25132311f4e43e0b035e542e4f0de23807fc303bce6a95c0ae76d3f3f1e9cbb1

Analysis

max time kernel
88s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 06:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe
Size

168KB
MD5

a8078cca6a4c2b09c1a19dc14c1fcbbf
SHA1

abe2333f4cc166f47158ee4a0e77262564617e3a
SHA256

25132311f4e43e0b035e542e4f0de23807fc303bce6a95c0ae76d3f3f1e9cbb1
SHA512

5dda8bc6cab2ff90301bd3f601120ea33a37d0d46a80296c3b16ed5cc88a0a079576b4bb974473d638cd2fa3312e4a0825fd4978f86cd6ab84c78bb30bbbc7db
SSDEEP

1536:1EGh0o3lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o3lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9233E38D-6232-44fa-A0C5-9E22193BCB87}\stubpath = "C:\\Windows\\{9233E38D-6232-44fa-A0C5-9E22193BCB87}.exe"	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}\stubpath = "C:\\Windows\\{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe"	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}\stubpath = "C:\\Windows\\{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe"	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{756D0570-F530-4a69-AD48-EA32A8092ACE}	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{756D0570-F530-4a69-AD48-EA32A8092ACE}\stubpath = "C:\\Windows\\{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe"	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C75A6D1-1670-4efa-9732-9EBB51C577B9}	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}\stubpath = "C:\\Windows\\{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe"	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C75A6D1-1670-4efa-9732-9EBB51C577B9}\stubpath = "C:\\Windows\\{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe"	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}\stubpath = "C:\\Windows\\{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe"	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9233E38D-6232-44fa-A0C5-9E22193BCB87}	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe

Deletes itself 1 IoCs

pid	Process
1412	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
2196	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe
2588	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe
2700	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe
2520	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe
2008	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe
1664	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe
2344	{9233E38D-6232-44fa-A0C5-9E22193BCB87}.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe
File created	C:\Windows\{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe
File created	C:\Windows\{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe
File created	C:\Windows\{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe
File created	C:\Windows\{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe
File created	C:\Windows\{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe
File created	C:\Windows\{9233E38D-6232-44fa-A0C5-9E22193BCB87}.exe	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2284	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2196	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe
Token: SeIncBasePriorityPrivilege	2588	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe
Token: SeIncBasePriorityPrivilege	2700	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe
Token: SeIncBasePriorityPrivilege	2520	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe
Token: SeIncBasePriorityPrivilege	2008	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe
Token: SeIncBasePriorityPrivilege	1664	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2196	2284	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe	29
PID 2284 wrote to memory of 2196	2284	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe	29
PID 2284 wrote to memory of 2196	2284	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe	29
PID 2284 wrote to memory of 2196	2284	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe	29
PID 2284 wrote to memory of 1412	2284	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe	28
PID 2284 wrote to memory of 1412	2284	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe	28
PID 2284 wrote to memory of 1412	2284	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe	28
PID 2284 wrote to memory of 1412	2284	2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe	28
PID 2196 wrote to memory of 2588	2196	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe	31
PID 2196 wrote to memory of 2588	2196	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe	31
PID 2196 wrote to memory of 2588	2196	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe	31
PID 2196 wrote to memory of 2588	2196	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe	31
PID 2196 wrote to memory of 2656	2196	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe	30
PID 2196 wrote to memory of 2656	2196	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe	30
PID 2196 wrote to memory of 2656	2196	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe	30
PID 2196 wrote to memory of 2656	2196	{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe	30
PID 2588 wrote to memory of 2700	2588	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe	33
PID 2588 wrote to memory of 2700	2588	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe	33
PID 2588 wrote to memory of 2700	2588	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe	33
PID 2588 wrote to memory of 2700	2588	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe	33
PID 2588 wrote to memory of 2828	2588	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe	32
PID 2588 wrote to memory of 2828	2588	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe	32
PID 2588 wrote to memory of 2828	2588	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe	32
PID 2588 wrote to memory of 2828	2588	{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe	32
PID 2700 wrote to memory of 2520	2700	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe	37
PID 2700 wrote to memory of 2520	2700	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe	37
PID 2700 wrote to memory of 2520	2700	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe	37
PID 2700 wrote to memory of 2520	2700	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe	37
PID 2700 wrote to memory of 2504	2700	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe	36
PID 2700 wrote to memory of 2504	2700	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe	36
PID 2700 wrote to memory of 2504	2700	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe	36
PID 2700 wrote to memory of 2504	2700	{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe	36
PID 2520 wrote to memory of 2008	2520	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe	39
PID 2520 wrote to memory of 2008	2520	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe	39
PID 2520 wrote to memory of 2008	2520	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe	39
PID 2520 wrote to memory of 2008	2520	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe	39
PID 2520 wrote to memory of 1940	2520	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe	38
PID 2520 wrote to memory of 1940	2520	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe	38
PID 2520 wrote to memory of 1940	2520	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe	38
PID 2520 wrote to memory of 1940	2520	{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe	38
PID 2008 wrote to memory of 1664	2008	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe	41
PID 2008 wrote to memory of 1664	2008	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe	41
PID 2008 wrote to memory of 1664	2008	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe	41
PID 2008 wrote to memory of 1664	2008	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe	41
PID 2008 wrote to memory of 1916	2008	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe	40
PID 2008 wrote to memory of 1916	2008	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe	40
PID 2008 wrote to memory of 1916	2008	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe	40
PID 2008 wrote to memory of 1916	2008	{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe	40
PID 1664 wrote to memory of 2344	1664	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe	43
PID 1664 wrote to memory of 2344	1664	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe	43
PID 1664 wrote to memory of 2344	1664	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe	43
PID 1664 wrote to memory of 2344	1664	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe	43
PID 1664 wrote to memory of 1288	1664	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe	42
PID 1664 wrote to memory of 1288	1664	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe	42
PID 1664 wrote to memory of 1288	1664	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe	42
PID 1664 wrote to memory of 1288	1664	{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe	42

C:\Users\Admin\AppData\Local\Temp\2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_a8078cca6a4c2b09c1a19dc14c1fcbbf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1412
- C:\Windows\{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe
  C:\Windows\{4F8E4490-C071-44c8-8AA8-5DB6563A62C7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4F8E4~1.EXE > nul
    3⤵
    PID:2656
- - C:\Windows\{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe
    C:\Windows\{59922029-49BC-4acb-B5F6-1CB1DCC5AD34}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{59922~1.EXE > nul
      4⤵
      PID:2828
  - - C:\Windows\{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe
      C:\Windows\{756D0570-F530-4a69-AD48-EA32A8092ACE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{756D0~1.EXE > nul
        5⤵
        
        PID:2504
    - - C:\Windows\{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe
        
        C:\Windows\{2C75A6D1-1670-4efa-9732-9EBB51C577B9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C75A~1.EXE > nul
        6⤵
        
        PID:1940
      - C:\Windows\{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe
        
        C:\Windows\{8B2A8CE1-F4CD-497a-9B41-66A13FE5408A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B2A8~1.EXE > nul
        7⤵
        
        PID:1916
        
        C:\Windows\{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe
        
        C:\Windows\{A21D44D7-68D4-40e4-806F-BA8FC3432EE3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A21D4~1.EXE > nul
        8⤵
        
        PID:1288
        
        C:\Windows\{9233E38D-6232-44fa-A0C5-9E22193BCB87}.exe
        
        C:\Windows\{9233E38D-6232-44fa-A0C5-9E22193BCB87}.exe
        8⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9233E~1.EXE > nul
        9⤵
        
        PID:320
        
        C:\Windows\{AE79FA90-A088-407c-B1E0-C858B7B62130}.exe
        
        C:\Windows\{AE79FA90-A088-407c-B1E0-C858B7B62130}.exe
        9⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE79F~1.EXE > nul
        10⤵
        
        PID:2808
        
        C:\Windows\{CCBB2CDD-D94A-4485-B21D-D9FD8B7353C7}.exe
        
        C:\Windows\{CCBB2CDD-D94A-4485-B21D-D9FD8B7353C7}.exe
        10⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCBB2~1.EXE > nul
        11⤵
        
        PID:2620
        
        C:\Windows\{D30B0F7C-F260-470e-8CEA-471469EF5C40}.exe
        
        C:\Windows\{D30B0F7C-F260-470e-8CEA-471469EF5C40}.exe
        11⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D30B0~1.EXE > nul
        12⤵
        
        PID:1460
        
        C:\Windows\{DF6D16C1-5868-4408-B898-E0FF2146CCA5}.exe
        
        C:\Windows\{DF6D16C1-5868-4408-B898-E0FF2146CCA5}.exe
        12⤵
        
        PID:108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads