Analysis Overview
SHA256
0dbdaab9f4a49f1a69493c62a58be2a079d3bc8a080344581f96aa2c13692f10
Threat Level: Known bad
The file 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye was found to be: Known bad.
Malicious Activity Summary
Auto-generated rule
Auto-generated rule
Modifies Installed Components in the registry
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
The report records no technique mapping. From the signatures below, the observed behaviour corresponds to T1547.014 (Boot or Logon Autostart Execution: Active Setup) for the stubpath values written under Installed Components, and T1070.004 (Indicator Removal: File Deletion) for the cmd.exe /c del that removes each previous stage.
Analysis: static1
Detonation Overview
Reported
2024-06-10 04:25
Signatures
Auto-generated rule
(no indicator details recorded)
Unsigned PE
(no indicator details recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 04:19
Reported
2024-06-10 04:41
Platform
win7-20240220-en
Max time kernel
76s
Max time network
125s
Command Line
Signatures
Auto-generated rule
(14 hits; no indicator details recorded)
Modifies Installed Components in the registry
Rows are grouped by writing process, in stage order: each process creates the Installed Components key for the next stage and sets its stubpath to the GUID-named copy in C:\Windows, so the next copy is launched at user logon by Active Setup.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5} | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}\stubpath = "C:\\Windows\\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C} | C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}\stubpath = "C:\\Windows\\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe" | C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E6A8C64-E312-4490-A1F5-73A411131640} | C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E6A8C64-E312-4490-A1F5-73A411131640}\stubpath = "C:\\Windows\\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe" | C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834} | C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}\stubpath = "C:\\Windows\\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe" | C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A09E36FB-B648-4a2d-90BD-33A0E55A1985} | C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}\stubpath = "C:\\Windows\\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe" | C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{629AD80D-08B7-43b3-B21E-F2700B80A670} | C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{629AD80D-08B7-43b3-B21E-F2700B80A670}\stubpath = "C:\\Windows\\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe" | C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe | N/A |
| N/A | N/A | C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe | N/A |
| N/A | N/A | C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe | N/A |
| N/A | N/A | C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe | N/A |
| N/A | N/A | C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe | N/A |
| N/A | N/A | C:\Windows\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe | C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe | N/A |
| File created | C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe | C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe | N/A |
| File created | C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe | C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe | N/A |
| File created | C:\Windows\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe | C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe | N/A |
| File created | C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | N/A |
| File created | C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe | C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Each GUID-named stage is followed by a cmd.exe that deletes the previous stage's file by its 8.3 short name (for example {7C31E~1.EXE for {7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe), so the on-disk copy that ran is gone by the time the next one starts. The image path is C:\Windows\SysWOW64\cmd.exe although the command line names system32: the sample is 32-bit and WOW64 redirects it, which is also why the registry writes land under Wow6432Node.
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe" |
| C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe | C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe | C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7C31E~1.EXE > nul |
| C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe | C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1EA09~1.EXE > nul |
| C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe | C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5E6A8~1.EXE > nul |
| C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe | C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CE0DE~1.EXE > nul |
| C:\Windows\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe | C:\Windows\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A09E3~1.EXE > nul |
| C:\Windows\{9315A027-DC05-4641-8958-2F5B93546B6C}.exe | C:\Windows\{9315A027-DC05-4641-8958-2F5B93546B6C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{629AD~1.EXE > nul |
| C:\Windows\{2A9A6F34-CD9C-46f8-8042-DC087BAAFD5E}.exe | C:\Windows\{2A9A6F34-CD9C-46f8-8042-DC087BAAFD5E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9315A~1.EXE > nul |
| C:\Windows\{933E4C93-AFEB-4ceb-8223-7F9C7DDAA35B}.exe | C:\Windows\{933E4C93-AFEB-4ceb-8223-7F9C7DDAA35B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2A9A6~1.EXE > nul |
| C:\Windows\{98075325-87F4-413e-994E-9E604F590B30}.exe | C:\Windows\{98075325-87F4-413e-994E-9E604F590B30}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{933E4~1.EXE > nul |
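The stubpath writes in the "Modifies Installed Components" table and the cmd.exe /c del lines in the process list are the two behaviours worth turning into detection logic outside the sandbox. The following Python is an added example, not part of this report or of any sandbox tooling: it rebuilds a few of the report's behavioral1 rows as constructed input records (the field names "process" and "indicator", the benign msiexec control entry and its placeholder GUID are assumptions), flags Active Setup stubpath values that point at a GUID-named executable in C:\Windows named after its own key, reconstructs the drop order from the unordered "File created" rows, and pairs each self-delete command line with the stage whose 8.3 short name it abbreviates.

```python
"""Hunt logic for the Active Setup persistence / self-delete chain in this report.
Added example, not part of the sandbox report: records are rebuilt from the behavioral1
rows; field names, the benign control entry and the 8.3 heuristic are assumptions."""
import re

ACTIVE_SETUP_STUBPATH = re.compile(  # ...\Active Setup\Installed Components\{GUID}\stubpath, either view
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432NODE\\)?MICROSOFT\\ACTIVE SETUP\\"
    r"INSTALLED COMPONENTS\\(?P<guid>\{[0-9A-F-]{36}\})\\STUBPATH$", re.IGNORECASE)
GUID_EXE_IN_WINDOWS = re.compile(r"^[A-Z]:\\WINDOWS\\\{[0-9A-F-]{36}\}\.EXE$", re.IGNORECASE)
SELF_DELETE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)

ORIG = r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe"
GUIDS = ["{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}", "{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}",
         "{5E6A8C64-E312-4490-A1F5-73A411131640}", "{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}",
         "{A09E36FB-B648-4a2d-90BD-33A0E55A1985}", "{629AD80D-08B7-43b3-B21E-F2700B80A670}"]
STAGE = [r"C:\Windows\%s.exe" % g for g in GUIDS]  # the six dropped copies named in the signatures

def _stub_event(writer, guid, view="Wow6432Node\\"):
    """One 'Set value (str)' row as the report prints it (value quoted, backslashes doubled)."""
    key = r"\REGISTRY\MACHINE\SOFTWARE\%sMicrosoft\Active Setup\Installed Components\%s\stubpath" % (view, guid)
    return {"process": writer, "indicator": '%s = "C:\\\\Windows\\\\%s.exe"' % (key, guid)}

REGISTRY_EVENTS = [  # two stubpath writes from the report plus one constructed benign control
    _stub_event(ORIG, GUIDS[0]), _stub_event(STAGE[0], GUIDS[1]),
    {"process": r"C:\Windows\System32\msiexec.exe",  # constructed: placeholder GUID, must not fire
     "indicator": r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components'
                  r'\{00000000-0000-0000-0000-00000000C0DE}\stubpath = "C:\\Windows\\System32\\regsvr32.exe /s example.dll"'}]
FILE_CREATED = [(STAGE[2], STAGE[1]), (STAGE[3], STAGE[2]), (STAGE[4], STAGE[3]),  # (dropped, dropper)
                (STAGE[5], STAGE[4]), (STAGE[0], ORIG), (STAGE[1], STAGE[0])]    # in the report's row order
CMD_LINES = [r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul",
             r"C:\Windows\system32\cmd.exe /c del C:\Windows\{7C31E~1.EXE > nul",
             r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1EA09~1.EXE > nul"]

def parse_set_value(indicator):
    """Split a 'key = "value"' indicator; undo the report's quoting and doubled backslashes."""
    key, _, raw = indicator.partition(" = ")
    return key, raw.strip('"').replace("\\\\", "\\")

def active_setup_findings(events):
    """Flag stubpath writes whose stub is a GUID-named EXE in %SystemRoot% named after its own key."""
    findings = []
    for ev in events:
        key, value = parse_set_value(ev["indicator"])
        m = ACTIVE_SETUP_STUBPATH.match(key)
        stub = value.split(" ")[0]  # image path only; any arguments follow a space
        if m and GUID_EXE_IN_WINDOWS.match(stub) and m.group("guid").lower() in stub.lower():
            findings.append({"guid": m.group("guid"), "stub": stub, "writer": ev["process"]})
    return findings

def self_delete_target(cmdline):
    """Return the path deleted by 'cmd.exe /c del X > nul', or None for any other command line."""
    m = SELF_DELETE.search(cmdline)
    return m.group("target") if m else None

def short_name_matches(short_path, full_path):
    """Heuristic 8.3 check: NAME~1.EXT shares a 6-char prefix and extension with the long name."""
    short = short_path.rsplit("\\", 1)[-1].upper()
    full = full_path.rsplit("\\", 1)[-1].upper()
    stem, tilde, rest = short.partition("~")
    ext = rest.partition(".")[2]
    return bool(tilde and ext) and full.startswith(stem) and full.endswith("." + ext)

def reconstruct_chain(file_created):
    """Order the drop chain from unordered (dropped, dropper) pairs; the root is never dropped."""
    dropped_by = {child.lower(): parent for child, parent in file_created}
    next_of = {parent.lower(): child for child, parent in file_created}
    roots = [p for _, p in file_created if p.lower() not in dropped_by]
    chain, cur = [], (roots[0] if roots else None)
    while cur:
        chain.append(cur)
        cur = next_of.get(cur.lower())
    return chain

def deleted_stages(chain, cmd_lines):
    """Pair each self-delete command with the stage whose long name its 8.3 target abbreviates."""
    pairs = []
    for target in filter(None, map(self_delete_target, cmd_lines)):
        pairs.append((target, next((s for s in chain if short_name_matches(target, s)), None)))
    return pairs

if __name__ == "__main__":
    for f in active_setup_findings(REGISTRY_EVENTS):
        print("Active Setup persistence:", f["guid"], "->", f["stub"], "written by", f["writer"])
    chain = reconstruct_chain(FILE_CREATED)
    print("Drop chain:", " -> ".join(p.rsplit("\\", 1)[-1][:12] for p in chain))
    for target, stage in deleted_stages(chain, CMD_LINES):
        print("Self-delete:", target, "removes", stage)
```

The 8.3 comparison is a prefix heuristic that fits the names in this report; real short-name generation also strips some characters and can produce ~2 and higher, so on a live host resolve the short name through the file system instead of guessing. On a host the same stubpath test applies to both HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and its Wow6432Node view.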
Network
No network traffic was recorded in this run.
Files
Several paths below appear more than once with different hashes ({629AD80D-...}, {9315A027-...}, {2A9A6F34-...}, {933E4C93-...}): the sandbox captured different content at the same path during the run. The per-file hashes therefore identify only this detonation's copies; the C:\Windows\{GUID}.exe path pattern and the Active Setup stubpath write are the durable indicators.
C:\Windows\{7C31E838-BB0B-4efa-BE3D-60419A4B6AC5}.exe
| MD5 | 3e68feca10318e689d86279afe2975ed |
| SHA1 | 14881fdd3fb06bcdbb931c0931a65ef615ef1b6a |
| SHA256 | ae859aac76d7e761d84f32b66b562c0ab9b445e70e3f86534f5f65fb1fecbc3b |
| SHA512 | 9629a69271f99efe4c442dbacc99e41853ca254da6944222b795a97994a574487b7bae4420eae8fa2f5ec51f84c9107526e996de7d36a01471870af852a926a9 |
C:\Windows\{1EA091A3-6CA6-4e51-BF91-C2E59CC5C53C}.exe
| MD5 | 1dc7e2cc64b7839e151c07f7e1099d3f |
| SHA1 | 2a5a439070d748bd836e5a67749e6ddc41bfa642 |
| SHA256 | 99c71a17f091cd571c7be7f60a33a2d1643b046098f779b6f2aba6d83167889b |
| SHA512 | 600bca6892e9e73ad0aa7db8acb7b4d78bb1d78ed5accc469932d31c748c1b92bc2035b695d9075b6a6fe6445daddcd93ae5cd0f1f475f1845e093f50319a4ee |
C:\Windows\{5E6A8C64-E312-4490-A1F5-73A411131640}.exe
| MD5 | ae1308cbe533134393f9aa5fb7ab7ba9 |
| SHA1 | 239beb578c9a1639caaae852fa4cd3fb9128b233 |
| SHA256 | 0dd49ee1e6457bb6f0bb2abf8b94b15482a13a33591181f2099a49c3005fb00a |
| SHA512 | 552a7305f11253fcc725823e3ceb5176ad530fe79b7d44344cc6810d6b93e7d888a6c35d07e4c1288fa6de4e3d0699b79a38068afb74451ab5a38c65f925ad19 |
C:\Windows\{CE0DE8F3-7DDD-4d4d-9FB2-C7DD6AB48834}.exe
| MD5 | 6f18a06a5fa9e9a250708871dcc95b81 |
| SHA1 | ca7e9299cf16a37bbba47d8f165e2301e6727dfc |
| SHA256 | 2a279da836c29bf239bf8cb062ea5f80f6cb9032f54f672a33ad9789042651a2 |
| SHA512 | 688aade79650d30cdbb98fd3c9cfa735759e131b410926e3846e18ffd7c9024c8319ae0da2092464689cfa0637dbe61890733d5938222fdd5dc61749d259d5d6 |
C:\Windows\{A09E36FB-B648-4a2d-90BD-33A0E55A1985}.exe
| MD5 | 3109afd8b54ab2d1c9f2bfb06bb582e4 |
| SHA1 | 2d8a64778a213d87f5fb713a6fb0a5d955395581 |
| SHA256 | f7601e93ef99e93c270ca4e04224db5d5b20f2157bdfb92ffc94e56aa5c45c2a |
| SHA512 | 241aa3952aee0c3d72111e9a14a073e6d48fe06240b111fce543d30dd2a3e1f9b0e012c345dd871eb32411509100e25d4bd57c51b8de754a787c9195a00d9291 |
C:\Windows\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe
| MD5 | 80849997449367514d329571d551215b |
| SHA1 | b705fa1dabe9014a6f67226f4feabfecad1e6d39 |
| SHA256 | 1fe6dec60870760c21c5676d43f97f9e019118f18b5f136a414a2603e7975c3d |
| SHA512 | 39290bc65a8f825121a21029dc073509c5fe173c15c3dfaf13154a7f2a47ff5588ac292e202f97126bb27dddde0e8b94bbb771fd4f163392040ede3eb246b6b3 |
C:\Windows\{9315A027-DC05-4641-8958-2F5B93546B6C}.exe
| MD5 | a60ca98940e632c09c0ea54b3a7f389f |
| SHA1 | ff915161cfae0a4eefd5a00c1bd0d7c57a4753ec |
| SHA256 | 557a01dc0bbcf3cc373c7671adf410177a2f131579ebc15450bac855330c8f31 |
| SHA512 | 71079f9e1e8ed829b7f7b418833215ee7e4a1676608aebbf814e2f3741744e20fded689cda5aec1c610436fa2ad625dc9c0e31ae1fdb215e50346f6be7271eb9 |
C:\Windows\{629AD80D-08B7-43b3-B21E-F2700B80A670}.exe
| MD5 | cc505bbf06f4df180a54a3103280150f |
| SHA1 | 8edf2c3a6a127047d7473b273d771c39f2aca175 |
| SHA256 | 940186badce55c215b8aa683004eef681bb392ca685a58bf7b35fdbc09582614 |
| SHA512 | 56693a0b9d5b45c576a0950a0454e39d72ac19775b8fbf37c7edf36312fee79439fd290c71c123927fd04661685f050127ffe9c3f999634c7e4d89f0deb4a8e0 |
C:\Windows\{2A9A6F34-CD9C-46f8-8042-DC087BAAFD5E}.exe
| MD5 | 4ef974897c9c2c0109f45c7ea2236a58 |
| SHA1 | f47388efc8938e363591dcfda58b58a64f74a38b |
| SHA256 | edca44f94b7ae3669f9f882695bd788363f7860e846bba4e354060a11b0d5e00 |
| SHA512 | 5dca899ec6bbfbd6d7610a11bcc49a6ff6f980bb5796e10bb18a71ead4e9b49fef927ef71689a0d1c2b204aa0b6856804262a8c17acf9c5658d9830b5067a468 |
C:\Windows\{9315A027-DC05-4641-8958-2F5B93546B6C}.exe
| MD5 | e3bebdef1477b208ed24f9d09254e983 |
| SHA1 | cb670c0f17bedb2c5a2fa5d51e619c8b6b13dc87 |
| SHA256 | 84898c819c20ff46789fd92289f1c2236520982291895ac92cda7daecac6ed54 |
| SHA512 | 0d1d38c92c091f0e7c70c6cc35ca8895a0a191e4b49b0717f622c17ec778e245d270eb94e7290e8bf32b308759a61eb33718c6ee3a8dd5c944734f8e4c69557a |
C:\Windows\{933E4C93-AFEB-4ceb-8223-7F9C7DDAA35B}.exe
| MD5 | ed57f0edbaf54109639062242b43a527 |
| SHA1 | 3b3d7dfd79787a624b437ad260a42b3850c55fc6 |
| SHA256 | 29f24a2155da4cfe230d99b55d51588e5c8c5f69a3ae89623e9aaa372e899fc2 |
| SHA512 | f09ef74ae52ee9dfa7a3381fa225871eed58feac0bffeb38b4ca26326149307750585a9699d3274d05f22d47a6c032e29537268d5bfabe93823ad3c446826270 |
C:\Windows\{2A9A6F34-CD9C-46f8-8042-DC087BAAFD5E}.exe
| MD5 | 46420b0c9049554c652ecb3a39fb2f9c |
| SHA1 | 800f00a4927a7791b9b25087db43ae40b82db3b3 |
| SHA256 | e2fc202903ed5e6ac137027b7209ec2026b36e2646e409a3b5059e72e23f77f6 |
| SHA512 | bbf904e451c4f1ee62f9a8e8bf375cc1b100806f778d248fa5d973404e52c4917197c7c8dddf0382400f35a9bf65295ffa2e01c4cb593809268ab89a157a9a77 |
C:\Windows\{98075325-87F4-413e-994E-9E604F590B30}.exe
| MD5 | b6affccceafc8fd8904801ccd7192aba |
| SHA1 | e99ee2d68a360ba6d8537a5c50d807e3dbadfdcd |
| SHA256 | 333ef86c138c3ecdd00b36b75531b835be438f85a77032cbc4578ccac76a7d85 |
| SHA512 | 530eb08ad4f05a9251e5e44c631eacd50cff27db6f61f48517c92188bb59b5363064d66d8ea6a2299bab02fef1af83e8501756441bb416b711248a632498ff48 |
C:\Windows\{933E4C93-AFEB-4ceb-8223-7F9C7DDAA35B}.exe
| MD5 | 49e2a1801699fc4deb353b00eaa4698c |
| SHA1 | f3dcfa4ce8b3470cf67fec07cffdf3872b3a7fee |
| SHA256 | e05125d6307aa96b930b030f38d24d0714d4f3aac7af1af85d9b63c8f1b4a2bb |
| SHA512 | 8fe8fdfe891d39b9fd55c63433bad15629d5655ef49107a558e582725b3c601b95bbad302d78caa1578aeddc74dd4e2fc503519d8a8c18a23249d1be537d48fc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 04:19
Reported
2024-06-10 04:41
Platform
win10v2004-20240508-en
Max time kernel
38s
Max time network
72s
Command Line
Signatures
Auto-generated rule
(10 hits; no indicator details recorded)
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C} | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}\stubpath = "C:\\Windows\\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15} | C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}\stubpath = "C:\\Windows\\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe" | C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569} | C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}\stubpath = "C:\\Windows\\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe" | C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | N/A |
| N/A | N/A | C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | N/A |
| N/A | N/A | C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | N/A |
| File created | C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | N/A |
| File created | C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe | C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe" |
| C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul |
| C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9F4EE~1.EXE > nul |
| C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe | C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{29CE3~1.EXE > nul |
| C:\Windows\{9E4F0DF2-A5D7-4537-BD71-15A5B1005C70}.exe | C:\Windows\{9E4F0DF2-A5D7-4537-BD71-15A5B1005C70}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{04D2A~1.EXE > nul |
| C:\Windows\{B95ADFD0-2753-4f85-9C73-4A21DB665ED5}.exe | C:\Windows\{B95ADFD0-2753-4f85-9C73-4A21DB665ED5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9E4F0~1.EXE > nul |
| C:\Windows\{F8C3016B-A707-4c3d-88DE-67128B797E9B}.exe | C:\Windows\{F8C3016B-A707-4c3d-88DE-67128B797E9B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B95AD~1.EXE > nul |
| C:\Windows\{FCD9A6A2-EA35-4a21-9A49-8263523F13E4}.exe | C:\Windows\{FCD9A6A2-EA35-4a21-9A49-8263523F13E4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F8C30~1.EXE > nul |
Network
The only traffic recorded is reverse DNS (PTR, in-addr.arpa) lookups sent to 8.8.8.8; no connection from the sample to a remote host appears in the table.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
As in behavioral1, some paths appear with more than one hash ({04D2A4A9-...} three times, {9E4F0DF2-...} twice): different content was written to the same path during the run.
C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe
| MD5 | 4caa8362deb017127e75cfbf15f9ede3 |
| SHA1 | 3d4d6457c84c6272c7e6051904da56f13e125652 |
| SHA256 | 9adf6cce615ff962eb33cb33620cbbdd30e814f0f39d92b9420fdfe45568872a |
| SHA512 | 87796ed33747ff0c79e0f5286e71dbd6cddbea3163a4f5d518019fb42ad9ef333821a2d2f5057f0572d2534ca0944a4a8bbacddcf66b5b621c47ab8c96176aef |
C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe
| MD5 | 70d7270a6b3299a91a4508959902b1b3 |
| SHA1 | 59d463abcb8568b0c589b075ff5eecf6076543e0 |
| SHA256 | 5f64b2e80d6608b07c43dc8bfb8dfb9a6a544f48ab21a8ce773d333d89c1b2ec |
| SHA512 | da9f924a9573e49a9f327c017c87af01019ab5e0453ef912af2fe35f94a46b5c083c1866d08290cb72e206eafb856d16bad295a7ae0584aff99d8136a93283e2 |
C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe
| MD5 | ef715bf5745ac9bb90a8e2237ec216e7 |
| SHA1 | d380252cb8d8cc5574a4db4d51f19cbc739ea0b7 |
| SHA256 | 0d8f1d25a90c23abc217a6d36931c1eeab77c041d0fa7ea5987a146bb88d770f |
| SHA512 | c1f02f3037137e610ff0607ffe1aa3c7a9c3b237afdbe1d3ee4a9bdc8eeeee6d2fa3d136754d2c18ae18d980118f139bfb71667cc0f4ffa37e6d2a40cd3e9dec |
C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe
| MD5 | 3da8c96cef5664b77bfa3b030aab4d38 |
| SHA1 | c2599c532e26302595625a69843e24922785dd60 |
| SHA256 | 8c9b93110d2d9d65717dd124e10e97ef65a8e6972f346c2d8a04fe50e53e5c3d |
| SHA512 | 66426da7a3d2f2fcbb9f8096eb411d4fb4f3ede3be8e875725c43d8745fd3e9664e9365be882424860c92cc5a8510e2e78bea1de70e7842d2a96ed7309ecbb08 |
C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe
| MD5 | 9b03c0b1662436742ab943c4e1f1a0ae |
| SHA1 | ad4fb39d546c7a56fd10d175ed6d331196a583db |
| SHA256 | 1af44249d2a4e7d0d08ac07c0f6987758959223e198ee28f2ccc68cddb2874cd |
| SHA512 | 6c39a681713155621eddb5c014c25a049350cc0b83047357befbbc0d11145eba01bb4ca1a6ae5bdf68cf7ae4c50f38af98facada38602a51517a8cd8c9852190 |
C:\Windows\{9E4F0DF2-A5D7-4537-BD71-15A5B1005C70}.exe
| MD5 | e2e85ab24a62dc579ab4285a94bab11e |
| SHA1 | ff487f4b6a15beaed45ed44de0ce550b22f08ed0 |
| SHA256 | 8ff23f33b6446d8177bbca5e048da6230ac8e7ed95f2c56fce8c4a2b6177d3a2 |
| SHA512 | 6adb38e88fab7660b610781ce1b7892d9de55082183bae4136b85dd484136712ff25ea927dbf6c96f06023c3f5854b3630a5a4d36fe09b5d7331c48d8ad4b8b5 |
C:\Windows\{9E4F0DF2-A5D7-4537-BD71-15A5B1005C70}.exe
| MD5 | 7953d1aba2580821a8fa14e66eb49b0a |
| SHA1 | 174be4e352baa5f43f1a0bbcd18911a53d878b02 |
| SHA256 | bfd67f3fab5bda18ac73e1e8769cd1ae62b8d193e00daa37fa800e869d35e691 |
| SHA512 | 6ecbec72633f8ce827c43cad46222679c59e74aa46a617e6c72018cbecb8ae6c3644ad3b78652e0ed4e6fb5ab98135834c189790831332fea1f1d6a9a20d4705 |
C:\Windows\{B95ADFD0-2753-4f85-9C73-4A21DB665ED5}.exe
| MD5 | 4bee6da23400fcc0637c025537360df6 |
| SHA1 | 4a54e85442b67f9258d76f1381a761c0745ad8ce |
| SHA256 | 921b9275c90ea0020100947117860d1d5f2b3de557d6ae0e855193c8ca0872da |
| SHA512 | 224e4f5666e8646e77b1255a6a87762a76fb46ed607a15d8d2ed570695737aa17ca00f29f91e015eef529c683fca3ba03707cdf97148e21ae01fcd5de0312873 |
C:\Windows\{F8C3016B-A707-4c3d-88DE-67128B797E9B}.exe
| MD5 | dc3249b04bb856d2b7720dd5934bbcc8 |
| SHA1 | 08a798942ab9196755dcfe84219ee6a8c3e354d9 |
| SHA256 | 01a3411df16ff520ca0927e08f83c9af7a1f3ee93b7223fd3ffc4fbe14842a57 |
| SHA512 | 232d03561798b28691ea46f9517154cb9de25db8329ee7ab073bdcdd39c8e2836bafc0208d20b88443ff88680dc4cb0e76c354f2d2da385bd32b0af1f23434c7 |
C:\Windows\{FCD9A6A2-EA35-4a21-9A49-8263523F13E4}.exe
| MD5 | 735b5c2540c8886311e4f0697d6f9e14 |
| SHA1 | 684d8131ca871d57fe363fa7ee039479915b8985 |
| SHA256 | 2e865eea9f5ff5fe19f35890e2fcfd5c0881dd2b1492e264e3bb0511bdb6b9eb |
| SHA512 | 34622cd7f90252475e764f3bc3e3faeb8cdec7c84deabf18e670b44acf7aacc7f72cec4044032c89394362e7761ad375b1621add77d4f832188918e76542ec84 |