d74c9b9e40f432e631b7dd623eb5195680242079fa0abfb2d34d3c15d91e615f

General

Target

2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Size

168KB
MD5

ce91d0c905bccaba39047e0175c6b6cf
SHA1

a3f82237a9838a73f60542f1c5fef3fbc41111e4
SHA256

d74c9b9e40f432e631b7dd623eb5195680242079fa0abfb2d34d3c15d91e615f
SHA512

cffde8743d59216a2988ef01044139ad08740c99574e79cb71a3840a87df9d7bdedd15ee0122b86920a1e2b16832e45a1b0af871d4c278fda03ffe44014c9842
SSDEEP

1536:1EGh0oVlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oVlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 2 IoCs

Processes:

resource	yara_rule
C:\Windows\{02610932-0964-4d34-9274-6C930FC5936F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe{02610932-0964-4d34-9274-6C930FC5936F}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02610932-0964-4d34-9274-6C930FC5936F}	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02610932-0964-4d34-9274-6C930FC5936F}\stubpath = "C:\\Windows\\{02610932-0964-4d34-9274-6C930FC5936F}.exe"	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}	{02610932-0964-4d34-9274-6C930FC5936F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}\stubpath = "C:\\Windows\\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe"	{02610932-0964-4d34-9274-6C930FC5936F}.exe

Executes dropped EXE 2 IoCs

Processes:

{02610932-0964-4d34-9274-6C930FC5936F}.exe{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe

pid process

1860 {02610932-0964-4d34-9274-6C930FC5936F}.exe
1604 {C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe

pid	process
1860	{02610932-0964-4d34-9274-6C930FC5936F}.exe
1604	{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe{02610932-0964-4d34-9274-6C930FC5936F}.exe

description	ioc	process
File created	C:\Windows\{02610932-0964-4d34-9274-6C930FC5936F}.exe	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
File created	C:\Windows\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe	{02610932-0964-4d34-9274-6C930FC5936F}.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe{02610932-0964-4d34-9274-6C930FC5936F}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	848	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1860	{02610932-0964-4d34-9274-6C930FC5936F}.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe{02610932-0964-4d34-9274-6C930FC5936F}.exe

description	pid	process	target process
PID 848 wrote to memory of 1860	848	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	{02610932-0964-4d34-9274-6C930FC5936F}.exe
PID 848 wrote to memory of 1860	848	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	{02610932-0964-4d34-9274-6C930FC5936F}.exe
PID 848 wrote to memory of 1860	848	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	{02610932-0964-4d34-9274-6C930FC5936F}.exe
PID 848 wrote to memory of 3672	848	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	cmd.exe
PID 848 wrote to memory of 3672	848	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	cmd.exe
PID 848 wrote to memory of 3672	848	2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe	cmd.exe
PID 1860 wrote to memory of 1604	1860	{02610932-0964-4d34-9274-6C930FC5936F}.exe	{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe
PID 1860 wrote to memory of 1604	1860	{02610932-0964-4d34-9274-6C930FC5936F}.exe	{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe
PID 1860 wrote to memory of 1604	1860	{02610932-0964-4d34-9274-6C930FC5936F}.exe	{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe
PID 1860 wrote to memory of 2120	1860	{02610932-0964-4d34-9274-6C930FC5936F}.exe	cmd.exe
PID 1860 wrote to memory of 2120	1860	{02610932-0964-4d34-9274-6C930FC5936F}.exe	cmd.exe
PID 1860 wrote to memory of 2120	1860	{02610932-0964-4d34-9274-6C930FC5936F}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\{02610932-0964-4d34-9274-6C930FC5936F}.exe
C:\Windows\{02610932-0964-4d34-9274-6C930FC5936F}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe
C:\Windows\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe
3⤵
- Executes dropped EXE
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{02610~1.EXE > nul
3⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02610932-0964-4d34-9274-6C930FC5936F}.exe

Filesize
168KB

MD5
6b7d4314c873944a4a748ad89beb063e

SHA1
8e98462585d0057ceb19d2f16cb5a0a8bd2ed1bd

SHA256
be8c8c4749c7491c9966efbc02ad06b699ce4b4b778cfe2d5bdc87db814e1a7a

SHA512
e3c35577abbc47894d97c31334c79338b4a41f15ca5a15e59516add2c4d7a2805d2502fc2c0f9f6d7462955bacaeeb1149271e223b6e238b984d04f73c8e4283

Download Submit
C:\Windows\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe

Filesize
168KB

MD5
9c34309ab109c12dfc1807b474b2c219

SHA1
5ed8b6ff40e27ce921ea66cf3d3c9f7120307e16

SHA256
e546f37de4cf38a90c1dd16b981ec81dcaea7b48c93f2a19a59d3e5ce47a2b84

SHA512
22253b5074edcb09b1ce92c6ed07be2ff3c78fb754c19ae987874782a6c19406be9b4c6116f580d02af9447dd96a161c489a6e308e243030d00f2096bc9cc71b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads