File name: GoldenEye.exe

Full analysis: https://app.any.run/tasks/1b5267be-3856-401c-a474-b8cc4d5728a3
Verdict: Malicious activity
Analysis date: October 10, 2024, 16:22:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xor-url
generic
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: E3B7D39BE5E821B59636D0FE7C2944CC
SHA1: 00479A97E415E9B6A5DFB5D04F5D9244BC8FBE88
SHA256: 389A7D395492C2DA6F8ABF5A8A7C49C3482F7844F77FE681808C71E961BCAE97
SSDEEP: 3072:iTAjnioLO7WpLyLNZMcPSK7BaZ0NwAWMGc0HfmY4KsyyOiy12KJ3I4YgTl5:i6nrD0ZMcPBAL7c0fTHs+2sYXg3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • XORed URL has been found (YARA)
      • Netplwiz.exe (PID: 2648)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Netplwiz.exe (PID: 2648)
      • GoldenEye.exe (PID: 5172)
    • Process drops legitimate windows executable
      • GoldenEye.exe (PID: 5172)
  • INFO
    • Checks supported languages
      • GoldenEye.exe (PID: 5172)
      • Netplwiz.exe (PID: 2648)
    • Reads the machine GUID from the registry
      • GoldenEye.exe (PID: 5172)
    • Reads the computer name
      • GoldenEye.exe (PID: 5172)
    • Creates files or folders in the user directory
      • GoldenEye.exe (PID: 5172)

xor-url

Process: Netplwiz.exe (PID: 2648)
Decrypted URLs (1): https://www.torproject.org/

No malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:06:18 21:01:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 194560
InitializedDataSize: 75264
UninitializedDataSize: -
EntryPoint: 0xc424
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 126
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> goldeneye.exe -> netplwiz.exe (#XOR-URL)

Process information

PID 2648
CMD: "C:\Users\admin\AppData\Roaming\{c9697d46-f45e-4c6c-9582-fbf8b2f56fb1}\Netplwiz.exe"
Path: C:\Users\admin\AppData\Roaming\{c9697d46-f45e-4c6c-9582-fbf8b2f56fb1}\Netplwiz.exe
Parent process: GoldenEye.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Advanced User Accounts Control Panel
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\users\admin\appdata\roaming\{c9697d46-f45e-4c6c-9582-fbf8b2f56fb1}\netplwiz.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
Indicators: xor-url
  Decrypted URLs (1): https://www.torproject.org/

PID 5172
CMD: "C:\Users\admin\Desktop\GoldenEye.exe"
Path: C:\Users\admin\Desktop\GoldenEye.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\desktop\goldeneye.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
Total events: 16 399
Read events: 16 399
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 13
Suspicious files: 2 436
Text files: 9
Unknown types: 22

Dropped files

PID | Process | Filename | Type

5172 | GoldenEye.exe | C:\Users\admin\AppData\Roaming\{c9697d46-f45e-4c6c-9582-fbf8b2f56fb1}\RCXC099.tmp | executable
  MD5: 6E12034A5CC8270A507F305703EAD0C7
  SHA256: 5D8B42C33BAB0D35B4EBFB44F78B17173A87DD15CA5B4DED8410543A9ACBF79C

2648 | Netplwiz.exe | C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.rVWKuUzw | binary
  MD5: B82E425F111A26B52D30F55E43457063
  SHA256: DFCA23C2C0E49A33F7140D0DC6C70E90EEFEFECB1E5F89821F5ACAE57DA78473

2648 | Netplwiz.exe | C:\Users\admin\AppData\Roaming\Microsoft\Templates\Welcome to Word.docx.rVWKuUzw | binary
  MD5: 24CD619DB6595842F9E06E7C4F0DBB3F
  SHA256: A015FEB7559FB9087EBD44ACB6F111EA11A9AA639B543B82C4B1E66BA61B655E

5172 | GoldenEye.exe | C:\Users\admin\AppData\Roaming\{c9697d46-f45e-4c6c-9582-fbf8b2f56fb1}\Netplwiz.exe | executable
  MD5: E3B7D39BE5E821B59636D0FE7C2944CC
  SHA256: 389A7D395492C2DA6F8ABF5A8A7C49C3482F7844F77FE681808C71E961BCAE97

2648 | Netplwiz.exe | C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx | binary
  MD5: B82E425F111A26B52D30F55E43457063
  SHA256: DFCA23C2C0E49A33F7140D0DC6C70E90EEFEFECB1E5F89821F5ACAE57DA78473

2648 | Netplwiz.exe | C:\Users\admin\Pictures\healthsubmitted.jpg | binary
  MD5: 6849C0246651C4704B3611E7CFB153DE
  SHA256: A63E7F29F7898BC173A6CFD283010BA62148067D059469155CFA0A08860D2D3A

2648 | Netplwiz.exe | C:\Users\admin\Pictures\surveysafety.jpg | binary
  MD5: CD03BFB88103120C6640B9E7FE423EF4
  SHA256: B7648D226C1D540CD59B07C4D5E6DBFBBDF57CA0BFB46919612CCC74EA23A3D8

2648 | Netplwiz.exe | C:\Users\admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.TXT | text
  MD5: 910AF73BF2DE2DAFDAB5CF5E84D1152E
  SHA256: EC81BCB55BC636A11E4D2DC40FCF3F9C4A8B486582BCC717A396147B0074B441

2648 | Netplwiz.exe | C:\Users\admin\Pictures\particularlyrated.jpg | binary
  MD5: 5F594AA356FFF0C258F47636A471C79A
  SHA256: A87AA567E684551E5CEC0840A5306A801F04D42F68EC314A5BF425CCA9F7E696

2648 | Netplwiz.exe | C:\Users\admin\Pictures\providingball.jpg | binary
  MD5: 39053A0F5525D566500C145B595744DC
  SHA256: 1CC79D1E8AD683803BF05B9A3D70F6F0749A5681810E0142FC6B870BBAF3F1C9
HTTP(S) requests: 5
TCP/UDP connections: 20
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
6944 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
1764 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1764 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6944 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1764 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.142 | whitelisted
crl.microsoft.com | 2.16.164.49, 2.16.164.120 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158 | whitelisted
self.events.data.microsoft.com | 52.168.117.169 | whitelisted

Threats

No threats detected
No debug info