Analysis Overview
SHA256
71d546866b6bd57bd3addee83e4738fb057c44eeb1781cf5ca1a55dbc6c1715c
Threat Level: Known bad
The file 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Modifies Installed Components in the registry
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15. The behaviour recorded below maps to T1547.014 (Boot or Logon Autostart Execution: Active Setup) for the Installed Components stubpath entries and T1070.004 (Indicator Removal: File Deletion) for the cmd.exe /c del chain.
Analysis: static1
Detonation Overview
Reported
2024-06-10 04:17
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 04:10
Reported
2024-06-10 04:41
Platform
win10v2004-20240508-en
Max time kernel
69s
Max time network
97s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1D80A0B-3479-4edd-B43E-856FD86C53CB} | C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}\stubpath = "C:\\Windows\\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}\stubpath = "C:\\Windows\\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe" | C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E49E1E-308D-4e42-AACE-F1634AA78878} | C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E} | C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}\stubpath = "C:\\Windows\\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe" | C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718} | C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CC750B-4451-42b5-AA2B-C4C2A510135E} | C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CC750B-4451-42b5-AA2B-C4C2A510135E}\stubpath = "C:\\Windows\\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe" | C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E49E1E-308D-4e42-AACE-F1634AA78878}\stubpath = "C:\\Windows\\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe" | C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | N/A |
| N/A | N/A | C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | N/A |
| N/A | N/A | C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | N/A |
| N/A | N/A | C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | N/A |
| N/A | N/A | C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | N/A |
| File created | C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | N/A |
| File created | C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | N/A |
| File created | C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | N/A |
| File created | C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe | C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe" |
| C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{C1D80~1.EXE > nul |
| C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7A775~1.EXE > nul |
| C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{29CC7~1.EXE > nul |
| C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe | C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{05E49~1.EXE > nul |
| C:\Windows\{D128C14C-13EF-492e-992A-8947AFEB5E13}.exe | C:\Windows\{D128C14C-13EF-492e-992A-8947AFEB5E13}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{18BAD~1.EXE > nul |
| C:\Windows\{4C04DDCB-2D88-4b19-B6F7-FA1A0DA6BB19}.exe | C:\Windows\{4C04DDCB-2D88-4b19-B6F7-FA1A0DA6BB19}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D128C~1.EXE > nul |
| C:\Windows\{6DC2DCB6-8E37-4086-9A1E-6040EE88FC65}.exe | C:\Windows\{6DC2DCB6-8E37-4086-9A1E-6040EE88FC65}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4C04D~1.EXE > nul |
| C:\Windows\{0F48EC3C-BC6F-4a6c-B79E-89C346FE47AF}.exe | C:\Windows\{0F48EC3C-BC6F-4a6c-B79E-89C346FE47AF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6DC2D~1.EXE > nul |
| C:\Windows\{9FB22527-35A3-423f-95A6-9FFDBCA971E6}.exe | C:\Windows\{9FB22527-35A3-423f-95A6-9FFDBCA971E6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0F48E~1.EXE > nul |
Network
All recorded traffic consists of PTR (reverse DNS) lookups sent to 8.8.8.8; the in-addr.arpa names decode to 52.137.106.217, 93.184.221.240, 20.190.159.71, 192.229.221.95, 52.167.17.97, 13.85.23.86, 20.3.187.198 and 52.111.236.22. No connection from the sample's own processes to any of these addresses is recorded in this report.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe
| MD5 | f13ff9cbc42ec6948b2754e12e837750 |
| SHA1 | 5d3573d95bb6daa4e4faa0a928630595de32d199 |
| SHA256 | d95d03996afb65f646a960829a201b669f945813b248264690d1b513a293a9a3 |
| SHA512 | 1c953f2a9d2eea7b1e121ced10472144accab0c4834578e588ed5ef3f3534c7c43f778c74cc255684e45d18fe4d33cfbfb833a458248d93d597b90d6f887ba3b |
C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe
| MD5 | 61f9b1e29fece0443e1335c460452b6d |
| SHA1 | 6506dbc105ab55058af02e98e2eb986bc2fa8efc |
| SHA256 | be18a1b86e3f655f9d9c020757c17f233df30de18c31477a8749ee645832dd45 |
| SHA512 | 27f7c1cb8c88a7ec91ada202160fbc2100b3fd8143cb244977bccca2e5206dcd7151f1e17bb8e86f1682ee692a24df080a37a8efb67611bf2a5ccf691995131c |
C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe
| MD5 | 24aff4051286f5ee94d1952af0c0c36b |
| SHA1 | 2f065b149b81a22c303090ed069b5ae4b9c429a4 |
| SHA256 | 4860ee272eea2bbaf86d03f4d36954ff7191afb07f685346cf4b98b7b8e097f5 |
| SHA512 | de36f09521740d6677f6cb0b74d75883355720dd12349fc3d40ef95fdeba5f85f709eb2ef7cde863d62a93d1e1e2a411cd4c67b3f91ba082c220b2ab0ba8ae41 |
C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe
| MD5 | 74e14ce6556272bebb22b9b2a3a01775 |
| SHA1 | ff0b46744aa9f6e5f2819334637b9a41a9d1b28a |
| SHA256 | 7a4cd9f7ca3f97787ad9410467a4f0f193789112d6aaec599d5c17232b0f3291 |
| SHA512 | 3704a36354e356f217d235a52b17120b99945340e8298c203e9231cfbfd3e316be5159c73637da1d210b46a68d2b69a5bd7264f673afcc6b5f3811d27324ab62 |
C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe
| MD5 | 9c33edd401335e3ab9d16dac6c3b9d7e |
| SHA1 | 7b70f2f8d7ecc5eec27999194d45648bed3e6f6f |
| SHA256 | 27c2e0df35d2417014b3be06346355ccbc552587403a15aabb991855cacf93b9 |
| SHA512 | 079bbcb650905a5d13bbad7c188e1551973f37f0467e4d296147bf5b7a887d788eb4c5c12a48fe7f97173212dd3f1c9cc7991a1039f3f53f6ce2de264c6f37e8 |
C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe
| MD5 | fbffa3044661c44d31b5d74798d17182 |
| SHA1 | 1d9efdff54790ebca3922b4729bd29151e2db020 |
| SHA256 | 11b8851bb2057bf929f5a7ca346f1312675ab22ba1f1c2f8c938563696f3f67a |
| SHA512 | fc2cc56b787b12375b60887788c1a896178265789892eecca02a0086ee00c76cabcdc32cd8619a02ba6ecb1082f74f2d63caa1f026679f7e89db7a48d45cc93a |
C:\Windows\{D128C14C-13EF-492e-992A-8947AFEB5E13}.exe
| MD5 | 6f5b2f4c1eca91fbfcad1b4556aef8eb |
| SHA1 | 0c3f5255b5d2d31142f0e85b94b4d97846738e94 |
| SHA256 | a6f1603b5ddf36160e22e0d9dad4de3b85f89fa176bf12f893c94327cb39f558 |
| SHA512 | a4ca19316686367583071a0180fe6c4d964083f0bec84e024adeb2ed66da279cf867cf431143355b805c20c35d368277e60bf51b1c5439d753d6df409ed06bb4 |
C:\Windows\{4C04DDCB-2D88-4b19-B6F7-FA1A0DA6BB19}.exe
| MD5 | c8cead85543fb65a5e18c8eeb124a663 |
| SHA1 | fec1a01d034eb1243e3054ff23b7bf6f807cb1a9 |
| SHA256 | 9a966489ebdfc325959e34017306fa1e2a60d4a6471a1e1c0c9f5446eba4c7ae |
| SHA512 | ced171321be9fdf8acd24b261d9045493208233ae3704d84e86bc2ce8bc5f2284f8959e62c1c8774ad555ebcca15c3c6fc958b32f9a22a425d4f4a9d2d0879b3 |
C:\Windows\{6DC2DCB6-8E37-4086-9A1E-6040EE88FC65}.exe
| MD5 | 3ba855d88392589b5241af5f5b047380 |
| SHA1 | e66d77f100ca2c4813b08f785cd6626b6e677ee4 |
| SHA256 | 74659944398ae1a7fa8c2fb7d715cf39921aed394d9cb3077258bdc708956010 |
| SHA512 | beaa3809c490b1dec77fdd4e0ca33d7af1c26a309aee758c13559c57c0cac076ef41b98dcf3ae2bbb8d919689d19fa5b083bf8d786b434a30de0e0838d20e2ce |
C:\Windows\{6DC2DCB6-8E37-4086-9A1E-6040EE88FC65}.exe
| MD5 | 7ae555bbcbf4489efe2d99dd10ba8031 |
| SHA1 | 4107c575054325bbc4aca2af36d950e42a82b938 |
| SHA256 | ca8673d607d62b3a74e873da6e9e7505fc92859c0f92ef7d7d9a382280d0be4c |
| SHA512 | 78d205502cd223af3090edc9d8fde3cedc12aaf9c9427129a95442030f159e0ad961814c51ac2cf66a25355ff696ae93965601dd96dde286970c9ec7500067e1 |
C:\Windows\{0F48EC3C-BC6F-4a6c-B79E-89C346FE47AF}.exe
| MD5 | 1630bc9119a8eeb6a4eec7fed9576d5f |
| SHA1 | 9b9019cfd7826084f472dddb44cdcadc7ed8ffe3 |
| SHA256 | 81da80a991eec81f83852ad5fc7d4b14bfa076b9f78d25ba5106caba42f72ada |
| SHA512 | 4b10a455dcd2754e2a2e301f199bd41bdd6f2b59f4fbad99129f9807cb5fbb87b4bb25020d106c014c991077b99bb0e38b1c304061f6d7a4d6efbe3ce2f8a7ac |
C:\Windows\{9FB22527-35A3-423f-95A6-9FFDBCA971E6}.exe
| MD5 | 35f19861845f4ed7c053d6ee8ce7999b |
| SHA1 | 5b7226766176ee5fbb182508da286e425109902f |
| SHA256 | 409835f4cf8ed7f9c1084c1c694331dcc2c51c856900fcc22023817a7f660260 |
| SHA512 | 90c93fa4bce4807ad0cc7122590d8780f24337d764545733a86b0de1620090a85b725950a64dd9ec3d88a0ec42dee40bfe6b358e5dc83dbba30205351ed5c7b2 |
C:\Windows\{9FB22527-35A3-423f-95A6-9FFDBCA971E6}.exe
| MD5 | 1a4cbecc2d8ae7b61610b90989f73515 |
| SHA1 | 87e95d4ae5ba255d81bdfd28e3f7291f6fc5f8ca |
| SHA256 | 04933d288a942a7f8ce7c98c0931d9d936a54154121b2c97cdf87c40bf609074 |
| SHA512 | 43a7d2c7cd922681f93c109efd23bce04ffada1447817138cf68b70baf6b8abc8b22d157a2b8c1ddbd145c11570777015488710a7270ff452153a92fdfdca528 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 04:10
Reported
2024-06-10 04:41
Platform
win7-20240220-en
Max time kernel
75s
Max time network
121s
Command Line
Signatures
Auto-generated rule
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7959034-881C-42e8-8249-89AD8819C1DC}\stubpath = "C:\\Windows\\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe" | C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160} | C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9813416-B0D7-40e2-A823-1ED3622119CF} | C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{859B9250-2726-4e1e-8340-CFBD3D779E2C}\stubpath = "C:\\Windows\\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe" | C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F3891D4-74EC-468b-A927-C66142374897} | C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{701B1477-0536-4ce8-A0AC-4272467DFDCA}\stubpath = "C:\\Windows\\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7959034-881C-42e8-8249-89AD8819C1DC} | C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9813416-B0D7-40e2-A823-1ED3622119CF}\stubpath = "C:\\Windows\\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe" | C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{859B9250-2726-4e1e-8340-CFBD3D779E2C} | C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F3891D4-74EC-468b-A927-C66142374897}\stubpath = "C:\\Windows\\{2F3891D4-74EC-468b-A927-C66142374897}.exe" | C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{701B1477-0536-4ce8-A0AC-4272467DFDCA} | C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}\stubpath = "C:\\Windows\\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe" | C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe | N/A |
| N/A | N/A | C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe | N/A |
| N/A | N/A | C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe | N/A |
| N/A | N/A | C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe | N/A |
| N/A | N/A | C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe | N/A |
| N/A | N/A | C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe | C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe | N/A |
| File created | C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe | C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe | N/A |
| File created | C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe | C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe | N/A |
| File created | C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe | C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe | N/A |
| File created | C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | N/A |
| File created | C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe | C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe" |
| C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe | C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe | C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{701B1~1.EXE > nul |
| C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe | C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D7959~1.EXE > nul |
| C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe | C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E6B1F~1.EXE > nul |
| C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe | C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A9813~1.EXE > nul |
| C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe | C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{859B9~1.EXE > nul |
| C:\Windows\{D7390EF6-EE50-4bcf-B5A0-2C467D102060}.exe | C:\Windows\{D7390EF6-EE50-4bcf-B5A0-2C467D102060}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2F389~1.EXE > nul |
| C:\Windows\{4381FE12-067D-4ddb-8CB2-5B12FA51CDC3}.exe | C:\Windows\{4381FE12-067D-4ddb-8CB2-5B12FA51CDC3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D7390~1.EXE > nul |
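The registry and process tables of both behavioral runs show one pattern: each stage writes a {GUID}.exe into the root of C:\Windows, registers that path as an Active Setup stubpath (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}\StubPath, which Windows runs once per user at the next logon when the HKCU copy of the key is absent, T1547.014), executes it, and a cmd.exe removes the previous stage by its 8.3 short name with errors hidden by "> nul". Two details matter when reading the tables: the Wow6432Node key and the SysWOW64\cmd.exe image behind a command line naming system32\cmd.exe are both WOW64 redirection, so every stage is a 32-bit process; and the flattened process list does not record which process spawned each cmd.exe. The Python below is an added example, not part of the sandbox report or of the sample: it replays a constructed, abbreviated copy of the behavioral1 events (the field names kind, proc, key, value, path and cmdline, and the helper names, are this example's own), reconstructs the drop chain, flags stubpaths that point at GUID-named executables in C:\Windows, and resolves each del target back to the stage it removed using an approximation of the NTFS 8.3 naming rule. The same checks apply unchanged to the behavioral2 (win10) tables.

```python
"""
Checks for the pattern in this report's registry and process tables: each stage
drops a GUID-named .exe into C:\\Windows, registers it as an Active Setup
stubpath, runs it, and a later cmd.exe deletes the previous stage through its
8.3 short name. Added example, not part of the sandbox report; EVENTS is a
constructed, abbreviated rendering of the behavioral1 tables (own field names).
"""
import ntpath
import re

ORIG = r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe"
S1 = r"C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe"
S2 = r"C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe"
S3 = r"C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe"
ACTIVE_SETUP = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
DEL = r"C:\Windows\system32\cmd.exe /c del %s > nul"


def guid_of(path):
    """'{GUID}' stem of a C:\\Windows\\{GUID}.exe path."""
    return ntpath.splitext(ntpath.basename(path))[0]


def stub_event(writer, exe):
    return {"kind": "reg_set", "proc": writer, "value": exe,
            "key": ACTIVE_SETUP + "\\" + guid_of(exe) + "\\stubpath"}


# Constructed from the report. It does not record which process spawned each
# cmd.exe, so proc_create events carry only the command line.
EVENTS = [
    stub_event(ORIG, S1), {"kind": "file_create", "proc": ORIG, "path": S1},
    {"kind": "proc_create", "cmdline": DEL % r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"},
    stub_event(S1, S2), {"kind": "file_create", "proc": S1, "path": S2},
    {"kind": "proc_create", "cmdline": DEL % r"C:\Windows\{701B1~1.EXE"},
    stub_event(S2, S3), {"kind": "file_create", "proc": S2, "path": S3},
    {"kind": "proc_create", "cmdline": DEL % r"C:\Windows\{D7959~1.EXE"},
]

GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
GUID_EXE_IN_WINDIR = re.compile(r"^C:\\Windows\\" + GUID + r"\.exe$", re.I)
STUBPATH_KEY = re.compile(r"\\Active Setup\\Installed Components\\(" + GUID + r")\\stubpath$", re.I)
DEL_CMD = re.compile(r"\bcmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)  # targets without spaces, as in the report
SHORT_83 = re.compile(r"^(?P<dir>.*\\)(?P<stem>[^\\~]{1,6})~\d+\.(?P<ext>[^.\\]{1,3})$")


def active_setup_stubs(events):
    """(key GUID, stubpath, writing process) for stubpaths pointing at a GUID-named
    .exe in the root of C:\\Windows. Windows' own Installed Components entries point
    at binaries under System32 (regsvr32, ie4uinit, unregmp2), never at {GUID}.exe."""
    hits = []
    for e in events:
        m = e["kind"] == "reg_set" and STUBPATH_KEY.search(e["key"])
        if m and GUID_EXE_IN_WINDIR.match(e["value"]):
            hits.append((m.group(1), e["value"], e["proc"]))
    return hits


def drop_chain(events):
    """Stages in order, following file_create edges from the one writer nobody
    created (the submitted sample). Stops where a stage drops more than one file."""
    name, drops = {}, {}
    for e in events:
        if e["kind"] == "file_create":
            src, dst = e["proc"].lower(), e["path"].lower()
            name[src], name[dst] = e["proc"], e["path"]
            drops.setdefault(src, []).append(dst)
    dropped = {d for ds in drops.values() for d in ds}
    roots = [s for s in drops if s not in dropped]
    if len(roots) != 1:
        raise ValueError("expected one root dropper, got %r" % [name[r] for r in roots])
    chain, cur = [], roots[0]
    while cur is not None and name[cur] not in chain:
        chain.append(name[cur])
        nxt = drops.get(cur, [])
        cur = nxt[0] if len(nxt) == 1 else None
    return chain


def matches_short_name(short, long_path):
    """True if an 8.3 name such as C:\\Windows\\{701B1~1.EXE can denote long_path.
    NTFS builds the short stem from the first six characters of the long stem (spaces
    and dots removed, 8.3-illegal characters replaced by '_') plus ~N, and keeps three
    characters of the extension. Approximation: ~N with N > 1 means another file shares
    the prefix, so treat a hit as a candidate and confirm with the real short names (dir /x)."""
    m = SHORT_83.match(short)
    if not m:
        return False
    ldir, lbase = ntpath.split(long_path)
    lstem, lext = ntpath.splitext(lbase)
    lstem = re.sub(r"[+,;=\[\]]", "_", re.sub(r"[ .]", "", lstem))
    return (m["dir"].lower() == ldir.lower() + "\\"
            and m["stem"].lower() == lstem[:6].lower()
            and m["ext"].lower() == lext[1:4].lower())


def resolve_deletions(events, known):
    """Map each 'cmd.exe /c del <target> > nul' to the known path it removes;
    None when zero or several known paths fit the 8.3 name."""
    out = []
    for e in events:
        m = e["kind"] == "proc_create" and DEL_CMD.search(e["cmdline"])
        if m:
            fits = [p for p in known if matches_short_name(m["target"], p)]
            out.append((m["target"], fits[0] if len(fits) == 1 else None))
    return out


if __name__ == "__main__":
    chain = drop_chain(EVENTS)
    print("drop chain:", " -> ".join(ntpath.basename(p) for p in chain))
    for key_guid, stub, writer in active_setup_stubs(EVENTS):
        print("Active Setup", key_guid, "->", stub, "written by", ntpath.basename(writer))
    for target, resolved in resolve_deletions(EVENTS, chain):
        print("del", target, "removes", resolved)
```

To run this over real telemetry, feed Sysmon event ID 13 (registry value set), 11 (file create) and 1 (process create) records into EVENTS with the same fields. The 8.3 resolution is the weak point: a "~2" target, or a directory holding several names with the same six-character prefix, should be resolved from the live file system before concluding which file a del removed.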
Network
Files
C:\Windows\{701B1477-0536-4ce8-A0AC-4272467DFDCA}.exe
| MD5 | bf9398b7fedc16b39b773397812a5603 |
| SHA1 | f15b6e10211cfef1ff9944b627b2c53758eab839 |
| SHA256 | e03807bc203bae44159274cc5a09317b33fb87bfa4f0500dc7b50f32ac8a5149 |
| SHA512 | d60f64b8cf4197c109a86b990f38866c6b4028de9db5b96a329981bbf948694ca93871d939629e5241d8d36cd88a44343c3129257b3283926e87c270f64c4a58 |
C:\Windows\{D7959034-881C-42e8-8249-89AD8819C1DC}.exe
| MD5 | 6b1347e4e69bf6877df30eb1d5678fca |
| SHA1 | 4773265902984216aa242fb9f68658edf609cc69 |
| SHA256 | 510fdb82b323a1eefba450d16794df314e32dcbbc84e24a7c3c55ee3d2720aa6 |
| SHA512 | 0d4203fd768b2713e62153c863cb49d34455c28bbfb0c87a7f4288d68e856f38f3bd57267c1c53896581205ba491f9b851b716230b7c1ffd0bb12a1746d5e9f2 |
C:\Windows\{E6B1F28E-3DCD-40e9-8B37-E2C3FB9B7160}.exe
| MD5 | 787dc17bb7f2ef76e4126af6cd8a9d19 |
| SHA1 | 6deea89cab426c2679c8ca7db2afcf35fb010bc2 |
| SHA256 | 8d9dbd860fe3f0a71f4da99ea47e99440c7adbbd67e74554ebcd0d6075d88978 |
| SHA512 | e8bdb300730d0e28f943a3701ca6b98d66eb520b83110afe3cd7083dc4c31721756f11167289496f186f5c162915b05c3d17c656467e3022f3875cdf594ac56f |
C:\Windows\{A9813416-B0D7-40e2-A823-1ED3622119CF}.exe
| MD5 | f1bb9fe2f7feeb62734012e2d07cc994 |
| SHA1 | 6dc7b96925c88304416c8319823b3869b14e64e6 |
| SHA256 | 8df266fde65afa0c35c7335d17723b77d58e32e7d70aae4ab40024cb3b97fb26 |
| SHA512 | 83c0b6b2cf99acef6a4039004121820a57a9f319486935dc11670c5a70c4fd8adb4ffb32ebb604dc4c6a5c2c0428a9e00912fb37c83a5e4f8f0c8cab21822782 |
C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe
| MD5 | 7f657649944b4c91452521dd0a891839 |
| SHA1 | 251ebff75dcd3a7a95de7d8326e55cf5ad9c773d |
| SHA256 | bb295233bc59157419b2195027bcfbe8c1a4d6fb59957b5e596e9d4b0e6cf252 |
| SHA512 | 7790006eae2dd668790c8f59fde23d5975965a689087ddcaa0187007517b9a6f1f1297df995f820d0b4b1b34fdee50d2692ee6e3bfac7f8c14e865a942df2b62 |
C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe
| MD5 | 8fba8d942fa96dab5244a563a9498d31 |
| SHA1 | 88f71da3e9377bc8f28991e6219442a0bd2601d7 |
| SHA256 | ad78f0e70c87297901f89395e8dbce919112c23be002d68842ef8541fba648b4 |
| SHA512 | a73301538bad72df7253d81a5a49dd7fc4aab3c363fa930bd004b80177c7379bc36602502cd1416e346e8ecd4f2a9acf83feb10448e4fb891c15f3f0f2b6a3c0 |
C:\Windows\{859B9250-2726-4e1e-8340-CFBD3D779E2C}.exe
| MD5 | c9e2ac6497509f5815050348e472fbea |
| SHA1 | 2f53431b4ea143f14877337012f3e9834e2cce7b |
| SHA256 | d204247c12cecfd2af845ee2087066c34d82993b2cd6fa0eea08162f6e0ecf48 |
| SHA512 | 0b94ce14e6d1f31c38bc2cc44cddb4092e053b52ac78805ec1a84807afeceec46a0786afa0dc45158bd360435e5428387436685a7aef6477cb98129651b319bc |
C:\Windows\{D7390EF6-EE50-4bcf-B5A0-2C467D102060}.exe
| MD5 | e67dc4636100246c1a8b602647079f72 |
| SHA1 | d998a29735e47e980409d93857b6abc704903b05 |
| SHA256 | 17527124380df17cfa24cdda99dbb9ed3aaf469d93b34f75b1f8dd70058e6717 |
| SHA512 | e15fb73e8ff654c82e14c28bed78af820a89c497837961c6ece1e688d2f194afb6972db46ee1b96885d562da2fa816e3322ca2f10772684ee660a160fb45a46f |
C:\Windows\{2F3891D4-74EC-468b-A927-C66142374897}.exe
| MD5 | 8ab61473e99b58673a5b4331a53d0883 |
| SHA1 | d5bdb78e27009f88e3e45e8e746ae8d933c84abd |
| SHA256 | cd552f209b39d6a617d086a7c0a35931c6367321f18e1c60e56ef12f070b468a |
| SHA512 | 550da3c88837852e6a85f9daf086fea41cb0914e75f19c97b048863e859ce91e6d5f1c1f047b492d8906300a0b3821caf509159e3221ac9064aaf60d365ad038 |
C:\Windows\{D7390EF6-EE50-4bcf-B5A0-2C467D102060}.exe
| MD5 | dc880221f9b5257f6b552a6c79abe53a |
| SHA1 | fbf0e8dc2936539de1861288c9d2e541fd674456 |
| SHA256 | d069ade7da504316e15a41f9b25e25dc5f6b44b590014c026643dc7d39a8ffc7 |
| SHA512 | 8033a339bade456f0ea7abdb471eb780aed76c011a394d9455f6412f34d1985285117eaabe62f4cd14934299b7380244772bcb0f644976ada7cd45b1423259b3 |
C:\Windows\{4381FE12-067D-4ddb-8CB2-5B12FA51CDC3}.exe
| MD5 | e2773bc901ce7abcb741aa0c18417991 |
| SHA1 | 58bad29624673bf08b68d568955002a4c20df0ad |
| SHA256 | c694123d4df7d665931dc671b872b6c25be851fa5b10b3ee15788515932a00d0 |
| SHA512 | f52f1ff6bf0724a3372a88b51d7ae0e1367c95f2c03bd01bc546f5de829ea83f6a1cf2e7a8a45c0f1c118a239979fab0e02c950fa423c797963ae2baec3c4423 |