Analysis Overview
SHA256
e1770ead4434b67171cf14b48930772591b925b0fd06f781d53dde21a5047f8f
Threat Level: Known bad
The file 2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Modifies Installed Components in the registry
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 23:28
Signatures
Auto-generated rule
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 23:27
Reported
2024-03-02 23:30
Platform
win7-20240221-en
Max time kernel
144s
Max time network
124s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDDC3F28-D195-40e2-9513-B31F1A550752}\stubpath = "C:\\Windows\\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe" | C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519F376A-387B-494b-A982-E828120E8DBF} | C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}\stubpath = "C:\\Windows\\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe" | C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A623A6-99EE-48df-BD56-14CB72A4135E} | C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70} | C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{280661BB-7D54-4bde-A92A-F6B0E228E8B9} | C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}\stubpath = "C:\\Windows\\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe" | C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D1A74DF-F84C-421e-B870-E26F163FDFEB} | C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}\stubpath = "C:\\Windows\\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe" | C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D026D140-6467-44d7-A8DC-B6DC105EC22B}\stubpath = "C:\\Windows\\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe" | C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11DE0751-5E1F-4704-97E7-C09704D66E62}\stubpath = "C:\\Windows\\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe" | C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDDC3F28-D195-40e2-9513-B31F1A550752} | C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{519F376A-387B-494b-A982-E828120E8DBF}\stubpath = "C:\\Windows\\{519F376A-387B-494b-A982-E828120E8DBF}.exe" | C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}\stubpath = "C:\\Windows\\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe" | C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9620189A-815C-4339-A780-1A80A60BBE49}\stubpath = "C:\\Windows\\{9620189A-815C-4339-A780-1A80A60BBE49}.exe" | C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48A623A6-99EE-48df-BD56-14CB72A4135E}\stubpath = "C:\\Windows\\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe" | C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D026D140-6467-44d7-A8DC-B6DC105EC22B} | C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11DE0751-5E1F-4704-97E7-C09704D66E62} | C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3} | C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}\stubpath = "C:\\Windows\\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9620189A-815C-4339-A780-1A80A60BBE49} | C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | N/A |
| N/A | N/A | C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe | N/A |
| N/A | N/A | C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | N/A |
| N/A | N/A | C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | N/A |
| N/A | N/A | C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | N/A |
| N/A | N/A | C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | N/A |
| N/A | N/A | C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | N/A |
| N/A | N/A | C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe | N/A |
| N/A | N/A | C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe | N/A |
| N/A | N/A | C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe | N/A |
| N/A | N/A | C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | N/A |
| File created | C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe | C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe | N/A |
| File created | C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe | C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe | N/A |
| File created | C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe | C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe | N/A |
| File created | C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | N/A |
| File created | C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe | C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe | N/A |
| File created | C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe | C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | N/A |
| File created | C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe | C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe | N/A |
| File created | C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe | N/A |
| File created | C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe | N/A |
| File created | C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe | C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"
C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
C:\Windows\{2BDADBD1-7E19-4ed5-8DCB-8D9F64FF96F0}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe
C:\Windows\{9620189A-815C-4339-A780-1A80A60BBE49}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2BDAD~1.EXE > nul
C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
C:\Windows\{48A623A6-99EE-48df-BD56-14CB72A4135E}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{96201~1.EXE > nul
C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
C:\Windows\{59E0263C-FC2A-417c-B5B3-F0D0C17BFC70}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{48A62~1.EXE > nul
C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
C:\Windows\{D026D140-6467-44d7-A8DC-B6DC105EC22B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{59E02~1.EXE > nul
C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
C:\Windows\{11DE0751-5E1F-4704-97E7-C09704D66E62}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D026D~1.EXE > nul
C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
C:\Windows\{DDDC3F28-D195-40e2-9513-B31F1A550752}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{11DE0~1.EXE > nul
C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe
C:\Windows\{519F376A-387B-494b-A982-E828120E8DBF}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DDDC3~1.EXE > nul
C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
C:\Windows\{280661BB-7D54-4bde-A92A-F6B0E228E8B9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{519F3~1.EXE > nul
C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
C:\Windows\{5BB3558F-EE01-46fb-8AC1-F0D6B0513BE3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{28066~1.EXE > nul
C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe
C:\Windows\{5D1A74DF-F84C-421e-B870-E26F163FDFEB}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5BB35~1.EXE > nul
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 23:27
Reported
2024-03-02 23:31
Platform
win10v2004-20240226-en
Max time kernel
178s
Max time network
187s
Command Line
Signatures
Auto-generated rule
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F37E9A3-C738-48fe-B59D-BD2082FE3051} | C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}\stubpath = "C:\\Windows\\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe" | C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{858AB40B-0C5D-485a-937A-81F60B45E79D}\stubpath = "C:\\Windows\\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe" | C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5} | C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}\stubpath = "C:\\Windows\\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe" | C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF} | C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AB6528-A448-4be0-84B3-B15D4137180F} | C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27AB6528-A448-4be0-84B3-B15D4137180F}\stubpath = "C:\\Windows\\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB3535E9-8060-499d-85FD-985CB9624787}\stubpath = "C:\\Windows\\{FB3535E9-8060-499d-85FD-985CB9624787}.exe" | C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8A5E11B-1FCC-42cd-A857-E015C86B513F} | C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}\stubpath = "C:\\Windows\\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe" | C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2} | C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}\stubpath = "C:\\Windows\\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe" | C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362236B6-37AA-497b-9F3A-E79D52D10E33} | C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362236B6-37AA-497b-9F3A-E79D52D10E33}\stubpath = "C:\\Windows\\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe" | C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{858AB40B-0C5D-485a-937A-81F60B45E79D} | C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB3535E9-8060-499d-85FD-985CB9624787} | C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}\stubpath = "C:\\Windows\\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe" | C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe | N/A |
| N/A | N/A | C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe | N/A |
| N/A | N/A | C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe | N/A |
| N/A | N/A | C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe | N/A |
| N/A | N/A | C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe | N/A |
| N/A | N/A | C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe | N/A |
| N/A | N/A | C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe | N/A |
| N/A | N/A | C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe | N/A |
| N/A | N/A | C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe | C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe | N/A |
| File created | C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe | C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe | N/A |
| File created | C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe | C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | N/A |
| File created | C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe | C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe | N/A |
| File created | C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe | C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe | N/A |
| File created | C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe | C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe | N/A |
| File created | C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe | C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe | N/A |
| File created | C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe | C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe | N/A |
| File created | C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe | C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-02_635a3c6b18af3c5dd32a436fb72efa92_goldeneye.exe"
C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe
C:\Windows\{27AB6528-A448-4be0-84B3-B15D4137180F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
C:\Windows\{858AB40B-0C5D-485a-937A-81F60B45E79D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{27AB6~1.EXE > nul
C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
C:\Windows\{F4C3EB6C-72CF-4eb2-9B20-06CD5366C9B5}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{858AB~1.EXE > nul
C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
C:\Windows\{4F37E9A3-C738-48fe-B59D-BD2082FE3051}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F4C3E~1.EXE > nul
C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe
C:\Windows\{FB3535E9-8060-499d-85FD-985CB9624787}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4F37E~1.EXE > nul
C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
C:\Windows\{E8A5E11B-1FCC-42cd-A857-E015C86B513F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FB353~1.EXE > nul
C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
C:\Windows\{EFC882BB-83E8-4177-AAD8-0E2EAE9B0CA2}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E8A5E~1.EXE > nul
C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
C:\Windows\{362236B6-37AA-497b-9F3A-E79D52D10E33}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC88~1.EXE > nul
C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
C:\Windows\{FA33DB2D-DD71-4de0-959A-3EC7766D7CCF}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{36223~1.EXE > nul
Network
Files