2fbbef8d00ef090bf87a77a5c8337fc7610626bedceda328c4d2b75da25bc22e

Analysis

max time kernel
63s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
Size

180KB
MD5

60eac2616ad8192e3f7451b4b6168802
SHA1

e9e57001f7379efc976a4cfde9afa593cbf2ed2d
SHA256

2fbbef8d00ef090bf87a77a5c8337fc7610626bedceda328c4d2b75da25bc22e
SHA512

4fadccc60ec2f2c1c9ea5f2373adb3ba92e4a47ed3b44082b136ddbe65da43770ff2482ee9591e3ab465dbbd4781f2856da5d59f4535d3da44648045b6f438f8
SSDEEP

3072:jEGh0o8lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGal5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}\stubpath = "C:\\Windows\\{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe"	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EAF366F-5B6D-41d8-A4CB-A6E7F9EB300C}	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{115C1656-A7FA-44d8-B75A-415F7973EE4A}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{115C1656-A7FA-44d8-B75A-415F7973EE4A}\stubpath = "C:\\Windows\\{115C1656-A7FA-44d8-B75A-415F7973EE4A}.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8055813B-5FCB-4890-A539-E59834BEB629}	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8055813B-5FCB-4890-A539-E59834BEB629}\stubpath = "C:\\Windows\\{8055813B-5FCB-4890-A539-E59834BEB629}.exe"	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E071747-8988-45cb-8CF7-C88DE3DD20AB}	{8055813B-5FCB-4890-A539-E59834BEB629}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E071747-8988-45cb-8CF7-C88DE3DD20AB}\stubpath = "C:\\Windows\\{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe"	{8055813B-5FCB-4890-A539-E59834BEB629}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EAF366F-5B6D-41d8-A4CB-A6E7F9EB300C}\stubpath = "C:\\Windows\\{9EAF366F-5B6D-41d8-A4CB-A6E7F9EB300C}.exe"	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe

Executes dropped EXE 5 IoCs

pid	Process
3180	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe
3600	{8055813B-5FCB-4890-A539-E59834BEB629}.exe
4528	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe
4892	{9EAF366F-5B6D-41d8-A4CB-A6E7F9EB300C}.exe
3168	{115C1656-A7FA-44d8-B75A-415F7973EE4A}.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe	{8055813B-5FCB-4890-A539-E59834BEB629}.exe
File created	C:\Windows\{9EAF366F-5B6D-41d8-A4CB-A6E7F9EB300C}.exe	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe
File created	C:\Windows\{115C1656-A7FA-44d8-B75A-415F7973EE4A}.exe	cmd.exe
File created	C:\Windows\{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
File created	C:\Windows\{8055813B-5FCB-4890-A539-E59834BEB629}.exe	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4496	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3180	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe
Token: SeIncBasePriorityPrivilege	3600	{8055813B-5FCB-4890-A539-E59834BEB629}.exe
Token: SeIncBasePriorityPrivilege	4528	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe
Token: SeIncBasePriorityPrivilege	4892	cmd.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 3180	4496	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	99
PID 4496 wrote to memory of 3180	4496	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	99
PID 4496 wrote to memory of 3180	4496	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	99
PID 4496 wrote to memory of 4072	4496	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	98
PID 4496 wrote to memory of 4072	4496	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	98
PID 4496 wrote to memory of 4072	4496	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	98
PID 3180 wrote to memory of 3600	3180	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe	103
PID 3180 wrote to memory of 3600	3180	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe	103
PID 3180 wrote to memory of 3600	3180	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe	103
PID 3180 wrote to memory of 3648	3180	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe	102
PID 3180 wrote to memory of 3648	3180	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe	102
PID 3180 wrote to memory of 3648	3180	{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe	102
PID 3600 wrote to memory of 4528	3600	{8055813B-5FCB-4890-A539-E59834BEB629}.exe	107
PID 3600 wrote to memory of 4528	3600	{8055813B-5FCB-4890-A539-E59834BEB629}.exe	107
PID 3600 wrote to memory of 4528	3600	{8055813B-5FCB-4890-A539-E59834BEB629}.exe	107
PID 3600 wrote to memory of 4832	3600	{8055813B-5FCB-4890-A539-E59834BEB629}.exe	106
PID 3600 wrote to memory of 4832	3600	{8055813B-5FCB-4890-A539-E59834BEB629}.exe	106
PID 3600 wrote to memory of 4832	3600	{8055813B-5FCB-4890-A539-E59834BEB629}.exe	106
PID 4528 wrote to memory of 4892	4528	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe	110
PID 4528 wrote to memory of 4892	4528	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe	110
PID 4528 wrote to memory of 4892	4528	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe	110
PID 4528 wrote to memory of 3788	4528	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe	109
PID 4528 wrote to memory of 3788	4528	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe	109
PID 4528 wrote to memory of 3788	4528	{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe	109
PID 4892 wrote to memory of 3168	4892	cmd.exe	112
PID 4892 wrote to memory of 3168	4892	cmd.exe	112
PID 4892 wrote to memory of 3168	4892	cmd.exe	112
PID 4892 wrote to memory of 2592	4892	cmd.exe	111
PID 4892 wrote to memory of 2592	4892	cmd.exe	111
PID 4892 wrote to memory of 2592	4892	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4072
- C:\Windows\{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe
  C:\Windows\{B5E7D6F3-914C-4a05-B182-41E0BEABFB01}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B5E7D~1.EXE > nul
    3⤵
    PID:3648
- - C:\Windows\{8055813B-5FCB-4890-A539-E59834BEB629}.exe
    C:\Windows\{8055813B-5FCB-4890-A539-E59834BEB629}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80558~1.EXE > nul
      4⤵
      PID:4832
  - - C:\Windows\{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe
      C:\Windows\{4E071747-8988-45cb-8CF7-C88DE3DD20AB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E071~1.EXE > nul
        5⤵
        
        PID:3788
    - - C:\Windows\{9EAF366F-5B6D-41d8-A4CB-A6E7F9EB300C}.exe
        
        C:\Windows\{9EAF366F-5B6D-41d8-A4CB-A6E7F9EB300C}.exe
        5⤵
        Executes dropped EXE
        
        PID:4892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EAF3~1.EXE > nul
        6⤵
        
        PID:2592
      - C:\Windows\{115C1656-A7FA-44d8-B75A-415F7973EE4A}.exe
        
        C:\Windows\{115C1656-A7FA-44d8-B75A-415F7973EE4A}.exe
        6⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\{BF2B5F02-F9B4-4bea-86FE-6EA202E52177}.exe
        
        C:\Windows\{BF2B5F02-F9B4-4bea-86FE-6EA202E52177}.exe
        7⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF2B5~1.EXE > nul
        8⤵
        
        PID:3352
        
        C:\Windows\{C0F69880-FCB6-45c9-8902-57A0C814CFC1}.exe
        
        C:\Windows\{C0F69880-FCB6-45c9-8902-57A0C814CFC1}.exe
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0F69~1.EXE > nul
        9⤵
        
        PID:2044
        
        C:\Windows\{2690455E-AE8D-4a6a-8D5F-BE8014852947}.exe
        
        C:\Windows\{2690455E-AE8D-4a6a-8D5F-BE8014852947}.exe
        9⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26904~1.EXE > nul
        10⤵
        
        PID:4384
        
        C:\Windows\{F85FBA32-13F1-4833-BF72-4C3C9128C5AB}.exe
        
        C:\Windows\{F85FBA32-13F1-4833-BF72-4C3C9128C5AB}.exe
        10⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F85FB~1.EXE > nul
        11⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\{00100D69-86CF-4827-BB53-B622B3BBA64B}.exe
        
        C:\Windows\{00100D69-86CF-4827-BB53-B622B3BBA64B}.exe
        11⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00100~1.EXE > nul
        12⤵
        
        PID:1420
        
        C:\Windows\{3AA81BF0-59C6-43b8-AA51-6B2E229C9131}.exe
        
        C:\Windows\{3AA81BF0-59C6-43b8-AA51-6B2E229C9131}.exe
        12⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{115C1~1.EXE > nul
        7⤵
        
        PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{115C1656-A7FA-44d8-B75A-415F7973EE4A}.exe

Filesize
180KB

MD5
b844baa9df17e15c5c575d2af3db5f33

SHA1
798f2a6307026e1d309bdba6a98d555080a8a30e

SHA256
eced08696cf7b932f5f2a1b7eb5ba6cf616c7a302cd817b4ecc3a86e17323c5e

SHA512
89bbe54796e52ff1d5d1a9a9bf3b8ca31e8a639b629d67bd83abcaffed115cff388d16feb8ed9ce7232049a8c63d868acc6a608288e00555b3fce3c515421570

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads