06196c972124f66024aba11b68da0056988143337c3a61035f8fe163accd86b1

General

Target

2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe
Size

192KB
MD5

2c92aa4c8874584f14a58901c4e35ba0
SHA1

0e28a27f4076da9fb6a3076231e6b9718a855603
SHA256

06196c972124f66024aba11b68da0056988143337c3a61035f8fe163accd86b1
SHA512

e82598f888edebca054633cef75afe9596cbd254bf150e028bbbb9c6943692b08bf5a2fa94849bfc349ee4ab4c6e38655c1c8eba969aabb78a18758b36ac0371
SSDEEP

1536:1EGh0oZl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oZl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49DAF137-6044-4587-9ACA-A85212018CF8}\stubpath = "C:\\Windows\\{49DAF137-6044-4587-9ACA-A85212018CF8}.exe"	2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}\stubpath = "C:\\Windows\\{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe"	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7667DF1E-EB89-41f2-86CA-AD7B475238F5}	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7667DF1E-EB89-41f2-86CA-AD7B475238F5}\stubpath = "C:\\Windows\\{7667DF1E-EB89-41f2-86CA-AD7B475238F5}.exe"	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49DAF137-6044-4587-9ACA-A85212018CF8}	2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe

Executes dropped EXE 3 IoCs

pid	Process
4696	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe
4948	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe
3364	{7667DF1E-EB89-41f2-86CA-AD7B475238F5}.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\{7667DF1E-EB89-41f2-86CA-AD7B475238F5}.exe	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe
File created	C:\Windows\{49DAF137-6044-4587-9ACA-A85212018CF8}.exe	2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe
File created	C:\Windows\{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2996	2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4696	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe
Token: SeIncBasePriorityPrivilege	4948	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 4696	2996	2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe	98
PID 2996 wrote to memory of 4696	2996	2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe	98
PID 2996 wrote to memory of 4696	2996	2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe	98
PID 2996 wrote to memory of 4648	2996	2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe	97
PID 2996 wrote to memory of 4648	2996	2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe	97
PID 2996 wrote to memory of 4648	2996	2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe	97
PID 4696 wrote to memory of 4948	4696	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe	102
PID 4696 wrote to memory of 4948	4696	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe	102
PID 4696 wrote to memory of 4948	4696	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe	102
PID 4696 wrote to memory of 4732	4696	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe	101
PID 4696 wrote to memory of 4732	4696	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe	101
PID 4696 wrote to memory of 4732	4696	{49DAF137-6044-4587-9ACA-A85212018CF8}.exe	101
PID 4948 wrote to memory of 3364	4948	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe	107
PID 4948 wrote to memory of 3364	4948	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe	107
PID 4948 wrote to memory of 3364	4948	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe	107
PID 4948 wrote to memory of 2548	4948	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe	106
PID 4948 wrote to memory of 2548	4948	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe	106
PID 4948 wrote to memory of 2548	4948	{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_2c92aa4c8874584f14a58901c4e35ba0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4648
- C:\Windows\{49DAF137-6044-4587-9ACA-A85212018CF8}.exe
  C:\Windows\{49DAF137-6044-4587-9ACA-A85212018CF8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{49DAF~1.EXE > nul
    3⤵
    PID:4732
- - C:\Windows\{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe
    C:\Windows\{1D7C25D8-26FC-46c5-98F9-D01A46C76C20}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1D7C2~1.EXE > nul
      4⤵
      PID:2548
  - - C:\Windows\{7667DF1E-EB89-41f2-86CA-AD7B475238F5}.exe
      C:\Windows\{7667DF1E-EB89-41f2-86CA-AD7B475238F5}.exe
      4⤵
      Executes dropped EXE
      PID:3364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7667D~1.EXE > nul
        5⤵
        
        PID:4052
    - - C:\Windows\{69EB4AEE-9C30-48ae-8385-167BCF8F43A8}.exe
        
        C:\Windows\{69EB4AEE-9C30-48ae-8385-167BCF8F43A8}.exe
        5⤵
        
        PID:5072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69EB4~1.EXE > nul
        6⤵
        
        PID:364
      - C:\Windows\{56632442-91C9-4bb1-9F74-30A985B3796C}.exe
        
        C:\Windows\{56632442-91C9-4bb1-9F74-30A985B3796C}.exe
        6⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56632~1.EXE > nul
        7⤵
        
        PID:2400
        
        C:\Windows\{C3168816-E433-4086-B1A7-D8F64DFAFD27}.exe
        
        C:\Windows\{C3168816-E433-4086-B1A7-D8F64DFAFD27}.exe
        7⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3168~1.EXE > nul
        8⤵
        
        PID:4044
        
        C:\Windows\{C83AB358-4931-4db2-80C8-F15ADA335ADE}.exe
        
        C:\Windows\{C83AB358-4931-4db2-80C8-F15ADA335ADE}.exe
        8⤵
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{C3168816-E433-4086-B1A7-D8F64DFAFD27}.exe

Filesize
192KB

MD5
32c850b5c2c78f32826fdc2942f44683

SHA1
1bd77938e93a158aca72efc230091b0bc8a9a8ee

SHA256
4bf7bf3ffb3c62e6b1e736e3cd7eac38d7bfdfe0c6bc290625a97af034acfea7

SHA512
e88dd12d0da3c01d18bb878d8dcc10ed35c2c038c01733f437128c240802cd5faaf8917cf886f26f0803b6ee2b38eb421aff881ac224c17f781ab0592165b1e2

Download Submit
C:\Windows\{C83AB358-4931-4db2-80C8-F15ADA335ADE}.exe

Filesize
192KB

MD5
ef6ed89b8f992b7cd5d8181d800406d8

SHA1
45b3c736b7f11780787453c223a6618e501b454c

SHA256
973e75706e26ae8df91eb52bbca116296c48cdc8f771ec43272537f75d73d50c

SHA512
b2f15a7f6ef37dde703d732b0d4f2e4b502933b49645c2b5430c546a179a2d646c54d08dde3e313aab71aa98816cfe785ad4657d6b5847d79b8592071f3975fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads