kinsing | de0a1e45ca271da7a40a9cb75d60c1637feaf6e009ca3ed2ac0694ab0d27027b

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe
Size

180KB
MD5

4fa55fd404b924bfa9810aa11b49e4f9
SHA1

2757134d986d31c6a034a9088dede09e0ecc01ce
SHA256

de0a1e45ca271da7a40a9cb75d60c1637feaf6e009ca3ed2ac0694ab0d27027b
SHA512

e1631b798089725f4244447cd07ba8dbb6c99d00d6ee6ce38a12bc4e4b62ed6553936adb026e491aa8904348ac88ccc92df1f9fc0c417e1b3a675bcf7b94d271
SSDEEP

3072:jEGh0oplfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGbl5eKcAEc

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023232-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023239-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023240-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023239-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023240-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023239-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023240-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000737-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000737-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000735-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25783BF1-2F06-44e9-B522-3DCBDF10583E}\stubpath = "C:\\Windows\\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe"	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEFF360C-7454-4476-85E2-400B0C46920B}	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}\stubpath = "C:\\Windows\\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe"	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}\stubpath = "C:\\Windows\\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe"	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}\stubpath = "C:\\Windows\\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe"	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F41FA75-9F38-45ce-A832-FA15554DFF75}\stubpath = "C:\\Windows\\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe"	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}\stubpath = "C:\\Windows\\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe"	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25783BF1-2F06-44e9-B522-3DCBDF10583E}	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEFF360C-7454-4476-85E2-400B0C46920B}\stubpath = "C:\\Windows\\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe"	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}\stubpath = "C:\\Windows\\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe"	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52073A75-0721-40ae-B221-BA67C277A564}	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7781014-7599-457b-AF2E-CF777CBE9399}\stubpath = "C:\\Windows\\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe"	{52073A75-0721-40ae-B221-BA67C277A564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8D03326-281D-491c-B076-E6A2A4BB0608}	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8D03326-281D-491c-B076-E6A2A4BB0608}\stubpath = "C:\\Windows\\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe"	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C76A7559-1185-4079-9CFA-919C3A7528DC}\stubpath = "C:\\Windows\\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe"	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52073A75-0721-40ae-B221-BA67C277A564}\stubpath = "C:\\Windows\\{52073A75-0721-40ae-B221-BA67C277A564}.exe"	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7781014-7599-457b-AF2E-CF777CBE9399}	{52073A75-0721-40ae-B221-BA67C277A564}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C76A7559-1185-4079-9CFA-919C3A7528DC}	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F41FA75-9F38-45ce-A832-FA15554DFF75}	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe

Executes dropped EXE 12 IoCs

pid	Process
3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe
748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
1108	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
4932	{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
File created	C:\Windows\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
File created	C:\Windows\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
File created	C:\Windows\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
File created	C:\Windows\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
File created	C:\Windows\{52073A75-0721-40ae-B221-BA67C277A564}.exe	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
File created	C:\Windows\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	{52073A75-0721-40ae-B221-BA67C277A564}.exe
File created	C:\Windows\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
File created	C:\Windows\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
File created	C:\Windows\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
File created	C:\Windows\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
File created	C:\Windows\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
Token: SeIncBasePriorityPrivilege	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
Token: SeIncBasePriorityPrivilege	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
Token: SeIncBasePriorityPrivilege	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
Token: SeIncBasePriorityPrivilege	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe
Token: SeIncBasePriorityPrivilege	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
Token: SeIncBasePriorityPrivilege	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
Token: SeIncBasePriorityPrivilege	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
Token: SeIncBasePriorityPrivilege	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
Token: SeIncBasePriorityPrivilege	2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
Token: SeIncBasePriorityPrivilege	1108	{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 3748	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	95
PID 548 wrote to memory of 3748	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	95
PID 548 wrote to memory of 3748	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	95
PID 548 wrote to memory of 2288	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	96
PID 548 wrote to memory of 2288	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	96
PID 548 wrote to memory of 2288	548	2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe	96
PID 3748 wrote to memory of 3932	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	97
PID 3748 wrote to memory of 3932	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	97
PID 3748 wrote to memory of 3932	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	97
PID 3748 wrote to memory of 2016	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	98
PID 3748 wrote to memory of 2016	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	98
PID 3748 wrote to memory of 2016	3748	{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe	98
PID 3932 wrote to memory of 3208	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	100
PID 3932 wrote to memory of 3208	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	100
PID 3932 wrote to memory of 3208	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	100
PID 3932 wrote to memory of 864	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	101
PID 3932 wrote to memory of 864	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	101
PID 3932 wrote to memory of 864	3932	{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe	101
PID 3208 wrote to memory of 2708	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	103
PID 3208 wrote to memory of 2708	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	103
PID 3208 wrote to memory of 2708	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	103
PID 3208 wrote to memory of 2212	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	102
PID 3208 wrote to memory of 2212	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	102
PID 3208 wrote to memory of 2212	3208	{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe	102
PID 2708 wrote to memory of 1980	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	104
PID 2708 wrote to memory of 1980	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	104
PID 2708 wrote to memory of 1980	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	104
PID 2708 wrote to memory of 2564	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	105
PID 2708 wrote to memory of 2564	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	105
PID 2708 wrote to memory of 2564	2708	{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe	105
PID 1980 wrote to memory of 748	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	106
PID 1980 wrote to memory of 748	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	106
PID 1980 wrote to memory of 748	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	106
PID 1980 wrote to memory of 4664	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	107
PID 1980 wrote to memory of 4664	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	107
PID 1980 wrote to memory of 4664	1980	{52073A75-0721-40ae-B221-BA67C277A564}.exe	107
PID 748 wrote to memory of 5052	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	109
PID 748 wrote to memory of 5052	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	109
PID 748 wrote to memory of 5052	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	109
PID 748 wrote to memory of 2012	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	108
PID 748 wrote to memory of 2012	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	108
PID 748 wrote to memory of 2012	748	{A7781014-7599-457b-AF2E-CF777CBE9399}.exe	108
PID 5052 wrote to memory of 4372	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	110
PID 5052 wrote to memory of 4372	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	110
PID 5052 wrote to memory of 4372	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	110
PID 5052 wrote to memory of 2428	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	111
PID 5052 wrote to memory of 2428	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	111
PID 5052 wrote to memory of 2428	5052	{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe	111
PID 4372 wrote to memory of 5016	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	112
PID 4372 wrote to memory of 5016	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	112
PID 4372 wrote to memory of 5016	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	112
PID 4372 wrote to memory of 1584	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	113
PID 4372 wrote to memory of 1584	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	113
PID 4372 wrote to memory of 1584	4372	{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe	113
PID 5016 wrote to memory of 2580	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	115
PID 5016 wrote to memory of 2580	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	115
PID 5016 wrote to memory of 2580	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	115
PID 5016 wrote to memory of 2572	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	114
PID 5016 wrote to memory of 2572	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	114
PID 5016 wrote to memory of 2572	5016	{EEFF360C-7454-4476-85E2-400B0C46920B}.exe	114
PID 2580 wrote to memory of 1108	2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	117
PID 2580 wrote to memory of 1108	2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	117
PID 2580 wrote to memory of 1108	2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	117
PID 2580 wrote to memory of 3700	2580	{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_4fa55fd404b924bfa9810aa11b49e4f9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
  C:\Windows\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
    C:\Windows\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
      C:\Windows\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{679CF~1.EXE > nul
        5⤵
        
        PID:2212
    - - C:\Windows\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
        
        C:\Windows\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\{52073A75-0721-40ae-B221-BA67C277A564}.exe
        
        C:\Windows\{52073A75-0721-40ae-B221-BA67C277A564}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
        
        C:\Windows\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7781~1.EXE > nul
        8⤵
        
        PID:2012
        
        C:\Windows\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
        
        C:\Windows\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
        
        C:\Windows\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
        
        C:\Windows\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEFF3~1.EXE > nul
        11⤵
        
        PID:2572
        
        C:\Windows\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
        
        C:\Windows\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90591~1.EXE > nul
        12⤵
        
        PID:3700
        
        C:\Windows\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
        
        C:\Windows\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe
        
        C:\Windows\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe
        13⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06DFD~1.EXE > nul
        13⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25783~1.EXE > nul
        10⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB7E6~1.EXE > nul
        9⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52073~1.EXE > nul
        7⤵
        
        PID:4664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F41F~1.EXE > nul
        6⤵
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C76A7~1.EXE > nul
      4⤵
      PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5A61A~1.EXE > nul
    3⤵
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06DFDF33-D8A6-4eed-8F15-D8CD449A6D4B}.exe

Filesize
180KB

MD5
fc61d5773de2761bfc12f2f1e7761698

SHA1
b7cab20261c62615085bc1c7e28bf29fd837444c

SHA256
e957210a39f62a21fc1b82b5bd6a66e4bb722dca367c417ecbf141593a872452

SHA512
c47dfb3651a573c69cb3f5d9e996f9dffa8f91e1c984b958181f91d865f7d87982bdecbf4b8498fc2df380e31f02d6c13011c32a289da0a44d6f7c44a19d7b3a

Download Submit
C:\Windows\{25783BF1-2F06-44e9-B522-3DCBDF10583E}.exe

Filesize
180KB

MD5
5ffffb035c121ad046d42e02fd599f24

SHA1
23069c4b67cd3f6bf21e42434abb199eff9c368a

SHA256
bf5cb26e334e4173cb85c174065d2993ded558901b7d296d4ef32c094d9f6c1f

SHA512
23d677ae37ede1c0b5b56a1681e9c324c2e3b8a103f1f9a3cb4175db5831781cd54f860ae386bffebc598a473a3092cad28af24d02b9382ceb78876c94a17724

Download Submit
C:\Windows\{52073A75-0721-40ae-B221-BA67C277A564}.exe

Filesize
180KB

MD5
0cd50cf28595165839c73c933bd3ebeb

SHA1
432c2eef2853c1d17dfc78ffe2bb37135e07cdd6

SHA256
a04db994b1973cbb87f887343a6946a8aa833da30c8402846bda15a43f5dc86e

SHA512
a95be6ca18e046455edd6a82a83d11454f3b8952ed01fe9a73cfc97080b0cddddbe4bd45b70a92dda2d6829b572f74d2df23e61e501f3f0da948a325c7705884

Download Submit
C:\Windows\{5A61A7B2-0D84-414d-8500-2E8EE1CB9EA8}.exe

Filesize
180KB

MD5
9d2d501e3f99c418333ceec014df10f3

SHA1
40ca213bb642cb4befbd0bef47b69ed47203ad63

SHA256
6de95a074e2b9fb4168ff5521c1ce03f8eeee966af78464cfe48b29d2be364c3

SHA512
9f5edd2f607c016e18417c2d8791af521903aeb9aa1519d150eb03bfa8ca28522cb235f9a1eb2a58e2a55f7fe7b7469101625843bfb0d2cfb9f36e56d8f1c2c1

Download Submit
C:\Windows\{679CF78C-B95E-48d4-BA99-49DE21B1BA1B}.exe

Filesize
180KB

MD5
c874e1bda29c12cfb32b5e9d0ac701c5

SHA1
ecd322e194f05bc1395e8536769a32747b0f5372

SHA256
9e48ae74597f19132601bacac7f1b3a788455b6785fd332968cfedf774c21a49

SHA512
b19dd243ca2fb23b9601a89146bf778f72df0463f0c9b7fa022ece05a4a6016aefa5c1a949e943df6208bc26cdf2519cc6aef7ab007b0be89ec130a7b6225b77

Download Submit
C:\Windows\{9059142E-C4B6-4256-9ED6-A7C21C477A1C}.exe

Filesize
180KB

MD5
2b242e1583a05f6334c14773b79ca19b

SHA1
9cfa542afa01f8fcef4e1224c75f8a6e953008c1

SHA256
e63baa08b05bbeb954b3b87eb2d67330cc9c80aa7a2ee2e3a599c11a8649f74d

SHA512
b0e746be3b6e9d7f873a8a2979d78379e6c8204440b0948204a0631a24cfae7b70fd8f3c9864e169c73829cbe7ef722f01765d56ccae78d8cec094819543225b

Download Submit
C:\Windows\{9F41FA75-9F38-45ce-A832-FA15554DFF75}.exe

Filesize
180KB

MD5
9fd4fcebb7aa34bd9d388ec8e3a1341a

SHA1
d091e4910b705b043820a73265d3caf2fe12ffc0

SHA256
333b120cb51926af802f3ebc0421ca4ce54cd0c0471d07a606e2d08da17af66b

SHA512
8fcb55b23fa359c83820cc4ab6479c9f078c90da79fa6524a729a63adac9c1bb62b3df4295dd037af7858617168bfb51431a99512d1418f2e7bb6a2d8cc1561e

Download Submit
C:\Windows\{A7781014-7599-457b-AF2E-CF777CBE9399}.exe

Filesize
180KB

MD5
93bf4c2e823fe21d3f338b0ff87d8053

SHA1
283b7e22af28b6e08833bd1459e20d5203702120

SHA256
22ca4bcdd4a610636b5c112bc430ed735d2d6998d0171d90fadb04e01bf16cde

SHA512
7091f8a464cbe5d3b529a01b143bd4f05086d335a5dc9ad1d47dd50c6f92db429743c93ce299365b34389dc31326bf53fc4b79129f7373846a3581b4a7586ef2

Download Submit
C:\Windows\{A8D03326-281D-491c-B076-E6A2A4BB0608}.exe

Filesize
180KB

MD5
fa2bd7f7f97517804b14010f5eb6b627

SHA1
262e4a3670ff897d5d8c349f2c86d4ac0effb84d

SHA256
5c9d740b2a957bdd80d5df3d4256df56f757dfb645269bc4a787379fe0940343

SHA512
c3ede4ede58e24bc987187d5f353da79fdd0ad59b002250f138b117953204f68fe74d9748a70ad29b3aa899f6e0bacbad776b91f3b0894560e57f649b6e95cdd

Download Submit
C:\Windows\{AB7E64E6-21BC-4cd5-8312-1C93C1942CC4}.exe

Filesize
180KB

MD5
96a218e3379894116633c32918f084d1

SHA1
fe29bb7559b2c92877a8d7583bef3ad1886bd122

SHA256
b01a0d8c5f5b6bc1c7b938480ae52258cbd4dc27e04e9f737a27876c89ebad00

SHA512
ec03fd05ade9646873b81eaa80c4c0a20b3e912dcbd6e5db4c4dd11d29ca839b0833f2cd82c7d59ba07f7f8a6342505777c810c38c076056aaa087dffe5d8280

Download Submit
C:\Windows\{C76A7559-1185-4079-9CFA-919C3A7528DC}.exe

Filesize
180KB

MD5
1d9a419b82e1a6424c1c8b9396a38426

SHA1
8cb46f78cff4370dda5d139d3a833a05c8951ecd

SHA256
7c4185a41a691bfc64bae706acf828757d65723f3047ff256f7d33918090fdc1

SHA512
473b914b95b63786a65973f5be76f8d55fbc3d868d0cfec92f8cf5aa5a34691a4db10bd8a25a7348499f4a89b5704f96c02caa7198f092926a5e70e638bc6b65

Download Submit
C:\Windows\{EEFF360C-7454-4476-85E2-400B0C46920B}.exe

Filesize
180KB

MD5
cf8d67d1f81d5da042253bba3340350b

SHA1
4b47a8a1c873d9999e42a1b3fe5949fa465d1ca4

SHA256
f1ebd31cdede886a1afd1748d6e1048a56a4ec3ef934795e78d404d7a284d260

SHA512
c28c76d10dbbe81fd0f305f6be17dcb45337a7dc4439e1bb1236bbe51324ee1caf7dff62e33ae13b151c78479db9fe60ac8449e8b4131d56c436e2cba1c18207

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads