616add09dc872cd13eae4b8076d3b3a2ee454305257f7dd3e63bd4fcc17c1e10

Analysis

max time kernel
88s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
Size

168KB
MD5

8cbfba33a059645974562d3856174664
SHA1

ad3c99a6468f1084e6f079e08141414a627fe862
SHA256

616add09dc872cd13eae4b8076d3b3a2ee454305257f7dd3e63bd4fcc17c1e10
SHA512

b8e05e6790f4a1dbfaf03b75df4f2bd9693de96d5ba2f5be1069e005c531bb8db86ff2f8db8da5a876d5bd14a4c70cafa31ed4cfa040150756eb123e8f1274cf
SSDEEP

1536:1EGh0oumlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F503F5-A763-434c-8E79-BD518D89DFFA}	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0876742E-F071-42e6-B45B-775FE8683DBD}	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93171CC7-4779-4996-AE32-AB3CEC0799D6}\stubpath = "C:\\Windows\\{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe"	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862F8828-46E8-4275-AF39-A6307DE15A12}	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79F503F5-A763-434c-8E79-BD518D89DFFA}\stubpath = "C:\\Windows\\{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe"	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41D91A32-C701-4a11-B26C-D825C2529A28}\stubpath = "C:\\Windows\\{41D91A32-C701-4a11-B26C-D825C2529A28}.exe"	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C938699-A99B-449a-B3D7-C3FEB5BFBA90}\stubpath = "C:\\Windows\\{3C938699-A99B-449a-B3D7-C3FEB5BFBA90}.exe"	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0876742E-F071-42e6-B45B-775FE8683DBD}\stubpath = "C:\\Windows\\{0876742E-F071-42e6-B45B-775FE8683DBD}.exe"	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93171CC7-4779-4996-AE32-AB3CEC0799D6}	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862F8828-46E8-4275-AF39-A6307DE15A12}\stubpath = "C:\\Windows\\{862F8828-46E8-4275-AF39-A6307DE15A12}.exe"	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}\stubpath = "C:\\Windows\\{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe"	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C938699-A99B-449a-B3D7-C3FEB5BFBA90}	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41D91A32-C701-4a11-B26C-D825C2529A28}	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe

Deletes itself 1 IoCs

pid	Process
1992	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
3056	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe
2676	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe
2808	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe
2968	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe
2836	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe
1592	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe
1312	{3C938699-A99B-449a-B3D7-C3FEB5BFBA90}.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
File created	C:\Windows\{0876742E-F071-42e6-B45B-775FE8683DBD}.exe	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe
File created	C:\Windows\{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe
File created	C:\Windows\{41D91A32-C701-4a11-B26C-D825C2529A28}.exe	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe
File created	C:\Windows\{862F8828-46E8-4275-AF39-A6307DE15A12}.exe	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe
File created	C:\Windows\{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe
File created	C:\Windows\{3C938699-A99B-449a-B3D7-C3FEB5BFBA90}.exe	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2928	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3056	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe
Token: SeIncBasePriorityPrivilege	2676	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe
Token: SeIncBasePriorityPrivilege	2808	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe
Token: SeIncBasePriorityPrivilege	2968	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe
Token: SeIncBasePriorityPrivilege	2836	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe
Token: SeIncBasePriorityPrivilege	1592	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 3056	2928	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	29
PID 2928 wrote to memory of 3056	2928	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	29
PID 2928 wrote to memory of 3056	2928	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	29
PID 2928 wrote to memory of 3056	2928	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	29
PID 2928 wrote to memory of 1992	2928	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	28
PID 2928 wrote to memory of 1992	2928	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	28
PID 2928 wrote to memory of 1992	2928	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	28
PID 2928 wrote to memory of 1992	2928	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	28
PID 3056 wrote to memory of 2676	3056	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe	31
PID 3056 wrote to memory of 2676	3056	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe	31
PID 3056 wrote to memory of 2676	3056	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe	31
PID 3056 wrote to memory of 2676	3056	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe	31
PID 3056 wrote to memory of 2660	3056	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe	30
PID 3056 wrote to memory of 2660	3056	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe	30
PID 3056 wrote to memory of 2660	3056	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe	30
PID 3056 wrote to memory of 2660	3056	{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe	30
PID 2676 wrote to memory of 2808	2676	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe	33
PID 2676 wrote to memory of 2808	2676	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe	33
PID 2676 wrote to memory of 2808	2676	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe	33
PID 2676 wrote to memory of 2808	2676	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe	33
PID 2676 wrote to memory of 2304	2676	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe	32
PID 2676 wrote to memory of 2304	2676	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe	32
PID 2676 wrote to memory of 2304	2676	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe	32
PID 2676 wrote to memory of 2304	2676	{0876742E-F071-42e6-B45B-775FE8683DBD}.exe	32
PID 2808 wrote to memory of 2968	2808	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe	37
PID 2808 wrote to memory of 2968	2808	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe	37
PID 2808 wrote to memory of 2968	2808	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe	37
PID 2808 wrote to memory of 2968	2808	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe	37
PID 2808 wrote to memory of 2180	2808	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe	36
PID 2808 wrote to memory of 2180	2808	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe	36
PID 2808 wrote to memory of 2180	2808	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe	36
PID 2808 wrote to memory of 2180	2808	{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe	36
PID 2968 wrote to memory of 2836	2968	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe	39
PID 2968 wrote to memory of 2836	2968	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe	39
PID 2968 wrote to memory of 2836	2968	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe	39
PID 2968 wrote to memory of 2836	2968	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe	39
PID 2968 wrote to memory of 2724	2968	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe	38
PID 2968 wrote to memory of 2724	2968	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe	38
PID 2968 wrote to memory of 2724	2968	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe	38
PID 2968 wrote to memory of 2724	2968	{41D91A32-C701-4a11-B26C-D825C2529A28}.exe	38
PID 2836 wrote to memory of 1592	2836	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe	41
PID 2836 wrote to memory of 1592	2836	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe	41
PID 2836 wrote to memory of 1592	2836	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe	41
PID 2836 wrote to memory of 1592	2836	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe	41
PID 2836 wrote to memory of 812	2836	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe	40
PID 2836 wrote to memory of 812	2836	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe	40
PID 2836 wrote to memory of 812	2836	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe	40
PID 2836 wrote to memory of 812	2836	{862F8828-46E8-4275-AF39-A6307DE15A12}.exe	40
PID 1592 wrote to memory of 1312	1592	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe	43
PID 1592 wrote to memory of 1312	1592	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe	43
PID 1592 wrote to memory of 1312	1592	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe	43
PID 1592 wrote to memory of 1312	1592	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe	43
PID 1592 wrote to memory of 2736	1592	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe	42
PID 1592 wrote to memory of 2736	1592	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe	42
PID 1592 wrote to memory of 2736	1592	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe	42
PID 1592 wrote to memory of 2736	1592	{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe	42

C:\Users\Admin\AppData\Local\Temp\2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1992
- C:\Windows\{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe
  C:\Windows\{79F503F5-A763-434c-8E79-BD518D89DFFA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{79F50~1.EXE > nul
    3⤵
    PID:2660
- - C:\Windows\{0876742E-F071-42e6-B45B-775FE8683DBD}.exe
    C:\Windows\{0876742E-F071-42e6-B45B-775FE8683DBD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08767~1.EXE > nul
      4⤵
      PID:2304
  - - C:\Windows\{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe
      C:\Windows\{93171CC7-4779-4996-AE32-AB3CEC0799D6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93171~1.EXE > nul
        5⤵
        
        PID:2180
    - - C:\Windows\{41D91A32-C701-4a11-B26C-D825C2529A28}.exe
        
        C:\Windows\{41D91A32-C701-4a11-B26C-D825C2529A28}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41D91~1.EXE > nul
        6⤵
        
        PID:2724
      - C:\Windows\{862F8828-46E8-4275-AF39-A6307DE15A12}.exe
        
        C:\Windows\{862F8828-46E8-4275-AF39-A6307DE15A12}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{862F8~1.EXE > nul
        7⤵
        
        PID:812
        
        C:\Windows\{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe
        
        C:\Windows\{9F8B2740-37B1-47ba-A977-5AD57C55B0E3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F8B2~1.EXE > nul
        8⤵
        
        PID:2736
        
        C:\Windows\{3C938699-A99B-449a-B3D7-C3FEB5BFBA90}.exe
        
        C:\Windows\{3C938699-A99B-449a-B3D7-C3FEB5BFBA90}.exe
        8⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C938~1.EXE > nul
        9⤵
        
        PID:1264
        
        C:\Windows\{05736025-CD8C-4570-AA52-23C21DE08FFC}.exe
        
        C:\Windows\{05736025-CD8C-4570-AA52-23C21DE08FFC}.exe
        9⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05736~1.EXE > nul
        10⤵
        
        PID:2892
        
        C:\Windows\{132E77CF-230A-4d6d-85D3-D77BEF381F85}.exe
        
        C:\Windows\{132E77CF-230A-4d6d-85D3-D77BEF381F85}.exe
        10⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{132E7~1.EXE > nul
        11⤵
        
        PID:804
        
        C:\Windows\{DDF8A34F-E355-46cf-ABEA-598ECAC48D9F}.exe
        
        C:\Windows\{DDF8A34F-E355-46cf-ABEA-598ECAC48D9F}.exe
        11⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDF8A~1.EXE > nul
        12⤵
        
        PID:1872
        
        C:\Windows\{68AAADCD-3188-4f63-9B0F-9BE40B5B104D}.exe
        
        C:\Windows\{68AAADCD-3188-4f63-9B0F-9BE40B5B104D}.exe
        12⤵
        
        PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05736025-CD8C-4570-AA52-23C21DE08FFC}.exe

Filesize
136KB

MD5
83c40bee0b6c261d36e9736120b72e9f

SHA1
54b0e79187d6d61ccb9b717ed7a2c5c93c613c78

SHA256
e6ce08093708e59e142aadc286b87730449e7364fc55d924948e25065939b127

SHA512
316c98ebb816d31efe77b32636f263f1a4efe67a0967eecd41df9c6900148544dcdce2d962ecc052a439ad27b0cc3c80d40e9fb3ed842e6f96453dd8ed678530

Download Submit
C:\Windows\{132E77CF-230A-4d6d-85D3-D77BEF381F85}.exe

Filesize
92KB

MD5
e9f42c48b86bee46e85c7a821b3f6e55

SHA1
d11475703ba45a7eb7576feef40480f509c3f06c

SHA256
05d62f31e17a5001c88114f1bf56429a1ba33a07296bc579aa147f3563a3a9d1

SHA512
805dd339c511dfa45564869463ed380f4c7021dc830e323a92f7f7d32f9b179277e9749df119323ae346993097c192725e79c117640b1fbb44c89fdef1750e34

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads