c5f1baf71a8c88a78bddde9e027e416887959f73b69dce8e790ffddffb1d880a

Analysis

max time kernel
63s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe
Size

168KB
MD5

30b046d16a09940a9ac0b306d5747cda
SHA1

bc50658224c007911b0d498f61ce1c24016c9980
SHA256

c5f1baf71a8c88a78bddde9e027e416887959f73b69dce8e790ffddffb1d880a
SHA512

c9c199dddf83fd560626a70c25922056f6f89d6adeddd896a7721db60c985dc532d9564d8f2f39f1b63060652c0faff1e4bd531caff145c087d30a5320d53026
SSDEEP

1536:1EGh0oGlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oGlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}	2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}\stubpath = "C:\\Windows\\{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe"	2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}\stubpath = "C:\\Windows\\{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe"	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}\stubpath = "C:\\Windows\\{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe"	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CA7655B-670F-4ab9-977C-98C6CB758495}	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CA7655B-670F-4ab9-977C-98C6CB758495}\stubpath = "C:\\Windows\\{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe"	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B066DD62-F32B-46bb-B623-C960713D40F6}	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B066DD62-F32B-46bb-B623-C960713D40F6}\stubpath = "C:\\Windows\\{B066DD62-F32B-46bb-B623-C960713D40F6}.exe"	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe

Executes dropped EXE 5 IoCs

pid	Process
3956	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe
3736	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe
3848	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe
1596	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe
920	{B066DD62-F32B-46bb-B623-C960713D40F6}.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\{B066DD62-F32B-46bb-B623-C960713D40F6}.exe	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe
File created	C:\Windows\{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe	2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe
File created	C:\Windows\{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe
File created	C:\Windows\{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe
File created	C:\Windows\{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3684	2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3956	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe
Token: SeIncBasePriorityPrivilege	3736	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe
Token: SeIncBasePriorityPrivilege	3848	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe
Token: SeIncBasePriorityPrivilege	1596	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 3956	3684	2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe	98
PID 3684 wrote to memory of 3956	3684	2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe	98
PID 3684 wrote to memory of 3956	3684	2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe	98
PID 3684 wrote to memory of 4444	3684	2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe	97
PID 3684 wrote to memory of 4444	3684	2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe	97
PID 3684 wrote to memory of 4444	3684	2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe	97
PID 3956 wrote to memory of 3736	3956	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe	102
PID 3956 wrote to memory of 3736	3956	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe	102
PID 3956 wrote to memory of 3736	3956	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe	102
PID 3956 wrote to memory of 2740	3956	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe	101
PID 3956 wrote to memory of 2740	3956	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe	101
PID 3956 wrote to memory of 2740	3956	{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe	101
PID 3736 wrote to memory of 3848	3736	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe	106
PID 3736 wrote to memory of 3848	3736	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe	106
PID 3736 wrote to memory of 3848	3736	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe	106
PID 3736 wrote to memory of 2016	3736	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe	105
PID 3736 wrote to memory of 2016	3736	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe	105
PID 3736 wrote to memory of 2016	3736	{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe	105
PID 3848 wrote to memory of 1596	3848	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe	109
PID 3848 wrote to memory of 1596	3848	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe	109
PID 3848 wrote to memory of 1596	3848	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe	109
PID 3848 wrote to memory of 4388	3848	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe	108
PID 3848 wrote to memory of 4388	3848	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe	108
PID 3848 wrote to memory of 4388	3848	{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe	108
PID 1596 wrote to memory of 920	1596	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe	111
PID 1596 wrote to memory of 920	1596	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe	111
PID 1596 wrote to memory of 920	1596	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe	111
PID 1596 wrote to memory of 4900	1596	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe	110
PID 1596 wrote to memory of 4900	1596	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe	110
PID 1596 wrote to memory of 4900	1596	{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_30b046d16a09940a9ac0b306d5747cda_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4444
- C:\Windows\{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe
  C:\Windows\{C7D9EE4E-3AAB-48d8-96ED-FC5F3C1B6E23}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7D9E~1.EXE > nul
    3⤵
    PID:2740
- - C:\Windows\{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe
    C:\Windows\{4E8CF6A5-E3FD-487b-B3DB-79FBE35849AD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E8CF~1.EXE > nul
      4⤵
      PID:2016
  - - C:\Windows\{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe
      C:\Windows\{EA234009-B02B-4a9a-BB76-BFF7A0AFB125}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA234~1.EXE > nul
        5⤵
        
        PID:4388
    - - C:\Windows\{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe
        
        C:\Windows\{4CA7655B-670F-4ab9-977C-98C6CB758495}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA76~1.EXE > nul
        6⤵
        
        PID:4900
      - C:\Windows\{B066DD62-F32B-46bb-B623-C960713D40F6}.exe
        
        C:\Windows\{B066DD62-F32B-46bb-B623-C960713D40F6}.exe
        6⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B066D~1.EXE > nul
        7⤵
        
        PID:4772
        
        C:\Windows\{499A3EB7-B2ED-4835-B4EB-5D776C89326F}.exe
        
        C:\Windows\{499A3EB7-B2ED-4835-B4EB-5D776C89326F}.exe
        7⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{499A3~1.EXE > nul
        8⤵
        
        PID:5068
        
        C:\Windows\{9CA0D7B4-D3C9-4e57-B8F9-9EFFC67BCEF4}.exe
        
        C:\Windows\{9CA0D7B4-D3C9-4e57-B8F9-9EFFC67BCEF4}.exe
        8⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CA0D~1.EXE > nul
        9⤵
        
        PID:4904
        
        C:\Windows\{C5497AC6-FC4F-4ed3-8DF9-4332E9869694}.exe
        
        C:\Windows\{C5497AC6-FC4F-4ed3-8DF9-4332E9869694}.exe
        9⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5497~1.EXE > nul
        10⤵
        
        PID:4708
        
        C:\Windows\{21FB8E77-7795-4d69-81C9-8B07BE13E992}.exe
        
        C:\Windows\{21FB8E77-7795-4d69-81C9-8B07BE13E992}.exe
        10⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21FB8~1.EXE > nul
        11⤵
        
        PID:2016
        
        C:\Windows\{9A330DA8-194D-48c8-89E4-1BE84B9FAD1A}.exe
        
        C:\Windows\{9A330DA8-194D-48c8-89E4-1BE84B9FAD1A}.exe
        11⤵
        
        PID:528
        
        C:\Windows\{5EC468B3-167D-482f-A54D-98CA615063A8}.exe
        
        C:\Windows\{5EC468B3-167D-482f-A54D-98CA615063A8}.exe
        12⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A330~1.EXE > nul
        12⤵
        
        PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads