b1381233bc4f3ff60461dfc17874f542c4c67f8f0caab795418326c85632e43c

Analysis

max time kernel
63s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe
Size

168KB
MD5

3c0f37fbe92f9447985b4205ec7b3682
SHA1

fac0322594d53a80069f567eeb804ed398ca16c2
SHA256

b1381233bc4f3ff60461dfc17874f542c4c67f8f0caab795418326c85632e43c
SHA512

c233a9515a462376ad4100f8a9ca95d1f376f9489c011674d780cb0940214a3a06c6bb8720b3dfa1825d898ec29f24f5fd7231efff5237f71f61144079f7abaa
SSDEEP

1536:1EGh0oglq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oglqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5225ADE5-446F-4051-9B57-700A2C63D88F}	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5225ADE5-446F-4051-9B57-700A2C63D88F}\stubpath = "C:\\Windows\\{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe"	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{543ED1FE-FFB8-46b0-A102-083C68600073}	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F5AFB0B-FE1B-423f-AD6A-FF4FDCF04EEE}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAF726A1-6A13-434a-B500-5F5EF831F178}	2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAF726A1-6A13-434a-B500-5F5EF831F178}\stubpath = "C:\\Windows\\{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe"	2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CDEAA26-C654-4a3f-A639-363603AECAC7}\stubpath = "C:\\Windows\\{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe"	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CDEAA26-C654-4a3f-A639-363603AECAC7}	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{543ED1FE-FFB8-46b0-A102-083C68600073}\stubpath = "C:\\Windows\\{543ED1FE-FFB8-46b0-A102-083C68600073}.exe"	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F5AFB0B-FE1B-423f-AD6A-FF4FDCF04EEE}\stubpath = "C:\\Windows\\{6F5AFB0B-FE1B-423f-AD6A-FF4FDCF04EEE}.exe"	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2512	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe
4472	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe
1972	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe
4956	cmd.exe
3352	{6F5AFB0B-FE1B-423f-AD6A-FF4FDCF04EEE}.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe	2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe
File created	C:\Windows\{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe
File created	C:\Windows\{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe
File created	C:\Windows\{543ED1FE-FFB8-46b0-A102-083C68600073}.exe	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe
File created	C:\Windows\{6F5AFB0B-FE1B-423f-AD6A-FF4FDCF04EEE}.exe	cmd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2908	2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2512	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe
Token: SeIncBasePriorityPrivilege	4472	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe
Token: SeIncBasePriorityPrivilege	1972	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe
Token: SeIncBasePriorityPrivilege	4956	cmd.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2512	2908	2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe	97
PID 2908 wrote to memory of 2512	2908	2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe	97
PID 2908 wrote to memory of 2512	2908	2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe	97
PID 2908 wrote to memory of 376	2908	2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe	96
PID 2908 wrote to memory of 376	2908	2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe	96
PID 2908 wrote to memory of 376	2908	2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe	96
PID 2512 wrote to memory of 4472	2512	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe	100
PID 2512 wrote to memory of 4472	2512	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe	100
PID 2512 wrote to memory of 4472	2512	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe	100
PID 2512 wrote to memory of 3932	2512	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe	99
PID 2512 wrote to memory of 3932	2512	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe	99
PID 2512 wrote to memory of 3932	2512	{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe	99
PID 4472 wrote to memory of 1972	4472	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe	103
PID 4472 wrote to memory of 1972	4472	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe	103
PID 4472 wrote to memory of 1972	4472	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe	103
PID 4472 wrote to memory of 1576	4472	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe	102
PID 4472 wrote to memory of 1576	4472	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe	102
PID 4472 wrote to memory of 1576	4472	{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe	102
PID 1972 wrote to memory of 4956	1972	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe	116
PID 1972 wrote to memory of 4956	1972	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe	116
PID 1972 wrote to memory of 4956	1972	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe	116
PID 1972 wrote to memory of 2024	1972	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe	105
PID 1972 wrote to memory of 2024	1972	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe	105
PID 1972 wrote to memory of 2024	1972	{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe	105
PID 4956 wrote to memory of 3352	4956	cmd.exe	108
PID 4956 wrote to memory of 3352	4956	cmd.exe	108
PID 4956 wrote to memory of 3352	4956	cmd.exe	108
PID 4956 wrote to memory of 3652	4956	cmd.exe	107
PID 4956 wrote to memory of 3652	4956	cmd.exe	107
PID 4956 wrote to memory of 3652	4956	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_3c0f37fbe92f9447985b4205ec7b3682_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:376
- C:\Windows\{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe
  C:\Windows\{BAF726A1-6A13-434a-B500-5F5EF831F178}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BAF72~1.EXE > nul
    3⤵
    PID:3932
- - C:\Windows\{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe
    C:\Windows\{8CDEAA26-C654-4a3f-A639-363603AECAC7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8CDEA~1.EXE > nul
      4⤵
      PID:1576
  - - C:\Windows\{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe
      C:\Windows\{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5225A~1.EXE > nul
        5⤵
        
        PID:2024
    - - C:\Windows\{543ED1FE-FFB8-46b0-A102-083C68600073}.exe
        
        C:\Windows\{543ED1FE-FFB8-46b0-A102-083C68600073}.exe
        5⤵
        
        PID:4956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{543ED~1.EXE > nul
        6⤵
        
        PID:3652
      - C:\Windows\{6F5AFB0B-FE1B-423f-AD6A-FF4FDCF04EEE}.exe
        
        C:\Windows\{6F5AFB0B-FE1B-423f-AD6A-FF4FDCF04EEE}.exe
        6⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\{32F99CB7-EB4D-4850-B1DC-693661541937}.exe
        
        C:\Windows\{32F99CB7-EB4D-4850-B1DC-693661541937}.exe
        7⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32F99~1.EXE > nul
        8⤵
        
        PID:1388
        
        C:\Windows\{05534F79-A746-40de-9B09-8135CC2B7952}.exe
        
        C:\Windows\{05534F79-A746-40de-9B09-8135CC2B7952}.exe
        8⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05534~1.EXE > nul
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{24E4C394-6EEE-4982-BE1B-687A6AD72AB0}.exe
        
        C:\Windows\{24E4C394-6EEE-4982-BE1B-687A6AD72AB0}.exe
        9⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24E4C~1.EXE > nul
        10⤵
        
        PID:232
        
        C:\Windows\{0E964B81-8E3C-4adc-A2CC-778D87A687C8}.exe
        
        C:\Windows\{0E964B81-8E3C-4adc-A2CC-778D87A687C8}.exe
        10⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E964~1.EXE > nul
        11⤵
        
        PID:2024
        
        C:\Windows\{8596232B-9DD3-41f0-B76A-B9581F07F5C3}.exe
        
        C:\Windows\{8596232B-9DD3-41f0-B76A-B9581F07F5C3}.exe
        11⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85962~1.EXE > nul
        12⤵
        
        PID:4268
        
        C:\Windows\{4D683B8C-8D09-4184-9663-41539E8B9961}.exe
        
        C:\Windows\{4D683B8C-8D09-4184-9663-41539E8B9961}.exe
        12⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F5AF~1.EXE > nul
        7⤵
        
        PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24E4C394-6EEE-4982-BE1B-687A6AD72AB0}.exe

Filesize
1KB

MD5
b228397504b8fc94b59ced1aa1106388

SHA1
ae8b4968e5f828aa7b8f4895a9ad359b0f7ba1ff

SHA256
10c558a88626acfc67baee1f538772c101dfa71d0600a9d08841878f906a835d

SHA512
007e971715f32664e618c6ee7500bc8befcfcf413d9b900eeeb14c2e8cebb65d2f96d271882541fcfc540f1e53f6414c4073b0858b9ff7ad9b64de61fee22ec2

Download Submit
C:\Windows\{5225ADE5-446F-4051-9B57-700A2C63D88F}.exe

Filesize
168KB

MD5
f807b586c847fc667f9e81095024cb4b

SHA1
f128e0db53c1669117de0f6b29a0117e9b1f85e7

SHA256
613632a0a7ed27049c6c7dce8726d7018307ad718e985c4f98db4235d9fdd135

SHA512
87b20783f84a71bcbf537d6da9c336c7c3a2ac09576a7506ba5b93cf4348f476ca03def444ee0d66aece05a2e15fe3165c2538b4e38aee65fb40532f54505e5c

Download Submit
C:\Windows\{543ED1FE-FFB8-46b0-A102-083C68600073}.exe

Filesize
168KB

MD5
7095b57b2f0addecab27ca68f34f3113

SHA1
84793993daace09601cd5bd6ebaf30ec7fe13abb

SHA256
0b54ec49d5b0ef74a4d683bb216e1e892a77c4332fd34bad6868f03d510cfb7d

SHA512
27848c7f21237389cc7c650c8a07aeea491355de6ba00540d4c077d5974517dada48c262de60359d1e08fc5be46f581ba02c269a3beaa236633a44f28831bdf4

Download Submit
C:\Windows\{6F5AFB0B-FE1B-423f-AD6A-FF4FDCF04EEE}.exe

Filesize
168KB

MD5
4483b1feb35fec0dc2102657b5727e7e

SHA1
53d60464d554a8947c9927c01d9d8c737076d9ae

SHA256
ef69cd232bded2b7d92a19dd7e277ac52cd441a94229fc2699650a80db842cfe

SHA512
1627a5d5cf3bfed5c498c5e5fad10ec33e789d0ec4de170084eb6fb5209a243d65c4943244294382ee569fbf0d76058f27dc2c72d6161004e78f266a80002c37

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads