47daa38f12e10e0edf88a735102205f19d31bc916481eb05aab055b034dff759

Analysis

max time kernel
88s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe
Size

216KB
MD5

4334e4dd71bc6f1945d88e91422b2e3a
SHA1

1748fc28012ed55b14fed17f03eab9c39abe264a
SHA256

47daa38f12e10e0edf88a735102205f19d31bc916481eb05aab055b034dff759
SHA512

486f9ac68b7b09a3e8d2d51c8727cf3ec30cee30bcea65cba8ec5af0549d54555800cc9c874a72a3c6e4c391922929bfafaf9f967c4662681d585d84e6a3ebbe
SSDEEP

3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG9lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BCE5298-A8C5-496a-AA39-6C62754152F7}\stubpath = "C:\\Windows\\{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe"	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}\stubpath = "C:\\Windows\\{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe"	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}\stubpath = "C:\\Windows\\{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe"	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95089FED-8F76-485a-989C-3D8B232FF8C4}	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BCE5298-A8C5-496a-AA39-6C62754152F7}	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}\stubpath = "C:\\Windows\\{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe"	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}\stubpath = "C:\\Windows\\{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe"	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868A83BF-7F92-4ee5-B357-C27EBB22D9F5}\stubpath = "C:\\Windows\\{868A83BF-7F92-4ee5-B357-C27EBB22D9F5}.exe"	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95089FED-8F76-485a-989C-3D8B232FF8C4}\stubpath = "C:\\Windows\\{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe"	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868A83BF-7F92-4ee5-B357-C27EBB22D9F5}	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
2672	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe
2680	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe
2156	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe
2552	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe
1808	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe
332	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe
1356	{868A83BF-7F92-4ee5-B357-C27EBB22D9F5}.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe
File created	C:\Windows\{868A83BF-7F92-4ee5-B357-C27EBB22D9F5}.exe	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe
File created	C:\Windows\{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe
File created	C:\Windows\{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe
File created	C:\Windows\{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe
File created	C:\Windows\{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe
File created	C:\Windows\{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1980	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2672	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe
Token: SeIncBasePriorityPrivilege	2680	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe
Token: SeIncBasePriorityPrivilege	2156	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe
Token: SeIncBasePriorityPrivilege	2552	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe
Token: SeIncBasePriorityPrivilege	1808	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe
Token: SeIncBasePriorityPrivilege	332	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2672	1980	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe	29
PID 1980 wrote to memory of 2672	1980	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe	29
PID 1980 wrote to memory of 2672	1980	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe	29
PID 1980 wrote to memory of 2672	1980	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe	29
PID 1980 wrote to memory of 2780	1980	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe	28
PID 1980 wrote to memory of 2780	1980	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe	28
PID 1980 wrote to memory of 2780	1980	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe	28
PID 1980 wrote to memory of 2780	1980	2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe	28
PID 2672 wrote to memory of 2680	2672	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe	31
PID 2672 wrote to memory of 2680	2672	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe	31
PID 2672 wrote to memory of 2680	2672	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe	31
PID 2672 wrote to memory of 2680	2672	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe	31
PID 2672 wrote to memory of 2836	2672	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe	30
PID 2672 wrote to memory of 2836	2672	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe	30
PID 2672 wrote to memory of 2836	2672	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe	30
PID 2672 wrote to memory of 2836	2672	{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe	30
PID 2680 wrote to memory of 2156	2680	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe	33
PID 2680 wrote to memory of 2156	2680	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe	33
PID 2680 wrote to memory of 2156	2680	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe	33
PID 2680 wrote to memory of 2156	2680	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe	33
PID 2680 wrote to memory of 2576	2680	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe	32
PID 2680 wrote to memory of 2576	2680	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe	32
PID 2680 wrote to memory of 2576	2680	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe	32
PID 2680 wrote to memory of 2576	2680	{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe	32
PID 2156 wrote to memory of 2552	2156	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe	37
PID 2156 wrote to memory of 2552	2156	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe	37
PID 2156 wrote to memory of 2552	2156	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe	37
PID 2156 wrote to memory of 2552	2156	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe	37
PID 2156 wrote to memory of 2856	2156	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe	36
PID 2156 wrote to memory of 2856	2156	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe	36
PID 2156 wrote to memory of 2856	2156	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe	36
PID 2156 wrote to memory of 2856	2156	{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe	36
PID 2552 wrote to memory of 1808	2552	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe	39
PID 2552 wrote to memory of 1808	2552	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe	39
PID 2552 wrote to memory of 1808	2552	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe	39
PID 2552 wrote to memory of 1808	2552	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe	39
PID 2552 wrote to memory of 2992	2552	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe	38
PID 2552 wrote to memory of 2992	2552	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe	38
PID 2552 wrote to memory of 2992	2552	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe	38
PID 2552 wrote to memory of 2992	2552	{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe	38
PID 1808 wrote to memory of 332	1808	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe	41
PID 1808 wrote to memory of 332	1808	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe	41
PID 1808 wrote to memory of 332	1808	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe	41
PID 1808 wrote to memory of 332	1808	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe	41
PID 1808 wrote to memory of 1564	1808	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe	40
PID 1808 wrote to memory of 1564	1808	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe	40
PID 1808 wrote to memory of 1564	1808	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe	40
PID 1808 wrote to memory of 1564	1808	{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe	40
PID 332 wrote to memory of 1356	332	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe	43
PID 332 wrote to memory of 1356	332	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe	43
PID 332 wrote to memory of 1356	332	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe	43
PID 332 wrote to memory of 1356	332	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe	43
PID 332 wrote to memory of 632	332	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe	42
PID 332 wrote to memory of 632	332	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe	42
PID 332 wrote to memory of 632	332	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe	42
PID 332 wrote to memory of 632	332	{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe	42

C:\Users\Admin\AppData\Local\Temp\2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_4334e4dd71bc6f1945d88e91422b2e3a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2780
- C:\Windows\{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe
  C:\Windows\{95089FED-8F76-485a-989C-3D8B232FF8C4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{95089~1.EXE > nul
    3⤵
    PID:2836
- - C:\Windows\{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe
    C:\Windows\{6BCE5298-A8C5-496a-AA39-6C62754152F7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6BCE5~1.EXE > nul
      4⤵
      PID:2576
  - - C:\Windows\{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe
      C:\Windows\{EEC2BDDB-7017-43e2-BFFA-65765C1952B6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC2B~1.EXE > nul
        5⤵
        
        PID:2856
    - - C:\Windows\{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe
        
        C:\Windows\{2EDE41ED-9B01-4dcb-9B7F-EF8F2B278501}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EDE4~1.EXE > nul
        6⤵
        
        PID:2992
      - C:\Windows\{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe
        
        C:\Windows\{5C8E6154-9D14-4c15-AD49-A2CA81E59C4C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C8E6~1.EXE > nul
        7⤵
        
        PID:1564
        
        C:\Windows\{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe
        
        C:\Windows\{B3FB26FA-B74D-4573-9E38-CA7B4B6421A1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3FB2~1.EXE > nul
        8⤵
        
        PID:632
        
        C:\Windows\{868A83BF-7F92-4ee5-B357-C27EBB22D9F5}.exe
        
        C:\Windows\{868A83BF-7F92-4ee5-B357-C27EBB22D9F5}.exe
        8⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{868A8~1.EXE > nul
        9⤵
        
        PID:2388
        
        C:\Windows\{B90961B4-61C3-4cbc-B8E4-EF22A6E36402}.exe
        
        C:\Windows\{B90961B4-61C3-4cbc-B8E4-EF22A6E36402}.exe
        9⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9096~1.EXE > nul
        10⤵
        
        PID:2548
        
        C:\Windows\{064F45B9-CB49-4a1f-BF68-5B6EF928341C}.exe
        
        C:\Windows\{064F45B9-CB49-4a1f-BF68-5B6EF928341C}.exe
        10⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{064F4~1.EXE > nul
        11⤵
        
        PID:1416
        
        C:\Windows\{4744EC80-D6AC-4328-8726-A52577DBEA46}.exe
        
        C:\Windows\{4744EC80-D6AC-4328-8726-A52577DBEA46}.exe
        11⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4744E~1.EXE > nul
        12⤵
        
        PID:1804
        
        C:\Windows\{817AC917-BC15-412e-95E3-CFBA502DFD9F}.exe
        
        C:\Windows\{817AC917-BC15-412e-95E3-CFBA502DFD9F}.exe
        12⤵
        
        PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads