kinsing | cb468bfa4b86df6fe53dd138d892972e44f680edc756af3f27d3aa00164b030f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
Size

344KB
MD5

8775b09a69c8c3f6524395e50dd16b35
SHA1

e688394efbe45b5e928393a761ad46fd8dc0d232
SHA256

cb468bfa4b86df6fe53dd138d892972e44f680edc756af3f27d3aa00164b030f
SHA512

9e90551f09a614f45e3338c892fd744089bbba177249fc626eaf0ac79525ebb9c82f599a42de9420737433cb9286ff1d6a189bdfbdb52c99d5483c3f2fa3ae19
SSDEEP

3072:mEGh0o9lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGblqOe2MUVg3v2IneKcAEcA

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
C:\Windows\{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F3419F77-DA45-49b3-97AA-8716B8351420}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{08B58FA4-DE98-4dcb-BBB8-009D1E9828BA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe{F3419F77-DA45-49b3-97AA-8716B8351420}.exe{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B767D51-9771-4d46-B359-6D15FCB9E617}\stubpath = "C:\\Windows\\{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe"	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}\stubpath = "C:\\Windows\\{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe"	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B58FA4-DE98-4dcb-BBB8-009D1E9828BA}	{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3419F77-DA45-49b3-97AA-8716B8351420}\stubpath = "C:\\Windows\\{F3419F77-DA45-49b3-97AA-8716B8351420}.exe"	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}\stubpath = "C:\\Windows\\{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe"	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09C35F6B-42A7-425d-AA27-B15804EDE4EE}	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09C35F6B-42A7-425d-AA27-B15804EDE4EE}\stubpath = "C:\\Windows\\{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe"	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26A9A0F3-4FD1-400a-8E98-297CE8F88658}	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}\stubpath = "C:\\Windows\\{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe"	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70E1AFB5-215B-4f73-8852-43963DD4AFF6}	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70E1AFB5-215B-4f73-8852-43963DD4AFF6}\stubpath = "C:\\Windows\\{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe"	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC3357F0-52EC-4554-BE02-CBB23C7DC123}	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B767D51-9771-4d46-B359-6D15FCB9E617}	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC3357F0-52EC-4554-BE02-CBB23C7DC123}\stubpath = "C:\\Windows\\{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe"	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3419F77-DA45-49b3-97AA-8716B8351420}	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}\stubpath = "C:\\Windows\\{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe"	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}\stubpath = "C:\\Windows\\{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe"	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26A9A0F3-4FD1-400a-8E98-297CE8F88658}\stubpath = "C:\\Windows\\{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe"	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B58FA4-DE98-4dcb-BBB8-009D1E9828BA}\stubpath = "C:\\Windows\\{08B58FA4-DE98-4dcb-BBB8-009D1E9828BA}.exe"	{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe

Executes dropped EXE 12 IoCs

Processes:

{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe{F3419F77-DA45-49b3-97AA-8716B8351420}.exe{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe{08B58FA4-DE98-4dcb-BBB8-009D1E9828BA}.exe

pid	process
3844	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
2380	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
4184	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
4820	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
1160	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
4912	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
1604	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
4884	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
1684	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
2848	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
664	{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe
3948	{08B58FA4-DE98-4dcb-BBB8-009D1E9828BA}.exe

Drops file in Windows directory 12 IoCs

Processes:

{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe{F3419F77-DA45-49b3-97AA-8716B8351420}.exe{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe

description	ioc	process
File created	C:\Windows\{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
File created	C:\Windows\{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
File created	C:\Windows\{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
File created	C:\Windows\{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
File created	C:\Windows\{F3419F77-DA45-49b3-97AA-8716B8351420}.exe	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
File created	C:\Windows\{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
File created	C:\Windows\{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
File created	C:\Windows\{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
File created	C:\Windows\{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
File created	C:\Windows\{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
File created	C:\Windows\{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
File created	C:\Windows\{08B58FA4-DE98-4dcb-BBB8-009D1E9828BA}.exe	{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe{F3419F77-DA45-49b3-97AA-8716B8351420}.exe{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1856	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3844	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
Token: SeIncBasePriorityPrivilege	2380	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
Token: SeIncBasePriorityPrivilege	4184	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
Token: SeIncBasePriorityPrivilege	4820	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
Token: SeIncBasePriorityPrivilege	1160	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
Token: SeIncBasePriorityPrivilege	4912	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
Token: SeIncBasePriorityPrivilege	1604	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
Token: SeIncBasePriorityPrivilege	4884	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
Token: SeIncBasePriorityPrivilege	1684	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
Token: SeIncBasePriorityPrivilege	2848	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
Token: SeIncBasePriorityPrivilege	664	{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1856 wrote to memory of 3844	1856	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
PID 1856 wrote to memory of 3844	1856	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
PID 1856 wrote to memory of 3844	1856	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
PID 1856 wrote to memory of 3488	1856	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	cmd.exe
PID 1856 wrote to memory of 3488	1856	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	cmd.exe
PID 1856 wrote to memory of 3488	1856	2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe	cmd.exe
PID 3844 wrote to memory of 2380	3844	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
PID 3844 wrote to memory of 2380	3844	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
PID 3844 wrote to memory of 2380	3844	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
PID 3844 wrote to memory of 2552	3844	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe	cmd.exe
PID 3844 wrote to memory of 2552	3844	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe	cmd.exe
PID 3844 wrote to memory of 2552	3844	{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe	cmd.exe
PID 2380 wrote to memory of 4184	2380	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
PID 2380 wrote to memory of 4184	2380	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
PID 2380 wrote to memory of 4184	2380	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
PID 2380 wrote to memory of 624	2380	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe	cmd.exe
PID 2380 wrote to memory of 624	2380	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe	cmd.exe
PID 2380 wrote to memory of 624	2380	{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe	cmd.exe
PID 4184 wrote to memory of 4820	4184	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
PID 4184 wrote to memory of 4820	4184	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
PID 4184 wrote to memory of 4820	4184	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
PID 4184 wrote to memory of 1448	4184	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe	cmd.exe
PID 4184 wrote to memory of 1448	4184	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe	cmd.exe
PID 4184 wrote to memory of 1448	4184	{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe	cmd.exe
PID 4820 wrote to memory of 1160	4820	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
PID 4820 wrote to memory of 1160	4820	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
PID 4820 wrote to memory of 1160	4820	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
PID 4820 wrote to memory of 1016	4820	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe	cmd.exe
PID 4820 wrote to memory of 1016	4820	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe	cmd.exe
PID 4820 wrote to memory of 1016	4820	{F3419F77-DA45-49b3-97AA-8716B8351420}.exe	cmd.exe
PID 1160 wrote to memory of 4912	1160	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
PID 1160 wrote to memory of 4912	1160	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
PID 1160 wrote to memory of 4912	1160	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
PID 1160 wrote to memory of 532	1160	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe	cmd.exe
PID 1160 wrote to memory of 532	1160	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe	cmd.exe
PID 1160 wrote to memory of 532	1160	{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe	cmd.exe
PID 4912 wrote to memory of 1604	4912	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
PID 4912 wrote to memory of 1604	4912	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
PID 4912 wrote to memory of 1604	4912	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
PID 4912 wrote to memory of 5080	4912	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe	cmd.exe
PID 4912 wrote to memory of 5080	4912	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe	cmd.exe
PID 4912 wrote to memory of 5080	4912	{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe	cmd.exe
PID 1604 wrote to memory of 4884	1604	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
PID 1604 wrote to memory of 4884	1604	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
PID 1604 wrote to memory of 4884	1604	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
PID 1604 wrote to memory of 2472	1604	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe	cmd.exe
PID 1604 wrote to memory of 2472	1604	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe	cmd.exe
PID 1604 wrote to memory of 2472	1604	{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe	cmd.exe
PID 4884 wrote to memory of 1684	4884	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
PID 4884 wrote to memory of 1684	4884	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
PID 4884 wrote to memory of 1684	4884	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
PID 4884 wrote to memory of 4336	4884	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe	cmd.exe
PID 4884 wrote to memory of 4336	4884	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe	cmd.exe
PID 4884 wrote to memory of 4336	4884	{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe	cmd.exe
PID 1684 wrote to memory of 2848	1684	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
PID 1684 wrote to memory of 2848	1684	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
PID 1684 wrote to memory of 2848	1684	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
PID 1684 wrote to memory of 4068	1684	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe	cmd.exe
PID 1684 wrote to memory of 4068	1684	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe	cmd.exe
PID 1684 wrote to memory of 4068	1684	{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe	cmd.exe
PID 2848 wrote to memory of 664	2848	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe	{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe
PID 2848 wrote to memory of 664	2848	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe	{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe
PID 2848 wrote to memory of 664	2848	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe	{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe
PID 2848 wrote to memory of 856	2848	{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8775b09a69c8c3f6524395e50dd16b35_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
C:\Windows\{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
C:\Windows\{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FC335~1.EXE > nul
4⤵
PID:624

C:\Windows\{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
C:\Windows\{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
C:\Windows\{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
C:\Windows\{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
C:\Windows\{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
C:\Windows\{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2EE78~1.EXE > nul
9⤵
PID:2472

C:\Windows\{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
C:\Windows\{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
C:\Windows\{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
C:\Windows\{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe
C:\Windows\{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\{08B58FA4-DE98-4dcb-BBB8-009D1E9828BA}.exe
C:\Windows\{08B58FA4-DE98-4dcb-BBB8-009D1E9828BA}.exe
13⤵
- Executes dropped EXE
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A1204~1.EXE > nul
13⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{26A9A~1.EXE > nul
12⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{09C35~1.EXE > nul
11⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6D8DF~1.EXE > nul
10⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{511F9~1.EXE > nul
8⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3C602~1.EXE > nul
7⤵
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F3419~1.EXE > nul
6⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3B767~1.EXE > nul
5⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{70E1A~1.EXE > nul
3⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08B58FA4-DE98-4dcb-BBB8-009D1E9828BA}.exe
Filesize
344KB

MD5
5dbf89391f15c6d56f1ee01fb39032d0

SHA1
ac248e86af35ca4dc62063bbd6739c1d867b7e68

SHA256
e88ff9a9cb135aefca9edbf90b9a92e7d5e1938ada1c047d5c56ea68bcd76629

SHA512
7cd304b318a79f8414d976c9ea47af374d5efca83baac661d5df9722a58e7952c3712d64205ce93530a913c0ba5347e2246661e9709aafd147c1793124f569a3

Download Submit
C:\Windows\{09C35F6B-42A7-425d-AA27-B15804EDE4EE}.exe
Filesize
344KB

MD5
1bc34102e21fadc4e20633847933d4ec

SHA1
10f71dbcaf0e917af045a60372f5dd3424ae2f8c

SHA256
4840349559c08b54c5cca7e8215b1afbb6a94af04c7d089d6b6fadad825210ab

SHA512
bc000c8586cd9a3b8ca5e6046043bd2c807c8e09b4d73dd1255ca3cc8e57e3f069fc9cae130a5f4c71cf4578a2b2e51641cb82a401735f73a8fb822cc6bc64db

Download Submit
C:\Windows\{26A9A0F3-4FD1-400a-8E98-297CE8F88658}.exe
Filesize
344KB

MD5
d45eb1037dc5d07b25b38f793aa08eb3

SHA1
0e7cc406a7b874a944b0d66eb32c18672b7ba5b1

SHA256
21b224d7239dea1cb718d514a62a8346aaa265b806fe7c46b8a573a1b1aaba26

SHA512
6c82eb4a7534f523dcd8762edd0e35de1677bb120f1e08d39de43658d6e461a3fcbdfa283b0fff66880c069c61b55672e3f3e65b0caefe6b5bffa502c4319869

Download Submit
C:\Windows\{2EE784A9-CEF6-4d06-8DC6-37BCBF9B4520}.exe
Filesize
344KB

MD5
20bdfaa551c912f8e0c2cd607fcc1722

SHA1
a894294c0f0af8dd0c2b9d34b40d818a29646598

SHA256
194778f5e616fbd1fbcc0b0f48fa080c468281e7c1db63e437cc09f1578cfc8b

SHA512
cebf29746550507f4f26f6f3a4ed52cdd4780c863090e265509647325003415137ef93529a42e5109721d94209ba80f35f68f24749282385428663415d86464b

Download Submit
C:\Windows\{3B767D51-9771-4d46-B359-6D15FCB9E617}.exe
Filesize
344KB

MD5
5d69d095ef6037af8927750012425a19

SHA1
1bf86397176a6e35790b8b0c271d310b38019e46

SHA256
170245d63e74f2ae7cf04f818f7b726a3f3bc79e499984e4c9046e2b9b7afc6c

SHA512
d083f2d20732a64a6a1217a0dd4a0dd9e9d6c7d38c62c96a8b008f9f992bbeb50f2e4f8d3607f2260109aeecf23783595cc65ddc0e0a56185875df09d9d9c67f

Download Submit
C:\Windows\{3C60291D-16DD-4d87-9E3C-64AF6A80ED84}.exe
Filesize
344KB

MD5
b12d187ad48b4682ad1003f7e1e72758

SHA1
bddec28d714281bb42105d9da804417b5aee5573

SHA256
fefdbc908e441395ea0e99c3b1acfe00e6d7ad5948e6afc3ff911ecf0810a092

SHA512
eda034082aa0370ea27437007691b293b6965638f87d0ca8f588a1f80c56cdce9c649fccdc0f4b618b94204c1ff0a30be45ebde52ec362420651d00980567782

Download Submit
C:\Windows\{511F9CF7-EE24-4e66-8379-9218C1D9DBD1}.exe
Filesize
344KB

MD5
f197562c9cc7842c7576aad75f6de253

SHA1
1f07fcb0c2cb071dc0842456a9b84c9c2270d517

SHA256
4106f07efe527ad217ff4452160a081206affb806f66c20197b009ffa90baadf

SHA512
228bf00555f15ac6fab98b5e7b6c26680c0cc5e3f0b69f8e9ef7dbf33df4ec883931adb7f93a78ac4c4505aa980ad479e03f35eb1c4836a728d453639a40b097

Download Submit
C:\Windows\{6D8DF831-BFEE-4ecc-9266-191E9025F1A7}.exe
Filesize
344KB

MD5
83c0880e95b796b51eb198a45d656893

SHA1
8cd1d8bebcb777936ced5e80afc8c65e62f9dc2f

SHA256
ceaec73d64341e8b616c7de666ebe5a2149eb3e03a53a66931506f633d1657ae

SHA512
f70093c7a91a8d228299bf6f82f229165f77795e052bd70d6bf3a329dfb7be54083c7e96b18dcc7eab0c3537bc4145b4e4b618fc5e11c1bf19a53945c29880f9

Download Submit
C:\Windows\{70E1AFB5-215B-4f73-8852-43963DD4AFF6}.exe
Filesize
344KB

MD5
a4ca3914bb7dfcc52ef3f879b8de9f82

SHA1
a9efaa0ae384c094d2273ea2dc7fb2b7fe782189

SHA256
acbf180ac39049bd2a7db55d1b4457347c23e5c6dfc1a7295ab05aeb27d8e62a

SHA512
444b5c86f39bf2f40d7186949e6fa11f7183da2ba91f1951ba2bbc4f32fe8d9b253e00e550230b7d1bd03ecfad6a4b353c4f2a45767d701956c40765c6ec320a

Download Submit
C:\Windows\{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe
Filesize
344KB

MD5
d05caa4b29cc157cbc6592901cae3eb8

SHA1
09dfc37d3d574452e8ac5303878e7d20edbc3e23

SHA256
5c272aad9ee2497fd8b8b24fde99c86984167d2ae8d10d2bef7216588f46460e

SHA512
90a0d7920fb085fe0fea7cc1f787f8e123a3e10f56f8f969e533339e0caf0912b78517e931ccf26e3c373840296f65f96f2f1376ae8c22189c2f55d12239b174

Download Submit
C:\Windows\{A1204BD9-1645-45bf-AE89-2FB04D8B40BC}.exe
Filesize
27KB

MD5
ce6c8f843d15a5a978b3c21886880da5

SHA1
fb28d1a138dec6e2113fb42397913fc36b818fca

SHA256
fbee0bfb7b8c802d7502519480b123da1dfc2433b942ec1a735a857756860064

SHA512
7b56758ba7a76904b00ee2016e7708bfbd6b71cd8639f2b8caf2db4ff73ccc1f77f1c2345b26a483160d8fa6bc6ee3ceee5239cbbfb0c71678c47da06cb40f13

Download Submit
C:\Windows\{F3419F77-DA45-49b3-97AA-8716B8351420}.exe
Filesize
344KB

MD5
f4d93705292ff4e3d6d5c474738b102e

SHA1
5a5dc657ef129b3a0ce15bd106ab08a85cfa474c

SHA256
2424313132a65a328b92cca95b47837fddac9bb3ca1dc12b732cd37cfad9b4b8

SHA512
4edc0b537c69a7cdecfaf16e65fe256d7ffb2e1bd7f41f4045fb887cd1c55767d4a4a7e93bcd1e75bf08195d99be1d2186f212be6c281efc0db60d6e5e711ae7

Download Submit
C:\Windows\{FC3357F0-52EC-4554-BE02-CBB23C7DC123}.exe
Filesize
344KB

MD5
650f188a5584a9c7501dcedb061ddae9

SHA1
c53ebfde4afd8f46df969db474f124cf9d5edd21

SHA256
d0a0d28eef3140973f3355cc7f01a2334360502a23038a000a4cb27b11d8a566

SHA512
d96de709debc31279efd47b6b7e40c5812b2359f2db1d944bba81b23c42cac6c589dba1ac21d6602787883567a5e9f25607b495863b93bd18fa8fc5ad2dbdc0e

Download Submit