269943018e3e3e58f50c214ae524708fefd02ae71edcd9164be25374fdd367a0

Analysis

max time kernel
68s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
Size

168KB
MD5

2d276bfd3d0ac019ddcfb8813e1e9dc3
SHA1

0fe1c7dbbd12f18537aedc9094ee1ac7438e5c1a
SHA256

269943018e3e3e58f50c214ae524708fefd02ae71edcd9164be25374fdd367a0
SHA512

da0eae9f7fba3dd3d3b59a69138991504b90777e1fa243f2a94640174db51c67da5301ce5b1e12260d1fd2276536100e0f814eaab904d76cb903d26ea2abd4e0
SSDEEP

1536:1EGh0oGlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oGlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B609529-67B6-4296-A4EB-BB23F4921ACE}	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B609529-67B6-4296-A4EB-BB23F4921ACE}\stubpath = "C:\\Windows\\{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe"	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85154432-AD3C-4a2f-9AAC-D776140BBDA4}\stubpath = "C:\\Windows\\{85154432-AD3C-4a2f-9AAC-D776140BBDA4}.exe"	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}\stubpath = "C:\\Windows\\{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe"	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85154432-AD3C-4a2f-9AAC-D776140BBDA4}	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44235261-ABDF-49c9-B0AC-A559FACA995A}	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44235261-ABDF-49c9-B0AC-A559FACA995A}\stubpath = "C:\\Windows\\{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe"	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}\stubpath = "C:\\Windows\\{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe"	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe

Executes dropped EXE 5 IoCs

pid	Process
3636	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe
1588	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe
1440	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe
4960	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe
2948	{85154432-AD3C-4a2f-9AAC-D776140BBDA4}.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
File created	C:\Windows\{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe
File created	C:\Windows\{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe
File created	C:\Windows\{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe
File created	C:\Windows\{85154432-AD3C-4a2f-9AAC-D776140BBDA4}.exe	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3552	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3636	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe
Token: SeIncBasePriorityPrivilege	1588	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe
Token: SeIncBasePriorityPrivilege	1440	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe
Token: SeIncBasePriorityPrivilege	4960	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3636	3552	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	99
PID 3552 wrote to memory of 3636	3552	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	99
PID 3552 wrote to memory of 3636	3552	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	99
PID 3552 wrote to memory of 3700	3552	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	100
PID 3552 wrote to memory of 3700	3552	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	100
PID 3552 wrote to memory of 3700	3552	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	100
PID 3636 wrote to memory of 1588	3636	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe	102
PID 3636 wrote to memory of 1588	3636	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe	102
PID 3636 wrote to memory of 1588	3636	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe	102
PID 3636 wrote to memory of 3656	3636	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe	101
PID 3636 wrote to memory of 3656	3636	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe	101
PID 3636 wrote to memory of 3656	3636	{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe	101
PID 1588 wrote to memory of 1440	1588	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe	106
PID 1588 wrote to memory of 1440	1588	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe	106
PID 1588 wrote to memory of 1440	1588	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe	106
PID 1588 wrote to memory of 4376	1588	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe	105
PID 1588 wrote to memory of 4376	1588	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe	105
PID 1588 wrote to memory of 4376	1588	{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe	105
PID 1440 wrote to memory of 4960	1440	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe	108
PID 1440 wrote to memory of 4960	1440	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe	108
PID 1440 wrote to memory of 4960	1440	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe	108
PID 1440 wrote to memory of 2928	1440	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe	107
PID 1440 wrote to memory of 2928	1440	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe	107
PID 1440 wrote to memory of 2928	1440	{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe	107
PID 4960 wrote to memory of 2948	4960	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe	111
PID 4960 wrote to memory of 2948	4960	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe	111
PID 4960 wrote to memory of 2948	4960	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe	111
PID 4960 wrote to memory of 4320	4960	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe	110
PID 4960 wrote to memory of 4320	4960	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe	110
PID 4960 wrote to memory of 4320	4960	{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe
  C:\Windows\{44235261-ABDF-49c9-B0AC-A559FACA995A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{44235~1.EXE > nul
    3⤵
    PID:3656
- - C:\Windows\{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe
    C:\Windows\{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FFAA3~1.EXE > nul
      4⤵
      PID:4376
  - - C:\Windows\{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe
      C:\Windows\{5B609529-67B6-4296-A4EB-BB23F4921ACE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B609~1.EXE > nul
        5⤵
        
        PID:2928
    - - C:\Windows\{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe
        
        C:\Windows\{2FCB366A-A932-49be-B0AC-B88B4C2BD4A9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FCB3~1.EXE > nul
        6⤵
        
        PID:4320
      - C:\Windows\{85154432-AD3C-4a2f-9AAC-D776140BBDA4}.exe
        
        C:\Windows\{85154432-AD3C-4a2f-9AAC-D776140BBDA4}.exe
        6⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85154~1.EXE > nul
        7⤵
        
        PID:4256
        
        C:\Windows\{861AB64A-2BF2-4358-8C63-5E05F866937F}.exe
        
        C:\Windows\{861AB64A-2BF2-4358-8C63-5E05F866937F}.exe
        7⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{861AB~1.EXE > nul
        8⤵
        
        PID:4272
        
        C:\Windows\{AB98678A-38BA-45d5-B101-055F3783FC14}.exe
        
        C:\Windows\{AB98678A-38BA-45d5-B101-055F3783FC14}.exe
        8⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB986~1.EXE > nul
        9⤵
        
        PID:3280
        
        C:\Windows\{C4E9169A-DB69-4c52-BBA6-95DC454BE3B0}.exe
        
        C:\Windows\{C4E9169A-DB69-4c52-BBA6-95DC454BE3B0}.exe
        9⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4E91~1.EXE > nul
        10⤵
        
        PID:2724
        
        C:\Windows\{C5981D8F-4632-44e4-A6F0-2A16DE15FF14}.exe
        
        C:\Windows\{C5981D8F-4632-44e4-A6F0-2A16DE15FF14}.exe
        10⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5981~1.EXE > nul
        11⤵
        
        PID:2752
        
        C:\Windows\{8FB09455-90FA-4aae-83BC-C1EFBF04AC0A}.exe
        
        C:\Windows\{8FB09455-90FA-4aae-83BC-C1EFBF04AC0A}.exe
        11⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FB09~1.EXE > nul
        12⤵
        
        PID:2176
        
        C:\Windows\{62C87708-D183-427e-9D23-FAF74B8D30B1}.exe
        
        C:\Windows\{62C87708-D183-427e-9D23-FAF74B8D30B1}.exe
        12⤵
        
        PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{62C87708-D183-427e-9D23-FAF74B8D30B1}.exe

Filesize
39KB

MD5
c3d71761ee56ec03f9f53d7045435533

SHA1
31468afe963cbc4c5316a371d9f3a5150541368e

SHA256
d4a81fffa8179b6e962ce4648fe5b1986a1949b0c31e4e86307e41218891a417

SHA512
b1ab0a5bee29402fdd30837dea1daf4576e4116c13d82be7cdf26e03580ef356ffb6f4729f52b658914d3734d1af32ddb0a944927b673eb75455e62dac08190b

Download Submit
C:\Windows\{62C87708-D183-427e-9D23-FAF74B8D30B1}.exe

Filesize
84KB

MD5
02e4f28d2dbcc8bd3b9eca80ac2e42e3

SHA1
534055d1fc77c97ef36d07f19769ba63796e45f2

SHA256
a26e238d463b79e1e5021bc8ba88ec62243513acf07962fd995c57e4cf96a722

SHA512
127c24f82f80766481b5c9c5c8d1b1cf1ef333d9664a6c6154c5f0324079654dc42a425690e3512bcbe6474d3c711e303133dd3818868ac5c0ec9465bab7df66

Download Submit
C:\Windows\{8FB09455-90FA-4aae-83BC-C1EFBF04AC0A}.exe

Filesize
92KB

MD5
2b689139b374503b34427a9837e73129

SHA1
e7dd4eacd9974832b2840d74e1ea2341741988f2

SHA256
d234f122c573094d25290440af4e72ae79ae3e44d177f9bbe6c2ea796ad0dc8b

SHA512
18cbf61611183cb192c4de8ec99fe40b752d41961cf2a727b2bfc5bc9c86b152153e234cbec0adab2be3b70d73fc9a82df5e5ac3ef5a5ee099b90f751ae511b5

Download Submit
C:\Windows\{8FB09455-90FA-4aae-83BC-C1EFBF04AC0A}.exe

Filesize
91KB

MD5
d264ff082eb090d8e88a59b37c3cddb5

SHA1
67cd43e3b3c57269c9285278089dcbb999573d79

SHA256
6f1ca4084ef1aebd0d5ef6190936662512030726cf11b51587fbd0797b84f298

SHA512
04bb92875b15bfbfd3dca0cb635702c7bc08014ef639c9d08ca715fb4d31d6e7cbe6ec7708044b36d9ae9c0ff9b68a79344ba46be8670f26c8b582bb3dab5209

Download Submit
C:\Windows\{AB98678A-38BA-45d5-B101-055F3783FC14}.exe

Filesize
19KB

MD5
e9844ba1d834b426bb2e301d68699b90

SHA1
c69c49aa75f223cffe0222a7e88323e56fae1b35

SHA256
2c1b9b177f291b402904a5d46ee3afdebd091f183dcc4720312972c2e517dbac

SHA512
74a83e59386c251b7f0376c7f37e884b4b7b162eded2eb1ed44eb1ef621ee12a5756c7840c066a2458b0389cb81d93dfcf76c9b674a172a75c48263458e4b8ff

Download Submit
C:\Windows\{C4E9169A-DB69-4c52-BBA6-95DC454BE3B0}.exe

Filesize
57KB

MD5
9131c3e2190eac0915f4ee179a52c12d

SHA1
e5f9d1807a110bda2f000c3720850499fff7baff

SHA256
04da5693ed774784954287b66f538e9481518b2b2672c4eaf9c6b069ab17c43c

SHA512
16c71a1ecdca8c6b6bd4240a9c5cd2fb9b6b6a84d142321cef7f0aae1c23788c5eba1041fdea3188fc5f474a477e139fc91bbc6c4b6b8b9e492bb62711b6a4bd

Download Submit
C:\Windows\{C4E9169A-DB69-4c52-BBA6-95DC454BE3B0}.exe

Filesize
29KB

MD5
61c8c94eb2be6e9571016c7ff7808e65

SHA1
24c820e81aa9d6b37bed7f477b019fec44f60fd4

SHA256
3f91173b62c0ca9bad7ead00e666208b56a6682d614bfa2b95d192e85d9eb98a

SHA512
3212a9fd31ef95e485669f87777e1618c9d6d6a7878449c4a86e3374403a59b30fd0bcc3279516836d5cca292cf6d56fe2488e7e7d858fc4d578b98829cfb43a

Download Submit
C:\Windows\{C5981D8F-4632-44e4-A6F0-2A16DE15FF14}.exe

Filesize
58KB

MD5
dd81999dc5055f9ef998d1b7df48c446

SHA1
428805027d8bd8acd4565a2affda940fc18a2681

SHA256
ed69a2d4a721f7ba453f4b786e934800567873297b8b4ead19c415e44193b671

SHA512
5f5d9406181079fa9d0bd34bc17e49253d4c1317fe8a713f33d400b5e5c773cb1d5c9035f7505749d36f236039b1b464ee8d8c7ed21d8b89608a0235ac41e9d9

Download Submit
C:\Windows\{C5981D8F-4632-44e4-A6F0-2A16DE15FF14}.exe

Filesize
36KB

MD5
23e24f554bae593700e145de5c26d3dd

SHA1
d27455abf9746e1ce944c16c60a4bd74a38363dc

SHA256
c38ecd97630fe05a8295e369e23d1d77eec1c472c87cb39dd54c3a47a94df4e2

SHA512
ef55276d2fb6056e5e98b3a0b1e3dba2afc70703140bc21cbb3df3f8e2b83b147c3feb7466695bd01c4e69c0877772a4d3c77eb49325e80bffbf9595fbe93048

Download Submit
C:\Windows\{FFAA3A9A-4A3D-4804-A4B9-408E1B277C6D}.exe

Filesize
1KB

MD5
b228397504b8fc94b59ced1aa1106388

SHA1
ae8b4968e5f828aa7b8f4895a9ad359b0f7ba1ff

SHA256
10c558a88626acfc67baee1f538772c101dfa71d0600a9d08841878f906a835d

SHA512
007e971715f32664e618c6ee7500bc8befcfcf413d9b900eeeb14c2e8cebb65d2f96d271882541fcfc540f1e53f6414c4073b0858b9ff7ad9b64de61fee22ec2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads