Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07-07-2022 09:58
Static task: static1
Behavioral task: behavioral1
Sample: GoldenSpy (6).exe
Resource: win7-20220414-en
General
Target: GoldenSpy (6).exe
Size: 366KB
MD5: b363e855f613233848a0a89216488bfb
SHA1: c897972dfd26a07591cabbeeeeeb1db18f2f21d4
SHA256: 20932b2151de5f0dc5c1159fbc1d2d004f069bb04d32d66dc7fa5b7b9eac1aa7
SHA512: 47d65f9d64e2d9fd5fe78731d990dadb6148240477dc20ef9305ae5d32345ef2d28e82a10d40e2139141bf0c25556eb633b0c7cf1139989ec0bf0a610d6efeda
Malware Config
Signatures
- GoldenSpy Payload (8 IoCs)
  resource                              yara_rule
  C:\Program Files (x86)\svm\svm.exe    goldenspy_svm_payload
  C:\Program Files (x86)\svm\svm.exe    goldenspy_svm_payload
  C:\Program Files (x86)\svm\svmm.exe   goldenspy_svm_payload
  C:\Program Files (x86)\svm\svmm.exe   goldenspy_svm_payload
  C:\Program Files (x86)\svm\svm.exe    goldenspy_svm_payload
  C:\Program Files (x86)\svm\svm.exe    goldenspy_svm_payload
  C:\Program Files (x86)\svm\svmm.exe   goldenspy_svm_payload
  C:\Program Files (x86)\svm\svmm.exe   goldenspy_svm_payload
- suricata: ET MALWARE GoldenSpy Domain Observed
- suricata: ET MALWARE GoldenSpy Domain Observed
- Executes dropped EXE (6 IoCs)
  pid    process
  5104   svm.exe
  3168   svmm.exe
  1832   svm.exe
  4456   svm.exe
  2200   svmm.exe
  4516   svmm.exe
- Loads dropped DLL (4 IoCs)
  pid    process
  4284   GoldenSpy (6).exe
  4284   GoldenSpy (6).exe
  4284   GoldenSpy (6).exe
  4284   GoldenSpy (6).exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (2 IoCs)
  description                    ioc                                                process
  File created                   C:\Program Files (x86)\svm\svm.exe                 GoldenSpy (6).exe
  File opened for modification   C:\Program Files (x86)\svm\log\20220707-svm.log    svm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (5 IoCs)
  description       ioc                                                                                                                   process
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"       svm.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      svm.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"      svm.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"     svm.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"    svm.exe
- Suspicious behavior: EnumeratesProcesses (60 IoCs, collapsed by pid)
  pid    process             entries
  4284   GoldenSpy (6).exe   4
  4516   svmm.exe            28
  4456   svm.exe             28
- Suspicious use of WriteProcessMemory (12 IoCs, each row repeated 3 times in the report)
  description                         pid    process             target process
  PID 4284 wrote to memory of 5104    4284   GoldenSpy (6).exe   svm.exe
  PID 4284 wrote to memory of 3168    4284   GoldenSpy (6).exe   svmm.exe
  PID 4284 wrote to memory of 1832    4284   GoldenSpy (6).exe   svm.exe
  PID 4284 wrote to memory of 2200    4284   GoldenSpy (6).exe   svmm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\GoldenSpy (6).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\GoldenSpy (6).exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\svm\svm.exe
    command line: "C:\Program Files (x86)\svm\svm.exe" -i
    - Executes dropped EXE
  - C:\Program Files (x86)\svm\svmm.exe
    command line: "C:\Program Files (x86)\svm\svmm.exe" -i
    - Executes dropped EXE
  - C:\Program Files (x86)\svm\svm.exe
    command line: "C:\Program Files (x86)\svm\svm.exe" -start
    - Executes dropped EXE
  - C:\Program Files (x86)\svm\svmm.exe
    command line: "C:\Program Files (x86)\svm\svmm.exe" -start
    - Executes dropped EXE
- C:\Program Files (x86)\svm\svm.exe
  command line: "C:\Program Files (x86)\svm\svm.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\svm\svmm.exe
  command line: "C:\Program Files (x86)\svm\svmm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\svm\svm.exe
  Filesize: 504KB
  MD5: cf640636f3d85586607c20813884ff4a
  SHA1: 484d2e4d31a0c0a5ce5a2b2525677baa277c8a2c
  SHA256: d41081969a212dec0ca623d848fb51907d8cdb1cb7bd86e1354e3041052858fb
  SHA512: a6d18abdac3742613786b36e96130deee771a80cdcde200ccdab71546219094e8f088f6a05125d5f0056d9689265296783a59d49a88bc89bdd64073590f7f4a5
- C:\Program Files (x86)\svm\svmm.exe
  Filesize: 504KB
  MD5: cf640636f3d85586607c20813884ff4a
  SHA1: 484d2e4d31a0c0a5ce5a2b2525677baa277c8a2c
  SHA256: d41081969a212dec0ca623d848fb51907d8cdb1cb7bd86e1354e3041052858fb
  SHA512: a6d18abdac3742613786b36e96130deee771a80cdcde200ccdab71546219094e8f088f6a05125d5f0056d9689265296783a59d49a88bc89bdd64073590f7f4a5
- C:\Users\Admin\AppData\Local\Temp\nsg5857.tmp\processwork.dll
  Filesize: 231KB
  MD5: 0a4fa7a9ba969a805eb0603c7cfe3378
  SHA1: 0f018a8d5b42c6ce8bf34b4a6422861c327af88c
  SHA256: 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c
  SHA512: e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178
- memory/1832-142-0x0000000000000000-mapping.dmp
- memory/2200-143-0x0000000000000000-mapping.dmp
- memory/3168-139-0x0000000000000000-mapping.dmp
- memory/4284-132-0x00000000024F0000-0x0000000002531000-memory.dmp
  Filesize: 260KB
- memory/5104-136-0x0000000000000000-mapping.dmp