kinsing | 2ca065cae559efd8a6299c4f445039f89c4634d3ed5ebe04b852dca766638d86

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
Size

408KB
MD5

7df4b59046fdae4fcc69bdeb2e2e8c60
SHA1

5abc70556eacaf2444e7b4f5bf516f05dbe2befe
SHA256

2ca065cae559efd8a6299c4f445039f89c4634d3ed5ebe04b852dca766638d86
SHA512

09e656cc6c180d7ba28d6394f3a90443bbcab652c89cb2dae77ea90485cdc091451f4ffb62b93b01944aaa667806947b5c259679c79bf3cbcf0c8b1e8d90d72a
SSDEEP

3072:CEGh0oTl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{298F27EB-CE93-42ae-847D-582E1911D743}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{438CDC0F-8619-4ab8-8980-3383570943AF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2181A24C-0594-4f91-A982-2961D3DA1670}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{15B1250D-31E4-497d-A583-8800EC829DA0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe{438CDC0F-8619-4ab8-8980-3383570943AF}.exe{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe{2181A24C-0594-4f91-A982-2961D3DA1670}.exe{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe{298F27EB-CE93-42ae-847D-582E1911D743}.exe{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEF54594-D091-4877-9F64-2E7D78A941A1}\stubpath = "C:\\Windows\\{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe"	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}\stubpath = "C:\\Windows\\{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe"	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}\stubpath = "C:\\Windows\\{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe"	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2181A24C-0594-4f91-A982-2961D3DA1670}\stubpath = "C:\\Windows\\{2181A24C-0594-4f91-A982-2961D3DA1670}.exe"	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{412FA2FC-DBAC-4464-8097-F738640E2B5C}\stubpath = "C:\\Windows\\{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe"	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B1250D-31E4-497d-A583-8800EC829DA0}\stubpath = "C:\\Windows\\{15B1250D-31E4-497d-A583-8800EC829DA0}.exe"	{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC34E955-8703-402e-B5CA-EB9EB3316DD0}	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC34E955-8703-402e-B5CA-EB9EB3316DD0}\stubpath = "C:\\Windows\\{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe"	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{298F27EB-CE93-42ae-847D-582E1911D743}	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{298F27EB-CE93-42ae-847D-582E1911D743}\stubpath = "C:\\Windows\\{298F27EB-CE93-42ae-847D-582E1911D743}.exe"	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2181A24C-0594-4f91-A982-2961D3DA1670}	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{438CDC0F-8619-4ab8-8980-3383570943AF}	{298F27EB-CE93-42ae-847D-582E1911D743}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{438CDC0F-8619-4ab8-8980-3383570943AF}\stubpath = "C:\\Windows\\{438CDC0F-8619-4ab8-8980-3383570943AF}.exe"	{298F27EB-CE93-42ae-847D-582E1911D743}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E499E94-EC00-4d3a-8770-C78275E4EA58}\stubpath = "C:\\Windows\\{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe"	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}\stubpath = "C:\\Windows\\{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe"	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEF54594-D091-4877-9F64-2E7D78A941A1}	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B1250D-31E4-497d-A583-8800EC829DA0}	{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{412FA2FC-DBAC-4464-8097-F738640E2B5C}	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}\stubpath = "C:\\Windows\\{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe"	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E499E94-EC00-4d3a-8770-C78275E4EA58}	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe

Executes dropped EXE 12 IoCs

Processes:

{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe{298F27EB-CE93-42ae-847D-582E1911D743}.exe{438CDC0F-8619-4ab8-8980-3383570943AF}.exe{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe{2181A24C-0594-4f91-A982-2961D3DA1670}.exe{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe{15B1250D-31E4-497d-A583-8800EC829DA0}.exe

pid	process
1160	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
4524	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
4204	{298F27EB-CE93-42ae-847D-582E1911D743}.exe
2968	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
5044	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
4296	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
3464	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe
4460	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
1524	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
1340	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
64	{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe
3024	{15B1250D-31E4-497d-A583-8800EC829DA0}.exe

Drops file in Windows directory 12 IoCs

Processes:

{298F27EB-CE93-42ae-847D-582E1911D743}.exe{438CDC0F-8619-4ab8-8980-3383570943AF}.exe{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe{2181A24C-0594-4f91-A982-2961D3DA1670}.exe{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe

description	ioc	process
File created	C:\Windows\{438CDC0F-8619-4ab8-8980-3383570943AF}.exe	{298F27EB-CE93-42ae-847D-582E1911D743}.exe
File created	C:\Windows\{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
File created	C:\Windows\{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
File created	C:\Windows\{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe
File created	C:\Windows\{2181A24C-0594-4f91-A982-2961D3DA1670}.exe	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
File created	C:\Windows\{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
File created	C:\Windows\{15B1250D-31E4-497d-A583-8800EC829DA0}.exe	{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe
File created	C:\Windows\{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
File created	C:\Windows\{298F27EB-CE93-42ae-847D-582E1911D743}.exe	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
File created	C:\Windows\{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
File created	C:\Windows\{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
File created	C:\Windows\{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe{298F27EB-CE93-42ae-847D-582E1911D743}.exe{438CDC0F-8619-4ab8-8980-3383570943AF}.exe{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe{2181A24C-0594-4f91-A982-2961D3DA1670}.exe{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4552	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1160	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
Token: SeIncBasePriorityPrivilege	4524	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
Token: SeIncBasePriorityPrivilege	4204	{298F27EB-CE93-42ae-847D-582E1911D743}.exe
Token: SeIncBasePriorityPrivilege	2968	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
Token: SeIncBasePriorityPrivilege	5044	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
Token: SeIncBasePriorityPrivilege	4296	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
Token: SeIncBasePriorityPrivilege	3464	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe
Token: SeIncBasePriorityPrivilege	4460	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
Token: SeIncBasePriorityPrivilege	1524	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
Token: SeIncBasePriorityPrivilege	1340	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
Token: SeIncBasePriorityPrivilege	64	{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4552 wrote to memory of 1160	4552	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
PID 4552 wrote to memory of 1160	4552	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
PID 4552 wrote to memory of 1160	4552	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
PID 4552 wrote to memory of 4736	4552	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	cmd.exe
PID 4552 wrote to memory of 4736	4552	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	cmd.exe
PID 4552 wrote to memory of 4736	4552	2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe	cmd.exe
PID 1160 wrote to memory of 4524	1160	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
PID 1160 wrote to memory of 4524	1160	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
PID 1160 wrote to memory of 4524	1160	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
PID 1160 wrote to memory of 4252	1160	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe	cmd.exe
PID 1160 wrote to memory of 4252	1160	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe	cmd.exe
PID 1160 wrote to memory of 4252	1160	{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe	cmd.exe
PID 4524 wrote to memory of 4204	4524	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe	{298F27EB-CE93-42ae-847D-582E1911D743}.exe
PID 4524 wrote to memory of 4204	4524	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe	{298F27EB-CE93-42ae-847D-582E1911D743}.exe
PID 4524 wrote to memory of 4204	4524	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe	{298F27EB-CE93-42ae-847D-582E1911D743}.exe
PID 4524 wrote to memory of 1580	4524	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe	cmd.exe
PID 4524 wrote to memory of 1580	4524	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe	cmd.exe
PID 4524 wrote to memory of 1580	4524	{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe	cmd.exe
PID 4204 wrote to memory of 2968	4204	{298F27EB-CE93-42ae-847D-582E1911D743}.exe	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
PID 4204 wrote to memory of 2968	4204	{298F27EB-CE93-42ae-847D-582E1911D743}.exe	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
PID 4204 wrote to memory of 2968	4204	{298F27EB-CE93-42ae-847D-582E1911D743}.exe	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
PID 4204 wrote to memory of 1972	4204	{298F27EB-CE93-42ae-847D-582E1911D743}.exe	cmd.exe
PID 4204 wrote to memory of 1972	4204	{298F27EB-CE93-42ae-847D-582E1911D743}.exe	cmd.exe
PID 4204 wrote to memory of 1972	4204	{298F27EB-CE93-42ae-847D-582E1911D743}.exe	cmd.exe
PID 2968 wrote to memory of 5044	2968	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
PID 2968 wrote to memory of 5044	2968	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
PID 2968 wrote to memory of 5044	2968	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
PID 2968 wrote to memory of 2764	2968	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe	cmd.exe
PID 2968 wrote to memory of 2764	2968	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe	cmd.exe
PID 2968 wrote to memory of 2764	2968	{438CDC0F-8619-4ab8-8980-3383570943AF}.exe	cmd.exe
PID 5044 wrote to memory of 4296	5044	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
PID 5044 wrote to memory of 4296	5044	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
PID 5044 wrote to memory of 4296	5044	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
PID 5044 wrote to memory of 2884	5044	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe	cmd.exe
PID 5044 wrote to memory of 2884	5044	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe	cmd.exe
PID 5044 wrote to memory of 2884	5044	{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe	cmd.exe
PID 4296 wrote to memory of 3464	4296	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe
PID 4296 wrote to memory of 3464	4296	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe
PID 4296 wrote to memory of 3464	4296	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe
PID 4296 wrote to memory of 4288	4296	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe	cmd.exe
PID 4296 wrote to memory of 4288	4296	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe	cmd.exe
PID 4296 wrote to memory of 4288	4296	{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe	cmd.exe
PID 3464 wrote to memory of 4460	3464	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
PID 3464 wrote to memory of 4460	3464	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
PID 3464 wrote to memory of 4460	3464	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
PID 3464 wrote to memory of 840	3464	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe	cmd.exe
PID 3464 wrote to memory of 840	3464	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe	cmd.exe
PID 3464 wrote to memory of 840	3464	{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe	cmd.exe
PID 4460 wrote to memory of 1524	4460	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
PID 4460 wrote to memory of 1524	4460	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
PID 4460 wrote to memory of 1524	4460	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
PID 4460 wrote to memory of 4656	4460	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe	cmd.exe
PID 4460 wrote to memory of 4656	4460	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe	cmd.exe
PID 4460 wrote to memory of 4656	4460	{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe	cmd.exe
PID 1524 wrote to memory of 1340	1524	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
PID 1524 wrote to memory of 1340	1524	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
PID 1524 wrote to memory of 1340	1524	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
PID 1524 wrote to memory of 4692	1524	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe	cmd.exe
PID 1524 wrote to memory of 4692	1524	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe	cmd.exe
PID 1524 wrote to memory of 4692	1524	{2181A24C-0594-4f91-A982-2961D3DA1670}.exe	cmd.exe
PID 1340 wrote to memory of 64	1340	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe	{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe
PID 1340 wrote to memory of 64	1340	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe	{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe
PID 1340 wrote to memory of 64	1340	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe	{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe
PID 1340 wrote to memory of 2944	1340	{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7df4b59046fdae4fcc69bdeb2e2e8c60_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
C:\Windows\{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
C:\Windows\{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1DAFB~1.EXE > nul
4⤵
PID:1580

C:\Windows\{298F27EB-CE93-42ae-847D-582E1911D743}.exe
C:\Windows\{298F27EB-CE93-42ae-847D-582E1911D743}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
C:\Windows\{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
C:\Windows\{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
C:\Windows\{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe
C:\Windows\{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
C:\Windows\{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
C:\Windows\{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
C:\Windows\{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe
C:\Windows\{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\{15B1250D-31E4-497d-A583-8800EC829DA0}.exe
C:\Windows\{15B1250D-31E4-497d-A583-8800EC829DA0}.exe
13⤵
- Executes dropped EXE
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BEF54~1.EXE > nul
13⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CCFA4~1.EXE > nul
12⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2181A~1.EXE > nul
11⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9E499~1.EXE > nul
10⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E52B3~1.EXE > nul
9⤵
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{412FA~1.EXE > nul
8⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0AFF2~1.EXE > nul
7⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{438CD~1.EXE > nul
6⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{298F2~1.EXE > nul
5⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AC34E~1.EXE > nul
3⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AFF27F2-8A1E-49b9-A5E2-0E24FFF3758C}.exe
Filesize
408KB

MD5
57149133b51ae4b2b2cd3d929eb7bd23

SHA1
6f3c9c6f3eaecffb0e791bdb0170efa33e883c42

SHA256
c34711846eacea9e59c148e024f2c32d01c80a8b8e43f50d534b4dbb0f2a80e9

SHA512
a12f3d9d13352d66f1eac360f91e11c96e4876aca08ac907badb18f42ab6b744c1db13817efd175b64a78b129c910530570fce447341c23c34831dc132048da1

Download Submit
C:\Windows\{15B1250D-31E4-497d-A583-8800EC829DA0}.exe
Filesize
408KB

MD5
edb05fece9f9bbcf4cec74ae28ef8846

SHA1
2eeaa9fe340304d416cb58a52c957b3ee782b0ce

SHA256
b12a88c7a85ecb3d8e3cff1faece03faafc89680832821cc492725b98247f10a

SHA512
1e4a0544b1d366246c3070c7d55f5b2f09f89bcedcf9a7d742697a7402a63ac18d4edc015bbe5c2d3e2ffcb4e3fa59072d89a655a965fa5e715d1ff83d250318

Download Submit
C:\Windows\{1DAFBF8A-AE5F-416d-8C6F-B265FC079053}.exe
Filesize
408KB

MD5
b972f59c9009a44ec24e7b4b961941f1

SHA1
ece04840ff5c3f11c9609820924d9f8ffc409af9

SHA256
60452d904abee1228f300d4f04b838f995b02173714eac97ba14324b38692b87

SHA512
00c2301c31a36968f4e1384673bd22e235a48a6867a89eca6ba6323b6df3dfae5df64f9dfc4f7b83dd298bbb445b1f92f94cc35c9c1b8dc2e80cb478bfe5e9f8

Download Submit
C:\Windows\{2181A24C-0594-4f91-A982-2961D3DA1670}.exe
Filesize
408KB

MD5
99e7891ba765c4bfadc910fa6ce2aa1e

SHA1
165e9c0df3630e40199b6a9149efba5622bbb306

SHA256
e62c78731b3bf86e51ff06369ae313342aaf568f66c557448c8fca0be90da0bf

SHA512
d6cc2a12d664ef60b6dc406a8916831600366e8c4d5a3ca4572ab1f3871309c9de28b4bdf443caa36ba24adf8b72878e86fe24954286078c0c2386d7f6c07caa

Download Submit
C:\Windows\{298F27EB-CE93-42ae-847D-582E1911D743}.exe
Filesize
408KB

MD5
9440b2f35b843e6ad1eada7afbdc211d

SHA1
74439ca586e2dc11aeab039e4bf9e06f2902ff2c

SHA256
1f645a79ee706dab39398eaea06ce1c077069d0b84c6a770f8dca88496c45e25

SHA512
a2dd8208ba0f61c8de0d32777e44bbab54aef7657c12cf380507e3086e74f15dff557c43d9db04f83b79a6b77673c66e9fa7b9cdb65755606b06085e78d3ec1a

Download Submit
C:\Windows\{412FA2FC-DBAC-4464-8097-F738640E2B5C}.exe
Filesize
408KB

MD5
a7d72047d435699e54a928ce1b0fddb8

SHA1
93f0280274a16efc5de1785d08f68387ae90c238

SHA256
3b17e7eed06864c5d2483b397ff7de1df49c9266056b756216d1e5f5083d02c3

SHA512
5c945223437d6506680ec0340c80fe6288a585af700e84ea2a6556af0f445786343549f0fd63011f7189a034f6dcde0e5e7360b360cf663104fa735217a9a259

Download Submit
C:\Windows\{438CDC0F-8619-4ab8-8980-3383570943AF}.exe
Filesize
408KB

MD5
e1ce7b91da3d9b8f87214de273601fd7

SHA1
ad67718ba16424ac150f6c1a542b9e3c7035c56d

SHA256
f50d0207a98b763184e111a2f8636ec3275176354e2060697d601b03f364076e

SHA512
39c7ef65fef0fa5c1ebf371474f5e39742b6135f075c7523ddf0570ab43cb8c30cf8721aad34fffb3192927fce262596683d796fea32176200c287d05ae44045

Download Submit
C:\Windows\{9E499E94-EC00-4d3a-8770-C78275E4EA58}.exe
Filesize
408KB

MD5
f01f0eea51fe8134e81bf4ef1899cd24

SHA1
f06e493c60ceb17600c9abfc974a0a636ccc5155

SHA256
11caec6d93bfa9b529e3bc5f222f3f19551af842207a1b9e9d850b8911a2eb2d

SHA512
a814d62b0510a5857b3c8e966a5ede5ee8cb09982c8650ac1ab65dbf321c4a856674b5a5a65f10042ddc6f97483bf379f6187068af3fa85ccc540b96738c268c

Download Submit
C:\Windows\{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
Filesize
408KB

MD5
940b2296cfbcbc400775af96afc34099

SHA1
f8fc05bac956d19cd7387d9c69371b9eea79730f

SHA256
1959474fdcbc7d9db8ce9ca31b007e35c84d7e5a4d1a92a055f889b57ca23bdd

SHA512
4bb43b404f8348ef9d92d37522efd390502c4791a826dc3f064c748a87557b8b948a88270a90e0c3876038070fb2f82b51e1a78652099eb4acb0272e9ee6a50a

Download Submit
C:\Windows\{AC34E955-8703-402e-B5CA-EB9EB3316DD0}.exe
Filesize
261KB

MD5
1ff4036c3b32c84b01fa18aa5096de7e

SHA1
71318e6073174210f314c8979cc14e59e26d9e45

SHA256
aa7f3f9b9ca63ced84e84a04ace3ab64b6962ee73b1a1803059abca7a1efde0b

SHA512
e22c5d4f989ead274487d71ca9226b6c16bb0b1eba7044794b443c2943fada4faa1248adaade6e4a66ca3d8941b33e0b2a82df2f58076b719acf8cef39b5bd68

Download Submit
C:\Windows\{BEF54594-D091-4877-9F64-2E7D78A941A1}.exe
Filesize
408KB

MD5
0eb6461a926703ea3a14f54887de3a0d

SHA1
4c7de22657efcd76720456648d4f8fe008270abf

SHA256
21a51054f2999c73f56569694db3d193c94322eab8a03020e38bb60871544378

SHA512
9afcba8f269317bc5c9fc8a87daf05b38f9ea00cabe89381644e3361b48f21078c97e7217ce122d97634bea4b91ab2a40c5fd8f3d27b5c1dac91e76089fa562f

Download Submit
C:\Windows\{CCFA45B0-6D45-4b36-B811-AC4F05A31E2F}.exe
Filesize
408KB

MD5
ef648b3318fec92c84a044ec5cd2a603

SHA1
a43be173a2c1750290fdb161f57f24147cf7833c

SHA256
8097b40d99b38ed09765e78baa33d99540d4f380c1ecd631aa20cdb7dee8c5e5

SHA512
5bfd11b33911c59ae0f2f301d9dda838e70994702969a0a1df726670571ee5fb89831550292fed358cab15737f0fb8b93d5c1cb9e28959df8870c148667254f0

Download Submit
C:\Windows\{E52B3F2A-7BE7-4d09-B8EF-B05781B4339E}.exe
Filesize
408KB

MD5
c66085b90f038ca01a4abe7334e369be

SHA1
7faae9d7047434756f2eae5dce652645ab481015

SHA256
fbea3d167797f7cf9424c628eb8a763157b9856c2d5fa93c063435a510a1f58f

SHA512
f41d2097b2e8ddcac75b570572b3299c88354776905b3e5c654ad0c48928940709011eff8e6193022eea69f4af93fd702a0134933bf9a02950f1123bd6bb91f0

Download Submit