kinsing | de0a1e45ca271da7a40a9cb75d60c1637feaf6e009ca3ed2ac0694ab0d27027b

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe
Size

180KB
MD5

4fa55fd404b924bfa9810aa11b49e4f9
SHA1

2757134d986d31c6a034a9088dede09e0ecc01ce
SHA256

de0a1e45ca271da7a40a9cb75d60c1637feaf6e009ca3ed2ac0694ab0d27027b
SHA512

e1631b798089725f4244447cd07ba8dbb6c99d00d6ee6ce38a12bc4e4b62ed6553936adb026e491aa8904348ac88ccc92df1f9fc0c417e1b3a675bcf7b94d271
SSDEEP

3072:jEGh0oplfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGbl5eKcAEc

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{52073A75-0721-40ae-B221-BA67C277A564}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe{EEFF360C-7454-4476-85E2-400B0C46920B}.exe{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe{A7781014-7599-457b-AF2E-CF777CBE9399}.exe{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe{52073A75-0721-40ae-B221-BA67C277A564}.exe{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25783BF1-2F06-44e9-B522-3DCBDF10583E}\stubpath = "C:\\Windows\\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe"	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEFF360C-7454-4476-85E2-400B0C46920B}	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}\stubpath = "C:\\Windows\\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe"	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}\stubpath = "C:\\Windows\\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe"	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}\stubpath = "C:\\Windows\\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe"	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F41FA75-9F38-45ce-A832-FA15554DFF75}\stubpath = "C:\\Windows\\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe"	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}\stubpath = "C:\\Windows\\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe"	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25783BF1-2F06-44e9-B522-3DCBDF10583E}	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEFF360C-7454-4476-85E2-400B0C46920B}\stubpath = "C:\\Windows\\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe"	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}\stubpath = "C:\\Windows\\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe"	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52073A75-0721-40ae-B221-BA67C277A564}	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7781014-7599-457b-AF2E-CF777CBE9399}\stubpath = "C:\\Windows\\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe"	{52073A75-0721-40ae-B221-BA67C277A564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8D03326-281D-491c-B076-E6A2A4BB0608}	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8D03326-281D-491c-B076-E6A2A4BB0608}\stubpath = "C:\\Windows\\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe"	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C76A7559-1185-4079-9CFA-919C3A7528DC}\stubpath = "C:\\Windows\\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe"	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52073A75-0721-40ae-B221-BA67C277A564}\stubpath = "C:\\Windows\\{52073A75-0721-40ae-B221-BA67C277A564}.exe"	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7781014-7599-457b-AF2E-CF777CBE9399}	{52073A75-0721-40ae-B221-BA67C277A564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C76A7559-1185-4079-9CFA-919C3A7528DC}	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F41FA75-9F38-45ce-A832-FA15554DFF75}	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe

Executes dropped EXE 12 IoCs

Processes:

{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe{52073A75-0721-40ae-B221-BA67C277A564}.exe{A7781014-7599-457b-AF2E-CF777CBE9399}.exe{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe{EEFF360C-7454-4476-85E2-400B0C46920B}.exe{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe

pid	process
3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe
748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
1108	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
4932	{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe

Drops file in Windows directory 12 IoCs

Processes:

{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe{A7781014-7599-457b-AF2E-CF777CBE9399}.exe{EEFF360C-7454-4476-85E2-400B0C46920B}.exe{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe{52073A75-0721-40ae-B221-BA67C277A564}.exe{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe

description	ioc	process
File created	C:\Windows\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
File created	C:\Windows\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
File created	C:\Windows\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
File created	C:\Windows\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
File created	C:\Windows\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
File created	C:\Windows\{52073A75-0721-40ae-B221-BA67C277A564}.exe	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
File created	C:\Windows\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	{52073A75-0721-40ae-B221-BA67C277A564}.exe
File created	C:\Windows\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
File created	C:\Windows\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
File created	C:\Windows\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
File created	C:\Windows\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
File created	C:\Windows\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe{52073A75-0721-40ae-B221-BA67C277A564}.exe{A7781014-7599-457b-AF2E-CF777CBE9399}.exe{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe{EEFF360C-7454-4476-85E2-400B0C46920B}.exe{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
Token: SeIncBasePriorityPrivilege	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
Token: SeIncBasePriorityPrivilege	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
Token: SeIncBasePriorityPrivilege	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
Token: SeIncBasePriorityPrivilege	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe
Token: SeIncBasePriorityPrivilege	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
Token: SeIncBasePriorityPrivilege	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
Token: SeIncBasePriorityPrivilege	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
Token: SeIncBasePriorityPrivilege	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
Token: SeIncBasePriorityPrivilege	2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
Token: SeIncBasePriorityPrivilege	1108	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 548 wrote to memory of 3748	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
PID 548 wrote to memory of 3748	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
PID 548 wrote to memory of 3748	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
PID 548 wrote to memory of 2288	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	cmd.exe
PID 548 wrote to memory of 2288	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	cmd.exe
PID 548 wrote to memory of 2288	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	cmd.exe
PID 3748 wrote to memory of 3932	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
PID 3748 wrote to memory of 3932	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
PID 3748 wrote to memory of 3932	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
PID 3748 wrote to memory of 2016	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	cmd.exe
PID 3748 wrote to memory of 2016	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	cmd.exe
PID 3748 wrote to memory of 2016	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	cmd.exe
PID 3932 wrote to memory of 3208	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
PID 3932 wrote to memory of 3208	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
PID 3932 wrote to memory of 3208	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
PID 3932 wrote to memory of 864	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	cmd.exe
PID 3932 wrote to memory of 864	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	cmd.exe
PID 3932 wrote to memory of 864	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	cmd.exe
PID 3208 wrote to memory of 2708	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
PID 3208 wrote to memory of 2708	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
PID 3208 wrote to memory of 2708	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
PID 3208 wrote to memory of 2212	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	cmd.exe
PID 3208 wrote to memory of 2212	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	cmd.exe
PID 3208 wrote to memory of 2212	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	cmd.exe
PID 2708 wrote to memory of 1980	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	{52073A75-0721-40ae-B221-BA67C277A564}.exe
PID 2708 wrote to memory of 1980	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	{52073A75-0721-40ae-B221-BA67C277A564}.exe
PID 2708 wrote to memory of 1980	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	{52073A75-0721-40ae-B221-BA67C277A564}.exe
PID 2708 wrote to memory of 2564	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	cmd.exe
PID 2708 wrote to memory of 2564	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	cmd.exe
PID 2708 wrote to memory of 2564	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	cmd.exe
PID 1980 wrote to memory of 748	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
PID 1980 wrote to memory of 748	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
PID 1980 wrote to memory of 748	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
PID 1980 wrote to memory of 4664	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	cmd.exe
PID 1980 wrote to memory of 4664	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	cmd.exe
PID 1980 wrote to memory of 4664	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	cmd.exe
PID 748 wrote to memory of 5052	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
PID 748 wrote to memory of 5052	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
PID 748 wrote to memory of 5052	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
PID 748 wrote to memory of 2012	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	cmd.exe
PID 748 wrote to memory of 2012	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	cmd.exe
PID 748 wrote to memory of 2012	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	cmd.exe
PID 5052 wrote to memory of 4372	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
PID 5052 wrote to memory of 4372	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
PID 5052 wrote to memory of 4372	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
PID 5052 wrote to memory of 2428	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	cmd.exe
PID 5052 wrote to memory of 2428	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	cmd.exe
PID 5052 wrote to memory of 2428	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	cmd.exe
PID 4372 wrote to memory of 5016	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
PID 4372 wrote to memory of 5016	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
PID 4372 wrote to memory of 5016	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
PID 4372 wrote to memory of 1584	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	cmd.exe
PID 4372 wrote to memory of 1584	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	cmd.exe
PID 4372 wrote to memory of 1584	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	cmd.exe
PID 5016 wrote to memory of 2580	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
PID 5016 wrote to memory of 2580	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
PID 5016 wrote to memory of 2580	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
PID 5016 wrote to memory of 2572	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	cmd.exe
PID 5016 wrote to memory of 2572	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	cmd.exe
PID 5016 wrote to memory of 2572	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	cmd.exe
PID 2580 wrote to memory of 1108	2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
PID 2580 wrote to memory of 1108	2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
PID 2580 wrote to memory of 1108	2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
PID 2580 wrote to memory of 3700	2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
C:\Windows\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
C:\Windows\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
C:\Windows\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{679CF~1.EXE > nul
5⤵
PID:2212

C:\Windows\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
C:\Windows\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\{52073A75-0721-40ae-B221-BA67C277A564}.exe
C:\Windows\{52073A75-0721-40ae-B221-BA67C277A564}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
C:\Windows\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A7781~1.EXE > nul
8⤵
PID:2012

C:\Windows\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
C:\Windows\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
C:\Windows\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
C:\Windows\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EEFF3~1.EXE > nul
11⤵
PID:2572

C:\Windows\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
C:\Windows\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{90591~1.EXE > nul
12⤵
PID:3700

C:\Windows\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
C:\Windows\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe
C:\Windows\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe
13⤵
- Executes dropped EXE
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{06DFD~1.EXE > nul
13⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{25783~1.EXE > nul
10⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AB7E6~1.EXE > nul
9⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{52073~1.EXE > nul
7⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9F41F~1.EXE > nul
6⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C76A7~1.EXE > nul
4⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5A61A~1.EXE > nul
3⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
Filesize
180KB

MD5
fc61d5773de2761bfc12f2f1e7761698

SHA1
b7cab20261c62615085bc1c7e28bf29fd837444c

SHA256
e957210a39f62a21fc1b82b5bd6a66e4bb722dca367c417ecbf141593a872452

SHA512
c47dfb3651a573c69cb3f5d9e996f9dffa8f91e1c984b958181f91d865f7d87982bdecbf4b8498fc2df380e31f02d6c13011c32a289da0a44d6f7c44a19d7b3a

Download Submit
C:\Windows\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
Filesize
180KB

MD5
5ffffb035c121ad046d42e02fd599f24

SHA1
23069c4b67cd3f6bf21e42434abb199eff9c368a

SHA256
bf5cb26e334e4173cb85c174065d2993ded558901b7d296d4ef32c094d9f6c1f

SHA512
23d677ae37ede1c0b5b56a1681e9c324c2e3b8a103f1f9a3cb4175db5831781cd54f860ae386bffebc598a473a3092cad28af24d02b9382ceb78876c94a17724

Download Submit
C:\Windows\{52073A75-0721-40ae-B221-BA67C277A564}.exe
Filesize
180KB

MD5
0cd50cf28595165839c73c933bd3ebeb

SHA1
432c2eef2853c1d17dfc78ffe2bb37135e07cdd6

SHA256
a04db994b1973cbb87f887343a6946a8aa833da30c8402846bda15a43f5dc86e

SHA512
a95be6ca18e046455edd6a82a83d11454f3b8952ed01fe9a73cfc97080b0cddddbe4bd45b70a92dda2d6829b572f74d2df23e61e501f3f0da948a325c7705884

Download Submit
C:\Windows\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
Filesize
180KB

MD5
9d2d501e3f99c418333ceec014df10f3

SHA1
40ca213bb642cb4befbd0bef47b69ed47203ad63

SHA256
6de95a074e2b9fb4168ff5521c1ce03f8eeee966af78464cfe48b29d2be364c3

SHA512
9f5edd2f607c016e18417c2d8791af521903aeb9aa1519d150eb03bfa8ca28522cb235f9a1eb2a58e2a55f7fe7b7469101625843bfb0d2cfb9f36e56d8f1c2c1

Download Submit
C:\Windows\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
Filesize
180KB

MD5
c874e1bda29c12cfb32b5e9d0ac701c5

SHA1
ecd322e194f05bc1395e8536769a32747b0f5372

SHA256
9e48ae74597f19132601bacac7f1b3a788455b6785fd332968cfedf774c21a49

SHA512
b19dd243ca2fb23b9601a89146bf778f72df0463f0c9b7fa022ece05a4a6016aefa5c1a949e943df6208bc26cdf2519cc6aef7ab007b0be89ec130a7b6225b77

Download Submit
C:\Windows\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
Filesize
180KB

MD5
2b242e1583a05f6334c14773b79ca19b

SHA1
9cfa542afa01f8fcef4e1224c75f8a6e953008c1

SHA256
e63baa08b05bbeb954b3b87eb2d67330cc9c80aa7a2ee2e3a599c11a8649f74d

SHA512
b0e746be3b6e9d7f873a8a2979d78379e6c8204440b0948204a0631a24cfae7b70fd8f3c9864e169c73829cbe7ef722f01765d56ccae78d8cec094819543225b

Download Submit
C:\Windows\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
Filesize
180KB

MD5
9fd4fcebb7aa34bd9d388ec8e3a1341a

SHA1
d091e4910b705b043820a73265d3caf2fe12ffc0

SHA256
333b120cb51926af802f3ebc0421ca4ce54cd0c0471d07a606e2d08da17af66b

SHA512
8fcb55b23fa359c83820cc4ab6479c9f078c90da79fa6524a729a63adac9c1bb62b3df4295dd037af7858617168bfb51431a99512d1418f2e7bb6a2d8cc1561e

Download Submit
C:\Windows\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
Filesize
180KB

MD5
93bf4c2e823fe21d3f338b0ff87d8053

SHA1
283b7e22af28b6e08833bd1459e20d5203702120

SHA256
22ca4bcdd4a610636b5c112bc430ed735d2d6998d0171d90fadb04e01bf16cde

SHA512
7091f8a464cbe5d3b529a01b143bd4f05086d335a5dc9ad1d47dd50c6f92db429743c93ce299365b34389dc31326bf53fc4b79129f7373846a3581b4a7586ef2

Download Submit
C:\Windows\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe
Filesize
180KB

MD5
fa2bd7f7f97517804b14010f5eb6b627

SHA1
262e4a3670ff897d5d8c349f2c86d4ac0effb84d

SHA256
5c9d740b2a957bdd80d5df3d4256df56f757dfb645269bc4a787379fe0940343

SHA512
c3ede4ede58e24bc987187d5f353da79fdd0ad59b002250f138b117953204f68fe74d9748a70ad29b3aa899f6e0bacbad776b91f3b0894560e57f649b6e95cdd

Download Submit
C:\Windows\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
Filesize
180KB

MD5
96a218e3379894116633c32918f084d1

SHA1
fe29bb7559b2c92877a8d7583bef3ad1886bd122

SHA256
b01a0d8c5f5b6bc1c7b938480ae52258cbd4dc27e04e9f737a27876c89ebad00

SHA512
ec03fd05ade9646873b81eaa80c4c0a20b3e912dcbd6e5db4c4dd11d29ca839b0833f2cd82c7d59ba07f7f8a6342505777c810c38c076056aaa087dffe5d8280

Download Submit
C:\Windows\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
Filesize
180KB

MD5
1d9a419b82e1a6424c1c8b9396a38426

SHA1
8cb46f78cff4370dda5d139d3a833a05c8951ecd

SHA256
7c4185a41a691bfc64bae706acf828757d65723f3047ff256f7d33918090fdc1

SHA512
473b914b95b63786a65973f5be76f8d55fbc3d868d0cfec92f8cf5aa5a34691a4db10bd8a25a7348499f4a89b5704f96c02caa7198f092926a5e70e638bc6b65

Download Submit
C:\Windows\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
Filesize
180KB

MD5
cf8d67d1f81d5da042253bba3340350b

SHA1
4b47a8a1c873d9999e42a1b3fe5949fa465d1ca4

SHA256
f1ebd31cdede886a1afd1748d6e1048a56a4ec3ef934795e78d404d7a284d260

SHA512
c28c76d10dbbe81fd0f305f6be17dcb45337a7dc4439e1bb1236bbe51324ee1caf7dff62e33ae13b151c78479db9fe60ac8449e8b4131d56c436e2cba1c18207

Download Submit