kinsing | 7cbc4d6e0c01be66e067f901ea31c8fdd072721971f9ff6d020e4cacbd8e2e54

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
Size

168KB
MD5

82a2b4cd281ab7846611643e00925108
SHA1

ab2bef54ffba61ef123055730d5f9cac7c1b2138
SHA256

7cbc4d6e0c01be66e067f901ea31c8fdd072721971f9ff6d020e4cacbd8e2e54
SHA512

12f31160b0379c695c8eebd94b95717879a2cadecee8454a67d1b0269d671f8f758aa7ad7e329591761f8039f8ab2d407f87015d100c229d6b8b5d6e0aefd887
SSDEEP

1536:1EGh0o7lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o7lqOPOe2MUVg3Ve+rX

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FF81597-1C6F-41ad-8141-3D9A87E92214}	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}\stubpath = "C:\\Windows\\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe"	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BACB84-B96C-4d2f-A87D-691A29645D5A}\stubpath = "C:\\Windows\\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe"	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}\stubpath = "C:\\Windows\\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe"	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0519B459-C133-407a-8BF7-9631A0AE8D57}	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3B528F6-8DFC-42cd-8435-1126B41066BA}	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FF81597-1C6F-41ad-8141-3D9A87E92214}\stubpath = "C:\\Windows\\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe"	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{345B2311-85CC-40fd-ACB3-D650820F0C6B}	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{345B2311-85CC-40fd-ACB3-D650820F0C6B}\stubpath = "C:\\Windows\\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe"	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BACB84-B96C-4d2f-A87D-691A29645D5A}	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}\stubpath = "C:\\Windows\\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe"	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0519B459-C133-407a-8BF7-9631A0AE8D57}\stubpath = "C:\\Windows\\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe"	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFAA1936-54A4-4209-A3F4-6968C197C43F}	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3B528F6-8DFC-42cd-8435-1126B41066BA}\stubpath = "C:\\Windows\\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe"	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}\stubpath = "C:\\Windows\\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe"	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}\stubpath = "C:\\Windows\\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe"	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFAA1936-54A4-4209-A3F4-6968C197C43F}\stubpath = "C:\\Windows\\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe"	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe

Executes dropped EXE 11 IoCs

Processes:

{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe

pid	process
4968	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
4756	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
1256	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
4476	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
1704	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
1284	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
1832	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
4920	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
4848	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
2352	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
2448	{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe

Drops file in Windows directory 11 IoCs

Processes:

{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe

description	ioc	process
File created	C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
File created	C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
File created	C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
File created	C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
File created	C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
File created	C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
File created	C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
File created	C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
File created	C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
File created	C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
File created	C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2472	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4968	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
Token: SeIncBasePriorityPrivilege	4756	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
Token: SeIncBasePriorityPrivilege	1256	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
Token: SeIncBasePriorityPrivilege	4476	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
Token: SeIncBasePriorityPrivilege	1704	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
Token: SeIncBasePriorityPrivilege	1284	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
Token: SeIncBasePriorityPrivilege	1832	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
Token: SeIncBasePriorityPrivilege	4920	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
Token: SeIncBasePriorityPrivilege	4848	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
Token: SeIncBasePriorityPrivilege	2352	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2472 wrote to memory of 4968	2472	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
PID 2472 wrote to memory of 4968	2472	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
PID 2472 wrote to memory of 4968	2472	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
PID 2472 wrote to memory of 2664	2472	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	cmd.exe
PID 2472 wrote to memory of 2664	2472	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	cmd.exe
PID 2472 wrote to memory of 2664	2472	2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe	cmd.exe
PID 4968 wrote to memory of 4756	4968	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
PID 4968 wrote to memory of 4756	4968	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
PID 4968 wrote to memory of 4756	4968	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
PID 4968 wrote to memory of 3980	4968	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe	cmd.exe
PID 4968 wrote to memory of 3980	4968	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe	cmd.exe
PID 4968 wrote to memory of 3980	4968	{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe	cmd.exe
PID 4756 wrote to memory of 1256	4756	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
PID 4756 wrote to memory of 1256	4756	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
PID 4756 wrote to memory of 1256	4756	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
PID 4756 wrote to memory of 4876	4756	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe	cmd.exe
PID 4756 wrote to memory of 4876	4756	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe	cmd.exe
PID 4756 wrote to memory of 4876	4756	{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe	cmd.exe
PID 1256 wrote to memory of 4476	1256	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
PID 1256 wrote to memory of 4476	1256	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
PID 1256 wrote to memory of 4476	1256	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
PID 1256 wrote to memory of 4100	1256	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe	cmd.exe
PID 1256 wrote to memory of 4100	1256	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe	cmd.exe
PID 1256 wrote to memory of 4100	1256	{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe	cmd.exe
PID 4476 wrote to memory of 1704	4476	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
PID 4476 wrote to memory of 1704	4476	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
PID 4476 wrote to memory of 1704	4476	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
PID 4476 wrote to memory of 4524	4476	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe	cmd.exe
PID 4476 wrote to memory of 4524	4476	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe	cmd.exe
PID 4476 wrote to memory of 4524	4476	{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe	cmd.exe
PID 1704 wrote to memory of 1284	1704	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
PID 1704 wrote to memory of 1284	1704	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
PID 1704 wrote to memory of 1284	1704	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
PID 1704 wrote to memory of 3120	1704	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe	cmd.exe
PID 1704 wrote to memory of 3120	1704	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe	cmd.exe
PID 1704 wrote to memory of 3120	1704	{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe	cmd.exe
PID 1284 wrote to memory of 1832	1284	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
PID 1284 wrote to memory of 1832	1284	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
PID 1284 wrote to memory of 1832	1284	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
PID 1284 wrote to memory of 5060	1284	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe	cmd.exe
PID 1284 wrote to memory of 5060	1284	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe	cmd.exe
PID 1284 wrote to memory of 5060	1284	{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe	cmd.exe
PID 1832 wrote to memory of 4920	1832	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
PID 1832 wrote to memory of 4920	1832	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
PID 1832 wrote to memory of 4920	1832	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
PID 1832 wrote to memory of 408	1832	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe	cmd.exe
PID 1832 wrote to memory of 408	1832	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe	cmd.exe
PID 1832 wrote to memory of 408	1832	{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe	cmd.exe
PID 4920 wrote to memory of 4848	4920	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
PID 4920 wrote to memory of 4848	4920	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
PID 4920 wrote to memory of 4848	4920	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
PID 4920 wrote to memory of 4208	4920	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe	cmd.exe
PID 4920 wrote to memory of 4208	4920	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe	cmd.exe
PID 4920 wrote to memory of 4208	4920	{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe	cmd.exe
PID 4848 wrote to memory of 2352	4848	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
PID 4848 wrote to memory of 2352	4848	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
PID 4848 wrote to memory of 2352	4848	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
PID 4848 wrote to memory of 4936	4848	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe	cmd.exe
PID 4848 wrote to memory of 4936	4848	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe	cmd.exe
PID 4848 wrote to memory of 4936	4848	{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe	cmd.exe
PID 2352 wrote to memory of 2448	2352	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe	{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe
PID 2352 wrote to memory of 2448	2352	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe	{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe
PID 2352 wrote to memory of 2448	2352	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe	{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe
PID 2352 wrote to memory of 2964	2352	{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_82a2b4cd281ab7846611643e00925108_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe
C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe
12⤵
- Executes dropped EXE
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B3B52~1.EXE > nul
12⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0519B~1.EXE > nul
11⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{304AF~1.EXE > nul
10⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7171C~1.EXE > nul
9⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{56BAC~1.EXE > nul
8⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{345B2~1.EXE > nul
7⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DFAA1~1.EXE > nul
6⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C8368~1.EXE > nul
5⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0FF81~1.EXE > nul
4⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E635E~1.EXE > nul
3⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0519B459-C133-407a-8BF7-9631A0AE8D57}.exe

Filesize
168KB

MD5
74847ce7fbdc36fe1efb96744a248a58

SHA1
c4d82404b7631ee69421e1d64ecb4065c635b016

SHA256
e552fbf83933b8163078ce1b2a280d074cebbfde5c29d6ad195ed7d405178b7b

SHA512
22de10df27483bea4831814b67236f692817ec8bc8b9d874597d54fd5a3450d7f78b93ca51e3d364ac544a8cdf3dd95c224eb7056c74f68a60215cc10c7ff7d0

Download Submit
C:\Windows\{0FF81597-1C6F-41ad-8141-3D9A87E92214}.exe

Filesize
168KB

MD5
dfaae9d99804e2b795919c3f52216b42

SHA1
c34f7d209a9b690bf5ea36e36c2aacda71681449

SHA256
600ba21c45789ea3263c47802844c13b8a7dfd72339ca099b4ba480d456ccf60

SHA512
e5deca87d6f17a125c994ad20793b65c64c5a4bba0b49dabbae8d55fa6c92d7ddd8494b36cc5ba8aa116e6d20f1e29fb27ce7c4f857d9b6d64c761721f4e0250

Download Submit
C:\Windows\{304AFF06-B0B4-4df9-97B6-C5DD0458CB5E}.exe

Filesize
168KB

MD5
3d5d196f86cc08010d95e5a9f80f1053

SHA1
5e069b77f39a6da52dea9f119b0953b393a748e6

SHA256
ed30ab9adc68da5f6e5e47caf83b3fdcb90ddc17714308c7b5ae59990b675da2

SHA512
fa9245e0f357d21bbd400b614d288d1fdae4d6a843c45bab32866f7d8291aaaf99e66f9c2a5cae40abdab3642eae8e7ecfe4353911c14f1b2fcd87affcda7b1e

Download Submit
C:\Windows\{345B2311-85CC-40fd-ACB3-D650820F0C6B}.exe

Filesize
168KB

MD5
d538a071798692e137e3fb81c8c6014f

SHA1
25fc81fb986c2ebaa307273f461e668828071237

SHA256
a410652778d71bc13ffb45e6fcd0de901112300e38ccf97103f4636605fe4c78

SHA512
572ef50a62ca7068fd04472ca5bd83b20a674b5e48d60b3811da4abb890904789a98578492886fc35afd177dc8d3dec0405ea8e5a36dbc8d2fb107b560613549

Download Submit
C:\Windows\{56BACB84-B96C-4d2f-A87D-691A29645D5A}.exe

Filesize
168KB

MD5
d62140265ff48530e57177cfe50119e2

SHA1
4c73e4a8ea8630737e7551e610a0811686a69fd8

SHA256
4ce2677e62c2000a53797c722c59cd76b9cfab89ed6b068758d9a195f59d94b8

SHA512
9bad2284a60278443b0641ac9dd384ea79957136f8d242f3d817149f09517c38c0d771f70870e09ed6ee6528bfc72b401f07e5babb8f8e75793989617a63ec21

Download Submit
C:\Windows\{7171C8F6-2C58-4c1a-9782-78BDAFC46DC9}.exe

Filesize
168KB

MD5
348af5267597cd59d0696f214c227d5e

SHA1
d3a23031153b6451ee853510f28e6fd395b8462c

SHA256
fb55ea5eb15e2fef711642ceaf93afcd28c01aa44c51bfd686e219c5fd2774da

SHA512
37c6941f71cc5d0ef994345184df14bb6b2fa9249d47347c2e87950ad8377e4e18fc67c057964b978711843da110c2be0369d029c5045a1a0ac5b9f514ef4e9e

Download Submit
C:\Windows\{9236D06D-405B-4cce-A3AF-F71CA9745CC9}.exe

Filesize
168KB

MD5
a504990bc15f986c2320e27c25f05d15

SHA1
7b80ca27d11f4f09aeb67875c5672bab4f080b61

SHA256
93404d6b6e8068c7c03f30ce14cef4b32a42903ac469753891d04bdf166ef169

SHA512
160cc8468b152fcfc4a867a8f374acdcda776b5860264b760440c73aee17e54299b813bbe58fb22435fe45c8ebe2c80fd5e630c427650bce6713941e2bd4955c

Download Submit
C:\Windows\{B3B528F6-8DFC-42cd-8435-1126B41066BA}.exe

Filesize
168KB

MD5
ce34f6a7d9868f67bf36568df7b7b7a6

SHA1
bded85f5c7190dc371552fa6d293179d5e7cedcb

SHA256
e6c03b7ba0daef9c01e8ad38ba5d2c501169a4688e1833f5765077fe8f886b5c

SHA512
8295566a0f162fd27fa2ccbb578ea095b07c4f8aeeb23da546240c7f335e9d3ccde585d94855dd7805f081a24efb6b24924217df194d52f9c61d70dd6fce8710

Download Submit
C:\Windows\{C83682E7-B91B-4868-B1AC-EDDC26E44CC7}.exe

Filesize
168KB

MD5
e4af7fbfb899ee94a2e58c870c0b8936

SHA1
1bd7982afbb2a47e353d990049fd2038f50ca08d

SHA256
47381d2637731a18a8d407863dae01c8fccf342e858e9e26f495f5a77f37b064

SHA512
3711e13f3f9d496b40ebc872010c532b2f31e23ae70fd77ded1c712bc63b715ad980a562628fa05e3a753d88828b689a11540a30a9043228d63767244dc5bc04

Download Submit
C:\Windows\{DFAA1936-54A4-4209-A3F4-6968C197C43F}.exe

Filesize
168KB

MD5
33378e0062c4444ea869a54ff4013e59

SHA1
248d59072670ab1b17e408032bf7e0c09db89688

SHA256
bb7988da621577f2aac4e068037f2ef82c9a313714507f96cfea20d2d3622cd1

SHA512
e8cb1c6e64f0cfa13248da72d9b9d1c03013284020467f535125ac05ccd757f51954c524cb31af98829815b9f8f1d121bc0b10c76e9a38e2dc93f0f5de0dbefa

Download Submit
C:\Windows\{E635EA02-FFFE-4cba-9E01-7AEFEED2F762}.exe

Filesize
168KB

MD5
e8308692e2234d9afcdf87d2c22df565

SHA1
3a9af6563d0e457ca71a7a443658b4802ed79530

SHA256
f3ec195747534d277b5c0b6b4583ecf86b0c75c8b18b5d9882007423c0807caf

SHA512
aab4a1fae38cc3767b52e4d13c7ad5f7d796a55aa2a40b7ee6249d59776d775946ce5f8fa0aeb442c9482f9ff78a7f9328e49617f946d0ba76c132b9703efd9f

Download Submit