File name:

GoldenEye Builder.7z

Full analysis: https://app.any.run/tasks/aa9f29b3-79ed-4ac5-8fc6-c1b41748c497
Verdict: Malicious activity
Analysis date: January 10, 2025, 23:08:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

4D01DBC86DF141A6E694C059648ACE39

SHA1:

68A6349C2104CB6E0D042CD1CBA7C6BB0F35B9FF

SHA256:

48DE9BAFD54FED92B7D23E3F59EAEF1071BB0B3DC23B3F59C9547E8967BE3CED

SSDEEP:

3072:m54ojSZlaWnMu8QQKQ7zzs60w+Ctas/WtsAn:m2o2LLTrrQ7zzs60dCtaztN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Dism.exe (PID: 3060)
    • Starts NET.EXE to display or manage information about active sessions

      • net.exe (PID: 5788)
      • net.exe (PID: 4132)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 6092)
    • Executable content was dropped or overwritten

      • Dism.exe (PID: 3060)
      • GoldenEye Builder.exe (PID: 7100)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6404)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 4672)
    • Searches for installed software

      • TiWorker.exe (PID: 2408)
    • The system shut down or reboot

      • GoldenEye.exe (PID: 2744)
  • INFO

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7032)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 4320)
    • The sample compiled with english language support

      • Dism.exe (PID: 3060)
    • Sends debugging messages

      • Dism.exe (PID: 3060)
    • Manual execution by a user

      • notepad.exe (PID: 7032)
      • cmd.exe (PID: 6092)
      • cmd.exe (PID: 3620)
      • GoldenEye Builder.exe (PID: 4228)
      • GoldenEye Builder.exe (PID: 7100)
      • GoldenEye.exe (PID: 4132)
      • GoldenEye.exe (PID: 2744)
    • Create files in a temporary directory

      • Dism.exe (PID: 3060)
      • GoldenEye Builder.exe (PID: 7100)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4320)
    • Reads the computer name

      • DismHost.exe (PID: 4672)
      • GoldenEye Builder.exe (PID: 7100)
    • Checks supported languages

      • DismHost.exe (PID: 4672)
      • GoldenEye Builder.exe (PID: 7100)
      • GoldenEye.exe (PID: 2744)
    • Reads Environment values

      • DismHost.exe (PID: 4672)
    • Manages system restore points

      • SrTasks.exe (PID: 5556)
    • Reads the software policy settings

      • TiWorker.exe (PID: 2408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
156
Monitored processes
24
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe notepad.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe conhost.exe no specs net.exe no specs net1.exe no specs dism.exe dismhost.exe no specs tiworker.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs goldeneye builder.exe no specs goldeneye builder.exe goldeneye.exe no specs goldeneye.exe shutdown.exe no specs shutdown.exe no specs conhost.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4320"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GoldenEye Builder.7z"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
7032"C:\WINDOWS\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\netfx3_enable.batC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
6092C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\netfx3_enable.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1016\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4132net session C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wkscli.dll
2612C:\WINDOWS\system32\net1 session C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\dsrole.dll
3620"C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\Desktop\netfx3_enable.bat" C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
5308\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5788net session C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\mpr.dll
4244C:\WINDOWS\system32\net1 session C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ucrtbase.dll
Total events
39 778
Read events
39 244
Write events
386
Delete events
148

Modification events

(PID) Process:(4320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
1
(PID) Process:(4320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(4320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\GoldenEye Builder.7z
(PID) Process:(4320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4320) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
53
Suspicious files
1 351
Text files
1 365
Unknown types
3

Dropped files

PID
Process
Filename
Type
3060Dism.exeC:\Users\admin\AppData\Local\Temp\F2465155-DD37-425B-BEF1-7474A29C9E34\en-US\DismProv.dll.muiexecutable
MD5:7D06108999CC83EB3A23EADCEBB547A5
SHA256:CF8CC85CDD12CF4A02DF5274F8D0CDC625C6409FE80866B3052B7D5A862AC311
3060Dism.exeC:\Users\admin\AppData\Local\Temp\F2465155-DD37-425B-BEF1-7474A29C9E34\en-US\DismCore.dll.muiexecutable
MD5:7A15F6E845F0679DE593C5896FE171F9
SHA256:F91E3C35B472F95D7B1AE3DC83F9D6BFDE33515AA29E8B310F55D9FE66466419
3060Dism.exeC:\Users\admin\AppData\Local\Temp\F2465155-DD37-425B-BEF1-7474A29C9E34\en-US\CbsProvider.dll.muiexecutable
MD5:6C51A3187D2464C48CC8550B141E25C5
SHA256:D7A0253D6586E7BBFB0ACB6FACD9A326B32BA1642B458F5B5ED27FECCB4FC199
3060Dism.exeC:\Users\admin\AppData\Local\Temp\F2465155-DD37-425B-BEF1-7474A29C9E34\en-US\AssocProvider.dll.muiexecutable
MD5:8833761572F0964BDC1BEA6E1667F458
SHA256:B18C6CE1558C9EF6942A3BCE246A46557C2A7D12AEC6C4A07E4FA84DD5C422F5
3060Dism.exeC:\Users\admin\AppData\Local\Temp\F2465155-DD37-425B-BEF1-7474A29C9E34\CbsProvider.dllexecutable
MD5:14932441A96E254B3D29D452CE1263A0
SHA256:8FFF21CB7C88A0DD8C8E7B386604001F2974E75D229369A87BEE0BA18DA575F3
3060Dism.exeC:\Users\admin\AppData\Local\Temp\F2465155-DD37-425B-BEF1-7474A29C9E34\en-US\DmiProvider.dll.muiexecutable
MD5:B7252234AA43B7295BB62336ADC1B85C
SHA256:73709C25DC5300A435E53DF97FC01A7DC184B56796CAE48EE728D54D26076D6C
4320WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb4320.35359\GoldenEye Builder.exe.configxml
MD5:FDAD6E56C3813F4021FF8177DC33EF84
SHA256:581337C905162B25581705895A91F3AF7C8A577161C18187485F1BD15692C90D
3060Dism.exeC:\Users\admin\AppData\Local\Temp\F2465155-DD37-425B-BEF1-7474A29C9E34\DismCore.dllexecutable
MD5:681186B5696BA7D46B6681C027A659AD
SHA256:FBB5135DE4F6A5C9422A0B218D676930DB9BC9A2AEA0F7219077862912455914
3060Dism.exeC:\Users\admin\AppData\Local\Temp\F2465155-DD37-425B-BEF1-7474A29C9E34\en-US\FfuProvider.dll.muiexecutable
MD5:DC826A9CB121E2142B670D0B10022E22
SHA256:BA6695148F96A5D45224324006AE29BECFD2A6AA1DE947E27371A4EB84E7451A
3060Dism.exeC:\Users\admin\AppData\Local\Temp\F2465155-DD37-425B-BEF1-7474A29C9E34\DismProv.dllexecutable
MD5:AB0DBC4F05B33EAAA447E31ACCAB8D21
SHA256:6A3C3F07BDDBC3079873F8799F2C19ADDDC59F15D6B2DBA6E9314E5626BFD2A0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
40
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5988
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7064
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5988
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6240
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7064
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5988
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5988
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
104.126.37.128:443
www.bing.com
Akamai International B.V.
DE
whitelisted
1176
svchost.exe
40.126.31.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.155
  • 104.126.37.123
  • 104.126.37.171
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.154
  • 104.126.37.153
  • 104.126.37.129
whitelisted
login.live.com
  • 40.126.31.71
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.0
  • 20.190.159.71
  • 20.190.159.23
  • 40.126.31.69
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.35.238.131
  • 2.23.242.9
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
Process
Message
Dism.exe
PID=3060 TID=3876 Loading Provider from location C:\WINDOWS\system32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=3060 TID=3876 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe
PID=3060 TID=3876 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe
PID=3060 TID=3876 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe
PID=3060 TID=3876 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=3060 TID=3876 Connecting to the provider located at C:\WINDOWS\system32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider