Analysis
- max time kernel: 32s
- max time network: 54s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-04-2024 06:47
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
- Resource: win10v2004-20240319-en
General
- Target: 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
- Size: 168KB
- MD5: ce91d0c905bccaba39047e0175c6b6cf
- SHA1: a3f82237a9838a73f60542f1c5fef3fbc41111e4
- SHA256: d74c9b9e40f432e631b7dd623eb5195680242079fa0abfb2d34d3c15d91e615f
- SHA512: cffde8743d59216a2988ef01044139ad08740c99574e79cb71a3840a87df9d7bdedd15ee0122b86920a1e2b16832e45a1b0af871d4c278fda03ffe44014c9842
- SSDEEP: 1536:1EGh0oVlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oVlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
Auto-generated rule - 2 IoCs
Processes:
resource | yara_rule
C:\Windows\{02610932-0964-4d34-9274-6C930FC5936F}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe | GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry - 2 TTPs, 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02610932-0964-4d34-9274-6C930FC5936F} | 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02610932-0964-4d34-9274-6C930FC5936F}\stubpath = "C:\\Windows\\{02610932-0964-4d34-9274-6C930FC5936F}.exe" | 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B} | {02610932-0964-4d34-9274-6C930FC5936F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}\stubpath = "C:\\Windows\\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe" | {02610932-0964-4d34-9274-6C930FC5936F}.exe

Executes dropped EXE - 2 IoCs
Processes:
pid | process
1860 | {02610932-0964-4d34-9274-6C930FC5936F}.exe
1604 | {C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe

Drops file in Windows directory - 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\{02610932-0964-4d34-9274-6C930FC5936F}.exe | 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
File created | C:\Windows\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe | {02610932-0964-4d34-9274-6C930FC5936F}.exe

Suspicious use of AdjustPrivilegeToken - 2 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 848 | 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 1860 | {02610932-0964-4d34-9274-6C930FC5936F}.exe

Suspicious use of WriteProcessMemory - 12 IoCs
Processes:
description | pid | process | target process
PID 848 wrote to memory of 1860 | 848 | 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe | {02610932-0964-4d34-9274-6C930FC5936F}.exe
PID 848 wrote to memory of 1860 | 848 | 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe | {02610932-0964-4d34-9274-6C930FC5936F}.exe
PID 848 wrote to memory of 1860 | 848 | 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe | {02610932-0964-4d34-9274-6C930FC5936F}.exe
PID 848 wrote to memory of 3672 | 848 | 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe | cmd.exe
PID 848 wrote to memory of 3672 | 848 | 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe | cmd.exe
PID 848 wrote to memory of 3672 | 848 | 2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe | cmd.exe
PID 1860 wrote to memory of 1604 | 1860 | {02610932-0964-4d34-9274-6C930FC5936F}.exe | {C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe
PID 1860 wrote to memory of 1604 | 1860 | {02610932-0964-4d34-9274-6C930FC5936F}.exe | {C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe
PID 1860 wrote to memory of 1604 | 1860 | {02610932-0964-4d34-9274-6C930FC5936F}.exe | {C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe
PID 1860 wrote to memory of 2120 | 1860 | {02610932-0964-4d34-9274-6C930FC5936F}.exe | cmd.exe
PID 1860 wrote to memory of 2120 | 1860 | {02610932-0964-4d34-9274-6C930FC5936F}.exe | cmd.exe
PID 1860 wrote to memory of 2120 | 1860 | {02610932-0964-4d34-9274-6C930FC5936F}.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_ce91d0c905bccaba39047e0175c6b6cf_goldeneye.exe"
  PID: 848
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\{02610932-0964-4d34-9274-6C930FC5936F}.exe
    Command line: C:\Windows\{02610932-0964-4d34-9274-6C930FC5936F}.exe
    PID: 1860
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe
      Command line: C:\Windows\{C102AF8F-AB2B-4a40-A5B9-777CA6F57C0B}.exe
      PID: 1604
      - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{02610~1.EXE > nul
      PID: 2120
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
    PID: 3672
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 168KB
  MD5: 6b7d4314c873944a4a748ad89beb063e
  SHA1: 8e98462585d0057ceb19d2f16cb5a0a8bd2ed1bd
  SHA256: be8c8c4749c7491c9966efbc02ad06b699ce4b4b778cfe2d5bdc87db814e1a7a
  SHA512: e3c35577abbc47894d97c31334c79338b4a41f15ca5a15e59516add2c4d7a2805d2502fc2c0f9f6d7462955bacaeeb1149271e223b6e238b984d04f73c8e4283
- Filesize: 168KB
  MD5: 9c34309ab109c12dfc1807b474b2c219
  SHA1: 5ed8b6ff40e27ce921ea66cf3d3c9f7120307e16
  SHA256: e546f37de4cf38a90c1dd16b981ec81dcaea7b48c93f2a19a59d3e5ce47a2b84
  SHA512: 22253b5074edcb09b1ce92c6ed07be2ff3c78fb754c19ae987874782a6c19406be9b4c6116f580d02af9447dd96a161c489a6e308e243030d00f2096bc9cc71b