616add09dc872cd13eae4b8076d3b3a2ee454305257f7dd3e63bd4fcc17c1e10

Analysis

max time kernel
63s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
Size

168KB
MD5

8cbfba33a059645974562d3856174664
SHA1

ad3c99a6468f1084e6f079e08141414a627fe862
SHA256

616add09dc872cd13eae4b8076d3b3a2ee454305257f7dd3e63bd4fcc17c1e10
SHA512

b8e05e6790f4a1dbfaf03b75df4f2bd9693de96d5ba2f5be1069e005c531bb8db86ff2f8db8da5a876d5bd14a4c70cafa31ed4cfa040150756eb123e8f1274cf
SSDEEP

1536:1EGh0oumlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B233D348-2578-4ab6-AF9F-A9FE9033230F}\stubpath = "C:\\Windows\\{B233D348-2578-4ab6-AF9F-A9FE9033230F}.exe"	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69BA9186-B587-4921-A621-8A83DD57154F}	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55EFB486-1D92-48cd-8125-2647FF677A01}	{69BA9186-B587-4921-A621-8A83DD57154F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50395704-1749-4c1b-9305-D9E68A7A25AC}	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50395704-1749-4c1b-9305-D9E68A7A25AC}\stubpath = "C:\\Windows\\{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe"	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}\stubpath = "C:\\Windows\\{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe"	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B233D348-2578-4ab6-AF9F-A9FE9033230F}	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69BA9186-B587-4921-A621-8A83DD57154F}\stubpath = "C:\\Windows\\{69BA9186-B587-4921-A621-8A83DD57154F}.exe"	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55EFB486-1D92-48cd-8125-2647FF677A01}\stubpath = "C:\\Windows\\{55EFB486-1D92-48cd-8125-2647FF677A01}.exe"	{69BA9186-B587-4921-A621-8A83DD57154F}.exe

Executes dropped EXE 5 IoCs

pid	Process
412	{69BA9186-B587-4921-A621-8A83DD57154F}.exe
5024	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe
3228	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe
1844	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe
3996	{B233D348-2578-4ab6-AF9F-A9FE9033230F}.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe
File created	C:\Windows\{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe
File created	C:\Windows\{B233D348-2578-4ab6-AF9F-A9FE9033230F}.exe	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe
File created	C:\Windows\{69BA9186-B587-4921-A621-8A83DD57154F}.exe	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
File created	C:\Windows\{55EFB486-1D92-48cd-8125-2647FF677A01}.exe	{69BA9186-B587-4921-A621-8A83DD57154F}.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4984	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
Token: SeIncBasePriorityPrivilege	412	{69BA9186-B587-4921-A621-8A83DD57154F}.exe
Token: SeIncBasePriorityPrivilege	5024	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe
Token: SeIncBasePriorityPrivilege	3228	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe
Token: SeIncBasePriorityPrivilege	1844	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 412	4984	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	99
PID 4984 wrote to memory of 412	4984	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	99
PID 4984 wrote to memory of 412	4984	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	99
PID 4984 wrote to memory of 1844	4984	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	98
PID 4984 wrote to memory of 1844	4984	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	98
PID 4984 wrote to memory of 1844	4984	2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe	98
PID 412 wrote to memory of 5024	412	{69BA9186-B587-4921-A621-8A83DD57154F}.exe	101
PID 412 wrote to memory of 5024	412	{69BA9186-B587-4921-A621-8A83DD57154F}.exe	101
PID 412 wrote to memory of 5024	412	{69BA9186-B587-4921-A621-8A83DD57154F}.exe	101
PID 412 wrote to memory of 4136	412	{69BA9186-B587-4921-A621-8A83DD57154F}.exe	100
PID 412 wrote to memory of 4136	412	{69BA9186-B587-4921-A621-8A83DD57154F}.exe	100
PID 412 wrote to memory of 4136	412	{69BA9186-B587-4921-A621-8A83DD57154F}.exe	100
PID 5024 wrote to memory of 3228	5024	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe	105
PID 5024 wrote to memory of 3228	5024	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe	105
PID 5024 wrote to memory of 3228	5024	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe	105
PID 5024 wrote to memory of 2692	5024	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe	104
PID 5024 wrote to memory of 2692	5024	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe	104
PID 5024 wrote to memory of 2692	5024	{55EFB486-1D92-48cd-8125-2647FF677A01}.exe	104
PID 3228 wrote to memory of 1844	3228	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe	108
PID 3228 wrote to memory of 1844	3228	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe	108
PID 3228 wrote to memory of 1844	3228	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe	108
PID 3228 wrote to memory of 2896	3228	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe	109
PID 3228 wrote to memory of 2896	3228	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe	109
PID 3228 wrote to memory of 2896	3228	{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe	109
PID 1844 wrote to memory of 3996	1844	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe	115
PID 1844 wrote to memory of 3996	1844	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe	115
PID 1844 wrote to memory of 3996	1844	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe	115
PID 1844 wrote to memory of 3524	1844	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe	114
PID 1844 wrote to memory of 3524	1844	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe	114
PID 1844 wrote to memory of 3524	1844	{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_8cbfba33a059645974562d3856174664_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1844
- C:\Windows\{69BA9186-B587-4921-A621-8A83DD57154F}.exe
  C:\Windows\{69BA9186-B587-4921-A621-8A83DD57154F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{69BA9~1.EXE > nul
    3⤵
    PID:4136
- - C:\Windows\{55EFB486-1D92-48cd-8125-2647FF677A01}.exe
    C:\Windows\{55EFB486-1D92-48cd-8125-2647FF677A01}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{55EFB~1.EXE > nul
      4⤵
      PID:2692
  - - C:\Windows\{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe
      C:\Windows\{50395704-1749-4c1b-9305-D9E68A7A25AC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Windows\{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe
        
        C:\Windows\{FFCD6EC5-E0FB-47b2-9355-D5EB890120FB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFCD6~1.EXE > nul
        6⤵
        
        PID:3524
      - C:\Windows\{B233D348-2578-4ab6-AF9F-A9FE9033230F}.exe
        
        C:\Windows\{B233D348-2578-4ab6-AF9F-A9FE9033230F}.exe
        6⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B233D~1.EXE > nul
        7⤵
        
        PID:452
        
        C:\Windows\{B04B8D1A-680F-42ac-9E2D-A5B474DFDA6E}.exe
        
        C:\Windows\{B04B8D1A-680F-42ac-9E2D-A5B474DFDA6E}.exe
        7⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B04B8~1.EXE > nul
        8⤵
        
        PID:4612
        
        C:\Windows\{ED0B5D70-01B3-4ed4-B17F-36A5A5EA6E85}.exe
        
        C:\Windows\{ED0B5D70-01B3-4ed4-B17F-36A5A5EA6E85}.exe
        8⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED0B5~1.EXE > nul
        9⤵
        
        PID:924
        
        C:\Windows\{618BAA59-22EA-4fb1-ABB9-E225F8949F48}.exe
        
        C:\Windows\{618BAA59-22EA-4fb1-ABB9-E225F8949F48}.exe
        9⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{618BA~1.EXE > nul
        10⤵
        
        PID:3972
        
        C:\Windows\{1C0C7587-BD31-410d-B9C2-F14D7873C4EE}.exe
        
        C:\Windows\{1C0C7587-BD31-410d-B9C2-F14D7873C4EE}.exe
        10⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C0C7~1.EXE > nul
        11⤵
        
        PID:864
        
        C:\Windows\{14E43057-C5A6-4263-9CC5-4880E5A2ACC2}.exe
        
        C:\Windows\{14E43057-C5A6-4263-9CC5-4880E5A2ACC2}.exe
        11⤵
        
        PID:1120
        
        C:\Windows\{C6A098E7-8AB8-4611-9BF9-8ECDAC55059E}.exe
        
        C:\Windows\{C6A098E7-8AB8-4611-9BF9-8ECDAC55059E}.exe
        12⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14E43~1.EXE > nul
        12⤵
        
        PID:212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50395~1.EXE > nul
        5⤵
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads