Analysis
max time kernel: 38s
max time network: 72s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 04:19
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe
Resource: win10v2004-20240508-en
General
Target: 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe
Size: 380KB
MD5: 6e6cf573257ba32da37b3503f7758daf
SHA1: e58a7a82a23c63efbe2b25176ce0ccbad1c965d6
SHA256: 0dbdaab9f4a49f1a69493c62a58be2a079d3bc8a080344581f96aa2c13692f10
SHA512: 18449428a09784327bfa2b612a45a528a9baf1d4c5630fbfc57c559ab43eb71102e9f8e59ad8826af49c07085be71fb6e11c16151778187830cf00f1d712fa41
SSDEEP: 3072:mEGh0o0lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG+l7Oe2MUVg3v2IneKcAEcARy
Malware Config
Signatures
Auto-generated rule (10 IoCs)
resource | yara_rule
behavioral2/files/0x0014000000023386-3.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023411-7.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341c-11.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341c-10.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341c-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023411-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023411-15.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002341c-19.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023411-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002341c-27.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C} | 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}\stubpath = "C:\\Windows\\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe" | 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15} | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}\stubpath = "C:\\Windows\\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe" | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569} | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}\stubpath = "C:\\Windows\\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe" | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe
Executes dropped EXE (3 IoCs)
pid | Process
4468 | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe
3496 | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe
1224 | {04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe
File created | C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe
File created | C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3508 | 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 4468 | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe
Token: SeIncBasePriorityPrivilege | 3496 | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 3508 wrote to memory of 4468 | 3508 | 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | 93
PID 3508 wrote to memory of 4468 | 3508 | 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | 93
PID 3508 wrote to memory of 4468 | 3508 | 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | 93
PID 3508 wrote to memory of 2376 | 3508 | 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | 94
PID 3508 wrote to memory of 2376 | 3508 | 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | 94
PID 3508 wrote to memory of 2376 | 3508 | 2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe | 94
PID 4468 wrote to memory of 3496 | 4468 | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | 95
PID 4468 wrote to memory of 3496 | 4468 | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | 95
PID 4468 wrote to memory of 3496 | 4468 | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | 95
PID 4468 wrote to memory of 2140 | 4468 | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | 96
PID 4468 wrote to memory of 2140 | 4468 | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | 96
PID 4468 wrote to memory of 2140 | 4468 | {9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe | 96
PID 3496 wrote to memory of 1224 | 3496 | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | 98
PID 3496 wrote to memory of 1224 | 3496 | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | 98
PID 3496 wrote to memory of 1224 | 3496 | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | 98
PID 3496 wrote to memory of 3956 | 3496 | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | 99
PID 3496 wrote to memory of 3956 | 3496 | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | 99
PID 3496 wrote to memory of 3956 | 3496 | {29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe (depth 1, PID 3508)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_6e6cf573257ba32da37b3503f7758daf_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe (depth 2, PID 4468)
    command line: C:\Windows\{9F4EE00D-F2BC-4f74-B601-1672CAC0810C}.exe
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe (depth 3, PID 3496)
      command line: C:\Windows\{29CE31C2-DA8B-4a91-9868-73F0BB4A7E15}.exe
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe (depth 4, PID 1224)
        command line: C:\Windows\{04D2A4A9-AEF6-43bd-8F62-CB9B6F7B8569}.exe
        - Executes dropped EXE
        C:\Windows\{9E4F0DF2-A5D7-4537-BD71-15A5B1005C70}.exe (depth 5, PID 3052)
          command line: C:\Windows\{9E4F0DF2-A5D7-4537-BD71-15A5B1005C70}.exe
          C:\Windows\{B95ADFD0-2753-4f85-9C73-4A21DB665ED5}.exe (depth 6, PID 3576)
            command line: C:\Windows\{B95ADFD0-2753-4f85-9C73-4A21DB665ED5}.exe
            C:\Windows\{F8C3016B-A707-4c3d-88DE-67128B797E9B}.exe (depth 7, PID 2236)
              command line: C:\Windows\{F8C3016B-A707-4c3d-88DE-67128B797E9B}.exe
              C:\Windows\{FCD9A6A2-EA35-4a21-9A49-8263523F13E4}.exe (depth 8, PID 4320)
                command line: C:\Windows\{FCD9A6A2-EA35-4a21-9A49-8263523F13E4}.exe
              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 4308)
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F8C30~1.EXE > nul
            C:\Windows\SysWOW64\cmd.exe (depth 7, PID 3296)
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B95AD~1.EXE > nul
          C:\Windows\SysWOW64\cmd.exe (depth 6, PID 3616)
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9E4F0~1.EXE > nul
        C:\Windows\SysWOW64\cmd.exe (depth 5, PID 4148)
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{04D2A~1.EXE > nul
      C:\Windows\SysWOW64\cmd.exe (depth 4, PID 3956)
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{29CE3~1.EXE > nul
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2140)
      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9F4EE~1.EXE > nul
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2376)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 93KB
MD5: 3da8c96cef5664b77bfa3b030aab4d38
SHA1: c2599c532e26302595625a69843e24922785dd60
SHA256: 8c9b93110d2d9d65717dd124e10e97ef65a8e6972f346c2d8a04fe50e53e5c3d
SHA512: 66426da7a3d2f2fcbb9f8096eb411d4fb4f3ede3be8e875725c43d8745fd3e9664e9365be882424860c92cc5a8510e2e78bea1de70e7842d2a96ed7309ecbb08

Filesize: 380KB
MD5: ef715bf5745ac9bb90a8e2237ec216e7
SHA1: d380252cb8d8cc5574a4db4d51f19cbc739ea0b7
SHA256: 0d8f1d25a90c23abc217a6d36931c1eeab77c041d0fa7ea5987a146bb88d770f
SHA512: c1f02f3037137e610ff0607ffe1aa3c7a9c3b237afdbe1d3ee4a9bdc8eeeee6d2fa3d136754d2c18ae18d980118f139bfb71667cc0f4ffa37e6d2a40cd3e9dec

Filesize: 92KB
MD5: 9b03c0b1662436742ab943c4e1f1a0ae
SHA1: ad4fb39d546c7a56fd10d175ed6d331196a583db
SHA256: 1af44249d2a4e7d0d08ac07c0f6987758959223e198ee28f2ccc68cddb2874cd
SHA512: 6c39a681713155621eddb5c014c25a049350cc0b83047357befbbc0d11145eba01bb4ca1a6ae5bdf68cf7ae4c50f38af98facada38602a51517a8cd8c9852190

Filesize: 380KB
MD5: 70d7270a6b3299a91a4508959902b1b3
SHA1: 59d463abcb8568b0c589b075ff5eecf6076543e0
SHA256: 5f64b2e80d6608b07c43dc8bfb8dfb9a6a544f48ab21a8ce773d333d89c1b2ec
SHA512: da9f924a9573e49a9f327c017c87af01019ab5e0453ef912af2fe35f94a46b5c083c1866d08290cb72e206eafb856d16bad295a7ae0584aff99d8136a93283e2

Filesize: 128KB
MD5: e2e85ab24a62dc579ab4285a94bab11e
SHA1: ff487f4b6a15beaed45ed44de0ce550b22f08ed0
SHA256: 8ff23f33b6446d8177bbca5e048da6230ac8e7ed95f2c56fce8c4a2b6177d3a2
SHA512: 6adb38e88fab7660b610781ce1b7892d9de55082183bae4136b85dd484136712ff25ea927dbf6c96f06023c3f5854b3630a5a4d36fe09b5d7331c48d8ad4b8b5

Filesize: 93KB
MD5: 7953d1aba2580821a8fa14e66eb49b0a
SHA1: 174be4e352baa5f43f1a0bbcd18911a53d878b02
SHA256: bfd67f3fab5bda18ac73e1e8769cd1ae62b8d193e00daa37fa800e869d35e691
SHA512: 6ecbec72633f8ce827c43cad46222679c59e74aa46a617e6c72018cbecb8ae6c3644ad3b78652e0ed4e6fb5ab98135834c189790831332fea1f1d6a9a20d4705

Filesize: 380KB
MD5: 4caa8362deb017127e75cfbf15f9ede3
SHA1: 3d4d6457c84c6272c7e6051904da56f13e125652
SHA256: 9adf6cce615ff962eb33cb33620cbbdd30e814f0f39d92b9420fdfe45568872a
SHA512: 87796ed33747ff0c79e0f5286e71dbd6cddbea3163a4f5d518019fb42ad9ef333821a2d2f5057f0572d2534ca0944a4a8bbacddcf66b5b621c47ab8c96176aef

Filesize: 97KB
MD5: 4bee6da23400fcc0637c025537360df6
SHA1: 4a54e85442b67f9258d76f1381a761c0745ad8ce
SHA256: 921b9275c90ea0020100947117860d1d5f2b3de557d6ae0e855193c8ca0872da
SHA512: 224e4f5666e8646e77b1255a6a87762a76fb46ed607a15d8d2ed570695737aa17ca00f29f91e015eef529c683fca3ba03707cdf97148e21ae01fcd5de0312873

Filesize: 93KB
MD5: dc3249b04bb856d2b7720dd5934bbcc8
SHA1: 08a798942ab9196755dcfe84219ee6a8c3e354d9
SHA256: 01a3411df16ff520ca0927e08f83c9af7a1f3ee93b7223fd3ffc4fbe14842a57
SHA512: 232d03561798b28691ea46f9517154cb9de25db8329ee7ab073bdcdd39c8e2836bafc0208d20b88443ff88680dc4cb0e76c354f2d2da385bd32b0af1f23434c7

Filesize: 93KB
MD5: 735b5c2540c8886311e4f0697d6f9e14
SHA1: 684d8131ca871d57fe363fa7ee039479915b8985
SHA256: 2e865eea9f5ff5fe19f35890e2fcfd5c0881dd2b1492e264e3bb0511bdb6b9eb
SHA512: 34622cd7f90252475e764f3bc3e3faeb8cdec7c84deabf18e670b44acf7aacc7f72cec4044032c89394362e7761ad375b1621add77d4f832188918e76542ec84