0e29bc16fb0e7ba81896f0f533d7b6d99965bf0c842adb938d40b5b136767a8c

Analysis

max time kernel
63s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 06:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe
Size

180KB
MD5

12e4fd1fc91085d27ed642eb6f96f12e
SHA1

f1f38221d60a6baf4e0abc8e177bd6dd834532ae
SHA256

0e29bc16fb0e7ba81896f0f533d7b6d99965bf0c842adb938d40b5b136767a8c
SHA512

f286823390b529f26c1a526cd35cdd1e1cb5d037560445d78516962bf7aeaf2e8a3689bea56d65d06fb4e435b18d2ec5d2f117aaa591ba59c78a7c306b0ad553
SSDEEP

3072:jEGh0o8lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGql5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB484F5B-2AE1-4fe9-994E-64C038C4C799}\stubpath = "C:\\Windows\\{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe"	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3782BDB7-D041-42ab-BDB0-3C499E888794}	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A07B136-5C30-4965-B02E-3FFFC6B641A8}	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0BED682-B0A5-485b-BDDF-7082054EC45D}\stubpath = "C:\\Windows\\{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe"	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB484F5B-2AE1-4fe9-994E-64C038C4C799}	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0BED682-B0A5-485b-BDDF-7082054EC45D}	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3782BDB7-D041-42ab-BDB0-3C499E888794}\stubpath = "C:\\Windows\\{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe"	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A07B136-5C30-4965-B02E-3FFFC6B641A8}\stubpath = "C:\\Windows\\{0A07B136-5C30-4965-B02E-3FFFC6B641A8}.exe"	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF5478E9-4DFB-4179-9EB5-22CF4425424B}	2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF5478E9-4DFB-4179-9EB5-22CF4425424B}\stubpath = "C:\\Windows\\{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe"	2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe

Executes dropped EXE 5 IoCs

pid	Process
1056	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe
4440	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe
4480	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe
2944	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe
3968	{0A07B136-5C30-4965-B02E-3FFFC6B641A8}.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe
File created	C:\Windows\{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe
File created	C:\Windows\{0A07B136-5C30-4965-B02E-3FFFC6B641A8}.exe	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe
File created	C:\Windows\{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe	2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe
File created	C:\Windows\{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3508	2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1056	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe
Token: SeIncBasePriorityPrivilege	4440	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe
Token: SeIncBasePriorityPrivilege	4480	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe
Token: SeIncBasePriorityPrivilege	2944	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 1056	3508	2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe	97
PID 3508 wrote to memory of 1056	3508	2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe	97
PID 3508 wrote to memory of 1056	3508	2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe	97
PID 3508 wrote to memory of 2852	3508	2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe	96
PID 3508 wrote to memory of 2852	3508	2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe	96
PID 3508 wrote to memory of 2852	3508	2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe	96
PID 1056 wrote to memory of 4440	1056	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe	101
PID 1056 wrote to memory of 4440	1056	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe	101
PID 1056 wrote to memory of 4440	1056	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe	101
PID 1056 wrote to memory of 4348	1056	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe	100
PID 1056 wrote to memory of 4348	1056	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe	100
PID 1056 wrote to memory of 4348	1056	{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe	100
PID 4440 wrote to memory of 4480	4440	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe	104
PID 4440 wrote to memory of 4480	4440	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe	104
PID 4440 wrote to memory of 4480	4440	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe	104
PID 4440 wrote to memory of 1184	4440	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe	103
PID 4440 wrote to memory of 1184	4440	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe	103
PID 4440 wrote to memory of 1184	4440	{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe	103
PID 4480 wrote to memory of 2944	4480	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe	109
PID 4480 wrote to memory of 2944	4480	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe	109
PID 4480 wrote to memory of 2944	4480	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe	109
PID 4480 wrote to memory of 656	4480	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe	108
PID 4480 wrote to memory of 656	4480	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe	108
PID 4480 wrote to memory of 656	4480	{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe	108
PID 2944 wrote to memory of 3968	2944	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe	111
PID 2944 wrote to memory of 3968	2944	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe	111
PID 2944 wrote to memory of 3968	2944	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe	111
PID 2944 wrote to memory of 3308	2944	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe	112
PID 2944 wrote to memory of 3308	2944	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe	112
PID 2944 wrote to memory of 3308	2944	{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_12e4fd1fc91085d27ed642eb6f96f12e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2852
- C:\Windows\{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe
  C:\Windows\{DF5478E9-4DFB-4179-9EB5-22CF4425424B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF547~1.EXE > nul
    3⤵
    PID:4348
- - C:\Windows\{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe
    C:\Windows\{C0BED682-B0A5-485b-BDDF-7082054EC45D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C0BED~1.EXE > nul
      4⤵
      PID:1184
  - - C:\Windows\{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe
      C:\Windows\{BB484F5B-2AE1-4fe9-994E-64C038C4C799}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB484~1.EXE > nul
        5⤵
        
        PID:656
    - - C:\Windows\{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe
        
        C:\Windows\{3782BDB7-D041-42ab-BDB0-3C499E888794}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\{0A07B136-5C30-4965-B02E-3FFFC6B641A8}.exe
        
        C:\Windows\{0A07B136-5C30-4965-B02E-3FFFC6B641A8}.exe
        6⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A07B~1.EXE > nul
        7⤵
        
        PID:1608
        
        C:\Windows\{B5F4451D-036A-4e9e-9602-E687ED5E5597}.exe
        
        C:\Windows\{B5F4451D-036A-4e9e-9602-E687ED5E5597}.exe
        7⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5F44~1.EXE > nul
        8⤵
        
        PID:4464
        
        C:\Windows\{9B09EB07-D95C-469c-925B-CF18E786959B}.exe
        
        C:\Windows\{9B09EB07-D95C-469c-925B-CF18E786959B}.exe
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B09E~1.EXE > nul
        9⤵
        
        PID:2580
        
        C:\Windows\{E10A15ED-E689-4a8d-A623-8A117A07EC41}.exe
        
        C:\Windows\{E10A15ED-E689-4a8d-A623-8A117A07EC41}.exe
        9⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E10A1~1.EXE > nul
        10⤵
        
        PID:1096
        
        C:\Windows\{8D7FD8CF-0EDD-4c5b-BFDF-255BA908175F}.exe
        
        C:\Windows\{8D7FD8CF-0EDD-4c5b-BFDF-255BA908175F}.exe
        10⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D7FD~1.EXE > nul
        11⤵
        
        PID:2748
        
        C:\Windows\{60EC1B39-3DD9-49bf-8020-9E37B95B1BC1}.exe
        
        C:\Windows\{60EC1B39-3DD9-49bf-8020-9E37B95B1BC1}.exe
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60EC1~1.EXE > nul
        12⤵
        
        PID:3416
        
        C:\Windows\{747D8293-389B-4e61-934D-19135DEBA853}.exe
        
        C:\Windows\{747D8293-389B-4e61-934D-19135DEBA853}.exe
        12⤵
        
        PID:3212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3782B~1.EXE > nul
        6⤵
        
        PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads