kinsing | c6fd2dbb502cc870835c35c6595b481359b0dea8b68aa123c08b8aa4997b4920

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
Size

408KB
MD5

89617b58056b84659001ffdef2bfff55
SHA1

8c2d868c7d39529144454b96225ec139dfa04ea5
SHA256

c6fd2dbb502cc870835c35c6595b481359b0dea8b68aa123c08b8aa4997b4920
SHA512

8a3aeecd1cc40e4790aabb86724d8421b3e51e8a37fd7b6aa2c67f8cf5f25df5640473d2eeb716711d29418c7f3340c712db0a28b4e2292708ba044ca5ea95c6
SSDEEP

3072:CEGh0odl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGfldOe2MUVg3vTeKcAEciTBqr3jy

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 13 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0006000000023239-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023234-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023240-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023234-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023234-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023240-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023234-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023240-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000737-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000737-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000735-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D2FCA06-E75A-46cc-9E4C-38D489795701}	{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D2FCA06-E75A-46cc-9E4C-38D489795701}\stubpath = "C:\\Windows\\{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe"	{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10A06829-385A-4711-A872-EDD0272A9A62}	{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C1BC85B-9B77-4277-A53D-234BA48A15C0}\stubpath = "C:\\Windows\\{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe"	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{328F8880-1DB1-4dbb-909F-819203C28D9D}\stubpath = "C:\\Windows\\{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe"	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2ED4221-3B83-4c85-B4FF-855A719D8F97}	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{328F8880-1DB1-4dbb-909F-819203C28D9D}	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2ED4221-3B83-4c85-B4FF-855A719D8F97}\stubpath = "C:\\Windows\\{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe"	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A717440B-EF73-4163-8CEB-B1A01D2801BA}\stubpath = "C:\\Windows\\{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe"	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10A06829-385A-4711-A872-EDD0272A9A62}\stubpath = "C:\\Windows\\{10A06829-385A-4711-A872-EDD0272A9A62}.exe"	{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}\stubpath = "C:\\Windows\\{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe"	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C1BC85B-9B77-4277-A53D-234BA48A15C0}	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}\stubpath = "C:\\Windows\\{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe"	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}\stubpath = "C:\\Windows\\{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe"	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}\stubpath = "C:\\Windows\\{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe"	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A717440B-EF73-4163-8CEB-B1A01D2801BA}	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}\stubpath = "C:\\Windows\\{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe"	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}\stubpath = "C:\\Windows\\{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe"	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe

Executes dropped EXE 12 IoCs

Processes:

{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe{10A06829-385A-4711-A872-EDD0272A9A62}.exe

pid	Process
860	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe
4660	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe
2108	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe
4748	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe
2204	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe
2860	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe
1308	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe
2564	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe
1464	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe
4968	{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe
4632	{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe
860	{10A06829-385A-4711-A872-EDD0272A9A62}.exe

Drops file in Windows directory 12 IoCs

Processes:

{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe

description	ioc	Process
File created	C:\Windows\{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe
File created	C:\Windows\{10A06829-385A-4711-A872-EDD0272A9A62}.exe	{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe
File created	C:\Windows\{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe
File created	C:\Windows\{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe
File created	C:\Windows\{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe
File created	C:\Windows\{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe
File created	C:\Windows\{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe
File created	C:\Windows\{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe	{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe
File created	C:\Windows\{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
File created	C:\Windows\{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe
File created	C:\Windows\{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe
File created	C:\Windows\{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	1192	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
Token: SeIncBasePriorityPrivilege	860	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe
Token: SeIncBasePriorityPrivilege	4660	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe
Token: SeIncBasePriorityPrivilege	2108	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe
Token: SeIncBasePriorityPrivilege	4748	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe
Token: SeIncBasePriorityPrivilege	2204	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe
Token: SeIncBasePriorityPrivilege	2860	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe
Token: SeIncBasePriorityPrivilege	1308	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe
Token: SeIncBasePriorityPrivilege	2564	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe
Token: SeIncBasePriorityPrivilege	1464	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe
Token: SeIncBasePriorityPrivilege	4968	{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe
Token: SeIncBasePriorityPrivilege	4632	{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 1192 wrote to memory of 860	1192	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	95
PID 1192 wrote to memory of 860	1192	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	95
PID 1192 wrote to memory of 860	1192	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	95
PID 1192 wrote to memory of 2348	1192	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	96
PID 1192 wrote to memory of 2348	1192	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	96
PID 1192 wrote to memory of 2348	1192	2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe	96
PID 860 wrote to memory of 4660	860	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe	97
PID 860 wrote to memory of 4660	860	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe	97
PID 860 wrote to memory of 4660	860	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe	97
PID 860 wrote to memory of 4812	860	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe	98
PID 860 wrote to memory of 4812	860	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe	98
PID 860 wrote to memory of 4812	860	{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe	98
PID 4660 wrote to memory of 2108	4660	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe	100
PID 4660 wrote to memory of 2108	4660	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe	100
PID 4660 wrote to memory of 2108	4660	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe	100
PID 4660 wrote to memory of 3240	4660	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe	101
PID 4660 wrote to memory of 3240	4660	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe	101
PID 4660 wrote to memory of 3240	4660	{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe	101
PID 2108 wrote to memory of 4748	2108	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe	102
PID 2108 wrote to memory of 4748	2108	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe	102
PID 2108 wrote to memory of 4748	2108	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe	102
PID 2108 wrote to memory of 4500	2108	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe	103
PID 2108 wrote to memory of 4500	2108	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe	103
PID 2108 wrote to memory of 4500	2108	{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe	103
PID 4748 wrote to memory of 2204	4748	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe	104
PID 4748 wrote to memory of 2204	4748	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe	104
PID 4748 wrote to memory of 2204	4748	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe	104
PID 4748 wrote to memory of 3884	4748	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe	105
PID 4748 wrote to memory of 3884	4748	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe	105
PID 4748 wrote to memory of 3884	4748	{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe	105
PID 2204 wrote to memory of 2860	2204	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe	107
PID 2204 wrote to memory of 2860	2204	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe	107
PID 2204 wrote to memory of 2860	2204	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe	107
PID 2204 wrote to memory of 4240	2204	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe	106
PID 2204 wrote to memory of 4240	2204	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe	106
PID 2204 wrote to memory of 4240	2204	{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe	106
PID 2860 wrote to memory of 1308	2860	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe	108
PID 2860 wrote to memory of 1308	2860	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe	108
PID 2860 wrote to memory of 1308	2860	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe	108
PID 2860 wrote to memory of 5032	2860	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe	109
PID 2860 wrote to memory of 5032	2860	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe	109
PID 2860 wrote to memory of 5032	2860	{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe	109
PID 1308 wrote to memory of 2564	1308	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe	110
PID 1308 wrote to memory of 2564	1308	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe	110
PID 1308 wrote to memory of 2564	1308	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe	110
PID 1308 wrote to memory of 5060	1308	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe	111
PID 1308 wrote to memory of 5060	1308	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe	111
PID 1308 wrote to memory of 5060	1308	{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe	111
PID 2564 wrote to memory of 1464	2564	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe	112
PID 2564 wrote to memory of 1464	2564	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe	112
PID 2564 wrote to memory of 1464	2564	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe	112
PID 2564 wrote to memory of 3000	2564	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe	113
PID 2564 wrote to memory of 3000	2564	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe	113
PID 2564 wrote to memory of 3000	2564	{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe	113
PID 1464 wrote to memory of 4968	1464	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe	114
PID 1464 wrote to memory of 4968	1464	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe	114
PID 1464 wrote to memory of 4968	1464	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe	114
PID 1464 wrote to memory of 4432	1464	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe	115
PID 1464 wrote to memory of 4432	1464	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe	115
PID 1464 wrote to memory of 4432	1464	{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe	115
PID 4968 wrote to memory of 4632	4968	{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe	116
PID 4968 wrote to memory of 4632	4968	{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe	116
PID 4968 wrote to memory of 4632	4968	{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe	116
PID 4968 wrote to memory of 3880	4968	{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_89617b58056b84659001ffdef2bfff55_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe
  C:\Windows\{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe
    C:\Windows\{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe
      C:\Windows\{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe
        
        C:\Windows\{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4748
      - C:\Windows\{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe
        
        C:\Windows\{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47B23~1.EXE > nul
        7⤵
        
        PID:4240
        
        C:\Windows\{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe
        
        C:\Windows\{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe
        
        C:\Windows\{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe
        
        C:\Windows\{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe
        
        C:\Windows\{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe
        
        C:\Windows\{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe
        
        C:\Windows\{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\Windows\{10A06829-385A-4711-A872-EDD0272A9A62}.exe
        
        C:\Windows\{10A06829-385A-4711-A872-EDD0272A9A62}.exe
        13⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D2FC~1.EXE > nul
        13⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7174~1.EXE > nul
        12⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2ED4~1.EXE > nul
        11⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1598~1.EXE > nul
        10⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E960~1.EXE > nul
        9⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51BA1~1.EXE > nul
        8⤵
        
        PID:5032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{328F8~1.EXE > nul
        6⤵
        
        PID:3884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C1BC~1.EXE > nul
        5⤵
        
        PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C61B1~1.EXE > nul
      4⤵
      PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AB701~1.EXE > nul
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10A06829-385A-4711-A872-EDD0272A9A62}.exe

Filesize
408KB

MD5
b65c1f9d2aee857641ba33a472832af7

SHA1
4cefc91470693ddf9281196b5c9feebf7efd4cf2

SHA256
efb2748df85e5a45b798acc61b315ddc9bf59eb8adeb4ada60d8771a660515b3

SHA512
bdfb6215671bb9ddd4e995db35b181da7d4111c9c14da99667064edd059a669d77288aeee20b3212eb40d14a91e1845d0a99f3ed630a21446ea81985260f031d

Download Submit
C:\Windows\{1D2FCA06-E75A-46cc-9E4C-38D489795701}.exe

Filesize
408KB

MD5
98be5735bab393d56b5fb0509d3ad4ac

SHA1
8330b16d52b7ad425458a2dc3da62538d1d25ca2

SHA256
0293f22905603cef7f20deebbf85f808a71c6c4a7be072562180813066bd2dd7

SHA512
d526659ae25552e2bc080ba11a42f4d3f1bab5f698dbc72f8f5cb106e404e63303832a2497a2aabeb823ec83d6fd9ea18aa0cde1a30835b0067dc1f3988e20af

Download Submit
C:\Windows\{2C1BC85B-9B77-4277-A53D-234BA48A15C0}.exe

Filesize
408KB

MD5
246e244e5e95dfcf5d89e3ad0c1f6cdc

SHA1
b81c26edb927e85ff75c8896a30e8f2363f4063e

SHA256
5b47442c6b6e20e6149263d587c3d0e5f0bdfddad1e32ff36869e7adf10ad322

SHA512
0a410a3f74f7626131d2e893d35b432d89dcba38a37f38f06a2b245c38e8ed68d4e5d94fd9068c2df40bb3f3933e6c95a336204f8df2344915a24272d521b078

Download Submit
C:\Windows\{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe

Filesize
128KB

MD5
f013bf697890b2a018782f254103b322

SHA1
a3ac675f09bc1db998171818870c9e8881eba7ab

SHA256
46395894b32cc6a86e04b6b9490bf3fe6182a022a48df6bfcf14f767cc932f4f

SHA512
730f6e0ea065c7df840d9ff79bcee811886a3c67869e3b5161f9b47619f0e6a08b685f7db12f62add3b5136319f5c910c81b6dfc1978fa9cd862bf712d18a015

Download Submit
C:\Windows\{328F8880-1DB1-4dbb-909F-819203C28D9D}.exe

Filesize
69KB

MD5
716630920009b1cf65dffddd814facc1

SHA1
bd1f048d705dc2ac1633d1acf5493ac9e92289e9

SHA256
e6284639ef9c2cadbab1b8f081946035879b05f4d73c4555972dc3ccc1f77c4e

SHA512
87191b278d234856be3b6515c34a8c32d64225a8df1816675e5dd427a86bea389d3c36670ea34a9bac08dc7cdd36d8793d94d94cb69915224afeef663890dd56

Download Submit
C:\Windows\{47B23E7D-AA8D-4ae0-B35E-8F7EC2D379E7}.exe

Filesize
408KB

MD5
8057a240f5de3850029a8a5ec7764a7c

SHA1
1f884efda507bbf981b6b53f06774e335c2dc971

SHA256
1f91b1e6f04ec5a2e2fb077f5b64d8d3d1e498dcb44d18d6b7799a87ab4fe514

SHA512
8ab2a4f164c65f40ea8102eabed0dd7201380e9f887968489b255aa06982dc63a01109c260e39e6df0085a3d4ecbaa601783066990899611f128faec1cb981fc

Download Submit
C:\Windows\{51BA1A90-C6EA-43d5-BDB4-E6060A5F5341}.exe

Filesize
408KB

MD5
35e43e10138a768c3202303af40c1802

SHA1
5364add457bf281c80bcf71492ed39c2c9ee7efe

SHA256
80994e949fcd2133064dba9456376041bd31c5862f1d3b75edfd5fbe40c59a48

SHA512
4084208449bd613f52fab566dc1f75299682d35aa64a9c62e0c896f7e806575dd2362b82b041f92b0ff57b78c0ad9c5d74a63a2a69d615848dd8fece03595a00

Download Submit
C:\Windows\{5E96006A-668D-44c2-9F7C-B6B99D9C1CAD}.exe

Filesize
408KB

MD5
7bdac726737a0c60b69ce17c94dd4935

SHA1
84d2cee58393d23f913cadc72b98275b3d7a199e

SHA256
3838b3d95bf7bd85e4de372ee10d15c769227860f42aaa8366082a948c75743d

SHA512
83a9b290904edd3cc6bc875553583f7266c1fa02b6f6f73574af23ecfbeb0c685a40b3db4f0c3d5a1e4a5e8556b186770973f3734ede23b2e58f4d7f01891780

Download Submit
C:\Windows\{A717440B-EF73-4163-8CEB-B1A01D2801BA}.exe

Filesize
408KB

MD5
907926c637eb650ccdd9d3426b9c00ff

SHA1
ba7cd9bc8398cf224a6e64f86aace4020107ea2d

SHA256
55f161e6a7c87fccadf7dd2ba0bad5cdaea155c2ca1b901b822fc4a5eed2b5cb

SHA512
6aa1f791fd1e17c87733db3aa7a63a01b92c6bb98be24a5c8d535b05a2800f98a0cb7d686915e75868ecb3c5ab85a1ee3bd9057996eb039d87840b8d6839e64f

Download Submit
C:\Windows\{AB701ABC-9077-4c2a-A0D6-6C587D5285B7}.exe

Filesize
408KB

MD5
501de5d5d411ef55a66425889fda2e96

SHA1
c6c839f036d72d8543414fc32f58339d070d1fd1

SHA256
7bf369491dc7cbd248db3d7e51f3b44bca376ab97ed5f17a4e78540432031094

SHA512
359764334b9abf93805d3e1637051cdfc220803987407305382d76e64799955abaeb80e8e94eab3e028513733cff91f046ed2d0e5bae04f43ded5a2330e910e3

Download Submit
C:\Windows\{B2ED4221-3B83-4c85-B4FF-855A719D8F97}.exe

Filesize
408KB

MD5
332459dbe9a880f7ee5926107b4f56ca

SHA1
dc3de5e41ee577f27f001a5a49d369dffea9ab95

SHA256
8520385405cb9212238de0abc711503c9bc7519c875adb51e7bb6d02912cb27a

SHA512
3e451d8683f63be83284ca1d7dabeadfaa93a0e40aff5f897abf23a6e97141d179b6fff3d683b1f1f7906ee1e45662e838b1263744d24fc3653187c1a1ffe55e

Download Submit
C:\Windows\{C61B18B9-0A13-4c69-A3A7-62A04CB861AA}.exe

Filesize
408KB

MD5
08bacc46db5110e3f988bcd4965d6523

SHA1
b6746a05d416cebfa721fa61e5a5d7152aff2843

SHA256
558d9d151d9889192c4ab7e49f968277f6df6575241e7eef299d2d84ec4b184d

SHA512
31e2ea8168f12dae8c0bcfabb7d247d9c3004f24f97d803521e90ad7f98b30ccfe16e7f3eb612be813c17d2180f6e8b603537cce762e160f66d07075a7f52062

Download Submit
C:\Windows\{F1598F1D-94CC-4de3-ABD9-B8DB3AAA7427}.exe

Filesize
408KB

MD5
1ffe4b66f6e887be8a82e0a2b98971ee

SHA1
fa2c0979877c7ee85a92ae85d575f4fc21427797

SHA256
d8b8ccc1c2a4cb8d1c5e96cf1c3858b175b613fd623fba0bd42382134a1d9968

SHA512
63eae63876a7bd8f94b589e34a1483e1a660565c7ccf5202d6160174a98cf84fe334b266a5863f15f2062eb93e16bdb9bc164a5acd4c6179969381654735c067

Download Submit