Analysis
max time kernel: 69s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 04:10

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe
Size: 408KB
MD5: 54def91bc41e5f6dedc6d0b825b03fef
SHA1: 1cfdc7443fdc12740eb1ec74f09db2dc8eec9b76
SHA256: 71d546866b6bd57bd3addee83e4738fb057c44eeb1781cf5ca1a55dbc6c1715c
SHA512: d6417abddab26c051f00c1e8be422106c36d2a4370830d9596f43741ad788fd2393a0c1f4bc86512c294a4fdfbf254b44392a1190f273268d4bcc4aa1812d402
SSDEEP: 3072:CEGh0odl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGzldOe2MUVg3vTeKcAEciTBqr3jy
Malware Config
Signatures
Auto-generated rule 12 IoCs

| resource | yara_rule |
|---|---|
| behavioral2/files/0x00070000000233d2-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x00080000000233c6-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x00080000000233d8-11.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x00090000000233c6-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x00090000000233c6-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x00090000000233d8-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000a0000000233c6-22.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x000a0000000233d8-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0003000000000731-31.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0003000000000731-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0003000000000733-35.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
| behavioral2/files/0x0004000000000731-38.dat | GoldenEyeRansomware_Dropper_MalformedZoomit |
Modifies Installed Components in the registry 2 TTPs 10 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1D80A0B-3479-4edd-B43E-856FD86C53CB} | 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}\stubpath = "C:\\Windows\\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe" | 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}\stubpath = "C:\\Windows\\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe" | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E49E1E-308D-4e42-AACE-F1634AA78878} | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E} | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}\stubpath = "C:\\Windows\\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe" | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718} | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CC750B-4451-42b5-AA2B-C4C2A510135E} | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CC750B-4451-42b5-AA2B-C4C2A510135E}\stubpath = "C:\\Windows\\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe" | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E49E1E-308D-4e42-AACE-F1634AA78878}\stubpath = "C:\\Windows\\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe" | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe |
Executes dropped EXE 5 IoCs
| pid | Process |
|---|---|
| 2220 | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe |
| 640 | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe |
| 2200 | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe |
| 4856 | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe |
| 428 | {18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe |
Drops file in Windows directory 5 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe |
| File created | C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe |
| File created | C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe |
| File created | C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe |
| File created | C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe |
Suspicious use of AdjustPrivilegeToken 5 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 5028 | 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe |
| Token: SeIncBasePriorityPrivilege | 2220 | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe |
| Token: SeIncBasePriorityPrivilege | 640 | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe |
| Token: SeIncBasePriorityPrivilege | 2200 | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe |
| Token: SeIncBasePriorityPrivilege | 4856 | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe |
Suspicious use of WriteProcessMemory 30 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 5028 wrote to memory of 2220 | 5028 | 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | 88 |
| PID 5028 wrote to memory of 2220 | 5028 | 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | 88 |
| PID 5028 wrote to memory of 2220 | 5028 | 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | 88 |
| PID 5028 wrote to memory of 2004 | 5028 | 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | 89 |
| PID 5028 wrote to memory of 2004 | 5028 | 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | 89 |
| PID 5028 wrote to memory of 2004 | 5028 | 2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe | 89 |
| PID 2220 wrote to memory of 640 | 2220 | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | 90 |
| PID 2220 wrote to memory of 640 | 2220 | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | 90 |
| PID 2220 wrote to memory of 640 | 2220 | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | 90 |
| PID 2220 wrote to memory of 3016 | 2220 | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | 91 |
| PID 2220 wrote to memory of 3016 | 2220 | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | 91 |
| PID 2220 wrote to memory of 3016 | 2220 | {C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe | 91 |
| PID 640 wrote to memory of 2200 | 640 | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | 93 |
| PID 640 wrote to memory of 2200 | 640 | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | 93 |
| PID 640 wrote to memory of 2200 | 640 | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | 93 |
| PID 640 wrote to memory of 3876 | 640 | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | 94 |
| PID 640 wrote to memory of 3876 | 640 | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | 94 |
| PID 640 wrote to memory of 3876 | 640 | {7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe | 94 |
| PID 2200 wrote to memory of 4856 | 2200 | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | 95 |
| PID 2200 wrote to memory of 4856 | 2200 | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | 95 |
| PID 2200 wrote to memory of 4856 | 2200 | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | 95 |
| PID 2200 wrote to memory of 880 | 2200 | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | 96 |
| PID 2200 wrote to memory of 880 | 2200 | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | 96 |
| PID 2200 wrote to memory of 880 | 2200 | {29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe | 96 |
| PID 4856 wrote to memory of 428 | 4856 | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | 97 |
| PID 4856 wrote to memory of 428 | 4856 | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | 97 |
| PID 4856 wrote to memory of 428 | 4856 | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | 97 |
| PID 4856 wrote to memory of 2216 | 4856 | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | 98 |
| PID 4856 wrote to memory of 2216 | 4856 | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | 98 |
| PID 4856 wrote to memory of 2216 | 4856 | {05E49E1E-308D-4e42-AACE-F1634AA78878}.exe | 98 |
Processes
Process tree (indentation shows parent/child; the bracketed number is the depth in the tree; "cmd:" is the command line as recorded):

[1] C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe (PID 5028)
    cmd: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_54def91bc41e5f6dedc6d0b825b03fef_goldeneye.exe"
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe (PID 2220)
      cmd: C:\Windows\{C1D80A0B-3479-4edd-B43E-856FD86C53CB}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe (PID 640)
        cmd: C:\Windows\{7A775777-527C-4d2e-A2E3-BE4E0F1DC718}.exe
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe (PID 2200)
          cmd: C:\Windows\{29CC750B-4451-42b5-AA2B-C4C2A510135E}.exe
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe (PID 4856)
            cmd: C:\Windows\{05E49E1E-308D-4e42-AACE-F1634AA78878}.exe
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe (PID 428)
              cmd: C:\Windows\{18BADCE2-B1EA-4bdb-9DD5-AA39D6346C3E}.exe
              - Executes dropped EXE
            [7] C:\Windows\{D128C14C-13EF-492e-992A-8947AFEB5E13}.exe (PID 4288)
                cmd: C:\Windows\{D128C14C-13EF-492e-992A-8947AFEB5E13}.exe
              [8] C:\Windows\{4C04DDCB-2D88-4b19-B6F7-FA1A0DA6BB19}.exe (PID 3248)
                  cmd: C:\Windows\{4C04DDCB-2D88-4b19-B6F7-FA1A0DA6BB19}.exe
                [9] C:\Windows\{6DC2DCB6-8E37-4086-9A1E-6040EE88FC65}.exe (PID 3268)
                    cmd: C:\Windows\{6DC2DCB6-8E37-4086-9A1E-6040EE88FC65}.exe
                  [10] C:\Windows\{0F48EC3C-BC6F-4a6c-B79E-89C346FE47AF}.exe (PID 3968)
                       cmd: C:\Windows\{0F48EC3C-BC6F-4a6c-B79E-89C346FE47AF}.exe
                    [11] C:\Windows\{9FB22527-35A3-423f-95A6-9FFDBCA971E6}.exe (PID 1588)
                         cmd: C:\Windows\{9FB22527-35A3-423f-95A6-9FFDBCA971E6}.exe
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 2496)
                         cmd: C:\Windows\system32\cmd.exe /c del C:\Windows\{0F48E~1.EXE > nul
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 3748)
                       cmd: C:\Windows\system32\cmd.exe /c del C:\Windows\{6DC2D~1.EXE > nul
                [9] C:\Windows\SysWOW64\cmd.exe (PID 2508)
                    cmd: C:\Windows\system32\cmd.exe /c del C:\Windows\{4C04D~1.EXE > nul
              [8] C:\Windows\SysWOW64\cmd.exe (PID 3844)
                  cmd: C:\Windows\system32\cmd.exe /c del C:\Windows\{D128C~1.EXE > nul
            [7] C:\Windows\SysWOW64\cmd.exe (PID 876)
                cmd: C:\Windows\system32\cmd.exe /c del C:\Windows\{18BAD~1.EXE > nul
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2216)
              cmd: C:\Windows\system32\cmd.exe /c del C:\Windows\{05E49~1.EXE > nul
        [5] C:\Windows\SysWOW64\cmd.exe (PID 880)
            cmd: C:\Windows\system32\cmd.exe /c del C:\Windows\{29CC7~1.EXE > nul
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3876)
          cmd: C:\Windows\system32\cmd.exe /c del C:\Windows\{7A775~1.EXE > nul
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3016)
        cmd: C:\Windows\system32\cmd.exe /c del C:\Windows\{C1D80~1.EXE > nul
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2004)
      cmd: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads