Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25-01-2024 17:31

General

  • Target

    2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe

  • Size

    216KB

  • MD5

    7c7b3edf03d7bfafbdd998980609e48a

  • SHA1

    1c10476bccdff2e38d9e61f764e03b8389f1219d

  • SHA256

    18a59b14d32216b8eec2064a0bed2658dc049d90376223dcd10c58697ef2e383

  • SHA512

    b2702fdd987d8bcc3cf62039b67334139357f9db2d25aab7402885b8746d8c05074e309fd06112b2795e642813dd0de6c6d887b5b2bb6bdbd1f30b93fcd0e93a

  • SSDEEP

    3072:jEGh0oXl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGFlEeKcAEcGy

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_7c7b3edf03d7bfafbdd998980609e48a_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
      C:\Windows\{8CC964B1-BCAA-4158-A604-6E556C646EDC}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
        C:\Windows\{31D593F8-3003-4a1a-A6B5-140B34CBCCCD}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{31D59~1.EXE > nul
          4⤵
            PID:4988
          • C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
            C:\Windows\{ADD9C2F7-8718-48f3-BA09-A446A9D66601}.exe
            4⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3732
            • C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
              C:\Windows\{362A468D-AD47-4af2-A09A-79C360CD61C7}.exe
              5⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4848
              • C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
                C:\Windows\{E93E265A-C146-4d8b-9AE6-4DE383AF73FF}.exe
                6⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4488
                • C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
                  C:\Windows\{155FECBB-063B-45a5-AB2D-22AD75E80B91}.exe
                  7⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2944
                  • C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
                    C:\Windows\{7EC31105-4917-4f29-BF39-BE93D8666FAD}.exe
                    8⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2208
                    • C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
                      C:\Windows\{1AD2FAB6-4CD5-4867-8118-8F1F6B013239}.exe
                      9⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:788
                      • C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
                        C:\Windows\{18E1EE97-CC13-4fa6-8264-79491A81533A}.exe
                        10⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3628
                        • C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe
                          C:\Windows\{41759B85-D583-4309-808F-D598DA2A93EC}.exe
                          11⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4560
                          • C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
                            C:\Windows\{C91C7D97-EB08-42c7-AA79-4AB281EBF77A}.exe
                            12⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4336
                            • C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe
                              C:\Windows\{D18F2EAC-792D-4b36-A108-BAA69867C0F1}.exe
                              13⤵
                              • Executes dropped EXE
                              PID:3292
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{C91C7~1.EXE > nul
                              13⤵
                                PID:4404
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{41759~1.EXE > nul
                              12⤵
                                PID:684
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{18E1E~1.EXE > nul
                              11⤵
                                PID:5036
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD2F~1.EXE > nul
                              10⤵
                                PID:2548
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{7EC31~1.EXE > nul
                              9⤵
                                PID:3120
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{155FE~1.EXE > nul
                              8⤵
                                PID:840
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{E93E2~1.EXE > nul
                              7⤵
                                PID:4996
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{362A4~1.EXE > nul
                              6⤵
                                PID:1580
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{ADD9C~1.EXE > nul
                              5⤵
                                PID:1840
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8CC96~1.EXE > nul
                            3⤵
                              PID:880
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:672

Network

MITRE ATT&CK Enterprise v15

Downloads
