Overview

overview

10

Static

static

10

2024-01-25...ye.exe

windows7-x64

9

2024-01-25...ye.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2024 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-25_a6a6c6a7a55cefd0235aad1ddff45bff_goldeneye.exe

  • Size

    197KB

  • MD5

    a6a6c6a7a55cefd0235aad1ddff45bff

  • SHA1

    a5e8cc5603244f21808646fb0fd44aafc648d160

  • SHA256

    c7688f50d6cffe2a151e13461a876e9eb58e3e2dfee23d80e60f4925db3adfdd

  • SHA512

    e982e78a244a4600fc33003439d352e4773925925bbe5a113cf2f6bcc45bf6d45a3533a497f74b0be4848e29fcf2c2f9527f26fb5ee0604d43eda3db27cd9f35

  • SSDEEP

    3072:jEGh0oJ5l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGplEeKcAEca

Score
10/10
kinsingloaderpersistence

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

    loaderkinsing
  • Auto-generated rule 13 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-25_a6a6c6a7a55cefd0235aad1ddff45bff_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_a6a6c6a7a55cefd0235aad1ddff45bff_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Windows\{80ED15F7-6DF9-41cb-8BC1-7EC02458CE0D}.exe
      C:\Windows\{80ED15F7-6DF9-41cb-8BC1-7EC02458CE0D}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3408
      • C:\Windows\{530B4F51-0136-4aae-965C-D3DD70A2BF1A}.exe
        C:\Windows\{530B4F51-0136-4aae-965C-D3DD70A2BF1A}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\{F7BE0743-039C-417b-9070-DB43F3488FA3}.exe
          C:\Windows\{F7BE0743-039C-417b-9070-DB43F3488FA3}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4556
          • C:\Windows\{C81B4663-0F96-4bf6-9BEE-243844519071}.exe
            C:\Windows\{C81B4663-0F96-4bf6-9BEE-243844519071}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1204
            • C:\Windows\{A2B709AF-038E-4594-BE43-EE77C3B4B118}.exe
              C:\Windows\{A2B709AF-038E-4594-BE43-EE77C3B4B118}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:676
              • C:\Windows\{64D517B6-10C6-4953-8B1A-9100FBBE7606}.exe
                C:\Windows\{64D517B6-10C6-4953-8B1A-9100FBBE7606}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3748
                • C:\Windows\{883976AB-830E-4675-AE83-C0C5B9D172F0}.exe
                  C:\Windows\{883976AB-830E-4675-AE83-C0C5B9D172F0}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3724
                  • C:\Windows\{D4E58070-32DD-4d13-810E-84096889C1F2}.exe
                    C:\Windows\{D4E58070-32DD-4d13-810E-84096889C1F2}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2060
                    • C:\Windows\{B1446858-5364-4376-9C30-E52A44DB1821}.exe
                      C:\Windows\{B1446858-5364-4376-9C30-E52A44DB1821}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1552
                      • C:\Windows\{3805EBDC-50C3-4704-A885-53D6D5031A13}.exe
                        C:\Windows\{3805EBDC-50C3-4704-A885-53D6D5031A13}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:548
                        • C:\Windows\{7C9BA5F5-409C-4635-8BC4-C5464A7B20D9}.exe
                          C:\Windows\{7C9BA5F5-409C-4635-8BC4-C5464A7B20D9}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3212
                          • C:\Windows\{FF6DAD88-6AE8-40cd-98C3-7E28E8016DBD}.exe
                            C:\Windows\{FF6DAD88-6AE8-40cd-98C3-7E28E8016DBD}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1584
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7C9BA~1.EXE > nul
                            13⤵
                              PID:1468
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3805E~1.EXE > nul
                            12⤵
                              PID:400
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B1446~1.EXE > nul
                            11⤵
                              PID:1976
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D4E58~1.EXE > nul
                            10⤵
                              PID:2288
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{88397~1.EXE > nul
                            9⤵
                              PID:2884
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{64D51~1.EXE > nul
                            8⤵
                              PID:1732
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A2B70~1.EXE > nul
                            7⤵
                              PID:2724
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C81B4~1.EXE > nul
                            6⤵
                              PID:4724
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F7BE0~1.EXE > nul
                            5⤵
                              PID:3956
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{530B4~1.EXE > nul
                            4⤵
                              PID:672
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{80ED1~1.EXE > nul
                            3⤵
                              PID:4812
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:1488

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{3805EBDC-50C3-4704-A885-53D6D5031A13}.exe
                            Filesize

                            197KB

                            MD5

                            2025182a5d5a7177f6cf705901924c85

                            SHA1

                            72b43d42a5f33caf749e74b3e72b5affb8bd6520

                            SHA256

                            88a7779a8d1c45cd77f0d50fa22b55ed6853692ca88b61e4a8cd8da012827ddf

                            SHA512

                            994f2c9a6c2adabbe5a1571d3a3e0580f44442adeadda55eaa8ff1d20c8f8b63d34963342a4918e98c560c209756bcb18e6863d9db2464297ac5dfe476044a2f

                            Download Submit
                          • C:\Windows\{530B4F51-0136-4aae-965C-D3DD70A2BF1A}.exe
                            Filesize

                            197KB

                            MD5

                            ba3a3fc2f86a1d1e088e6e9bfb6413f4

                            SHA1

                            1078e6944b67f26ee24d7404c6e8a7a66d4552b9

                            SHA256

                            7db783c315b5ee9c65bdbfc6713a258dfe786add8d74288167618aa1404810da

                            SHA512

                            647a9c9f826212b224c279068b696e6c7fb1dd0f67aae281dc1586ea84bba5ce73f24dbd8e7ee11dec00a6fae59f80f04e63aad7f93c43cacfc94bbed5945136

                            Download Submit
                          • C:\Windows\{64D517B6-10C6-4953-8B1A-9100FBBE7606}.exe
                            Filesize

                            166KB

                            MD5

                            67115f3600a35c79bb24691d8a0fe556

                            SHA1

                            e5870fba1be0a0cdd257cc8b227028fdae1e2947

                            SHA256

                            e0998ec3ef2989ff3bcafbf8985801c2c3b31506c561a8abc84ce9d283e05f73

                            SHA512

                            a9180b0ee98b54015f0fe73efc0af0c9f303e9fede979a1a4b73c272306f97dc969e8baad9aecf6a8a8b4d33acb899ef780f76ed169d7c683e75b98bf027f102

                            Download Submit
                          • C:\Windows\{64D517B6-10C6-4953-8B1A-9100FBBE7606}.exe
                            Filesize

                            197KB

                            MD5

                            42b0da8f371ff7aa045977824d2e119d

                            SHA1

                            cd74e86bdf368aff5aed9331556611c792d309d2

                            SHA256

                            b5393f4bd13d9108dc296fec7780bbd1a5d49500b86a10e760542d267610d7ab

                            SHA512

                            3c5b7c0df25c7d4d110252892c22549a7ee020535e483cf3b739a93f4fe49238823a56822e77f7f8a7ae2a962ba1450236ae7ebcf762e136bcfe5ded7033e13e

                            Download Submit
                          • C:\Windows\{7C9BA5F5-409C-4635-8BC4-C5464A7B20D9}.exe
                            Filesize

                            197KB

                            MD5

                            a6cbed048100dad874b323dc99964dc4

                            SHA1

                            398ef3806641c7c9d97ae908ae7e206f0829da4b

                            SHA256

                            b8802ffee0a5c772fb23f137ddef76b919c58e48b3a471a893ca1ff13e3a7260

                            SHA512

                            98f6aef37e0b130488d14fe3b507ed455d66836e13753afabca1f708d9d1ab8a48c88ec54ae024c440c8bbac3ce209fb8a3e81c9ffdc0f1e4c3e9846f5acd4ca

                            Download Submit
                          • C:\Windows\{80ED15F7-6DF9-41cb-8BC1-7EC02458CE0D}.exe
                            Filesize

                            197KB

                            MD5

                            213b27c8837f7edefd8dc89ae65c3434

                            SHA1

                            88ac95c6766b019f23c1d29e288552cb142ceba4

                            SHA256

                            5aae9f0b0cdcc3a25741e5a3a61d9daef01fd0c2d2dc38d881e72be64c99d7bf

                            SHA512

                            25940c61af3a83666626f20682039e32e823ac1cbb36689232e4890841134c41c42c5eb87284eb6478f8fca27df4d8147a7a6642dba2c098af8b24a743c7c3e5

                            Download Submit
                          • C:\Windows\{883976AB-830E-4675-AE83-C0C5B9D172F0}.exe
                            Filesize

                            197KB

                            MD5

                            a5f6aafafbc549c80dc2863e8ea1ba8a

                            SHA1

                            bc087ac3cf71a243540e37342f0a4696a7bb27ff

                            SHA256

                            6c879099f9fe92851506dbcaba72fd43c282518a425f1204d5a506b58609487b

                            SHA512

                            f7571c1d70146ed833ae3b2319fcb49cbda56e48179341382dd57fdcc98c6b47257fc6974715508fb9874e6f57fe7f2ba100e6b8704c05ad38bffeb2e66ef449

                            Download Submit
                          • C:\Windows\{A2B709AF-038E-4594-BE43-EE77C3B4B118}.exe
                            Filesize

                            197KB

                            MD5

                            e44d78082516ebb2caac4024ca4597dd

                            SHA1

                            a66cc6e3c0beafefb289aff5295794055eb732d1

                            SHA256

                            197b896873ea087d19a12319f5131e3d4911e3fcc3cf38fa22b35d2088305998

                            SHA512

                            5f2e5e5c91c83111aec3b00f8fae0c3a6bc61a3af15bc6e55c081619352cf25dae66db87da2623932090472ad7b7ddc1a05e6c523310100b84268df24541a8e8

                            Download Submit
                          • C:\Windows\{B1446858-5364-4376-9C30-E52A44DB1821}.exe
                            Filesize

                            197KB

                            MD5

                            9922f77c9942b4b8f0e4a616a7a3a985

                            SHA1

                            38c1954f63d6f05d54fd44f40be358c4e52b67c6

                            SHA256

                            2efa37b9d4d0242bca170f9ad56b6ae0eca7f18ee70ddf9d4590bc25331b88e0

                            SHA512

                            b0b24126667ada15be031a4e9672279b17346bfa795bd56ce49c59eff741a9abefeda6fb4420e36db8efc76fad697ba01d741fb4b83af6561df8aca36325beb6

                            Download Submit
                          • C:\Windows\{C81B4663-0F96-4bf6-9BEE-243844519071}.exe
                            Filesize

                            197KB

                            MD5

                            a582e85237693655c4edeec6da6a43fc

                            SHA1

                            fb5c51c5ddd7302e15caaa54ac0ad3e70d7a1158

                            SHA256

                            f9b2bb9356c51a40871649a185d88ab5281953074ace32112b0a7aed87cb570f

                            SHA512

                            d61c7b2b1c72c59a075279754ec1231196908ffc1aca8867cae8942ebbbe97428f8eea822a31b02b5c66f62ab3ce29bd220acd639ede5380ad9226aa805dc1e1

                            Download Submit
                          • C:\Windows\{D4E58070-32DD-4d13-810E-84096889C1F2}.exe
                            Filesize

                            197KB

                            MD5

                            8ac943ac912928c4b92ffab3ecb222db

                            SHA1

                            3c95237eeda09d8454145a187f4ce3bc7a5704bd

                            SHA256

                            55b71972646db36ecb089bc7d5208555d121532b88580460c2e8fb04f9957b28

                            SHA512

                            341c78a55b647d643be68ace832f19238340323e6bc9a04ee360a229c7a5ba4bffb68250292a5c22e59e0086b000408a8b7f38f65c2cbae035b819c96b929c51

                            Download Submit
                          • C:\Windows\{F7BE0743-039C-417b-9070-DB43F3488FA3}.exe
                            Filesize

                            197KB

                            MD5

                            7267f1954e5323750c6991bbfdee5aa9

                            SHA1

                            24f42b3954f301b86d5f4b724d86a740ffb4397c

                            SHA256

                            9268ffc7958d20454aadca2089d9d9c204a598f35dd25861ad268f420ba1902c

                            SHA512

                            76e4a9a1d08377f25e2ef50b976b2730d49dabc224018ffda6cd7ee5899ea60892b7196199247607840b763bf8a92090ec51c92181bd24bcd60df17d6dfd8218

                            Download Submit
                          • C:\Windows\{FF6DAD88-6AE8-40cd-98C3-7E28E8016DBD}.exe
                            Filesize

                            197KB

                            MD5

                            a4bffe38223e22af21be50b7492a25c1

                            SHA1

                            f2006489ec4825035e8585685ae4e8a298d02e45

                            SHA256

                            95b1cf8bf461138dd48938ce50a73bb36721432f3dd071f3bc11ad91abcaf72c

                            SHA512

                            9cfc3de5ed451ff1ba670c8463772edb6725b6aafc824ecf638aa85348e034920a7cc62a09b329c9cb62259df9f6b5e5ec8720811ab807afe3e9bc3d7fcf3f8e

                            Download Submit