kinsing | c3c6345d545936a6460815736759b3f43a982d81985d308d6fc63eeaaa3ab31f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
Size

180KB
MD5

898876907ed8171c2a473416b4af813b
SHA1

d195dd96fc1d9c5300e2406a63d3279792244e8f
SHA256

c3c6345d545936a6460815736759b3f43a982d81985d308d6fc63eeaaa3ab31f
SHA512

9d94c86ec140f1a4eca8a5e908ac3bbfffa1a448588116f7582c9bbb00d1863ca0e01a6a67d474eb15ac0e697874692e4a7b3ed583c5aa06540127f6cb1b2375
SSDEEP

3072:jEGh0oalfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGYl5eKcAEc

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{06091A77-F8CE-47f3-906C-F37A8659902B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{43599755-1381-425f-90DF-2AEAC0012AB6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0E0273D4-546F-476b-B60D-87428AC4DC46}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe{43599755-1381-425f-90DF-2AEAC0012AB6}.exe{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe{06091A77-F8CE-47f3-906C-F37A8659902B}.exe{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}\stubpath = "C:\\Windows\\{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe"	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E0273D4-546F-476b-B60D-87428AC4DC46}	{43599755-1381-425f-90DF-2AEAC0012AB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06091A77-F8CE-47f3-906C-F37A8659902B}	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06091A77-F8CE-47f3-906C-F37A8659902B}\stubpath = "C:\\Windows\\{06091A77-F8CE-47f3-906C-F37A8659902B}.exe"	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{332CFBEA-D1C7-4bda-955A-3181417494C4}	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CC7F25B-567E-4e1d-9A10-BF44D8039963}\stubpath = "C:\\Windows\\{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe"	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E0273D4-546F-476b-B60D-87428AC4DC46}\stubpath = "C:\\Windows\\{0E0273D4-546F-476b-B60D-87428AC4DC46}.exe"	{43599755-1381-425f-90DF-2AEAC0012AB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{332CFBEA-D1C7-4bda-955A-3181417494C4}\stubpath = "C:\\Windows\\{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe"	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}\stubpath = "C:\\Windows\\{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe"	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}\stubpath = "C:\\Windows\\{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe"	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}\stubpath = "C:\\Windows\\{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe"	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43599755-1381-425f-90DF-2AEAC0012AB6}	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}\stubpath = "C:\\Windows\\{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe"	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7220C948-FBA9-47c4-AE8C-6E9651C10331}	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7220C948-FBA9-47c4-AE8C-6E9651C10331}\stubpath = "C:\\Windows\\{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe"	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEFB260A-8B45-4f2e-A682-07D85633DA01}	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEFB260A-8B45-4f2e-A682-07D85633DA01}\stubpath = "C:\\Windows\\{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe"	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CC7F25B-567E-4e1d-9A10-BF44D8039963}	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43599755-1381-425f-90DF-2AEAC0012AB6}\stubpath = "C:\\Windows\\{43599755-1381-425f-90DF-2AEAC0012AB6}.exe"	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe

Executes dropped EXE 12 IoCs

Processes:

{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe{06091A77-F8CE-47f3-906C-F37A8659902B}.exe{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe{43599755-1381-425f-90DF-2AEAC0012AB6}.exe{0E0273D4-546F-476b-B60D-87428AC4DC46}.exe

pid	process
1208	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
3716	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
1560	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
3392	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
636	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
4484	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
468	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
1596	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
4848	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe
3008	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe
2096	{43599755-1381-425f-90DF-2AEAC0012AB6}.exe
4664	{0E0273D4-546F-476b-B60D-87428AC4DC46}.exe

Drops file in Windows directory 12 IoCs

Processes:

{43599755-1381-425f-90DF-2AEAC0012AB6}.exe2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe{06091A77-F8CE-47f3-906C-F37A8659902B}.exe{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe

description	ioc	process
File created	C:\Windows\{0E0273D4-546F-476b-B60D-87428AC4DC46}.exe	{43599755-1381-425f-90DF-2AEAC0012AB6}.exe
File created	C:\Windows\{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
File created	C:\Windows\{06091A77-F8CE-47f3-906C-F37A8659902B}.exe	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
File created	C:\Windows\{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
File created	C:\Windows\{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
File created	C:\Windows\{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
File created	C:\Windows\{43599755-1381-425f-90DF-2AEAC0012AB6}.exe	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe
File created	C:\Windows\{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
File created	C:\Windows\{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
File created	C:\Windows\{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
File created	C:\Windows\{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
File created	C:\Windows\{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe{06091A77-F8CE-47f3-906C-F37A8659902B}.exe{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe{43599755-1381-425f-90DF-2AEAC0012AB6}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3920	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1208	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
Token: SeIncBasePriorityPrivilege	3716	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
Token: SeIncBasePriorityPrivilege	1560	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
Token: SeIncBasePriorityPrivilege	3392	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
Token: SeIncBasePriorityPrivilege	636	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
Token: SeIncBasePriorityPrivilege	4484	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
Token: SeIncBasePriorityPrivilege	468	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
Token: SeIncBasePriorityPrivilege	1596	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
Token: SeIncBasePriorityPrivilege	4848	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe
Token: SeIncBasePriorityPrivilege	3008	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe
Token: SeIncBasePriorityPrivilege	2096	{43599755-1381-425f-90DF-2AEAC0012AB6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3920 wrote to memory of 1208	3920	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
PID 3920 wrote to memory of 1208	3920	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
PID 3920 wrote to memory of 1208	3920	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
PID 3920 wrote to memory of 2784	3920	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	cmd.exe
PID 3920 wrote to memory of 2784	3920	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	cmd.exe
PID 3920 wrote to memory of 2784	3920	2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe	cmd.exe
PID 1208 wrote to memory of 3716	1208	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
PID 1208 wrote to memory of 3716	1208	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
PID 1208 wrote to memory of 3716	1208	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
PID 1208 wrote to memory of 4752	1208	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe	cmd.exe
PID 1208 wrote to memory of 4752	1208	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe	cmd.exe
PID 1208 wrote to memory of 4752	1208	{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe	cmd.exe
PID 3716 wrote to memory of 1560	3716	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
PID 3716 wrote to memory of 1560	3716	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
PID 3716 wrote to memory of 1560	3716	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
PID 3716 wrote to memory of 2768	3716	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe	cmd.exe
PID 3716 wrote to memory of 2768	3716	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe	cmd.exe
PID 3716 wrote to memory of 2768	3716	{06091A77-F8CE-47f3-906C-F37A8659902B}.exe	cmd.exe
PID 1560 wrote to memory of 3392	1560	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
PID 1560 wrote to memory of 3392	1560	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
PID 1560 wrote to memory of 3392	1560	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
PID 1560 wrote to memory of 4240	1560	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe	cmd.exe
PID 1560 wrote to memory of 4240	1560	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe	cmd.exe
PID 1560 wrote to memory of 4240	1560	{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe	cmd.exe
PID 3392 wrote to memory of 636	3392	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
PID 3392 wrote to memory of 636	3392	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
PID 3392 wrote to memory of 636	3392	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
PID 3392 wrote to memory of 4808	3392	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe	cmd.exe
PID 3392 wrote to memory of 4808	3392	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe	cmd.exe
PID 3392 wrote to memory of 4808	3392	{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe	cmd.exe
PID 636 wrote to memory of 4484	636	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
PID 636 wrote to memory of 4484	636	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
PID 636 wrote to memory of 4484	636	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
PID 636 wrote to memory of 3208	636	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe	cmd.exe
PID 636 wrote to memory of 3208	636	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe	cmd.exe
PID 636 wrote to memory of 3208	636	{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe	cmd.exe
PID 4484 wrote to memory of 468	4484	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
PID 4484 wrote to memory of 468	4484	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
PID 4484 wrote to memory of 468	4484	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
PID 4484 wrote to memory of 2472	4484	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe	cmd.exe
PID 4484 wrote to memory of 2472	4484	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe	cmd.exe
PID 4484 wrote to memory of 2472	4484	{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe	cmd.exe
PID 468 wrote to memory of 1596	468	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
PID 468 wrote to memory of 1596	468	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
PID 468 wrote to memory of 1596	468	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
PID 468 wrote to memory of 4824	468	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe	cmd.exe
PID 468 wrote to memory of 4824	468	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe	cmd.exe
PID 468 wrote to memory of 4824	468	{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe	cmd.exe
PID 1596 wrote to memory of 4848	1596	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe
PID 1596 wrote to memory of 4848	1596	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe
PID 1596 wrote to memory of 4848	1596	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe
PID 1596 wrote to memory of 2892	1596	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe	cmd.exe
PID 1596 wrote to memory of 2892	1596	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe	cmd.exe
PID 1596 wrote to memory of 2892	1596	{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe	cmd.exe
PID 4848 wrote to memory of 3008	4848	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe
PID 4848 wrote to memory of 3008	4848	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe
PID 4848 wrote to memory of 3008	4848	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe
PID 4848 wrote to memory of 2092	4848	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe	cmd.exe
PID 4848 wrote to memory of 2092	4848	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe	cmd.exe
PID 4848 wrote to memory of 2092	4848	{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe	cmd.exe
PID 3008 wrote to memory of 2096	3008	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe	{43599755-1381-425f-90DF-2AEAC0012AB6}.exe
PID 3008 wrote to memory of 2096	3008	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe	{43599755-1381-425f-90DF-2AEAC0012AB6}.exe
PID 3008 wrote to memory of 2096	3008	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe	{43599755-1381-425f-90DF-2AEAC0012AB6}.exe
PID 3008 wrote to memory of 4768	3008	{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_898876907ed8171c2a473416b4af813b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
C:\Windows\{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
C:\Windows\{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{06091~1.EXE > nul
4⤵
PID:2768

C:\Windows\{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
C:\Windows\{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
C:\Windows\{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
C:\Windows\{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
C:\Windows\{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
C:\Windows\{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7FE5C~1.EXE > nul
9⤵
PID:4824

C:\Windows\{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
C:\Windows\{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe
C:\Windows\{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe
C:\Windows\{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\{43599755-1381-425f-90DF-2AEAC0012AB6}.exe
C:\Windows\{43599755-1381-425f-90DF-2AEAC0012AB6}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\{0E0273D4-546F-476b-B60D-87428AC4DC46}.exe
C:\Windows\{0E0273D4-546F-476b-B60D-87428AC4DC46}.exe
13⤵
- Executes dropped EXE
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{43599~1.EXE > nul
13⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8CC7F~1.EXE > nul
12⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{39D37~1.EXE > nul
11⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BEFB2~1.EXE > nul
10⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7220C~1.EXE > nul
8⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A7E3D~1.EXE > nul
7⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3A68E~1.EXE > nul
6⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{332CF~1.EXE > nul
5⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CCDAD~1.EXE > nul
3⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06091A77-F8CE-47f3-906C-F37A8659902B}.exe
Filesize
180KB

MD5
839c07e0d1f8886bece2433beb0c738c

SHA1
b89b15bf4507472a4ade58fa51077f85e9a713bd

SHA256
a520498f06fd53dced01df34255c5c89d3a8472d36a441ac87e75e18aa2cda50

SHA512
8f88af41767c48162ba850e08ac06d2efe33ae41c956473cd7288d6ee5764f4d5aceb947cd98971e068800dbf9088fdc5c31a2f108307bb7610a063261bcde02

Download Submit
C:\Windows\{0E0273D4-546F-476b-B60D-87428AC4DC46}.exe
Filesize
180KB

MD5
2a2adaea0a8c3a5788a20dbe223abeac

SHA1
c3882faed95cfe5166c155c528839cf38278185e

SHA256
b6a04b8007ab87b9f7942fddb33203d96a20a8e4ff13e056580dd4aef5a87389

SHA512
4e3fd8f38b462a779e74596db70a455d30a0e74d16c81a9991e03cd6564937ce1f6c81122060f0baae1cd2b54730df23d0a99506a0a29e2a7b4802910a7550d6

Download Submit
C:\Windows\{332CFBEA-D1C7-4bda-955A-3181417494C4}.exe
Filesize
180KB

MD5
b677f8442d83fd69f397289450bddd34

SHA1
16770a486b76d30267327458c62926ffacf624b0

SHA256
fda5422831e655781a718613c512105ea4173be352d036026ae32e33fac448ea

SHA512
cae5ee4f521ae92db7230d3481452c0f4f84f87a00ed59ed76930ff481b9c8b6828e794b0b4f2cc9853284119f9f6a8e68288499220379858ff73f291dc2257c

Download Submit
C:\Windows\{39D3736D-D618-4ae4-8F86-1A1BD15C2AE3}.exe
Filesize
180KB

MD5
5668b11b0aea006805212501c0bdd09a

SHA1
87affb401e3a3b03278fefbb26d6c58e22e5e306

SHA256
a488a7a88aaf5a7148effab00fdb41d08853c71cf3fede251b5a95cfffb45232

SHA512
72a2049ca48f2de16d4a13a76239a674847f33be2bfb0d75a23cb01f23e166846f26575e0d01541432fbd4d865fe91dfc61a32067dc6e402937d986b96261c10

Download Submit
C:\Windows\{3A68E4DC-5CCC-4c1d-AA00-27494460A77B}.exe
Filesize
180KB

MD5
0e7335c9a2f3348d0c3776d761208699

SHA1
a294c19660b81ced63029bdecbdb7ea53c2186ff

SHA256
03a3a050505d8424b16531b495aed45b4157c3d798a2a80cee2304a387a1cdb3

SHA512
f8a7ac672f9bf506bfad4f2232c2e3940baa6a6308509a849a72d274142c647f5bdc70f5f42103ad276e44c8b94ead4867e28303901ea6aa41a77186acf581ec

Download Submit
C:\Windows\{43599755-1381-425f-90DF-2AEAC0012AB6}.exe
Filesize
180KB

MD5
42130a88285b63c3b57b356975f35f8f

SHA1
311bb9bec160e654bbf8df81e192a3670d176768

SHA256
876947929695fe0601c97d68ac90ccbebd1d09b0c9b63568fd09e773591ada4f

SHA512
a800b7dd3d8df70d70349ba69bab383ca10c8ed7a0cfbdd6bdff05f3f62b247937cc8d409c18dc340f2de2cb4b402adb67f7270e5fecdd9d1e67ea112ed418aa

Download Submit
C:\Windows\{7220C948-FBA9-47c4-AE8C-6E9651C10331}.exe
Filesize
180KB

MD5
46505fca2ba653916d7773efd8049eeb

SHA1
520767e243b8d6289df27111128a1ebf58d0efc2

SHA256
2039e8f7c80cca4c1188c8b1dd99beb59d0a7bc7c754f6f353a024619045d3c6

SHA512
697f4ded7941fb8792dc70801a6e6519fbb36e3e42b958a764b0b38455cdc70626eb75c49003f73b18d65017c5292605f6ddbe3adc825afd801b67e584c25ca0

Download Submit
C:\Windows\{7FE5CF70-219D-4e47-ADC7-5ADE06F1F30F}.exe
Filesize
180KB

MD5
664ce23100ad756534437b3662efbd0c

SHA1
092e27d82b068c800fe7e556cf17cff4569aa35b

SHA256
3cfeea59a976b93176f8a5f2363d462470d2facf454217c6f996c53961fe87b9

SHA512
fb745607acb688e415fddc16690d1afe9387c0e1c488787e8475cace3bd1f41472a6c715138732fa14467bd8c1101e4d3d9d65d861a22faf247c6799bf6dcfc8

Download Submit
C:\Windows\{8CC7F25B-567E-4e1d-9A10-BF44D8039963}.exe
Filesize
180KB

MD5
3071cd3671d8a811fe0de1578d70ef60

SHA1
6130a90b4cbafb49d9a2c358fb5ed1abfce14eb9

SHA256
a07f66e01e1043ee0bd33c44aba53a1a007cb0c6ffa37b15a2619a094d43013f

SHA512
33e286c511a1958471ede7c87971cd1dc420f61ee8782330dd5cb8caf58108fe44835b5adcacad04459d59917537602ad85702effe5572b9336b3cd0f938a374

Download Submit
C:\Windows\{A7E3DE44-B6DE-4e32-9DF1-5B8DBB004B70}.exe
Filesize
180KB

MD5
806633a304838cffd748e21fe093bd78

SHA1
9ba1a6d677895b2c40b1cfb29e4eeb8082c18753

SHA256
76a00d4fb5a1779db5d776d2e234a25501e0cd75d4ffb2eac6a688d556dba072

SHA512
b028544ca55a7682f5dec768528940db5da4174803e244997dad83ff88928c3d9bb92f272c7491c595a21cf6ecee2a644f2196cc7fcc43514aeb86d80c809a0e

Download Submit
C:\Windows\{BEFB260A-8B45-4f2e-A682-07D85633DA01}.exe
Filesize
180KB

MD5
02fdad7e99197252d09f5eaa64fe0f58

SHA1
15dce126750e4e8a19a68b43a1796346abfd3f29

SHA256
41356573884a58d8fd82926eb03f712e0c91ac049bfc54791f57a2d234d06dfc

SHA512
9b4e0eb555331ef59a9c2bdc9ac7a14722b775326ccafc6306cda9704da3bb9dde3f8631e52f31825ee567de2376a9589604cfaf03f22faa1feb7a0effac688f

Download Submit
C:\Windows\{CCDAD81E-E4BE-4ad9-B12D-11C83CAA1F41}.exe
Filesize
180KB

MD5
cd03d0add730f413be82a073b9bcd4af

SHA1
3cff77230eb39f6f9db36773d88facb7692e562f

SHA256
64a29c04bbe2d47d52f89d145f8964a58cd02e2335657687442218d398612c73

SHA512
f913136e986a6bc84b4b5ce8d9ce8e1cf13ebc36f7383062fdf12bb8ccc51f78c4a95b046adcb53fd2573ce6a33d7150a2a1f909688ae7edea22004ee8a34670

Download Submit