kinsing | a4b5a5eb9a43ca8ef3f64d5f4c6722d14107628125b90ccc83bc850a4f1472eb

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
Size

180KB
MD5

780d9a0366a953f6b74dd4bf20da23dd
SHA1

88f263a7d696826dbc147af8cff02fa1ae2a8ebd
SHA256

a4b5a5eb9a43ca8ef3f64d5f4c6722d14107628125b90ccc83bc850a4f1472eb
SHA512

2cfc16a835645d70b9b1b3cca7c50b9539aa6ecdc9b009c2846ccd6dac05336cbf93bfe9718977147f9f17355ea5efdd80625709f2a8ed2048b1ca56f76a45f1
SSDEEP

3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{53153B56-D753-4421-8739-15BAEB870646}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D6651A27-A165-496e-8BDF-BE307D743198}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe{D6651A27-A165-496e-8BDF-BE307D743198}.exe{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe{53153B56-D753-4421-8739-15BAEB870646}.exe{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AB6674E-1A4B-49e7-8889-81FA51EF3547}	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E987E6A-CF8F-46e9-93E5-722018C3141F}	{D6651A27-A165-496e-8BDF-BE307D743198}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E987E6A-CF8F-46e9-93E5-722018C3141F}\stubpath = "C:\\Windows\\{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe"	{D6651A27-A165-496e-8BDF-BE307D743198}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E6340BA-E0DD-4634-868B-E0F04C5F4811}	{53153B56-D753-4421-8739-15BAEB870646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}	{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6651A27-A165-496e-8BDF-BE307D743198}	{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}\stubpath = "C:\\Windows\\{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe"	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}\stubpath = "C:\\Windows\\{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe"	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A746AAA-69D1-4f91-98A0-22315DD66CD5}	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}\stubpath = "C:\\Windows\\{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe"	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53153B56-D753-4421-8739-15BAEB870646}\stubpath = "C:\\Windows\\{53153B56-D753-4421-8739-15BAEB870646}.exe"	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D126CF0A-11B4-4f23-82A8-ED2098173B65}	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D126CF0A-11B4-4f23-82A8-ED2098173B65}\stubpath = "C:\\Windows\\{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe"	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}\stubpath = "C:\\Windows\\{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe"	{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6651A27-A165-496e-8BDF-BE307D743198}\stubpath = "C:\\Windows\\{D6651A27-A165-496e-8BDF-BE307D743198}.exe"	{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A746AAA-69D1-4f91-98A0-22315DD66CD5}\stubpath = "C:\\Windows\\{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe"	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E6340BA-E0DD-4634-868B-E0F04C5F4811}\stubpath = "C:\\Windows\\{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe"	{53153B56-D753-4421-8739-15BAEB870646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AB6674E-1A4B-49e7-8889-81FA51EF3547}\stubpath = "C:\\Windows\\{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe"	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53153B56-D753-4421-8739-15BAEB870646}	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}\stubpath = "C:\\Windows\\{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe"	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe

Executes dropped EXE 11 IoCs

Processes:

{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe{53153B56-D753-4421-8739-15BAEB870646}.exe{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe{D6651A27-A165-496e-8BDF-BE307D743198}.exe{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe

pid	process
1640	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe
3356	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe
4672	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe
1048	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe
5072	{53153B56-D753-4421-8739-15BAEB870646}.exe
2796	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe
1416	{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe
4032	{D6651A27-A165-496e-8BDF-BE307D743198}.exe
4688	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe
5020	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe
436	{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe

Drops file in Windows directory 11 IoCs

Processes:

{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe{53153B56-D753-4421-8739-15BAEB870646}.exe{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe{D6651A27-A165-496e-8BDF-BE307D743198}.exe{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe

description	ioc	process
File created	C:\Windows\{53153B56-D753-4421-8739-15BAEB870646}.exe	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe
File created	C:\Windows\{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe	{53153B56-D753-4421-8739-15BAEB870646}.exe
File created	C:\Windows\{D6651A27-A165-496e-8BDF-BE307D743198}.exe	{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe
File created	C:\Windows\{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe
File created	C:\Windows\{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe
File created	C:\Windows\{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe
File created	C:\Windows\{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe
File created	C:\Windows\{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe	{D6651A27-A165-496e-8BDF-BE307D743198}.exe
File created	C:\Windows\{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe
File created	C:\Windows\{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe
File created	C:\Windows\{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe{53153B56-D753-4421-8739-15BAEB870646}.exe{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe{D6651A27-A165-496e-8BDF-BE307D743198}.exe{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2280	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1640	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe
Token: SeIncBasePriorityPrivilege	3356	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe
Token: SeIncBasePriorityPrivilege	4672	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe
Token: SeIncBasePriorityPrivilege	1048	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe
Token: SeIncBasePriorityPrivilege	5072	{53153B56-D753-4421-8739-15BAEB870646}.exe
Token: SeIncBasePriorityPrivilege	2796	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe
Token: SeIncBasePriorityPrivilege	2976	{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe
Token: SeIncBasePriorityPrivilege	4032	{D6651A27-A165-496e-8BDF-BE307D743198}.exe
Token: SeIncBasePriorityPrivilege	4688	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe
Token: SeIncBasePriorityPrivilege	5020	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2280 wrote to memory of 1640	2280	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe
PID 2280 wrote to memory of 1640	2280	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe
PID 2280 wrote to memory of 1640	2280	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe
PID 2280 wrote to memory of 404	2280	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	cmd.exe
PID 2280 wrote to memory of 404	2280	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	cmd.exe
PID 2280 wrote to memory of 404	2280	2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe	cmd.exe
PID 1640 wrote to memory of 3356	1640	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe
PID 1640 wrote to memory of 3356	1640	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe
PID 1640 wrote to memory of 3356	1640	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe
PID 1640 wrote to memory of 4964	1640	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe	cmd.exe
PID 1640 wrote to memory of 4964	1640	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe	cmd.exe
PID 1640 wrote to memory of 4964	1640	{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe	cmd.exe
PID 3356 wrote to memory of 4672	3356	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe
PID 3356 wrote to memory of 4672	3356	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe
PID 3356 wrote to memory of 4672	3356	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe
PID 3356 wrote to memory of 3984	3356	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe	cmd.exe
PID 3356 wrote to memory of 3984	3356	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe	cmd.exe
PID 3356 wrote to memory of 3984	3356	{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe	cmd.exe
PID 4672 wrote to memory of 1048	4672	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe
PID 4672 wrote to memory of 1048	4672	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe
PID 4672 wrote to memory of 1048	4672	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe
PID 4672 wrote to memory of 3524	4672	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe	cmd.exe
PID 4672 wrote to memory of 3524	4672	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe	cmd.exe
PID 4672 wrote to memory of 3524	4672	{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe	cmd.exe
PID 1048 wrote to memory of 5072	1048	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe	{53153B56-D753-4421-8739-15BAEB870646}.exe
PID 1048 wrote to memory of 5072	1048	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe	{53153B56-D753-4421-8739-15BAEB870646}.exe
PID 1048 wrote to memory of 5072	1048	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe	{53153B56-D753-4421-8739-15BAEB870646}.exe
PID 1048 wrote to memory of 932	1048	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe	cmd.exe
PID 1048 wrote to memory of 932	1048	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe	cmd.exe
PID 1048 wrote to memory of 932	1048	{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe	cmd.exe
PID 5072 wrote to memory of 2796	5072	{53153B56-D753-4421-8739-15BAEB870646}.exe	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe
PID 5072 wrote to memory of 2796	5072	{53153B56-D753-4421-8739-15BAEB870646}.exe	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe
PID 5072 wrote to memory of 2796	5072	{53153B56-D753-4421-8739-15BAEB870646}.exe	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe
PID 5072 wrote to memory of 228	5072	{53153B56-D753-4421-8739-15BAEB870646}.exe	cmd.exe
PID 5072 wrote to memory of 228	5072	{53153B56-D753-4421-8739-15BAEB870646}.exe	cmd.exe
PID 5072 wrote to memory of 228	5072	{53153B56-D753-4421-8739-15BAEB870646}.exe	cmd.exe
PID 2796 wrote to memory of 1416	2796	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe	{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe
PID 2796 wrote to memory of 1416	2796	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe	{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe
PID 2796 wrote to memory of 1416	2796	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe	{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe
PID 2796 wrote to memory of 4588	2796	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe	cmd.exe
PID 2796 wrote to memory of 4588	2796	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe	cmd.exe
PID 2796 wrote to memory of 4588	2796	{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe	cmd.exe
PID 2976 wrote to memory of 4032	2976	{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe	{D6651A27-A165-496e-8BDF-BE307D743198}.exe
PID 2976 wrote to memory of 4032	2976	{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe	{D6651A27-A165-496e-8BDF-BE307D743198}.exe
PID 2976 wrote to memory of 4032	2976	{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe	{D6651A27-A165-496e-8BDF-BE307D743198}.exe
PID 2976 wrote to memory of 1100	2976	{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe	cmd.exe
PID 2976 wrote to memory of 1100	2976	{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe	cmd.exe
PID 2976 wrote to memory of 1100	2976	{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe	cmd.exe
PID 4032 wrote to memory of 4688	4032	{D6651A27-A165-496e-8BDF-BE307D743198}.exe	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe
PID 4032 wrote to memory of 4688	4032	{D6651A27-A165-496e-8BDF-BE307D743198}.exe	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe
PID 4032 wrote to memory of 4688	4032	{D6651A27-A165-496e-8BDF-BE307D743198}.exe	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe
PID 4032 wrote to memory of 3392	4032	{D6651A27-A165-496e-8BDF-BE307D743198}.exe	cmd.exe
PID 4032 wrote to memory of 3392	4032	{D6651A27-A165-496e-8BDF-BE307D743198}.exe	cmd.exe
PID 4032 wrote to memory of 3392	4032	{D6651A27-A165-496e-8BDF-BE307D743198}.exe	cmd.exe
PID 4688 wrote to memory of 5020	4688	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe
PID 4688 wrote to memory of 5020	4688	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe
PID 4688 wrote to memory of 5020	4688	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe
PID 4688 wrote to memory of 1884	4688	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe	cmd.exe
PID 4688 wrote to memory of 1884	4688	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe	cmd.exe
PID 4688 wrote to memory of 1884	4688	{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe	cmd.exe
PID 5020 wrote to memory of 436	5020	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe	{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe
PID 5020 wrote to memory of 436	5020	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe	{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe
PID 5020 wrote to memory of 436	5020	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe	{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe
PID 5020 wrote to memory of 4768	5020	{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_780d9a0366a953f6b74dd4bf20da23dd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe
C:\Windows\{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe
C:\Windows\{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe
C:\Windows\{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe
C:\Windows\{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\{53153B56-D753-4421-8739-15BAEB870646}.exe
C:\Windows\{53153B56-D753-4421-8739-15BAEB870646}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{53153~1.EXE > nul
7⤵
PID:228

C:\Windows\{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe
C:\Windows\{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe
C:\Windows\{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
PID:1416

C:\Windows\{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe
C:\Windows\{401F2BFE-C57C-4bc0-A195-A0E9C08C5DC9}.exe
9⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\{D6651A27-A165-496e-8BDF-BE307D743198}.exe
C:\Windows\{D6651A27-A165-496e-8BDF-BE307D743198}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe
C:\Windows\{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe
C:\Windows\{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe
C:\Windows\{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe
13⤵
- Executes dropped EXE
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FF3CB~1.EXE > nul
13⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1E987~1.EXE > nul
12⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D6651~1.EXE > nul
11⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{401F2~1.EXE > nul
10⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D126C~1.EXE > nul
9⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0E634~1.EXE > nul
8⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A5DC8~1.EXE > nul
6⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9AB66~1.EXE > nul
5⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4A746~1.EXE > nul
4⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0ADF6~1.EXE > nul
3⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0ADF6303-752C-45b4-B0A2-6A7BBBD9AFB6}.exe

Filesize
180KB

MD5
f678cddf61b5d922ae65f663199176bd

SHA1
cc0ccb497e08fc76d4ea4aa193b2c7d24ecad58d

SHA256
4d637169e303e6a3ac5055fa47867a68745a6226737fb079a3a6403754ae982f

SHA512
579b90cfbd153efb43b372851159a55a5bf1b4fce0c937427da3321035ea207a1d45ea1da594a79be03fe0e201d36262f4894f1bfc60c90feb2ee2a928475b17

Download Submit
C:\Windows\{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe

Filesize
41KB

MD5
d4bda7edafbd01419437cef844e2852c

SHA1
57819e68a9c0fedfe25f371243fd15d751d52760

SHA256
bb32f19790a3efce7b102df55d150cf28e5056eed31148cf89cf39c392c81c0d

SHA512
36e8134d149c433e07fe293b15cafc6dfb1889738106bae7818b382d87fdc14c1a82971bdd0a2e6420fbf870bcd9390cb4b81d990b59d7dd400e6714510dec06

Download Submit
C:\Windows\{0E6340BA-E0DD-4634-868B-E0F04C5F4811}.exe

Filesize
180KB

MD5
198d2be0288289b928f7909c1675bda5

SHA1
8b165dade9b5c05309a7eb0cc23809dc3b747753

SHA256
ce8c89fb03ee6aa309ccdb8027e180b718149e1e6725bab75e0059a30cba5b49

SHA512
88cc2c988624969681e24a7f87c1491a66a46391909be35308dade89e79cfb4ad27facd7a20b6ebe7d0c3e4bb77886a513366020bbc0d392d13df8f01ec11163

Download Submit
C:\Windows\{1E987E6A-CF8F-46e9-93E5-722018C3141F}.exe

Filesize
180KB

MD5
c6c8a624bd45f5a458ffd2110c3840db

SHA1
042dca52017d8bfbc982ea673f34323c7b200aac

SHA256
1252f3399f4b70eda988d4b69b1b19e82377d0b1dee999477f71b23a0e9e12ac

SHA512
0d339093ab48a6c8a86cf2b461c0580a119aaba9ab6c354c94a9a10675911bbae6dbeebbf18a9b0fc9b9c3b858fcb336d8c88efc07ce94cc8d41015f1c19fa1e

Download Submit
C:\Windows\{4A746AAA-69D1-4f91-98A0-22315DD66CD5}.exe

Filesize
180KB

MD5
3aa16f86141251b11d33960409a6cddf

SHA1
96994d860eb5f0054d0fa9e566b1224ae45a5b60

SHA256
9c36baa66fa673c283861afc95107220d5551ff36e88a26ba82b8953a970d8cf

SHA512
a40f24ab51ee4c363d200f33e50510220be04056db6a191a05387e450c46e8aec8929d5636131c5a74213b800cd7000eb91251e38b1a8487a7fce681bddf0e03

Download Submit
C:\Windows\{53153B56-D753-4421-8739-15BAEB870646}.exe

Filesize
180KB

MD5
5e0613ca3a8f79de402e91fc1d904ca2

SHA1
2ecadd7d9f1d705bcfc4cdd20a661d602185b8d2

SHA256
1773b98718c44271b5ddc750c377b8953c8b5ebf531c7dff7a60a985e74b3058

SHA512
317f719060da610ac4d24c274a6804ed405c2a31b6496a2476cbd00789d79ccef144734818c4add39e96d5dbc3c1c55ed68d874c27fe1e6e64216afdccf08c6a

Download Submit
C:\Windows\{9AB6674E-1A4B-49e7-8889-81FA51EF3547}.exe

Filesize
180KB

MD5
e95d1fb3066f9d5e04cfa23f3c7cfc68

SHA1
66e5ffdb9ee41fb6bfba65cd55e185ddda4acd23

SHA256
244b7ce0409980a550b67ced422ceacbfb627a69ae6aa6000e442ad67b1bb515

SHA512
8aa696bb98caa63b80e7676609a179fbee9909acb8abd386c2ad53fbba5e4e00bcc1d7e8dff124ddbc29ae801df3a014d27aa5da5cc2e655adf87c5a92753cc8

Download Submit
C:\Windows\{A5DC8091-40DC-42fd-87B0-35DEB241BF3A}.exe

Filesize
180KB

MD5
eaf585e50d53d980861cc4a9f45067db

SHA1
632a251c967637b6473e93f4071b13160e669124

SHA256
87cb2b9b038b15eb9b4d7dabfa92d348091cfb5dd731b8b83ac735b286674b65

SHA512
98317b5e0715365d928c86779d6dac312c2a9752b5615d8755407e403e99e523aeb8be48ebd6027cbbae5c8a9d4521b6925ac25588b31a2518d823f3eb4f4317

Download Submit
C:\Windows\{BD5DD6E6-D168-4513-8562-F2F2B0BAED28}.exe

Filesize
180KB

MD5
f8196f5c9699c6346747cb591b5b520d

SHA1
2218559e05f8f42d31931f29d454793d4375030b

SHA256
180b383cd7c71a5345d53b2d095f93fee16e410b041ec35dd6d240be580bbb81

SHA512
6aa1c1baa574c69d0fba734f3917ae4f8924c1ddc8f589699d06bfaf5c3a2ace5d14f2726b7c5a6074dd60dbb10dfb6b9127fb2da0eb4f9b49342527623a0da3

Download Submit
C:\Windows\{D126CF0A-11B4-4f23-82A8-ED2098173B65}.exe

Filesize
180KB

MD5
bf41414306e8f450ebdd1a60759e4467

SHA1
7bd83c21a2cc18543f57c2efe1887e12e8ea2bf7

SHA256
66bbac44e68ff97f3707628dd7ab4d73409061e18413d7a3502e7d9dd024996c

SHA512
6eaac411e631fa7b35767ad0a074a4acf04f04c3033f56d8c89e89c4973ac7cbcbcb9cd5a82f0f1ddbf581b3a4244d6b4d65cb61a4f9eaad47a1149c12c43bcf

Download Submit
C:\Windows\{D6651A27-A165-496e-8BDF-BE307D743198}.exe

Filesize
180KB

MD5
87eb4086624ef88a5d8466d5cff623a7

SHA1
6c41c34a0e6461d40fb766d588bdb7a0fe16c774

SHA256
56b66649e80ac6686bd1757aab63626fee3208c8856448fe60f3cec224982463

SHA512
9b171c23a986f8121e244c90946bce32e10f2a2bc8fa02041a98b29729c125cf88926ebd58bc3439961b1fa495ba7b2761bcc2429e116c29c4f6bf012d538002

Download Submit
C:\Windows\{FF3CB4C0-16F4-4415-A17D-2D2465AFC008}.exe

Filesize
180KB

MD5
29e897c45d90738cfe6023c59adfda11

SHA1
c216f033d07870a738a5d349a1047e420eb572ad

SHA256
4b5f99c84bd60d4e479a02576e6e94059d3310be1710fa12da65522fc6ed9efd

SHA512
11612f59db2e6e4f6038938027f5fd8c94282c6b3c32eab622a78edf8fee7fa6cb56ab864088f5822804ba0552b0a98df2c992efc1945301918411956223ccbb

Download Submit