kinsing | 966908d184f13c088bbdafeb766444e758b4a60c572b15186e899eb3ac52945a

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
Size

204KB
MD5

8b1cd4edb2a6b8728a45fa10ded9d24e
SHA1

2aeef12350a2263d8284b671d8875b538b523037
SHA256

966908d184f13c088bbdafeb766444e758b4a60c572b15186e899eb3ac52945a
SHA512

3ac11c8d8908acc6a3feb29cad81a7c12c7eeb46546bdde9bad5c48ebd6eb1037a67771fbf72474630eace05531e0ec576e5d46ca8142ec53e957b26d821c6f2
SSDEEP

1536:1EGh0oVl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oVl1OPOe2MUVg3Ve+rXfMUy

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{38EA5E61-035F-4984-8A9B-D0CB50C366B9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38EA5E61-035F-4984-8A9B-D0CB50C366B9}\stubpath = "C:\\Windows\\{38EA5E61-035F-4984-8A9B-D0CB50C366B9}.exe"	{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0470F81-71DB-411d-BE7E-CE61253FC271}\stubpath = "C:\\Windows\\{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe"	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}\stubpath = "C:\\Windows\\{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe"	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A4202A-60FE-48c7-997C-FE032FAB9521}\stubpath = "C:\\Windows\\{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe"	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}\stubpath = "C:\\Windows\\{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe"	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38EA5E61-035F-4984-8A9B-D0CB50C366B9}	{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}\stubpath = "C:\\Windows\\{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe"	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}\stubpath = "C:\\Windows\\{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe"	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A4202A-60FE-48c7-997C-FE032FAB9521}	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}\stubpath = "C:\\Windows\\{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe"	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}\stubpath = "C:\\Windows\\{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe"	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A48686B-80F8-4d4b-9856-57E8527CA9F7}	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0470F81-71DB-411d-BE7E-CE61253FC271}	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D830D6C5-AB07-4d47-AAE8-536B873A11A6}\stubpath = "C:\\Windows\\{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe"	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A48686B-80F8-4d4b-9856-57E8527CA9F7}\stubpath = "C:\\Windows\\{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe"	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}\stubpath = "C:\\Windows\\{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe"	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D830D6C5-AB07-4d47-AAE8-536B873A11A6}	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe

Executes dropped EXE 12 IoCs

Processes:

{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe{38EA5E61-035F-4984-8A9B-D0CB50C366B9}.exe

pid	process
4124	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe
2696	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
1208	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe
2240	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
3200	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
3788	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
4284	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
664	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
5020	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
3580	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
1856	{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe
1772	{38EA5E61-035F-4984-8A9B-D0CB50C366B9}.exe

Drops file in Windows directory 12 IoCs

Processes:

{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe

description	ioc	process
File created	C:\Windows\{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
File created	C:\Windows\{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
File created	C:\Windows\{38EA5E61-035F-4984-8A9B-D0CB50C366B9}.exe	{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe
File created	C:\Windows\{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
File created	C:\Windows\{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe
File created	C:\Windows\{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
File created	C:\Windows\{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
File created	C:\Windows\{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
File created	C:\Windows\{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
File created	C:\Windows\{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
File created	C:\Windows\{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
File created	C:\Windows\{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4320	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4124	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe
Token: SeIncBasePriorityPrivilege	2696	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
Token: SeIncBasePriorityPrivilege	1208	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe
Token: SeIncBasePriorityPrivilege	2240	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
Token: SeIncBasePriorityPrivilege	3200	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
Token: SeIncBasePriorityPrivilege	3788	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
Token: SeIncBasePriorityPrivilege	4284	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
Token: SeIncBasePriorityPrivilege	664	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
Token: SeIncBasePriorityPrivilege	5020	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
Token: SeIncBasePriorityPrivilege	3580	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
Token: SeIncBasePriorityPrivilege	1856	{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4320 wrote to memory of 4124	4320	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe
PID 4320 wrote to memory of 4124	4320	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe
PID 4320 wrote to memory of 4124	4320	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe
PID 4320 wrote to memory of 3008	4320	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	cmd.exe
PID 4320 wrote to memory of 3008	4320	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	cmd.exe
PID 4320 wrote to memory of 3008	4320	2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe	cmd.exe
PID 4124 wrote to memory of 2696	4124	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
PID 4124 wrote to memory of 2696	4124	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
PID 4124 wrote to memory of 2696	4124	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
PID 4124 wrote to memory of 4980	4124	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe	cmd.exe
PID 4124 wrote to memory of 4980	4124	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe	cmd.exe
PID 4124 wrote to memory of 4980	4124	{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe	cmd.exe
PID 2696 wrote to memory of 1208	2696	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe
PID 2696 wrote to memory of 1208	2696	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe
PID 2696 wrote to memory of 1208	2696	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe
PID 2696 wrote to memory of 4192	2696	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe	cmd.exe
PID 2696 wrote to memory of 4192	2696	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe	cmd.exe
PID 2696 wrote to memory of 4192	2696	{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe	cmd.exe
PID 1208 wrote to memory of 2240	1208	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
PID 1208 wrote to memory of 2240	1208	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
PID 1208 wrote to memory of 2240	1208	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
PID 1208 wrote to memory of 4052	1208	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe	cmd.exe
PID 1208 wrote to memory of 4052	1208	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe	cmd.exe
PID 1208 wrote to memory of 4052	1208	{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe	cmd.exe
PID 2240 wrote to memory of 3200	2240	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
PID 2240 wrote to memory of 3200	2240	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
PID 2240 wrote to memory of 3200	2240	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
PID 2240 wrote to memory of 1892	2240	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe	cmd.exe
PID 2240 wrote to memory of 1892	2240	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe	cmd.exe
PID 2240 wrote to memory of 1892	2240	{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe	cmd.exe
PID 3200 wrote to memory of 3788	3200	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
PID 3200 wrote to memory of 3788	3200	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
PID 3200 wrote to memory of 3788	3200	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
PID 3200 wrote to memory of 2936	3200	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe	cmd.exe
PID 3200 wrote to memory of 2936	3200	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe	cmd.exe
PID 3200 wrote to memory of 2936	3200	{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe	cmd.exe
PID 3788 wrote to memory of 4284	3788	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
PID 3788 wrote to memory of 4284	3788	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
PID 3788 wrote to memory of 4284	3788	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
PID 3788 wrote to memory of 1388	3788	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe	cmd.exe
PID 3788 wrote to memory of 1388	3788	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe	cmd.exe
PID 3788 wrote to memory of 1388	3788	{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe	cmd.exe
PID 4284 wrote to memory of 664	4284	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
PID 4284 wrote to memory of 664	4284	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
PID 4284 wrote to memory of 664	4284	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
PID 4284 wrote to memory of 3940	4284	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe	cmd.exe
PID 4284 wrote to memory of 3940	4284	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe	cmd.exe
PID 4284 wrote to memory of 3940	4284	{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe	cmd.exe
PID 664 wrote to memory of 5020	664	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
PID 664 wrote to memory of 5020	664	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
PID 664 wrote to memory of 5020	664	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
PID 664 wrote to memory of 4900	664	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe	cmd.exe
PID 664 wrote to memory of 4900	664	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe	cmd.exe
PID 664 wrote to memory of 4900	664	{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe	cmd.exe
PID 5020 wrote to memory of 3580	5020	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
PID 5020 wrote to memory of 3580	5020	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
PID 5020 wrote to memory of 3580	5020	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
PID 5020 wrote to memory of 5116	5020	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe	cmd.exe
PID 5020 wrote to memory of 5116	5020	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe	cmd.exe
PID 5020 wrote to memory of 5116	5020	{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe	cmd.exe
PID 3580 wrote to memory of 1856	3580	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe	{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe
PID 3580 wrote to memory of 1856	3580	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe	{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe
PID 3580 wrote to memory of 1856	3580	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe	{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe
PID 3580 wrote to memory of 4548	3580	{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8b1cd4edb2a6b8728a45fa10ded9d24e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe
C:\Windows\{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
C:\Windows\{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E02AE~1.EXE > nul
4⤵
PID:4192

C:\Windows\{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe
C:\Windows\{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
C:\Windows\{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
C:\Windows\{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
C:\Windows\{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
C:\Windows\{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
C:\Windows\{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
C:\Windows\{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
C:\Windows\{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe
C:\Windows\{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\{38EA5E61-035F-4984-8A9B-D0CB50C366B9}.exe
C:\Windows\{38EA5E61-035F-4984-8A9B-D0CB50C366B9}.exe
13⤵
- Executes dropped EXE
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1A486~1.EXE > nul
13⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8057A~1.EXE > nul
12⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{29C74~1.EXE > nul
11⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{672C5~1.EXE > nul
10⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{66A42~1.EXE > nul
9⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{87AEC~1.EXE > nul
8⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C0470~1.EXE > nul
7⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D830D~1.EXE > nul
6⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AF447~1.EXE > nul
5⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E51FD~1.EXE > nul
3⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A48686B-80F8-4d4b-9856-57E8527CA9F7}.exe
Filesize
204KB

MD5
a32be285f02926caecf02e93091b7b2c

SHA1
70dad8663b15ce186f2a40fb176da0b91c179f16

SHA256
589f880bd4f0f0cd3c23f073b439e855e1c74f4aea61bd1ecedcfb231be3c355

SHA512
1a0290f7236067bd200f20fb5e9a6edcdcd4f924cbfc272a17f859fe356ee838fecd37196c1b564a815efb79fc39b5d05e022126e72d72ebbcae0aef24aed0f9

Download Submit
C:\Windows\{29C74FCA-ABA3-4857-95B5-F98A3DD2695F}.exe
Filesize
204KB

MD5
ad33388a0bfc0497d73836a408e3fdfc

SHA1
1b691c5e951092b8d6a5807265e5f2f628f1873d

SHA256
4d16556a03069756670fd801ddd732efbc7ae008511c89609a1e3e4454d8780a

SHA512
bbfbe814c0037503a5549d11f1b8a01fd3db17b55e81e4539675a80f007be139f33811b7acad20c350c04afeca56b3eddd2367caf45cab3888556cb251a69a52

Download Submit
C:\Windows\{38EA5E61-035F-4984-8A9B-D0CB50C366B9}.exe
Filesize
204KB

MD5
1367b54f81a35f44eb57700eaa8fbd74

SHA1
cbf2741f7d978fbc74692d7d446caa61cf1a3f93

SHA256
30ea57e046ef795d19e5dda42a0ef094a86bb6723865b8e5304571c5f1eb6827

SHA512
5eee88b19b97deca4e4a49200204d09302aba3c375794dbf896254892902f7b2c262d4b7bc46f3ae0cd4b0628c5896deff82b5a534f087914b47a170994ea0eb

Download Submit
C:\Windows\{66A4202A-60FE-48c7-997C-FE032FAB9521}.exe
Filesize
204KB

MD5
6fe30edc949ae65d2123dcac340bd872

SHA1
a72b610a5ec1ab276df4dc885badfdace6e816e4

SHA256
3adf5580deb73dffb2a182d751d987ff1cae697003e446b0879468f25b7bed35

SHA512
d03db774a491720a1094d3c0a2a14a9fee8a9f931b103133f4aa93b7077d279dbbe57c9c441c1390ed0db1857607f4681a4f443236cd142b255b0a7230e25338

Download Submit
C:\Windows\{672C5777-9AB5-42c9-8F2F-4E1647DF52E0}.exe
Filesize
204KB

MD5
b02f1a4651e9fe73d321644701c23323

SHA1
4b036cd3bcdd65c605b38c29821e2a3e4cf3f297

SHA256
0557548b56dd7779247728d7b9c4c4e9e0a54d7d95afce3759393b500d4a5a52

SHA512
232ccf5b1e788e513d2e128d4c4dd0fb2b3ad42bf3ee61fcc11e0eda2799c338344d572a03285cfae14f157b282fdad1961852b13c7b07fb05f6e8eea440f27a

Download Submit
C:\Windows\{8057A8DD-9192-4fe7-9215-8B44C93DBDD0}.exe
Filesize
204KB

MD5
9954a5c4b04e60e9290236251e9c7bfd

SHA1
667434efa86a21c4ce89a2d335fa4d7d5095e615

SHA256
97f878ee62be4fba733201c3f31989aa3887843e40dc2fdf263fd9428f883bdb

SHA512
9247b4579cc144081f1ef1392cc7595ecd9c05ec50a21447f0c123d8fbf5aaf03f5f27c8f1d6e0db219ab23dd85983b9b3554af473a7c4e7a2e74754945beb32

Download Submit
C:\Windows\{87AEC837-F4C9-43a9-9876-B68EEFA7E6B0}.exe
Filesize
204KB

MD5
9947f2f3f5c82b6925a69597031a715a

SHA1
dd4d94c4258ee34d95aeff9542d66d5162ed3aac

SHA256
37be56ea43cc05a7284f227680021548f3d155d603addea3fe00e2c87c7ccf52

SHA512
fa21014570fb4488cbe570ac4d36ca2323e6cc534499517baf457fd6d4e5aa11d4ee4a667399bd49bd4c3c01c14c1a9edee81f51b4ef06c2c62de27da82531b0

Download Submit
C:\Windows\{AF44748B-41D3-4df4-BCEC-AA9DA8EC2042}.exe
Filesize
204KB

MD5
8ff4069ca42000548cab3ed8c0f09f5b

SHA1
b0350d928b75f60f8fb929d03b4c09b7949789c6

SHA256
5d9dd771a444845520d8e476d319c5d22f1e3e26961bc88931494bb199ebd1cc

SHA512
36b5413f05696a7ae41465a62122a7073e4df754263fd1fc9f650f90c1a4ef168c97154f99a7cdbfb219f1054731080deaa6408248faee7dd829d9aa6f4834af

Download Submit
C:\Windows\{C0470F81-71DB-411d-BE7E-CE61253FC271}.exe
Filesize
204KB

MD5
48ddbe063229d62c5c0f5b174a468797

SHA1
1087576fda06fc4a9259ad5a94171bb6dd89aae9

SHA256
ea5507395bbecea93e640cd96e0870ef88b4cfec5e19d539b734df3d6ad052fc

SHA512
dc99f187f85f5eca267387deb9edf3fbc210bd8dfeb6dde759c3651e3935eadc3cd00497b45ccba93820f4dcdf1cbf0301a596f5706b0c8d60bda8f85c1a1141

Download Submit
C:\Windows\{D830D6C5-AB07-4d47-AAE8-536B873A11A6}.exe
Filesize
204KB

MD5
a034035fe8c9932880ee21d73987f328

SHA1
dc39f007c959e0c8e7f34c771d8a2b4e57de464e

SHA256
ea9cc4ff0baec172cdcd651b3f67e5db8bd90c1cd1790c9f7567e49977f93e50

SHA512
d3656a7288850556251f7d42022df703d61a5277cd7e0c01aab342bee594b227a38a30640fab84338fb4ebf5a0472ffb4e4a05ffd6e6b662dfeb8211ecde8e3b

Download Submit
C:\Windows\{E02AEA2F-4115-4db4-9DAE-16FDC6DFC8BD}.exe
Filesize
204KB

MD5
9d720aa6ecf31bd13fc96d4d843f621f

SHA1
d0eccec7a8a5bdabda14ce0a6ed785c122957dfe

SHA256
c2b24da96f3948d232381be10727aef2eb8a85ee3e2eb8639679c8f858dfb337

SHA512
870eaf0a3d4666ed445f4c053cc44ea5277975b177d2af4be5a7655d4088e3b55db5b65b5c2d61aaf4161d08dfb2fcf7477896b3d4faf656a46b13ddb137ed81

Download Submit
C:\Windows\{E51FDE9E-6CF0-45df-A7E9-4181A85EC721}.exe
Filesize
204KB

MD5
fb2ff2ac33af653be85905d9c4ffe065

SHA1
8b83191012a46d1245d4abd158c253c573c5b447

SHA256
df66a3bd902d82321a896d1184e058e64b3817333b2528a5e9820eebeb300428

SHA512
41b3c930422b39d1c947b7cc885934fcf4f6d978687458a4bfaced860c5599db45061f09ed5e7aec7600a35ea0392b684027d22b4df57fbbba3aa63d4f05bc52

Download Submit