Analysis Overview
SHA256
9454d51978d5c52075bbda5623ed97a3a53a54f3bc3d098a2ae7ad1293d5ae15
Threat Level: Known bad
The file 2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:58
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:58
Reported
2024-04-06 22:03
Platform
win10v2004-20240226-en
Max time kernel
218s
Max time network
275s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E240DE9A-05E1-4618-870D-3F3478A6B13A}\stubpath = "C:\\Windows\\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe" | C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF12BAA6-F456-4393-A502-429924DF3B88}\stubpath = "C:\\Windows\\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A} | C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCEDA601-FC6A-46db-8073-44660FFF28DB} | C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54269115-FB73-4aff-B467-817B4147841A} | C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54269115-FB73-4aff-B467-817B4147841A}\stubpath = "C:\\Windows\\{54269115-FB73-4aff-B467-817B4147841A}.exe" | C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}\stubpath = "C:\\Windows\\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe" | C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3} | C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE} | C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}\stubpath = "C:\\Windows\\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe" | C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E240DE9A-05E1-4618-870D-3F3478A6B13A} | C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCEDA601-FC6A-46db-8073-44660FFF28DB}\stubpath = "C:\\Windows\\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe" | C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836} | C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF12BAA6-F456-4393-A502-429924DF3B88} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}\stubpath = "C:\\Windows\\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe" | C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}\stubpath = "C:\\Windows\\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe" | C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe | N/A |
| N/A | N/A | C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe | N/A |
| N/A | N/A | C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe | N/A |
| N/A | N/A | C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe | N/A |
| N/A | N/A | C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe | N/A |
| N/A | N/A | C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe | N/A |
| N/A | N/A | C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe | N/A |
| N/A | N/A | C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe | C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe | N/A |
| File created | C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe | C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe | N/A |
| File created | C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe | C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe | N/A |
| File created | C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe | C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe | N/A |
| File created | C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe | C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe | N/A |
| File created | C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe | C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe | N/A |
| File created | C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe | C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe | N/A |
| File created | C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe"
C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe
C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe
C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BF12B~1.EXE > nul
C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe
C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{80427~1.EXE > nul
C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe
C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A0DA5~1.EXE > nul
C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe
C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6B85F~1.EXE > nul
C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe
C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E240D~1.EXE > nul
C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe
C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BCEDA~1.EXE > nul
C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe
C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{54269~1.EXE > nul
Network
All traffic recorded in this run is reverse (PTR) lookups sent to 8.8.8.8:53 over UDP; no connection to the resolved hosts and no non-DNS traffic was captured, so these rows should not be read as command-and-control indicators without further evidence.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
Files
C:\Windows\{BF12BAA6-F456-4393-A502-429924DF3B88}.exe
| MD5 | 1d25e031ffc89a63f743f05743de5ea3 |
| SHA1 | e3123a3835a5826865ae29cf039b9a8cab060a63 |
| SHA256 | 4694bd0c2cb428bd32071ee8b205e6f9617a5e98a0dc8d6e9d56b44871515d34 |
| SHA512 | 130b17b0cd2beaa13f52bd0172ce5416c0e47c568822e2eeb71ecaa8da67fe1bc3d6317cd2e7fbb6fb81bab14bcb0a4a0bd554fee3ecd475367c7a079f00ace3 |
C:\Windows\{80427F2F-0E41-460c-AD96-A8FFA1F7F12A}.exe
| MD5 | be782e842cd3a75c7c16526e3d3db4a0 |
| SHA1 | ef6d370ddc5f3c338cd19d09a6fc01be7704cccb |
| SHA256 | 3d9b096fad6174e2dc6446d307f6c23e39821ae6a92a2feedbbe8e79ae11c193 |
| SHA512 | 27e68aaf61c7810996041bbd5079351641b9cc9c1b14f2c8f52e9638a3609c38bf9facbb73aa22f8e577122e8d4e46408ccfa7dc6db04fc92319ce2a20b74464 |
C:\Windows\{A0DA522C-395B-457c-BBB9-5E5EAC06E5A3}.exe
| MD5 | 31b278a20e9ecedb384f4eebc7682a75 |
| SHA1 | bc32d83cb4888a1b8c012361a5a84de7485e08dc |
| SHA256 | 20c136c9e50639b8aca25fc95d67ab638710fb82cf795ebf2e383f24e5f96815 |
| SHA512 | 19a87e35d8e9feee55ed3383e9ebf2a2bd16264f82946c173ed816b0124ccb70d01b680439194d5a86fd50c0e2f1adf0bb7fabeb54842dbf1a890bd8fa85aa63 |
C:\Windows\{6B85F12B-D478-4dfb-B3C0-DCC8CD3DABDE}.exe
| MD5 | 4c904275d25b37bbf6bcf9b21fb71a67 |
| SHA1 | fb2e3d47731b2857642bdda3e6c40ea13dff4c26 |
| SHA256 | ab2abb7fcf81923d2952cdefe469c2eacfe029a4ed41f3c6984d77b9f55827ab |
| SHA512 | d85301f50814801b0b51fcfada613d3eef04151110666789da17c25abe6d7fab5a931d857a9e2b5463715525bf47a69e83a8a91712dbdef9c7abbe79459dc637 |
C:\Windows\{E240DE9A-05E1-4618-870D-3F3478A6B13A}.exe
| MD5 | 3038fb7c19fceda124d3c05426c88dfc |
| SHA1 | e69b67c96eb9477be7af3387fdc1f2953e8754fd |
| SHA256 | 766e04f159096a745b6fa1fafe935639c28e7027fe906b7f87f037aba56b368a |
| SHA512 | 5b1557d73e38b7ee83b4d8cfe38222934e2369e7564180abbc57a938657c6e8da0cf2c20b572ebc207c9a8c31be866fbcecb8c31809d0d72eb9e3d441555a85d |
C:\Windows\{BCEDA601-FC6A-46db-8073-44660FFF28DB}.exe
| MD5 | 792837a8562dbaa82126dd1776286765 |
| SHA1 | 93b8152d3a91e539e2b516baaf4a420022bb588d |
| SHA256 | e38bb3d3b19df72fe7c65f2213acad60399822355f26c564763111309781d143 |
| SHA512 | a2a6afaace2e5aa0cefd02881af0a188d9e810ee5ffc00c185bf2033058fa9408999ea0c4b262ecb7d05b1b67233ad717910d65ef596517d72049f896092f92f |
C:\Windows\{54269115-FB73-4aff-B467-817B4147841A}.exe
| MD5 | 8f516284d6f619731a8bdb211522af1a |
| SHA1 | 95717a31c31e390333c06e3559500d38e3f3fe0f |
| SHA256 | dfc7d9b5ddcb2be596c57200523cf13cadfc447f524fabd7654c677417ee49d7 |
| SHA512 | 1bcd51bced192f85ddc1bd0112a9ca9930c1fb2146ea4fd4aa60867957b09185df553d24a697b8fee01700ec37fb95f35a669d26f092cf84351c9c2e58fea413 |
C:\Windows\{DBECD9F7-6FEE-4c7e-A6BE-690D7E220836}.exe
| MD5 | faeb26951d6982f4d43e14aaea15b9ea |
| SHA1 | 8984e0555821718bc8d90e29c28da4c3a72676d1 |
| SHA256 | fb122f130548f359f73646a5923963114e7b7ba25629ff829b8ec1a7010c0028 |
| SHA512 | bc5d74987015c7a6a3180ce03680925917298c8845ca04a3bbb84de23117b891c2d1c96268f7c1f6fce894fdf97acb77902f1ea2c5d9b7ea746c1d0eb7e37ff1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:58
Reported
2024-04-06 22:00
Platform
win7-20240215-en
Max time kernel
144s
Max time network
126s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6} | C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79E4F77C-7BB8-4779-8041-68B714170AC5} | C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79E4F77C-7BB8-4779-8041-68B714170AC5}\stubpath = "C:\\Windows\\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe" | C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00A9503A-08E4-4833-9E5F-CFD6D577A568} | C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6} | C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}\stubpath = "C:\\Windows\\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe" | C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0442944C-8774-410c-91A8-62B387803DB4} | C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00A9503A-08E4-4833-9E5F-CFD6D577A568}\stubpath = "C:\\Windows\\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe" | C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0442944C-8774-410c-91A8-62B387803DB4}\stubpath = "C:\\Windows\\{0442944C-8774-410c-91A8-62B387803DB4}.exe" | C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53695457-D5D5-41e5-9CB8-342513202B80} | C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE02FFA-E3E8-478e-9481-64E9937D181A} | C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9} | C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}\stubpath = "C:\\Windows\\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe" | C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1} | C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}\stubpath = "C:\\Windows\\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE02B52-5836-4997-96D8-73037DF192C1}\stubpath = "C:\\Windows\\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe" | C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43} | C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}\stubpath = "C:\\Windows\\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe" | C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53695457-D5D5-41e5-9CB8-342513202B80}\stubpath = "C:\\Windows\\{53695457-D5D5-41e5-9CB8-342513202B80}.exe" | C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEE02FFA-E3E8-478e-9481-64E9937D181A}\stubpath = "C:\\Windows\\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe" | C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE02B52-5836-4997-96D8-73037DF192C1} | C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}\stubpath = "C:\\Windows\\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe" | C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe | N/A |
| N/A | N/A | C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe | N/A |
| N/A | N/A | C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe | N/A |
| N/A | N/A | C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe | N/A |
| N/A | N/A | C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe | N/A |
| N/A | N/A | C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe | N/A |
| N/A | N/A | C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe | N/A |
| N/A | N/A | C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe | N/A |
| N/A | N/A | C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe | N/A |
| N/A | N/A | C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe | N/A |
| N/A | N/A | C:\Windows\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe | C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe | N/A |
| File created | C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe | N/A |
| File created | C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe | C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe | N/A |
| File created | C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe | C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe | N/A |
| File created | C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe | C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe | N/A |
| File created | C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe | C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe | N/A |
| File created | C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe | C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe | N/A |
| File created | C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe | C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe | N/A |
| File created | C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe | C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe | N/A |
| File created | C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe | C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe | N/A |
| File created | C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe | C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe"
C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe
C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe
C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8B02A~1.EXE > nul
C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe
C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{79E4F~1.EXE > nul
C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe
C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{00A95~1.EXE > nul
C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe
C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{36F92~1.EXE > nul
C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe
C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{04429~1.EXE > nul
C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe
C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{68018~1.EXE > nul
C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe
C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{53695~1.EXE > nul
C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe
C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE02~1.EXE > nul
C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe
C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EDE02~1.EXE > nul
C:\Windows\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe
C:\Windows\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9AB7A~1.EXE > nul
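The three tables above (file drops, Active Setup `stubpath` writes, and the `cmd.exe /c del … > nul` command lines) describe one mechanism: each stage writes the next GUID-named binary into C:\Windows, registers it under Active Setup\Installed Components (ATT&CK T1547.014), launches it, and the child removes its parent using the parent's 8.3 short name. The report prints these events in arbitrary order, so the script below is an added example (not part of the sandbox output) that reconstructs the stage order from the "File created" rows of the behavioral1 run, resolves every `del` target back to the long path it removed, and extracts the persistence entries. The event tuples are transcribed from the tables on this page; `short_name()` is an approximation of NTFS 8.3 naming that assumes no collisions (every alias ends in `~1`), and `stubpath_line()` renders the registry rows in the report's own format rather than reading them from a live registry.

```python
"""Reconstruct the stage chain, Active Setup persistence and self-deletion
recorded in the behavioral1 run above.

Added example; it is not part of the sandbox output. Event tuples are
transcribed from the report's tables; short_name() approximates NTFS 8.3
naming and assumes no collisions (so every short name ends in ~1).
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_f908043e7c78d666576d414bc958af9a_goldeneye.exe"
GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
STUB_RE = re.compile(r"Active Setup\\Installed Components\\\{(" + GUID + r")\}\\stubpath = \"(.+?)\"")
STAGE_RE = re.compile(r"C:\\Windows\\\{" + GUID + r"\}\.exe$", re.I)
DEL_RE = re.compile(r"cmd\.exe /c del (\S+) > nul", re.I)

def win(guid):
    """Path of a stage binary dropped into the Windows directory."""
    return r"C:\Windows\{" + guid + "}.exe"

def stubpath_line(guid):
    """Render a 'Set value (str)' indicator the way the report prints it (constructed input)."""
    return (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{"
            + guid + r"}\stubpath = " + '"C:\\\\Windows\\\\{' + guid + '}.exe"')

# "Drops file in Windows directory" rows as (created file, creating process), in page order.
FILE_CREATED = [
    (win("C7B09C42-37E7-446e-ACA6-3F95F4C87BB9"), win("9AB7A805-FE94-436e-91A8-4CF4FA87AC43")),
    (win("8B02A590-E7F7-4535-BDE0-72FD8FEC45F1"), SAMPLE),
    (win("36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6"), win("00A9503A-08E4-4833-9E5F-CFD6D577A568")),
    (win("53695457-D5D5-41e5-9CB8-342513202B80"), win("680183ED-13B9-4bb5-A9A0-277B03F0ADF6")),
    (win("EDE02B52-5836-4997-96D8-73037DF192C1"), win("CEE02FFA-E3E8-478e-9481-64E9937D181A")),
    (win("9AB7A805-FE94-436e-91A8-4CF4FA87AC43"), win("EDE02B52-5836-4997-96D8-73037DF192C1")),
    (win("79E4F77C-7BB8-4779-8041-68B714170AC5"), win("8B02A590-E7F7-4535-BDE0-72FD8FEC45F1")),
    (win("00A9503A-08E4-4833-9E5F-CFD6D577A568"), win("79E4F77C-7BB8-4779-8041-68B714170AC5")),
    (win("0442944C-8774-410c-91A8-62B387803DB4"), win("36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6")),
    (win("680183ED-13B9-4bb5-A9A0-277B03F0ADF6"), win("0442944C-8774-410c-91A8-62B387803DB4")),
    (win("CEE02FFA-E3E8-478e-9481-64E9937D181A"), win("53695457-D5D5-41e5-9CB8-342513202B80")),
]
# The report shows one Active Setup stubpath written for each dropped stage.
REG_LINES = [stubpath_line(re.search(GUID, created).group(0)) for created, _ in FILE_CREATED]
# cmd.exe command lines from the process list, in page order.
CMD_LINES = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8B02A~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{79E4F~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{00A95~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{36F92~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{04429~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{68018~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{53695~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE02~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{EDE02~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9AB7A~1.EXE > nul",
]

def drop_chain(file_created, root):
    """Order the stages by following creator -> created file, starting at the root sample."""
    next_stage = {creator: created for created, creator in file_created}
    chain, cur = [root], root
    while cur in next_stage and next_stage[cur] not in chain:  # loop guard for malformed data
        cur = next_stage[cur]
        chain.append(cur)
    return chain

def short_name(path):
    """Approximate the 8.3 alias cmd.exe received, e.g. {8B02A590-...}.exe -> {8B02A~1.EXE."""
    head, tail = ntpath.split(path)
    stem, ext = ntpath.splitext(tail)
    stem = re.sub(r"[ .+,;=\[\]]", "", stem)  # characters NTFS drops from a short name
    return ntpath.join(head, f"{stem[:6].upper()}~1{ext[:4].upper()}")

def active_setup_stubs(reg_lines):
    """GUID -> stubpath for every Active Setup stub that points at a GUID-named exe in C:\\Windows."""
    hits = {}
    for line in reg_lines:
        m = STUB_RE.search(line)
        if m:
            stub = m.group(2).replace("\\\\", "\\")  # the report doubles backslashes in values
            if STAGE_RE.match(stub):
                hits[m.group(1).upper()] = stub
    return hits

def deleted_stages(cmd_lines, chain):
    """Resolve each `cmd /c del <8.3 name>` back to the long path of the stage it removed."""
    by_short = {short_name(p).upper(): p for p in chain}
    targets = [m.group(1) for m in map(DEL_RE.search, cmd_lines) if m]
    return [by_short.get(t.upper(), t) for t in targets]

def remaining_on_disk(chain, deleted):
    """Stages no `del` command touched: what should still be present in C:\\Windows afterwards."""
    return [p for p in chain if p not in set(deleted)]

if __name__ == "__main__":
    chain = drop_chain(FILE_CREATED, SAMPLE)
    deleted = deleted_stages(CMD_LINES, chain)
    for i, stage in enumerate(chain):
        print(f"stage {i:2d}: {stage}  {'(deleted)' if stage in deleted else '(still present)'}")
    print(f"{len(active_setup_stubs(REG_LINES))} Active Setup stubpath entries remain in the registry")
```

Run as a script it prints the twelve stages in execution order. On this run's evidence every stage except the last is deleted by its successor, so only `{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe` should still be on disk, while all eleven `stubpath` values persist; Active Setup entries under `Installed Components` whose `stubpath` points at a file that no longer exists are therefore a useful hunting query on their own, and because every dropped stage has a different hash (see the Files section), file-hash blocking alone will not stop the chain.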
Network
Files
C:\Windows\{8B02A590-E7F7-4535-BDE0-72FD8FEC45F1}.exe
| MD5 | 5a0f6c5c8db006ede1b0c50ce883ed76 |
| SHA1 | cc85698a58af7be153affa5e380339ae9684aaa9 |
| SHA256 | 3541ef8ee4b30b570e62cc843e33ee645292a2cc3464bf3cfd74f59b83694ac9 |
| SHA512 | 151daefb692e22bae41424ae5c534b1be0b9505a972e8b0f2d802c684fd0140c5a8f1e73258af7a6a8a73523d744bb58df50a99a281e6f304c396001c22d55f3 |
C:\Windows\{79E4F77C-7BB8-4779-8041-68B714170AC5}.exe
| MD5 | 2ec6f91f58764bf48b6c4eb5ae1ecc33 |
| SHA1 | 4b1a4353d2b6b0c63ed4abd10b56f6a31a09827d |
| SHA256 | a9331979277cc27dda5bef5698815e98ce10895075197f89a312df66f57916c8 |
| SHA512 | 7db0b2bb30e135c99dd9f5b13a6c890ee8c3c55efca7f3bd2d73f4801c731ed4b13c5c352b0877c7e41b20901adf40cfe05f041adff84c6b05dfa9409d318091 |
C:\Windows\{00A9503A-08E4-4833-9E5F-CFD6D577A568}.exe
| MD5 | 820fb574e0353235705a07b5466f1c94 |
| SHA1 | 017583a7b3753f9bfde7f3b8d538cb39796ecf48 |
| SHA256 | 25bacb2f3ebed5bcb9897c79a2ed3b838f5374a8deb2ace7398ea6652845eea1 |
| SHA512 | 34164c3dcec8498587d167670b63e1197f344f2256badd94ddf4ec606bf98fffa9d7895e258c1fd8e8b5642101962f56e8cf5242dec0ee95c4c8f11971190d97 |
C:\Windows\{36F92EA6-D266-4f3e-BFB2-AD99C5C4A2F6}.exe
| MD5 | 30cd6270d7bf28f9bdd585880e6722ee |
| SHA1 | 82f70423c8e76529759bc7be2936da41b9aef372 |
| SHA256 | 8b4eea4ec6f46c265e1d1689d4b7fe1f1e69ebe2112703da6604185eaf82125a |
| SHA512 | d3e8ec8324407f9fdbc4860bc21fce3b3b1291cd2ba63a7fb05552114fb9cd03f426abb41ba560950a6a28c3c2082bcdfb2ac79314b6b044b2d441a6914d0b80 |
C:\Windows\{0442944C-8774-410c-91A8-62B387803DB4}.exe
| MD5 | 49e4fdaa19dd2e52e0e62a9c4fc97562 |
| SHA1 | 0757e881796cc981e62f67a83b6fa4a9d142ffe2 |
| SHA256 | 8282b37ef1da576de7fa5d2d7876e35058695ea8594bcc54dffbc3424458006b |
| SHA512 | a3fcd43a825115964a0c73bd724c42511b07f1c43461e93464e592c389243455c7af0322b1c0d4f26a4c1290ed2c51442b8969fe4b4dfbdf33dd23e271abdaa6 |
C:\Windows\{680183ED-13B9-4bb5-A9A0-277B03F0ADF6}.exe
| MD5 | c3312dbb56ec9b3ac0be4012dc542baa |
| SHA1 | b576c6ff082eedb1bd73741b6feec82c1b743445 |
| SHA256 | 2e60c86a53283b1486628114e133ba104eea486b9a2b5a604a9e635d9032f489 |
| SHA512 | e6cae4b059d6ce2496cbca2449d4e8d7e9f83a7deb2a8e801074c7e305d6fcee79e6b0b0a7975e46600d1e0b33787b42c6be7fd65798c53f8603f9257f8c77d5 |
C:\Windows\{53695457-D5D5-41e5-9CB8-342513202B80}.exe
| MD5 | 3a747f05b3e002d4d30020cd3e6da5f1 |
| SHA1 | 11ff2c0ee625282b56697caf7deb6abc32499d51 |
| SHA256 | b8fef9f4dbeb60dd20a8b4a6e1605412f7a6df28c1c27dacbf68375c076f273d |
| SHA512 | 94c18b0c01f98a3d6ac046fceb0a8d84f2db3b0b52463fd0823ab827b95c15e94e339797281cd214f055b33396c94ee35ab4bd2924a79106cd09aaa5429555dc |
C:\Windows\{CEE02FFA-E3E8-478e-9481-64E9937D181A}.exe
| MD5 | 915d4d3e73db87dff943c0d99cc20cb4 |
| SHA1 | 77d75cd127c691faff90a7eae9d5ea81f19150ba |
| SHA256 | 31aa6b3473f6a0beefedfc2fbc39c863ce7150720f5580ef24ec05113c7831fa |
| SHA512 | af7ee4007fd1f4872cf8b362c41295fa6a3ba2435294698e81d7935a2b4883f09d80684aeb67d1ba9f5cd2d282e9d746eca1979d4d6525a4907c083d7407fb3c |
C:\Windows\{EDE02B52-5836-4997-96D8-73037DF192C1}.exe
| MD5 | 22a577addfee447b22bfb4c139a45662 |
| SHA1 | 02ab8c4d0b5fc926d92c443f1550b8291e6e54c7 |
| SHA256 | bf5a8b69f3b92957aaea29b1c02e2ad0969bb5821d969f10f4b77c8c675c8617 |
| SHA512 | 421b0b7cfe9c707f445ac2e7958d7fd67819984a78b7c86dfcabc20d064d520ed8e541a1423aa75102808beda6ac2b66b13860f46b934de05741ab188659d1d1 |
C:\Windows\{9AB7A805-FE94-436e-91A8-4CF4FA87AC43}.exe
| MD5 | cd138347a3eb63cc65eacf12f6c17905 |
| SHA1 | 08a3173b724e7c7bae88371892b987d697146bac |
| SHA256 | 6bab3ac21dfdce76898bca0a9a3d1e479d3e63626834f32699f7e8c4f5762f4d |
| SHA512 | 3507499209ebc30c8714c15bc18ea437b7775a4426f45710812f4b6747133b07b92c8b1a21f5a2d8ea603b332a2269dc9c949dadd6bf06750bb844f916ede6b9 |
C:\Windows\{C7B09C42-37E7-446e-ACA6-3F95F4C87BB9}.exe
| MD5 | 2b8a5cbf17cb1cccae6221d238f7297a |
| SHA1 | 48f7dd63d48aff3669fe9015063d3cecfc710207 |
| SHA256 | 6ce7d0fc8f5e8d1ad548402c0276762d1f3f8142d707acf1fa507f1a5817efdf |
| SHA512 | c03598036a074b012cb34a9949e27c1cc581957c36887d6b7f062d95b7c6cfa7ac80ea40b84be30a24e8c7a3107ba10a243f3f61582b4804c197be13271db958 |