kinsing | 18a59b14d32216b8eec2064a0bed2658dc049d90376223dcd10c58697ef2e383

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
Size

216KB
MD5

7c7b3edf03d7bfafbdd998980609e48a
SHA1

1c10476bccdff2e38d9e61f764e03b8389f1219d
SHA256

18a59b14d32216b8eec2064a0bed2658dc049d90376223dcd10c58697ef2e383
SHA512

b2702fdd987d8bcc3cf62039b67334139357f9db2d25aab7402885b8746d8c05074e309fd06112b2795e642813dd0de6c6d887b5b2bb6bdbd1f30b93fcd0e93a
SSDEEP

3072:jEGh0oXl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGFlEeKcAEcGy

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe{41759B85-D583-4309-808F-D598DA2A93EC}.exe{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CC964B1-BCAA-4158-A604-6E556C646EDC}	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EC31105-4917-4f29-BF39-BE93D8666FAD}	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41759B85-D583-4309-808F-D598DA2A93EC}	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41759B85-D583-4309-808F-D598DA2A93EC}\stubpath = "C:\\Windows\\{41759B85-D583-4309-808F-D598DA2A93EC}.exe"	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}	{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CC964B1-BCAA-4158-A604-6E556C646EDC}\stubpath = "C:\\Windows\\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe"	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362A468D-AD47-4af2-A09A-79C360CD61C7}	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}\stubpath = "C:\\Windows\\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe"	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155FECBB-063B-45a5-AB2D-22AD75E80B91}	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155FECBB-063B-45a5-AB2D-22AD75E80B91}\stubpath = "C:\\Windows\\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe"	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EC31105-4917-4f29-BF39-BE93D8666FAD}\stubpath = "C:\\Windows\\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe"	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}\stubpath = "C:\\Windows\\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe"	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}	{41759B85-D583-4309-808F-D598DA2A93EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}\stubpath = "C:\\Windows\\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe"	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}\stubpath = "C:\\Windows\\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe"	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{362A468D-AD47-4af2-A09A-79C360CD61C7}\stubpath = "C:\\Windows\\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe"	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}\stubpath = "C:\\Windows\\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe"	{41759B85-D583-4309-808F-D598DA2A93EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}\stubpath = "C:\\Windows\\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe"	{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18E1EE97-CC13-4fa6-8264-79491A81533A}	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18E1EE97-CC13-4fa6-8264-79491A81533A}\stubpath = "C:\\Windows\\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe"	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe

Executes dropped EXE 12 IoCs

Processes:

{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe{41759B85-D583-4309-808F-D598DA2A93EC}.exe{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe

pid	process
4448	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
2132	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
3732	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
4848	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
4488	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
2944	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
2208	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
788	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
3628	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
4560	{41759B85-D583-4309-808F-D598DA2A93EC}.exe
4336	{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
3292	{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe

Drops file in Windows directory 12 IoCs

Processes:

{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe{41759B85-D583-4309-808F-D598DA2A93EC}.exe{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe

description	ioc	process
File created	C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
File created	C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
File created	C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
File created	C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
File created	C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
File created	C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
File created	C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
File created	C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
File created	C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe	{41759B85-D583-4309-808F-D598DA2A93EC}.exe
File created	C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe	{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
File created	C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
File created	C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe{41759B85-D583-4309-808F-D598DA2A93EC}.exe{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	816	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4448	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
Token: SeIncBasePriorityPrivilege	2132	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
Token: SeIncBasePriorityPrivilege	3732	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
Token: SeIncBasePriorityPrivilege	4848	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
Token: SeIncBasePriorityPrivilege	4488	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
Token: SeIncBasePriorityPrivilege	2944	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
Token: SeIncBasePriorityPrivilege	2208	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
Token: SeIncBasePriorityPrivilege	788	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
Token: SeIncBasePriorityPrivilege	3628	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
Token: SeIncBasePriorityPrivilege	4560	{41759B85-D583-4309-808F-D598DA2A93EC}.exe
Token: SeIncBasePriorityPrivilege	4336	{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 816 wrote to memory of 4448	816	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
PID 816 wrote to memory of 4448	816	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
PID 816 wrote to memory of 4448	816	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
PID 816 wrote to memory of 672	816	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	cmd.exe
PID 816 wrote to memory of 672	816	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	cmd.exe
PID 816 wrote to memory of 672	816	2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe	cmd.exe
PID 4448 wrote to memory of 2132	4448	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
PID 4448 wrote to memory of 2132	4448	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
PID 4448 wrote to memory of 2132	4448	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
PID 4448 wrote to memory of 880	4448	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe	cmd.exe
PID 4448 wrote to memory of 880	4448	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe	cmd.exe
PID 4448 wrote to memory of 880	4448	{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe	cmd.exe
PID 2132 wrote to memory of 3732	2132	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
PID 2132 wrote to memory of 3732	2132	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
PID 2132 wrote to memory of 3732	2132	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
PID 2132 wrote to memory of 4988	2132	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe	cmd.exe
PID 2132 wrote to memory of 4988	2132	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe	cmd.exe
PID 2132 wrote to memory of 4988	2132	{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe	cmd.exe
PID 3732 wrote to memory of 4848	3732	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
PID 3732 wrote to memory of 4848	3732	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
PID 3732 wrote to memory of 4848	3732	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
PID 3732 wrote to memory of 1840	3732	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe	cmd.exe
PID 3732 wrote to memory of 1840	3732	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe	cmd.exe
PID 3732 wrote to memory of 1840	3732	{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe	cmd.exe
PID 4848 wrote to memory of 4488	4848	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
PID 4848 wrote to memory of 4488	4848	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
PID 4848 wrote to memory of 4488	4848	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
PID 4848 wrote to memory of 1580	4848	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe	cmd.exe
PID 4848 wrote to memory of 1580	4848	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe	cmd.exe
PID 4848 wrote to memory of 1580	4848	{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe	cmd.exe
PID 4488 wrote to memory of 2944	4488	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
PID 4488 wrote to memory of 2944	4488	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
PID 4488 wrote to memory of 2944	4488	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
PID 4488 wrote to memory of 4996	4488	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe	cmd.exe
PID 4488 wrote to memory of 4996	4488	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe	cmd.exe
PID 4488 wrote to memory of 4996	4488	{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe	cmd.exe
PID 2944 wrote to memory of 2208	2944	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
PID 2944 wrote to memory of 2208	2944	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
PID 2944 wrote to memory of 2208	2944	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
PID 2944 wrote to memory of 840	2944	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe	cmd.exe
PID 2944 wrote to memory of 840	2944	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe	cmd.exe
PID 2944 wrote to memory of 840	2944	{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe	cmd.exe
PID 2208 wrote to memory of 788	2208	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
PID 2208 wrote to memory of 788	2208	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
PID 2208 wrote to memory of 788	2208	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
PID 2208 wrote to memory of 3120	2208	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe	cmd.exe
PID 2208 wrote to memory of 3120	2208	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe	cmd.exe
PID 2208 wrote to memory of 3120	2208	{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe	cmd.exe
PID 788 wrote to memory of 3628	788	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
PID 788 wrote to memory of 3628	788	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
PID 788 wrote to memory of 3628	788	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
PID 788 wrote to memory of 2548	788	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe	cmd.exe
PID 788 wrote to memory of 2548	788	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe	cmd.exe
PID 788 wrote to memory of 2548	788	{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe	cmd.exe
PID 3628 wrote to memory of 4560	3628	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe	{41759B85-D583-4309-808F-D598DA2A93EC}.exe
PID 3628 wrote to memory of 4560	3628	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe	{41759B85-D583-4309-808F-D598DA2A93EC}.exe
PID 3628 wrote to memory of 4560	3628	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe	{41759B85-D583-4309-808F-D598DA2A93EC}.exe
PID 3628 wrote to memory of 5036	3628	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe	cmd.exe
PID 3628 wrote to memory of 5036	3628	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe	cmd.exe
PID 3628 wrote to memory of 5036	3628	{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe	cmd.exe
PID 4560 wrote to memory of 4336	4560	{41759B85-D583-4309-808F-D598DA2A93EC}.exe	{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
PID 4560 wrote to memory of 4336	4560	{41759B85-D583-4309-808F-D598DA2A93EC}.exe	{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
PID 4560 wrote to memory of 4336	4560	{41759B85-D583-4309-808F-D598DA2A93EC}.exe	{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
PID 4560 wrote to memory of 684	4560	{41759B85-D583-4309-808F-D598DA2A93EC}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{31D59~1.EXE > nul
4⤵
PID:4988

C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe
C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe
C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe
13⤵
- Executes dropped EXE
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C91C7~1.EXE > nul
13⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{41759~1.EXE > nul
12⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{18E1E~1.EXE > nul
11⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD2F~1.EXE > nul
10⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7EC31~1.EXE > nul
9⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{155FE~1.EXE > nul
8⤵
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E93E2~1.EXE > nul
7⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{362A4~1.EXE > nul
6⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{ADD9C~1.EXE > nul
5⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8CC96~1.EXE > nul
3⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
Filesize
216KB

MD5
4c41233f1ca06ef01f77ab600d45effd

SHA1
67c03936caba21d771b3cda99d0a7b5a01563209

SHA256
608ce408f794e100c5890a4a7a7513966f2ab97021c65a327b29e08b1bc25caf

SHA512
f7e4b457dfecfad3e6a126d625c0c908ec73e2bff611b3dbfc97b4bd59f958cda482167685c8a31cb4efc61ec355e31fb0fbd1a67f6dff91f4430c9fdb172fcb

Download Submit
C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
Filesize
216KB

MD5
6300a421b2e23cb72dc96b588b0f235d

SHA1
90d114f033929b6a0655fdf81124befb1651ad3e

SHA256
c187bda316b670fdb0b07fc0ac44d0220f77d6fad5b5e1641911e665680ccab6

SHA512
d0ca9968a16b7759c933ccee4d06d993dbcc03b131982917b23eeeea458bacc48267a65cccc5cc53edbaa64ae928108d5d48d93b7cf38f8473e499476e366386

Download Submit
C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
Filesize
216KB

MD5
1dad67fb726306e6e0d5bd0c03c26d82

SHA1
6255c7911f0e30329456a6250ace901ecb848bb4

SHA256
164ed231ba7946300630fca66f708a3c7c3daebaf54815eb106da362bb7c44dc

SHA512
36f79b73f96b15c85d524acd06d8c824bb1ccdec0181dcda7c5dc015bcc0c489d3244308c1e473c3f4b74333c96019b3ddc393b2bf1e04737d95f5584b5abf4f

Download Submit
C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
Filesize
216KB

MD5
23da486df77f8e313ed52707e9e61eab

SHA1
8dd1aa08ecd7a3d92676b314dd21573d71e0298a

SHA256
b9be9a8c4b1a724b4b5e29edb3eb24df9c6dd8df7a0d3b5f88c716c319e9cba4

SHA512
bebd36652622b69855cb6eb6148c1c0aea6d7594dbd1b2c1f90acde47dca38c593a81c3e588c3e9ff814b233e236121aea27e0036ef269ddc6c7467efbaad54b

Download Submit
C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
Filesize
216KB

MD5
2dad342ad75567ae7bf529da0e1d5719

SHA1
ea380b4203198e20494a6e54c634cba782971ef4

SHA256
ed7166d2434c1d85f343c18cb1352427477eff62c46c61ac494421be6c800afe

SHA512
7c451a5e36f18596cc9edc0ce4bc542319bdc594d2af928193b38cfb39291e0c56e668cc75bff24739d7d8e3e014dd6b559f8cad8ab3ed7dfcf51937a321a8af

Download Submit
C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe
Filesize
216KB

MD5
ecfdca7af9112762e965f99ca03b999e

SHA1
de0fedba07e85444e38f1c94903512177c03aa44

SHA256
a1cff0bec52437d94b822c3939716ca435f3703c6c428e9cc574ed3332181c89

SHA512
ea02e28f626637a07caeeb7fd311010746fcb1bbc9e96b48ad639e3d1eccfb5f172d875365ba922f387e827771932ce8622b16a05bba65bcedf26db6a5303c11

Download Submit
C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
Filesize
216KB

MD5
b6d276ef85383d8f27f19b8dfed623f5

SHA1
481cdd55fd63c9929cf073a6d94a7966b7f56760

SHA256
0297743b0098af96705b5241997906684895ae9faba91f2392a68245a67a5976

SHA512
af00fb1438eb17c5e9c80c608b14d1b0d54da44ac35d6d7e5b581582ee9ae35ca20e028581bd5b04ccb4c865b3e1477184e441359ffcb7b26a51674e2027245a

Download Submit
C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
Filesize
216KB

MD5
b3b712819d2355a41e5d245e1a60253e

SHA1
b31f318dd7f8139173b3366acde3b9c776ba2195

SHA256
c193597542339e00e71ae62024a5b424ffdfa6847d7b0b3b01f897d4e25841b9

SHA512
12b7cde73131459f60d24533215d7383d4a8d0a767fa70862419ec915b25f498d97cb27144f10c1200a9aa4d05ef4f58d40812c972f62bcbb6685ae96980c848

Download Submit
C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
Filesize
216KB

MD5
fcb4c8a8bc96f8d16451c4703d628d38

SHA1
901b7ac6101f9819f3b0899bb9d7170136f6cc06

SHA256
8c608c72afa76bdc31225e8a0c886fe49dd6d87686b80eb31b31b5aa9572ad52

SHA512
bf7a6c9aef61eddcdd6b4012bdc5cee64a1bba1fcf278fd69696d3ba82658dcbda4a9b5a5c346ad01255b1ae96a0a85477d547abd6902fd40b151ab781c4e96b

Download Submit
C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
Filesize
216KB

MD5
be3c56b55017eed6d3a64ed4166b93ee

SHA1
002172e54febb03685d466c08112b4bebc6f4ce7

SHA256
4bfaec2bed8d24cd96d2f2ceedce07eba542bb6e53627ec98657f60a22ba4cb5

SHA512
5c09780e1dc6b9af559f7909c1ea034fe26e9d3ecaa576d012ad51be04a4d3be28d72f13cb2f39e12194f02b9869da2b2ce46ae0e4eec94bc22da7f08d348e1d

Download Submit
C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe
Filesize
216KB

MD5
35961e7db13a4c47262e9cf409ce4c48

SHA1
d256f2305c42b71236ff9dbe968331851c9272d5

SHA256
8261dd8ce0099fc37aa413fdcbaee66f0a1513656ff08a377d184a96e95a8de5

SHA512
9dfc3e8d8640ad2ac29d4da6b275bdbd2eeac3a5b428cc9bea2b6c24b83da215fc09c24c96d0637403768e5d972a63929c18cbf461e62cde0acca4c667a3d1ea

Download Submit
C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
Filesize
216KB

MD5
a4a2798f3b51ae59879231316f5232f3

SHA1
ed6c3a6d2c877407a841c6a592b68f0c6b6c51b5

SHA256
4e80242d1417b52ae239ec8da2170c4bf72d6d5906e49571d4c39e0088478d03

SHA512
d698d5918879dd230a5a28bcaa2758e66445fcf6eedc6cc4c3147abf448a1113ccbfaee0f1f5d298448ea889e07d19bf0242dfbd871b481d59805ad5763f21db

Download Submit