    MD5       865714edd091a588fef4ba1e76ea4148
    SHA1      26753b2e9d4786ac8cfc02d8d63e509089bdb50c
    SHA256    2d7408be6b3590049e25ce38586febcae86294dc8fd8e7933ecd823cba336ddb
    SHA512    bc34b35f15000b032d0c4749d19ab61ade69ce2deffb6afca0c53bdbfe05ebd5b9b6f886ed7c085097039b6796cd290f816d5a6cbea594658d90325eca9c8a71

  • C:\Windows\{1B474D77-B42D-4177-99C7-898073405DE2}.exe
    Filesize  408KB
    MD5       4fabccad7c0cddc59355a28920d20151
    SHA1      de59b80ca6a15e533bbbd2c354ba2af4db15b51c
    SHA256    cc3642ede63aa79a0400bec8d612e7603f1f28482fe0a71a549a59bb64c04f56
    SHA512    fbd6f0fb35c1da23e64ccd29ecf0a0cd8060d26b816d01e3907c5f6c28ec138b83369c510a6d88c7cb30fd091152ee1a7e48ed9efdb5dfc70856301d7ff04a05

  • C:\Windows\{4450F73E-4A5A-4364-8846-DB18D03F9A9D}.exe
    Filesize  408KB
    MD5       b273c4deacc84d5adae7a007e32db81a
    SHA1      a431bed8865594e66043893f0e0c2d22966689f0
    SHA256    bd65611108c664928c8854410d4a0f4c362b5b1ba726bff657e5223c2550f76b
    SHA512    77c245a8135ccf5deaca6aa26d18fa97ddf1bd433d5b1b378db926f7141e861079e2e52e19272b6556e045d5195b57b5e94ca2f6c0143e11f568b1e543e33623

  • C:\Windows\{4E478E13-82E3-4ecd-82EB-C9E4F39EE464}.exe
    Filesize  408KB
    MD5       732a1d86cbfae1dea8327b0325036ef0
    SHA1      ab9f8259c2c7d44edd1da0cb43e0055c90873d93
    SHA256    4bedf0da2d6a08ae7512229c7f4cae3b6cd846055b56d4d56caa6a0ac7ccae70
    SHA512    9169845d04d93b2d6abd5e77ceb51375e4c7ffd5c1e7eaa7330f3c7d222d59ae065ac994e1136c4d4b15a8d01915fbbb8e7ebd346ab70f49038b5ddab7eb2eb2

  • C:\Windows\{52878C40-96B3-45a0-8DD0-C5DB35BAA561}.exe
    Filesize  408KB
    MD5       9a3e0f0b60b2f2d37650a5d65b230f4b
    SHA1      fed2cbefcc7ea314e7bff8d4cb562b9d1107f74b
    SHA256    6327842216a626b9527ec23e1dae99afc4c12f69718e68519d989e59a61add4f
    SHA512    7812c329b034c4a95852ccdaa2a98498e2c04d29e998ab08486f5588872026031f6a23e7d3daf424bd67594294b0049256d64220f8566f6edfb997aae4605e18

  • C:\Windows\{7A7C49D9-7FB8-49df-AC36-FCF9DF148C6D}.exe
    Filesize  408KB
    MD5       462d65d0a59201d241df78637eccc577
    SHA1      8a05f61a1d9ff124c613b5857900f62e5eee1d32
    SHA256    e53796f1c5d851ef618fd0d4b91c4cac0ee75b7dd97e3f918915bf4578869772
    SHA512    757c09d244e150a0960b1689cea9d9cd57407269de00ad3f0cfe32ded9334d94f0f8cce487aa082010327694856ce25999d4910b777f8e6173e27a986fc0baa6

  • C:\Windows\{9DA26EC8-2835-436d-8FE3-B07FC6AB833D}.exe
    Filesize  408KB
    MD5       173856c862bcb9e0679124a101e9dbc4
    SHA1      cd9a6a2d256aee97499e598bfd2c80199983220b
    SHA256    2aa25ba3ba0a73531c489f2447568888da2c374ba482d687af4a014dcfdaa647
    SHA512    fbb186896ce240bcd361242c9eee23389b4b39bf82a10fc4d9cd8c4a4d81c77126cd52f5c871d4954518c8884fb8c633db8c60b28ddd8b07e0f6d175c72533c1

  • C:\Windows\{9F006C99-CBC0-4f0f-B14C-280FAF87AC86}.exe
    Filesize  408KB
    MD5       2848b45c47fc759a3e4c0bc34c89c14e
    SHA1      8e935b3f0dec74294ddf9a4e2ed0143273335b52
    SHA256    fadb8f38a0ba8f3258e86d87caf94db755af8dfa991c99531f88758d7574fb44
    SHA512    26f4034dcc8165adebcd3ff1f1059902dc4ac338e4e38349fb28796a65b015de4486eada535c173f9896ce1c5ef22ab85ad41ad8953b73924d2afc48935bdc13

  • C:\Windows\{A8919068-EB43-4cc9-8571-9423EBEA5251}.exe
    Filesize  408KB
    MD5       6a364a2a4b427a92c7be2e3572cb3199
    SHA1      43961cfd84aea75c4f0e481d8b66226e820541fd
    SHA256    7bd3b0b0e361ad2d6d09f35010417083f42f95844958e334ba7132873042b3b1
    SHA512    4c8ad17d1564d6ca902cf7c35f6e42c5c3c423b47c22688909ebfd37d0af9930778e5c5aa1520b9a178d173150323370f55f63ee1a8920c264d5dc348abc6668

  • C:\Windows\{B9DB8BDA-7E9E-42b1-9626-E5CE650124B5}.exe
    Filesize  408KB
    MD5       e88646964794e9e544c911b68bbff935
    SHA1      5fa561dc62f7efc30a138769505dd21b505b9035
    SHA256    60dbbc56314f0e2106866671120b853c66eb50e36103f1542a3fcb1cddc82d89
    SHA512    4c109f9edeb390f028fc1097d175e9e787b0b75c40b7eecb4f4fbd756b4aab37eabb8462325c967a98247cef0667a0ec8dd8242e0f5a1b1fed207aa6cbf286af

  • C:\Windows\{E123FD95-232A-4d22-8658-F6CE94C5A234}.exe
    Filesize  408KB
    MD5       f7c94a1ca82af1f5c22901562ea0e2d1
    SHA1      3d55f2ce6ea56eadab8e82707e1904cf94abcdfc
    SHA256    10f7f9343dd202d78fb71061e09d0ea5b4b6377ba0ce8f02306e9ebb2109f358
    SHA512    81b6edad9b685f6d7a9be5486bebe8e2792d57f2bd72a89e7cf083bee2852a70fda20934d501ffd90810db42c659e3724e04ba70bc0ba9eeb8a007e8038aa97f