kinsing | 925accd04f62c0628ccd361b8fb5aa197b3693158e7b3ac2781fb29b8b010f42

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
Size

372KB
MD5

4410354ecf1f12dac32e7509180cf312
SHA1

5633c7d48a12ca700132e5de5d4c21422584c8ef
SHA256

925accd04f62c0628ccd361b8fb5aa197b3693158e7b3ac2781fb29b8b010f42
SHA512

593f1e8a25a25880f829e782f46c94110ccf9f3722a5a62b77b910abc57de7f491f1b9a6e07706aa0a75904b89d46682fc5fea4c84f7ef04f7a3d68da8ea9737
SSDEEP

3072:CEGh0oUmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGnl/Oe2MUVg3vTeKcAEciTBqr3

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 14 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0006000000023226-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002321f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022043-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022043-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022044-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022043-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000709-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{2096307A-0CB4-49c1-B933-529809CA1868}.exe{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}\stubpath = "C:\\Windows\\{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe"	{2096307A-0CB4-49c1-B933-529809CA1868}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}\stubpath = "C:\\Windows\\{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe"	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539DC171-1576-4d42-A8A9-3FF9B0E201A6}\stubpath = "C:\\Windows\\{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe"	{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FA5A003-192A-4e55-A063-C1384037B0B4}\stubpath = "C:\\Windows\\{9FA5A003-192A-4e55-A063-C1384037B0B4}.exe"	{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{100DC87C-9F51-4c86-9F08-846E380D64FA}\stubpath = "C:\\Windows\\{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe"	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A500531B-F6C7-4e35-8C08-255CDBAE4D09}	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A500531B-F6C7-4e35-8C08-255CDBAE4D09}\stubpath = "C:\\Windows\\{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe"	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2096307A-0CB4-49c1-B933-529809CA1868}\stubpath = "C:\\Windows\\{2096307A-0CB4-49c1-B933-529809CA1868}.exe"	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}	{2096307A-0CB4-49c1-B933-529809CA1868}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}\stubpath = "C:\\Windows\\{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe"	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}\stubpath = "C:\\Windows\\{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe"	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{100DC87C-9F51-4c86-9F08-846E380D64FA}	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36C35A48-6076-47ce-908C-E20ADBE11E09}	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}\stubpath = "C:\\Windows\\{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe"	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}\stubpath = "C:\\Windows\\{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe"	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2096307A-0CB4-49c1-B933-529809CA1868}	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36C35A48-6076-47ce-908C-E20ADBE11E09}\stubpath = "C:\\Windows\\{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe"	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539DC171-1576-4d42-A8A9-3FF9B0E201A6}	{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FA5A003-192A-4e55-A063-C1384037B0B4}	{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe

Executes dropped EXE 12 IoCs

Processes:

{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe{2096307A-0CB4-49c1-B933-529809CA1868}.exe{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe{9FA5A003-192A-4e55-A063-C1384037B0B4}.exe

pid	Process
2220	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe
1152	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe
3668	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe
1760	{2096307A-0CB4-49c1-B933-529809CA1868}.exe
3700	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe
4248	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe
408	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe
3876	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe
2960	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe
3196	{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe
4328	{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe
2952	{9FA5A003-192A-4e55-A063-C1384037B0B4}.exe

Drops file in Windows directory 12 IoCs

Processes:

{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe{2096307A-0CB4-49c1-B933-529809CA1868}.exe

description	ioc	Process
File created	C:\Windows\{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe	{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe
File created	C:\Windows\{9FA5A003-192A-4e55-A063-C1384037B0B4}.exe	{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe
File created	C:\Windows\{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe
File created	C:\Windows\{2096307A-0CB4-49c1-B933-529809CA1868}.exe	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe
File created	C:\Windows\{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe
File created	C:\Windows\{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe
File created	C:\Windows\{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe
File created	C:\Windows\{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe
File created	C:\Windows\{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe
File created	C:\Windows\{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
File created	C:\Windows\{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe
File created	C:\Windows\{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe	{2096307A-0CB4-49c1-B933-529809CA1868}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe{2096307A-0CB4-49c1-B933-529809CA1868}.exe{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	4696	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2220	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe
Token: SeIncBasePriorityPrivilege	1152	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe
Token: SeIncBasePriorityPrivilege	3668	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe
Token: SeIncBasePriorityPrivilege	1760	{2096307A-0CB4-49c1-B933-529809CA1868}.exe
Token: SeIncBasePriorityPrivilege	3700	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe
Token: SeIncBasePriorityPrivilege	4248	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe
Token: SeIncBasePriorityPrivilege	408	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe
Token: SeIncBasePriorityPrivilege	3876	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe
Token: SeIncBasePriorityPrivilege	2960	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe
Token: SeIncBasePriorityPrivilege	3196	{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe
Token: SeIncBasePriorityPrivilege	4328	{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 4696 wrote to memory of 2220	4696	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	98
PID 4696 wrote to memory of 2220	4696	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	98
PID 4696 wrote to memory of 2220	4696	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	98
PID 4696 wrote to memory of 4996	4696	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	97
PID 4696 wrote to memory of 4996	4696	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	97
PID 4696 wrote to memory of 4996	4696	2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe	97
PID 2220 wrote to memory of 1152	2220	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe	99
PID 2220 wrote to memory of 1152	2220	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe	99
PID 2220 wrote to memory of 1152	2220	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe	99
PID 2220 wrote to memory of 2952	2220	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe	100
PID 2220 wrote to memory of 2952	2220	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe	100
PID 2220 wrote to memory of 2952	2220	{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe	100
PID 1152 wrote to memory of 3668	1152	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe	102
PID 1152 wrote to memory of 3668	1152	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe	102
PID 1152 wrote to memory of 3668	1152	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe	102
PID 1152 wrote to memory of 3192	1152	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe	103
PID 1152 wrote to memory of 3192	1152	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe	103
PID 1152 wrote to memory of 3192	1152	{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe	103
PID 3668 wrote to memory of 1760	3668	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe	104
PID 3668 wrote to memory of 1760	3668	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe	104
PID 3668 wrote to memory of 1760	3668	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe	104
PID 3668 wrote to memory of 1216	3668	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe	105
PID 3668 wrote to memory of 1216	3668	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe	105
PID 3668 wrote to memory of 1216	3668	{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe	105
PID 1760 wrote to memory of 3700	1760	{2096307A-0CB4-49c1-B933-529809CA1868}.exe	106
PID 1760 wrote to memory of 3700	1760	{2096307A-0CB4-49c1-B933-529809CA1868}.exe	106
PID 1760 wrote to memory of 3700	1760	{2096307A-0CB4-49c1-B933-529809CA1868}.exe	106
PID 1760 wrote to memory of 3040	1760	{2096307A-0CB4-49c1-B933-529809CA1868}.exe	107
PID 1760 wrote to memory of 3040	1760	{2096307A-0CB4-49c1-B933-529809CA1868}.exe	107
PID 1760 wrote to memory of 3040	1760	{2096307A-0CB4-49c1-B933-529809CA1868}.exe	107
PID 3700 wrote to memory of 4248	3700	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe	109
PID 3700 wrote to memory of 4248	3700	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe	109
PID 3700 wrote to memory of 4248	3700	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe	109
PID 3700 wrote to memory of 4764	3700	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe	108
PID 3700 wrote to memory of 4764	3700	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe	108
PID 3700 wrote to memory of 4764	3700	{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe	108
PID 4248 wrote to memory of 408	4248	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe	111
PID 4248 wrote to memory of 408	4248	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe	111
PID 4248 wrote to memory of 408	4248	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe	111
PID 4248 wrote to memory of 1148	4248	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe	110
PID 4248 wrote to memory of 1148	4248	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe	110
PID 4248 wrote to memory of 1148	4248	{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe	110
PID 408 wrote to memory of 3876	408	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe	112
PID 408 wrote to memory of 3876	408	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe	112
PID 408 wrote to memory of 3876	408	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe	112
PID 408 wrote to memory of 4124	408	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe	113
PID 408 wrote to memory of 4124	408	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe	113
PID 408 wrote to memory of 4124	408	{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe	113
PID 3876 wrote to memory of 2960	3876	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe	115
PID 3876 wrote to memory of 2960	3876	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe	115
PID 3876 wrote to memory of 2960	3876	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe	115
PID 3876 wrote to memory of 2040	3876	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe	114
PID 3876 wrote to memory of 2040	3876	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe	114
PID 3876 wrote to memory of 2040	3876	{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe	114
PID 2960 wrote to memory of 3196	2960	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe	117
PID 2960 wrote to memory of 3196	2960	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe	117
PID 2960 wrote to memory of 3196	2960	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe	117
PID 2960 wrote to memory of 968	2960	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe	116
PID 2960 wrote to memory of 968	2960	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe	116
PID 2960 wrote to memory of 968	2960	{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe	116
PID 3196 wrote to memory of 4328	3196	{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe	118
PID 3196 wrote to memory of 4328	3196	{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe	118
PID 3196 wrote to memory of 4328	3196	{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe	118
PID 3196 wrote to memory of 3676	3196	{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_4410354ecf1f12dac32e7509180cf312_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4996
- C:\Windows\{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe
  C:\Windows\{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe
    C:\Windows\{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe
      C:\Windows\{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Windows\{2096307A-0CB4-49c1-B933-529809CA1868}.exe
        
        C:\Windows\{2096307A-0CB4-49c1-B933-529809CA1868}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
      - C:\Windows\{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe
        
        C:\Windows\{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB2D9~1.EXE > nul
        7⤵
        
        PID:4764
        
        C:\Windows\{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe
        
        C:\Windows\{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C20D3~1.EXE > nul
        8⤵
        
        PID:1148
        
        C:\Windows\{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe
        
        C:\Windows\{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe
        
        C:\Windows\{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36C35~1.EXE > nul
        10⤵
        
        PID:2040
        
        C:\Windows\{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe
        
        C:\Windows\{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B59C0~1.EXE > nul
        11⤵
        
        PID:968
        
        C:\Windows\{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe
        
        C:\Windows\{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe
        
        C:\Windows\{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{539DC~1.EXE > nul
        13⤵
        
        PID:2220
        
        C:\Windows\{9FA5A003-192A-4e55-A063-C1384037B0B4}.exe
        
        C:\Windows\{9FA5A003-192A-4e55-A063-C1384037B0B4}.exe
        13⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{914E1~1.EXE > nul
        12⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1A62~1.EXE > nul
        9⤵
        
        PID:4124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20963~1.EXE > nul
        6⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5005~1.EXE > nul
        5⤵
        
        PID:1216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E622D~1.EXE > nul
      4⤵
      PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{100DC~1.EXE > nul
    3⤵
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{100DC87C-9F51-4c86-9F08-846E380D64FA}.exe

Filesize
372KB

MD5
4dd5e40c6da4758e000ba2e8e45053cd

SHA1
1314c821b667acd16efa0291c4e7c3ad0173a46c

SHA256
b0d4653daf2d43fa036b4ba8f719fd2408049d096c52b6466d689430335810e8

SHA512
6bd6a426262e02e812bfcf0051785e996d820f24c670d031dcc0f416168b967fffc55a491c7e2077abcfe08719bd7484305e410586fa1f2f1d30ff809f87fb67

Download Submit
C:\Windows\{2096307A-0CB4-49c1-B933-529809CA1868}.exe

Filesize
372KB

MD5
e3089917d4b19e241ccb11343bfe0538

SHA1
e83b62bea008be7885fae340781bd788510fb793

SHA256
f37efd5617bf275eeacb4c2727fff77b13402bc112d4c5b1e58352046d815144

SHA512
7ae7cf3883160312fad387d7bf50d6bd353603f650471b166e97a9e986fcc00fca82f9bab8d4855eb55df03a71d67f62eb7cc0d3017b0f93e16c1114727dedc2

Download Submit
C:\Windows\{36C35A48-6076-47ce-908C-E20ADBE11E09}.exe

Filesize
372KB

MD5
01e9c784aba2514ac8a8ecb0b08e7b06

SHA1
a53651644e63f4447812085087afa52622318ad7

SHA256
3fb8c1ae56dc011d147514e5d3ef19c0c49c6ff4d1d9c9cba05c6b941530b8d6

SHA512
ca6642f5c4a626dde59c6908702b5da6ee9d1f083d46eb97c7d7ab8777eff3138d9d574b68bce53ba801b6023ef4853a67b14d19aa2c1af225fb0bdf0af2b9b6

Download Submit
C:\Windows\{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe

Filesize
86KB

MD5
ba76fe1ebeaccaa974b0416bbadf5518

SHA1
9127b95aafa1c66f6ab63506c5ebc3d7291daa5f

SHA256
bebb671e8e2f16556204f51d979b48f2ce72efcb96938532f1cae0e07852f914

SHA512
523703732348fd6c27e41ca207ee250a656967a7d100d900e67e291044701975b5164754a23d3769a1d6fec85a8d40c1533ac4c866bf04976094c0016f9b03ea

Download Submit
C:\Windows\{539DC171-1576-4d42-A8A9-3FF9B0E201A6}.exe

Filesize
64KB

MD5
7117910bc800cddbff5881f47086cabd

SHA1
7910e3009b60d631251d43bcf5c4eaf295fa6fa7

SHA256
ae79ed3c263cca525b48192456b6606737eaab1a0cc5ff4da4ff44be8022c0ce

SHA512
034759dcb83bb2a8f80c9e1dfaa6beb4abd0f0f9fc4a2f9cefd667bb9caab2ed60b3199807b5a3cfa39d8271e4dcb3ca22141cf2ee97456cbbf8deaf3f1190c3

Download Submit
C:\Windows\{914E1055-6E3F-4ad4-8A02-77CCB9D6ACB8}.exe

Filesize
372KB

MD5
190f709e4a5178b0bd487a358e02c1dd

SHA1
12e293323ffe0d0ae3f55331985072cd5b5e883b

SHA256
3946ab2af2136d947991ed67113f6351a0b5626dfff2fb6700975a08098f9655

SHA512
560b619a6df5f0e8f230aa818fc5ae7294209dcdbd1dc3efd1c5296579fbfd054273de8c11e747eddb402b0154fd66991c6f62d4b1ae79dfac529b1f68c1c053

Download Submit
C:\Windows\{9FA5A003-192A-4e55-A063-C1384037B0B4}.exe

Filesize
372KB

MD5
5ad3ae442b4c1f082e107ac5262772e5

SHA1
b7798feeb20712093924ca1eea817e6024fc0687

SHA256
f5ef3c8d6d4a92ca07bcac7965f461c5ed996f8bdfd231c2ba2b498a785266b4

SHA512
1cdba7391d02489bd6a6f24d929d131dc47f57040ae11a454742cc657210b4cbea49a7516e17758a1f1f7b7dbd3e170d67791ac1f80fb5efbb7d2f73937e2dbd

Download Submit
C:\Windows\{A1A620D1-DF73-473e-95A7-0C2A5820FDA1}.exe

Filesize
372KB

MD5
d923cd33999c5c22cc14e5c6381ece3a

SHA1
f394fbb2b5d1d79e1618efd67599c501e2e1db01

SHA256
db6d685c58b0a32d10f76525da46f6e225b5ed67e545de7c18e8a9f3430cb1a4

SHA512
a4e27f60c94af38bd9135a4a37bef476435e60dc5c6e61ecf8c6fd479ef5fe3af187d0a2e1b0f472adcea824c7426324b01c6440ea54a2423313d76c2ec67022

Download Submit
C:\Windows\{A500531B-F6C7-4e35-8C08-255CDBAE4D09}.exe

Filesize
372KB

MD5
88319ce7919750fd2cc76a717a879679

SHA1
d00b3e9185443ece939eb06de4aa2b52e95f94db

SHA256
ef989e990ab1a880ffc7a5659f4d4ab19328807354f6ba2cf28e4ac9a41addda

SHA512
79063aac308b6c6add74042fbc4913d30ca25333800138d5477fa7a114ac1e61bcec12f5f2e1110c87903f1d02a5a1f1e301f580334094e8f5138002d49c005c

Download Submit
C:\Windows\{B59C062A-BCEB-4f1c-82AB-460D2A392DC1}.exe

Filesize
372KB

MD5
65a27811d9af63de9b9802cb5815897d

SHA1
4f7e7fa5fb02d60eaddf9a48aa88d57fc9805f06

SHA256
5a66bbbd9dec412444b419336d9a1968497f07e1208585d3ff5a4d2998c9ad5e

SHA512
da075ced204e04ee1131894f56f99728358776c9829bc875c56413c7679f0a0a683b55f4999e295c8044e2e89d8e652fb3c23c0a7677107ff0c3fef78ee9cc26

Download Submit
C:\Windows\{C20D3B02-EE69-40cf-9E46-1D2E10CFA2CC}.exe

Filesize
372KB

MD5
013cca873ef075f4d6cd447f567854ce

SHA1
0e7441197fb9598fd601b576f0a7f79014a0b80b

SHA256
56f12d87b1a8b24d3912e55b844450cd2e8006200f8b4712b77da624ec87adba

SHA512
56d2edc1396595d06b479fcf3e1e49dcf317b05196cbebcb63feb8ab77ae92d61308705ea0ce818bac6ec4ddea5862aeea5e2a962f730dd389765f476e3bf83a

Download Submit
C:\Windows\{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe

Filesize
372KB

MD5
8bb028b8a22bb806be0206107bdaa502

SHA1
0ea973a268f3a6836221841d6b58228984914e5b

SHA256
6a289783ff28e1fa9e43c9254f13590f2ca36f1e1a10ade97976ee9fa53c5874

SHA512
03a347305fa372b56427db1da0ddb90d0fa167343f0d69d10544b3eaf22cecd44cec6b4e71cc9d6b669b9d90cfaac484d7333ffe206ce2f7c04e2b90b5df96e7

Download Submit
C:\Windows\{CB2D99A2-9E81-4698-ADB0-CFF1351EE96A}.exe

Filesize
339KB

MD5
53c49259d7f9ece5398b8bd244ff84c4

SHA1
887b01a3070e6a011c3b81f6902395e062bfe55e

SHA256
bba542aa937ce126cf8ecb877c38d9da97d36c648346624180e9df81a0bb30d7

SHA512
8b65aa73f18c4f2140da9b93a453dee076b410ba89e0eb9381169e630bc00f26d82b759008a866b91692321a549baab255521816a7691548bcf8961db7ef5a63

Download Submit
C:\Windows\{E622D3DB-4D58-45cf-A92F-AD7DC20BE72D}.exe

Filesize
372KB

MD5
2bb3c7cfb87f4bcdf4eacde4b9d01a3e

SHA1
852ad2ed03a5cb171473d7b2dfed816a0a1b3efb

SHA256
c2e8a67a3389136ffde42e99cd8d713190eeed47a1f01a045dab2a14fdb2c8df

SHA512
df6ae77b90ba1bc1dcc9e5298af571c1b72b38e1693e563192785e17985fb5baa8098696a7a03f822bb38b4f929d94659596f02afafe9b3106c590a4678a0891

Download Submit