166762d8676a7268854f0ab9b5b832e6268a613e360837c33fa5bad552eff56e

Analysis

max time kernel
73s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe
Size

408KB
MD5

5cf7406861241710aed40c3f2f898174
SHA1

d4da06a93e9e9f6fdbe3f279451b1d78ca6dbbcf
SHA256

166762d8676a7268854f0ab9b5b832e6268a613e360837c33fa5bad552eff56e
SHA512

24696a26179c78730d04d7d54bca858c0506af125a757ae4afb5af7196949167492f5b76e2e460486ff2552665cf17c11db63d58c7d698315b585251de00f0a7
SSDEEP

3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGdldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30F5A599-2241-4222-8612-907CA5465D06}	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D78A64FA-541F-4a41-A4BE-3633C040C7C9}	{30F5A599-2241-4222-8612-907CA5465D06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{141BE84A-7388-47e0-A109-6CDD342E5B48}\stubpath = "C:\\Windows\\{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe"	{371BABDD-D2F3-48da-81E2-46F555372932}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D78D4A-AFE3-442d-BFF8-6CF094847861}\stubpath = "C:\\Windows\\{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe"	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{141BE84A-7388-47e0-A109-6CDD342E5B48}	{371BABDD-D2F3-48da-81E2-46F555372932}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D78D4A-AFE3-442d-BFF8-6CF094847861}	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30F5A599-2241-4222-8612-907CA5465D06}\stubpath = "C:\\Windows\\{30F5A599-2241-4222-8612-907CA5465D06}.exe"	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D78A64FA-541F-4a41-A4BE-3633C040C7C9}\stubpath = "C:\\Windows\\{D78A64FA-541F-4a41-A4BE-3633C040C7C9}.exe"	{30F5A599-2241-4222-8612-907CA5465D06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{371BABDD-D2F3-48da-81E2-46F555372932}	2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{371BABDD-D2F3-48da-81E2-46F555372932}\stubpath = "C:\\Windows\\{371BABDD-D2F3-48da-81E2-46F555372932}.exe"	2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe

Executes dropped EXE 5 IoCs

pid	Process
4996	{371BABDD-D2F3-48da-81E2-46F555372932}.exe
4564	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe
4100	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe
4884	{30F5A599-2241-4222-8612-907CA5465D06}.exe
2216	{D78A64FA-541F-4a41-A4BE-3633C040C7C9}.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\{D78A64FA-541F-4a41-A4BE-3633C040C7C9}.exe	{30F5A599-2241-4222-8612-907CA5465D06}.exe
File created	C:\Windows\{371BABDD-D2F3-48da-81E2-46F555372932}.exe	2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe
File created	C:\Windows\{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe	{371BABDD-D2F3-48da-81E2-46F555372932}.exe
File created	C:\Windows\{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe
File created	C:\Windows\{30F5A599-2241-4222-8612-907CA5465D06}.exe	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2884	2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4996	{371BABDD-D2F3-48da-81E2-46F555372932}.exe
Token: SeIncBasePriorityPrivilege	4564	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe
Token: SeIncBasePriorityPrivilege	4100	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe
Token: SeIncBasePriorityPrivilege	4884	{30F5A599-2241-4222-8612-907CA5465D06}.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 4996	2884	2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe	97
PID 2884 wrote to memory of 4996	2884	2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe	97
PID 2884 wrote to memory of 4996	2884	2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe	97
PID 2884 wrote to memory of 4392	2884	2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe	96
PID 2884 wrote to memory of 4392	2884	2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe	96
PID 2884 wrote to memory of 4392	2884	2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe	96
PID 4996 wrote to memory of 4564	4996	{371BABDD-D2F3-48da-81E2-46F555372932}.exe	102
PID 4996 wrote to memory of 4564	4996	{371BABDD-D2F3-48da-81E2-46F555372932}.exe	102
PID 4996 wrote to memory of 4564	4996	{371BABDD-D2F3-48da-81E2-46F555372932}.exe	102
PID 4996 wrote to memory of 1416	4996	{371BABDD-D2F3-48da-81E2-46F555372932}.exe	101
PID 4996 wrote to memory of 1416	4996	{371BABDD-D2F3-48da-81E2-46F555372932}.exe	101
PID 4996 wrote to memory of 1416	4996	{371BABDD-D2F3-48da-81E2-46F555372932}.exe	101
PID 4564 wrote to memory of 4100	4564	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe	105
PID 4564 wrote to memory of 4100	4564	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe	105
PID 4564 wrote to memory of 4100	4564	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe	105
PID 4564 wrote to memory of 2376	4564	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe	104
PID 4564 wrote to memory of 2376	4564	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe	104
PID 4564 wrote to memory of 2376	4564	{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe	104
PID 4100 wrote to memory of 4884	4100	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe	108
PID 4100 wrote to memory of 4884	4100	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe	108
PID 4100 wrote to memory of 4884	4100	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe	108
PID 4100 wrote to memory of 860	4100	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe	107
PID 4100 wrote to memory of 860	4100	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe	107
PID 4100 wrote to memory of 860	4100	{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe	107
PID 4884 wrote to memory of 2216	4884	{30F5A599-2241-4222-8612-907CA5465D06}.exe	110
PID 4884 wrote to memory of 2216	4884	{30F5A599-2241-4222-8612-907CA5465D06}.exe	110
PID 4884 wrote to memory of 2216	4884	{30F5A599-2241-4222-8612-907CA5465D06}.exe	110
PID 4884 wrote to memory of 692	4884	{30F5A599-2241-4222-8612-907CA5465D06}.exe	109
PID 4884 wrote to memory of 692	4884	{30F5A599-2241-4222-8612-907CA5465D06}.exe	109
PID 4884 wrote to memory of 692	4884	{30F5A599-2241-4222-8612-907CA5465D06}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_5cf7406861241710aed40c3f2f898174_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4392
- C:\Windows\{371BABDD-D2F3-48da-81E2-46F555372932}.exe
  C:\Windows\{371BABDD-D2F3-48da-81E2-46F555372932}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{371BA~1.EXE > nul
    3⤵
    PID:1416
- - C:\Windows\{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe
    C:\Windows\{141BE84A-7388-47e0-A109-6CDD342E5B48}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{141BE~1.EXE > nul
      4⤵
      PID:2376
  - - C:\Windows\{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe
      C:\Windows\{37D78D4A-AFE3-442d-BFF8-6CF094847861}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37D78~1.EXE > nul
        5⤵
        
        PID:860
    - - C:\Windows\{30F5A599-2241-4222-8612-907CA5465D06}.exe
        
        C:\Windows\{30F5A599-2241-4222-8612-907CA5465D06}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30F5A~1.EXE > nul
        6⤵
        
        PID:692
      - C:\Windows\{D78A64FA-541F-4a41-A4BE-3633C040C7C9}.exe
        
        C:\Windows\{D78A64FA-541F-4a41-A4BE-3633C040C7C9}.exe
        6⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D78A6~1.EXE > nul
        7⤵
        
        PID:1376
        
        C:\Windows\{6AE3555F-B9CA-4ab1-A37C-398C94D42210}.exe
        
        C:\Windows\{6AE3555F-B9CA-4ab1-A37C-398C94D42210}.exe
        7⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AE35~1.EXE > nul
        8⤵
        
        PID:4580
        
        C:\Windows\{3DCEB06E-E84C-4fb1-8E8E-84092CA8BC26}.exe
        
        C:\Windows\{3DCEB06E-E84C-4fb1-8E8E-84092CA8BC26}.exe
        8⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DCEB~1.EXE > nul
        9⤵
        
        PID:3708
        
        C:\Windows\{6F002300-EDC9-43e9-AC31-636855EAB8B7}.exe
        
        C:\Windows\{6F002300-EDC9-43e9-AC31-636855EAB8B7}.exe
        9⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F002~1.EXE > nul
        10⤵
        
        PID:1228
        
        C:\Windows\{BCC3D1DF-8C81-4822-A953-3AEFCD703CB8}.exe
        
        C:\Windows\{BCC3D1DF-8C81-4822-A953-3AEFCD703CB8}.exe
        10⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC3D~1.EXE > nul
        11⤵
        
        PID:1088
        
        C:\Windows\{D0067C2C-2F78-45f5-8B57-A4D4BE5C0836}.exe
        
        C:\Windows\{D0067C2C-2F78-45f5-8B57-A4D4BE5C0836}.exe
        11⤵
        
        PID:4372
        
        C:\Windows\{EF6C7AB4-C5AE-44fa-8609-A74385E33F64}.exe
        
        C:\Windows\{EF6C7AB4-C5AE-44fa-8609-A74385E33F64}.exe
        12⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0067~1.EXE > nul
        12⤵
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{D78A64FA-541F-4a41-A4BE-3633C040C7C9}.exe

Filesize
408KB

MD5
fc11a0605dd0b4fe39869df53279d617

SHA1
ae91bce682889ba5bc20951961424166a1e8e03e

SHA256
716bebf6f13ffbb654049447c73dc6e63b8f665108b6946bf03789566fa7a71c

SHA512
511b11e1d55be3caf1692b97099b7d251ccba58f2cb9ac466f4cdb695ef5c9b82eb6a7c648b621d7230895bddb6dea052ff8b0cb2cc7a88b47cb0c6c524ad234

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads