Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-01-2024 15:55
General
-
Target
2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe
-
Size
168KB
-
MD5
f0c25c8a89cc8a13c499f95d5131db82
-
SHA1
847b9d56c83b43c9bc04387c705b962dafeeb82b
-
SHA256
5cda1f5a39fe82aa6ee646a9b4ecee7990e5c718c8b1f081520da25ed6d316aa
-
SHA512
c7f9c1e5d11e902632c331babc5d3bb04e1b5c893ebdbc2684b659fd209f2aefa6d903ec9ddd2149dbd4f4e5d711b0fc1646fc8b50f8032af3c1630f2079b3d6
-
SSDEEP
1536:1EGh0oslq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oslqOPOe2MUVg3Ve+rX
Malware Config
Signatures
-
Kinsing
Kinsing is a loader written in Golang.
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_f0c25c8a89cc8a13c499f95d5131db82_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C80324DE-7C60-44ac-86D9-E73903837509}.exeC:\Windows\{C80324DE-7C60-44ac-86D9-E73903837509}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4031A294-8D8E-47eb-BE2B-ECC0F3ADCF9F}.exeC:\Windows\{4031A294-8D8E-47eb-BE2B-ECC0F3ADCF9F}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{73080A89-114B-4b64-BF9F-026AD88D3CC8}.exeC:\Windows\{73080A89-114B-4b64-BF9F-026AD88D3CC8}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{AE2317F5-2BD7-427a-8592-258864DEF735}.exeC:\Windows\{AE2317F5-2BD7-427a-8592-258864DEF735}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{70F5DA56-D5C1-44eb-B2E7-F2FDEB5ABC01}.exeC:\Windows\{70F5DA56-D5C1-44eb-B2E7-F2FDEB5ABC01}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{64556675-990C-47ef-9D12-70C3F6FC1F00}.exeC:\Windows\{64556675-990C-47ef-9D12-70C3F6FC1F00}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0EE24D8B-50AC-4fe9-9C6F-5D16022CADBD}.exeC:\Windows\{0EE24D8B-50AC-4fe9-9C6F-5D16022CADBD}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6685BA2D-6713-452e-9DD4-86300CF85351}.exeC:\Windows\{6685BA2D-6713-452e-9DD4-86300CF85351}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BDD0D4C4-9B7D-40eb-B0B2-9A1EA085BF84}.exeC:\Windows\{BDD0D4C4-9B7D-40eb-B0B2-9A1EA085BF84}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2EAB27C8-8FB2-4b3b-A4DA-9AEF96856A1B}.exeC:\Windows\{2EAB27C8-8FB2-4b3b-A4DA-9AEF96856A1B}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{22F79A3C-883E-4356-8B6B-AEC1A899DC2E}.exeC:\Windows\{22F79A3C-883E-4356-8B6B-AEC1A899DC2E}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{6603BBD1-6754-4d25-88A7-2B70B9D128EB}.exeC:\Windows\{6603BBD1-6754-4d25-88A7-2B70B9D128EB}.exe13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{22F79~1.EXE > nul13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2EAB2~1.EXE > nul12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BDD0D~1.EXE > nul11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6685B~1.EXE > nul10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0EE24~1.EXE > nul9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{64556~1.EXE > nul8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{70F5D~1.EXE > nul7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{AE231~1.EXE > nul6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{73080~1.EXE > nul5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4031A~1.EXE > nul4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C8032~1.EXE > nul3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\{0EE24D8B-50AC-4fe9-9C6F-5D16022CADBD}.exeFilesize
168KB
MD5f0a1ac6147fa229076fcd7ef8d993e8c
SHA13c2029a590000b9f6285301e3629dfb0d5614ef2
SHA256c421e09491b15b1898db3531b1fa25c7c6b8ad242157cbc89aba55faed9474be
SHA5129a80075f4c85e81beef63ec8b7ac33a64e420f85eca8f735b1c64429fe6aab86491b52a5c94878fdbc080f95ffa8aa72a6209c0e800b75ff77546d9dd3b245c8
-
C:\Windows\{22F79A3C-883E-4356-8B6B-AEC1A899DC2E}.exeFilesize
168KB
MD51032e82fba7a2d8ad9499aa7ca53d2b4
SHA1cbf64c8b3938941951433ff10409f1137d9ae718
SHA2568e7229bc8b34e051c679332c925d83440f943f1a47809040cb81a4c0d1f50b57
SHA5124dded380da6fb5ea36d1c35d4ff4aef1ee22856f6cfc6518b062e1926b5700c4e0101247f80bc1ced4965641bf9f28ecede5d016078307cca8597d439c25195b
-
C:\Windows\{2EAB27C8-8FB2-4b3b-A4DA-9AEF96856A1B}.exeFilesize
168KB
MD5600b34e179019eef395e748fcf04d535
SHA152d0af97827d2b6b5bdc85eb5c3979b2ea840554
SHA2569792fb91bd1197fee75b9353e62b7cec2c08edc4e02d0adfee19e325f161ffa1
SHA5123ab47dcdb3b71b2dcf7862209c11f56cc73ea8159969f3c57ed84b37080b97ea0bc009abbeca802506fcacd50b74d896d6b537947073fe22acd5077f090e767a
-
C:\Windows\{4031A294-8D8E-47eb-BE2B-ECC0F3ADCF9F}.exeFilesize
168KB
MD5249a61b0bfc81bdd79d09291c55b7b5f
SHA151f84d1fa51243a587a7da6823da886b99f3336a
SHA256094dae1670d89f4807c5a0a9d97080666c719ea5415b6ecdfb30194ef1a3fac3
SHA5120679a615c27b7fe3540162e5390bc016cfabf35851d32aeef59b7fe70d6027d2ff840b3f85cb890e17bb0ea84ca0db03c0b99c7772c28598e01a5a4d50a6c862
-
C:\Windows\{64556675-990C-47ef-9D12-70C3F6FC1F00}.exeFilesize
168KB
MD521b592136db537089a3c6583150c9eb5
SHA1b71a4a031a226a955c914a4cd462ffd491ddc24c
SHA256e81e021736f813d619e9719d658855588a7bff70629339bf799d93cc463b87a8
SHA5123a2ab02aacf5b91db7c7b2ba64eeaab5360462aced8b0f6615f6c920b0ea7ee254c5dec9af42c9cde7b0fcdb34942bd6fd10dd2d3e27df4a158d0c7a80e00e33
-
C:\Windows\{6603BBD1-6754-4d25-88A7-2B70B9D128EB}.exeFilesize
168KB
MD5cae07fbfc878d81d5951ce7a860cae83
SHA1756a984b3739a33a8a979e67c3dd40a130d5fbca
SHA25658aa0aa79758fb95e2232684da4df16ea881bea9a1b9d6ba0876d17e98b093f8
SHA512d615a014af7bef19c0d21b02ce84b1ec25d10477e30a56e263deaf48e16c3d5d132fdb043698803c5d4b8d8e08b6e3cebeca45c363d957a40e8f994e0f0384e2
-
C:\Windows\{6685BA2D-6713-452e-9DD4-86300CF85351}.exeFilesize
168KB
MD59de7590a3f79d0dfdf4e3c9e61b2db18
SHA109d73c5e85d7609ccfb14b777603454843577829
SHA256f6f45b0476964538e051368f0f927b0d9e593ff9828a879fefdd2a82f021ca90
SHA5123c9fe85d4632205c0ca7648ecab3e63287f0f9bb04591784930a17e6d7d73487b9bd1b993a28b6b94dec97e1506bb15db0b5241e1fa7bc89423b562f4bcaa6b2
-
C:\Windows\{70F5DA56-D5C1-44eb-B2E7-F2FDEB5ABC01}.exeFilesize
168KB
MD5556b0261b83759a89b82466eedb2a557
SHA1ff7d61ef188b4cb4311890302083f22ad9ca7143
SHA2565c99b1b0d7cbdef1645991b1cd6ac4996dcee69fe04300d969bcbc3a8db432f4
SHA512c49c36e88bbe64aac8190d0253c760fc785382ae75e46177e0ca9239d36623798ef7abf27f2dedbee4d497e6e0e46406c259f509b44ca2f47a43cb34d9e54ccb
-
C:\Windows\{73080A89-114B-4b64-BF9F-026AD88D3CC8}.exeFilesize
168KB
MD5cb44afae8442c3a8fc6f3ea7c4969f82
SHA14deda6975533591c95235da88208a09bc087b736
SHA256a9530ac08eef4b2ab13cb69d7fd89eb774042f38900f13ea306fc8ce589ec7f7
SHA512b84c411888853979fc6c827f3b951e4037d0f8131cf4e63cae796fe679e0f3edd477881b52032d15406b54afcba696a87e0dd8172711238102733285915f947e
-
C:\Windows\{AE2317F5-2BD7-427a-8592-258864DEF735}.exeFilesize
168KB
MD58fac5c383f898fec5b70fec342776dad
SHA1a9cfe3480f5c5e3d2d6c69ed3366b00cc856532f
SHA2567e23dcf4a6dcd0d960efe5ed751ecaa41ef40e16feb647e20cda31b1f89faa69
SHA512bca9fd1b4d884db8b057c02463214b4d3b0000eb3a78059802969dfc703d3b08df959c485c5e871724c1ebdef81d9a08177b0f02f511bd36e6d1f516b7c56bff
-
C:\Windows\{BDD0D4C4-9B7D-40eb-B0B2-9A1EA085BF84}.exeFilesize
168KB
MD537940185ec87227cfa04ea7d78b1c32c
SHA111f9bf3a6b12a300f3a6e1c8c062a0b61a0d0dbf
SHA2569acdb44753e9fbd7edaa85f980b3a10097c076bc5a894182abf2d197da4c972d
SHA512930e13f0c5d6ced975aec450e88b114a5d74ee79d5729f435b3d02d864072a8799ad9d88f31a8381f1a84d8951e74712a67b0f1986f7c4b53d506082091641d6
-
C:\Windows\{C80324DE-7C60-44ac-86D9-E73903837509}.exeFilesize
168KB
MD558a3d423e2e13e3ee56b01c7bd7cccf4
SHA101771b3f32bfcc53b88b1d2b1f69e0500299c3dd
SHA256ac90e043e9b21aa48c05523a427399a775562a24698369b1d29e34662b5acb8d
SHA512326443f4865c44718359730cc7cda3aab6411e83ab324a319502c544dc67bd6a0a33b32ea9beb4a37878ed9171d34cb4fe336fe8572ea89932458a38ff64202a