Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-01-2024 17:28
General
-
Target
2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe
-
Size
344KB
-
MD5
560bd77bcfcafc5113df6f48ba690540
-
SHA1
670510ab56d64a18b60ccb3b52feac2a5a9baec7
-
SHA256
6b9b930f8f0bce675b0424f3f8c916ceb91faf5509e8f828d122321d729d1b20
-
SHA512
5c251ae9a9c1d70225631733fb57fb50f984df190230545b2302a865752008fb09e36d53bd78572fd82dd9ca9ba8e9db1f4919ca61a8af3b0f6f1f3217309814
-
SSDEEP
3072:mEGh0oVlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG7lqOe2MUVg3v2IneKcAEcA
Malware Config
Signatures
-
Kinsing
Kinsing is a loader written in Golang.
-
Auto-generated rule 14 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_560bd77bcfcafc5113df6f48ba690540_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exeC:\Windows\{33FF74D7-8240-4646-B438-9347DCCCFBB3}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{33FF7~1.EXE > nul3⤵
-
-
C:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exeC:\Windows\{A36AC0A4-9102-4e20-BB1A-4E6290431646}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A36AC~1.EXE > nul4⤵
-
-
C:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exeC:\Windows\{F400FBEF-AADC-4b2e-B8AB-207145FD3F55}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exeC:\Windows\{BE98E750-937F-4264-A25B-0D0C00B33118}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exeC:\Windows\{7AE10EA7-1F4D-4ca5-9FA4-6DBF1E03E950}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7AE10~1.EXE > nul7⤵
-
-
C:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exeC:\Windows\{8AFEE927-4312-45b4-86F7-DEF4189B3E8C}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8AFEE~1.EXE > nul8⤵
-
-
C:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exeC:\Windows\{073C352D-E629-4a3c-82EE-ED06816343D6}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{073C3~1.EXE > nul9⤵
-
-
C:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exeC:\Windows\{87313B54-3E11-4117-9C7F-457B6183AE02}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exeC:\Windows\{7E5A919D-9D46-4801-8DB3-245A3DB11C79}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exeC:\Windows\{61D279BF-EAF4-4df5-9C72-89B7F2665FF1}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{61D27~1.EXE > nul12⤵
-
-
C:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exeC:\Windows\{F53C3930-F924-4c29-A7F9-46F9531A802D}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F53C3~1.EXE > nul13⤵
-
-
C:\Windows\{6C7772B8-E674-4f37-A1AB-71BF53FA2434}.exeC:\Windows\{6C7772B8-E674-4f37-A1AB-71BF53FA2434}.exe13⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7E5A9~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{87313~1.EXE > nul10⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BE98E~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F400F~1.EXE > nul5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD508f32bdfea2490d1dd1ea21432fcdc47
SHA17340be730b366aafa03a53cd4226c97bedef659c
SHA25600ac7236250e44b6a5af138e0577a25fdbb886d1544ecd9cd8ea36783f1ef80c
SHA51213eb961a87b853ac53bbecb7d581228d6c654dc331abb511672dd4a195cd893d5c9cdf5596faaabff614aab84d80e38dab41d63a3f3d25ea476125c87580e933
-
Filesize
96KB
MD5b5ed4219929e8be6facd4d4a2dd6fcbe
SHA1ff179cd1862ceaaa1957ce2e796228616dee5ce4
SHA256152712028eef91213bd791ee5c5ead91d66cc0b9969bd5ad4c2e4b86c62ed9d5
SHA5129f62c1a083a12a5b7074246ac641c780577c87fb362eedb180545459b4f8c8f599fd561d7385507edc4b470cb2e6e1b18a00bc2703cc5ebbf3af0b142595b563
-
Filesize
344KB
MD528ef37cade7b1efdc86a481ffc9c96ef
SHA1cf98cc4d9a5049401cc9270153a7f9dd2da36029
SHA25638cafd013ee395ed27794ce195489aee570674e1512bed1572edd9d27317484b
SHA512d53025f4efb5034a6558eec8a9fdb435e2162375e599855e38114524fbd6483d113c33db90c60daf47ed8c6a26dbf7a98515b11399ca0cd08585ad1df09deffe
-
Filesize
344KB
MD5053b7cfd6ecb9c65433632fd3f476564
SHA13d30b4d81bb6df6dd829d794b8d5a98feaa5e178
SHA2562756b1386f66482f676fb0ec18b0e6bfb00b421928a607436db8ae6c751a8b77
SHA512bda537984f28b04a70e091ef11a2797149c16b387e1d5501884752fd1d812b81e37207a4b40db0f322ca93d87f7d538ac09d9a71f70c4e55ba97266aad26fcb4
-
Filesize
344KB
MD51c194d3ff51b945a250be415c17c2c7f
SHA19ec8e4b97988412344e012d3b5528b7c59035bd6
SHA25659bb2e88a6ab77485435b5c6024dd682dc510d9cea23a60b8964354a3449f8f9
SHA5129d8522d89f4aec3d98efaa803145ddf0337ab561186787808efcb8da40fb45bee83c66f27310632725ff59a0aa9539b070fe688a4681b086e24f7d29fc51e40f
-
Filesize
344KB
MD58eefa48799dc635726f304490931d480
SHA11e226d11f370babfb3c72cf125a63b28f9e61642
SHA256038d868199b8ae5da206c24af4cee25d855e39806a9ff4a57a526c033d6b858a
SHA512b0d55dd0b1ffbcaf4f2121e1d98ed88737ab41bc833d21a94809d183eac4b5aac83f98cae232ad02a2cd24f4a53d9166afcd7186523d223eda6c0e2bf65d14f2
-
Filesize
344KB
MD5b4c0ae4e1f158c74435d2b4726d34e3f
SHA1957e0847350af9849e9984fdb8ce37b0ba720cb2
SHA25637f795fd17943d82b776a32cabf059229961e6569a3d550184529e866232cc76
SHA5122dd897904c3fc08a14d08e2f943147a40e5a1d84cdd64fe8970303da83a54bcb2c5bf33d3ef6c83acb15fa2d06defc6a82c44c648e624438f771bf04b745f2fd
-
Filesize
344KB
MD512b4fa7829c631d9630a41d3d7b1bbc7
SHA18fe29dbf09e54bc18f241e72a5828887dc508ea6
SHA2565a058907ea3eb13b6a6512c53a38f5b3c6bcaa8ce5f502913a16a09a8445ea1f
SHA51235093bb14b7f2a5610c8323e114bfb654ed8bc9feedf16e9189e100b1421d1285794964460284fcb0407457ca13661f90e87ad39d81b19088a40d879672b63a8
-
Filesize
344KB
MD585211c5be5abc8d8a3667aa7cac3727e
SHA1b8ef71d76f49dacee20bbaeec6ffa562a12a8b9b
SHA25682743099ffe728db2ef4f5ab4cba700f4efd969b1b3b17a08271fe694407de8d
SHA512c4abb301c67bdf1d9df570b06e1b58302c0b441fa1cf893d71bc2457abe6100f4f341856b4dbbc1be976b36111a4ca62d8e8e10b49968acd2dc381088e5afd60
-
Filesize
344KB
MD549a5b6c28b90d60d6f781cf8429af135
SHA16a858e41b7de4dfa1ac3fb6bb2958a9926c377c5
SHA256f3cfccf4373ec5035605648e6e15f75b3555e00bef8bdd8ca7b7eefe8f02a0f7
SHA51297a5bff487a113b959d5b2f7250f2f6a2e735a34227c27766fe098899f75307f410d882b018392798b276e1da67370a7955993cab63e49ecc57c38487c67a272
-
Filesize
344KB
MD5e8c7270a751d0adf29fa4339dbdaf646
SHA14a9c1b994598168fbd5063024709c551c9aca615
SHA256e1a532f3294b87275d14627cda3363a6054f0f6255082542932b517ca236fcdd
SHA51297f1aeeaf6a60c66965a4cd2ce15f94b117f737318ed4046ec1461f85a65bbb4f03b216bc27cae255b5fa1ba950c509e90ed746815d10cd19850fefe73c6be7d
-
Filesize
285KB
MD5f4518a6402377f32c8a5fec3cb6eee02
SHA15e8049021a2bbac7060c5d33eda548b4ecb20950
SHA2562374731bdcc39b1ce25065db412b6e4bb3a4a319d42ec8c2e81e8779bf1e1ade
SHA5122725f11a0f0bf4290966bd01762f72c866d73d24d4fcddbd731e8a8196301ad3c2bed91009accb5802ac8c961737d9e2239d6f7b79dbfe61110a1161ac7606df
-
Filesize
344KB
MD5374dd43a9ebcad2f9b0f712ba1765e58
SHA1909d4187a49ae9aa302140594b5acd25105f9b93
SHA25673b2b15e59de882f145b43ca60e7db4261bf8410ad4b93019fceb1d098957464
SHA5120460ad23b4a36284f002a1f7281ac6f3375dfe7f235b305b4238168d88aefb2e45309f3d50b8579cf775032c441c3bd08e8f0273e51483a0db72b0c0436f9565
-
Filesize
344KB
MD559b4e1c91a925fb5abdc5ba2647416aa
SHA177c12e669b87eaddd9ec89ad0c26e1ab37c5c5cf
SHA2560a4968ad7638304ddab91afa32336b86b52f72e53c561481a73a9d603bf392f9
SHA5129ccbade0f91424546dbbe4daf263f00c9e9058a43168f910a8ec9b4254bd366b9d08628af9c7e24bc5a4f4378464fb69ba12b850dfdf1e3c971aa507412e0ff3