kinsing | 6b93f59a8cd2eddc51651cbcf7bf7d6386a910beb7bd4bdc93be6ad8c3714bd8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe
Size

180KB
MD5

8d15983b44ca410b26bcb1edb2e588f3
SHA1

c918100f2164d5e25cc71b4bc742a01b64e836f7
SHA256

6b93f59a8cd2eddc51651cbcf7bf7d6386a910beb7bd4bdc93be6ad8c3714bd8
SHA512

d34a0263343aca76e4f9f995f0d25d6bd67ef1bf2762f4315c57587ae63733b9fcc4e8dff89c914a598a93356aa995cff3bb98fee2158ef99d326a45777fdf7e
SSDEEP

3072:jEGh0o/lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGll5eKcAEc

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000600000002322d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023232-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023239-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023232-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002167d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021681-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002167d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}\stubpath = "C:\\Windows\\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe"	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{221E345D-F0BA-4b7e-BA82-94C25018B861}	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B47F50-1626-4d53-80AD-55E42391FB38}\stubpath = "C:\\Windows\\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe"	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0B47F50-1626-4d53-80AD-55E42391FB38}	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C774A946-17D0-4364-90C2-FACE823EBCB3}	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24830048-D45D-421e-9010-6ADD79E6B8EB}	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67237A6B-13D8-494a-9694-7E3D78BF0B54}	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}\stubpath = "C:\\Windows\\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe"	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}\stubpath = "C:\\Windows\\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe"	{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24830048-D45D-421e-9010-6ADD79E6B8EB}\stubpath = "C:\\Windows\\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe"	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F519155-F399-417b-B0CB-86DCEE4B6588}\stubpath = "C:\\Windows\\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe"	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}	{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}\stubpath = "C:\\Windows\\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe"	{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}	{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}\stubpath = "C:\\Windows\\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe"	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C774A946-17D0-4364-90C2-FACE823EBCB3}\stubpath = "C:\\Windows\\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe"	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F519155-F399-417b-B0CB-86DCEE4B6588}	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67237A6B-13D8-494a-9694-7E3D78BF0B54}\stubpath = "C:\\Windows\\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe"	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{221E345D-F0BA-4b7e-BA82-94C25018B861}\stubpath = "C:\\Windows\\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe"	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}\stubpath = "C:\\Windows\\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe"	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe

Executes dropped EXE 12 IoCs

Processes:

{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe

pid	Process
772	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
1692	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
2752	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
3480	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe
5088	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
4636	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
4036	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
3456	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
4684	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
3508	{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
3956	{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe
4884	{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe

Drops file in Windows directory 12 IoCs

Processes:

{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe

description	ioc	Process
File created	C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
File created	C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
File created	C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
File created	C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
File created	C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
File created	C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
File created	C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe	{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
File created	C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe	{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe
File created	C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe
File created	C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
File created	C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
File created	C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	1636	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	772	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
Token: SeIncBasePriorityPrivilege	1692	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
Token: SeIncBasePriorityPrivilege	2752	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
Token: SeIncBasePriorityPrivilege	3480	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe
Token: SeIncBasePriorityPrivilege	5088	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
Token: SeIncBasePriorityPrivilege	4636	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
Token: SeIncBasePriorityPrivilege	4036	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
Token: SeIncBasePriorityPrivilege	3456	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
Token: SeIncBasePriorityPrivilege	4684	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
Token: SeIncBasePriorityPrivilege	3508	{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
Token: SeIncBasePriorityPrivilege	3956	{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 1636 wrote to memory of 772	1636	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	96
PID 1636 wrote to memory of 772	1636	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	96
PID 1636 wrote to memory of 772	1636	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	96
PID 1636 wrote to memory of 884	1636	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	97
PID 1636 wrote to memory of 884	1636	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	97
PID 1636 wrote to memory of 884	1636	2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe	97
PID 772 wrote to memory of 1692	772	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe	98
PID 772 wrote to memory of 1692	772	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe	98
PID 772 wrote to memory of 1692	772	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe	98
PID 772 wrote to memory of 3560	772	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe	99
PID 772 wrote to memory of 3560	772	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe	99
PID 772 wrote to memory of 3560	772	{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe	99
PID 1692 wrote to memory of 2752	1692	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe	101
PID 1692 wrote to memory of 2752	1692	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe	101
PID 1692 wrote to memory of 2752	1692	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe	101
PID 1692 wrote to memory of 4992	1692	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe	102
PID 1692 wrote to memory of 4992	1692	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe	102
PID 1692 wrote to memory of 4992	1692	{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe	102
PID 2752 wrote to memory of 3480	2752	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe	103
PID 2752 wrote to memory of 3480	2752	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe	103
PID 2752 wrote to memory of 3480	2752	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe	103
PID 2752 wrote to memory of 3484	2752	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe	104
PID 2752 wrote to memory of 3484	2752	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe	104
PID 2752 wrote to memory of 3484	2752	{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe	104
PID 3480 wrote to memory of 5088	3480	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe	105
PID 3480 wrote to memory of 5088	3480	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe	105
PID 3480 wrote to memory of 5088	3480	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe	105
PID 3480 wrote to memory of 4012	3480	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe	106
PID 3480 wrote to memory of 4012	3480	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe	106
PID 3480 wrote to memory of 4012	3480	{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe	106
PID 5088 wrote to memory of 4636	5088	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe	107
PID 5088 wrote to memory of 4636	5088	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe	107
PID 5088 wrote to memory of 4636	5088	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe	107
PID 5088 wrote to memory of 464	5088	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe	108
PID 5088 wrote to memory of 464	5088	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe	108
PID 5088 wrote to memory of 464	5088	{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe	108
PID 4636 wrote to memory of 4036	4636	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe	109
PID 4636 wrote to memory of 4036	4636	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe	109
PID 4636 wrote to memory of 4036	4636	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe	109
PID 4636 wrote to memory of 4240	4636	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe	110
PID 4636 wrote to memory of 4240	4636	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe	110
PID 4636 wrote to memory of 4240	4636	{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe	110
PID 4036 wrote to memory of 3456	4036	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe	111
PID 4036 wrote to memory of 3456	4036	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe	111
PID 4036 wrote to memory of 3456	4036	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe	111
PID 4036 wrote to memory of 4580	4036	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe	112
PID 4036 wrote to memory of 4580	4036	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe	112
PID 4036 wrote to memory of 4580	4036	{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe	112
PID 3456 wrote to memory of 4684	3456	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe	113
PID 3456 wrote to memory of 4684	3456	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe	113
PID 3456 wrote to memory of 4684	3456	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe	113
PID 3456 wrote to memory of 4464	3456	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe	114
PID 3456 wrote to memory of 4464	3456	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe	114
PID 3456 wrote to memory of 4464	3456	{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe	114
PID 4684 wrote to memory of 3508	4684	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe	115
PID 4684 wrote to memory of 3508	4684	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe	115
PID 4684 wrote to memory of 3508	4684	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe	115
PID 4684 wrote to memory of 3788	4684	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe	116
PID 4684 wrote to memory of 3788	4684	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe	116
PID 4684 wrote to memory of 3788	4684	{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe	116
PID 3508 wrote to memory of 3956	3508	{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe	117
PID 3508 wrote to memory of 3956	3508	{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe	117
PID 3508 wrote to memory of 3956	3508	{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe	117
PID 3508 wrote to memory of 2380	3508	{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8d15983b44ca410b26bcb1edb2e588f3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
  C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
    C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
      C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe
        
        C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
      - C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
        
        C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
        
        C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
        
        C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
        
        C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
        
        C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
        
        C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe
        
        C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe
        
        C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe
        13⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55DAD~1.EXE > nul
        13⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{221E3~1.EXE > nul
        12⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85270~1.EXE > nul
        11⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67237~1.EXE > nul
        10⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F519~1.EXE > nul
        9⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24830~1.EXE > nul
        8⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C774A~1.EXE > nul
        7⤵
        
        PID:464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{502EC~1.EXE > nul
        6⤵
        
        PID:4012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E25E~1.EXE > nul
        5⤵
        
        PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B47~1.EXE > nul
      4⤵
      PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{11A9A~1.EXE > nul
    3⤵
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11A9AFA7-D17D-4b0f-AD79-9542A28D67DC}.exe

Filesize
180KB

MD5
69024dc6ec2573df3219cafbf694d45e

SHA1
d953e80a307368608f610effaca983deb6907eba

SHA256
3bd99d472ea28ac8891bfa42383532f8bffb35d1892ee0c1128bf8cffd6b5b83

SHA512
8154e7181d11ec2c4cb5d25317a1829cff67e15931bb52c7fd8923aeafc733c6ecc5a7d9b2ab39310b63e5e082ad3a980610a4ee9d67c1024bdde510b23e9dae

Download Submit
C:\Windows\{221E345D-F0BA-4b7e-BA82-94C25018B861}.exe

Filesize
180KB

MD5
e65d19488abc72f5b726c53e0d81d759

SHA1
ca6972af1e4dc928ed39b6ebd41a3b4c8e87a260

SHA256
ce75f0d04811a919c62802b16e2250a86743dc5307de84155557273548e85d25

SHA512
3cc713fbe26298f17b7fe791eed1c2791100f13193c52140e04562605a865e7f9e6993c52dda833597876ce8e15c3073a2df4ec244e9abe60a4ff12e730084ab

Download Submit
C:\Windows\{24830048-D45D-421e-9010-6ADD79E6B8EB}.exe

Filesize
180KB

MD5
0ae64d694da20642c4e5893d654b42a7

SHA1
c21c75a1363d62897b0cc31331600b674db2f0a8

SHA256
6753ec0a8c2842fb0a150ed5d7b2febe4d0372d4d906167632690ac4ca928386

SHA512
4d3cef5a0d4ae022093f7ac8479564f13c81a37178a51035c78bbc812a225957d6ded2d17fa54a80184efbb7240c9447d1e1670e6b7d317c850e6c9302e32cc1

Download Submit
C:\Windows\{502ECEF9-5EB2-4c38-96D6-43E00D08DE8B}.exe

Filesize
180KB

MD5
3a6dce5fa139d229a1f5f9b51717d2a0

SHA1
691c833d12e16d7d45357879148d93203eac8289

SHA256
f5439e0234a8d7893847592d4316125fe0e8e22fcec829234aa8d072b3eb3ea6

SHA512
b93d3ffd98f05ef20be55da35d7084a5f745c9f44e929465ec9e9fbc6dc16ea5ffe28d5c88f3113ee9b1a4cb659bb159106bf17677ab02640070c5b5bf3ae9e1

Download Submit
C:\Windows\{55DAD4F0-1C5F-4c14-8ACF-FA95FD1DA1BC}.exe

Filesize
180KB

MD5
d77a05685576ee077b35b9a1ea1d790f

SHA1
4a2455e05286222b73a9dc9d60066559877f54df

SHA256
5bf66d84220e665ac7c2750ec34f04930f436a6422ba953ada25613c8e9098e2

SHA512
3246cdf4c6e5d90465f79c628d239b57dde6ba85db04e780056b12067141ca5d2ff6ad4a19b9b900b75dcc321a335f84d34444c92f338bc71fdf8bc71bba99f0

Download Submit
C:\Windows\{67237A6B-13D8-494a-9694-7E3D78BF0B54}.exe

Filesize
180KB

MD5
4c4c867ce4a184c7a0e449829b2f7ea5

SHA1
8183bb3f8da523988acc3133a29856fb9829402a

SHA256
173b68790b31496802eef9133d0722a3042768985306b7ad2ad253b59f23739f

SHA512
9a921687012166fe68502888b08300a415178534d317c5d0e50174f41abe057f149507d936946014034bc3a6649a4b6da9aeb5a29b1b0d576d8148961f166c5b

Download Submit
C:\Windows\{6E25E36E-9AEC-490b-9BAD-49937DD15DDC}.exe

Filesize
180KB

MD5
30710f9540ff9c5b1db57bc365bc5ea3

SHA1
8d6059b3edf46708686e37fd588cda8d3c897dc2

SHA256
c8a8c9d6af55e36ec44542c781a83b7e65219908661b6f61c0d2c837cde8782d

SHA512
9c23c489e1b2bfbf67f2bb4b2ea278d6fa823aee90d55de6fb93d79a2ccf868a6450e5dc906ef573a37379c8b75ee63318ef466d54746660217a50e42d5c0364

Download Submit
C:\Windows\{7F519155-F399-417b-B0CB-86DCEE4B6588}.exe

Filesize
180KB

MD5
9e6299e759a5d92a5fe00f5b7341f6c7

SHA1
e3605512ed72e5dc96f55bf0f22aca0c1f0e144c

SHA256
5eadfb3613cc15a56f3f5dc13f5f688954541983933d171665adc40f872fed29

SHA512
09d6259ef039fe6ece5ef16a19eb9488a69b40d338db3dd8acf9f3bd445cce0fe7c58d90dd5e6c7b6ffc5163dd5172f5ccc3c999b22dc897d0a89aa4a7add63c

Download Submit
C:\Windows\{85270AF2-D633-4cc9-B0BE-41D68AB99CB8}.exe

Filesize
180KB

MD5
4bff1603dcd89edbc0d812c4296ae809

SHA1
09f421d7d0c5b499c231460b0e909025b056056a

SHA256
28a853069b86ebdb6ddd759fca342fb2c01264ca33b852c8719e6f411d3b1284

SHA512
2d06faec0f841142e2af7100001fd4334dd81a2dcf05d591062fc4a7efd587ee84e3fa199b97577aead6ba438fe1a6134dc2ea63fc0b8d3539701cc67c5f8f9d

Download Submit
C:\Windows\{C774A946-17D0-4364-90C2-FACE823EBCB3}.exe

Filesize
180KB

MD5
49ace39d602160f4e3f8c5b3bb0922b0

SHA1
83cfbfab882d317b386bb1260f6cce9517213caf

SHA256
db3fe6113991cea4b4456bcb647f308d41cbd6381a03879d476f7ee09c1f5842

SHA512
c50e5cb1bd8cefb45b8351ba462aebe881f8b3f5f581a01dd2c0237f3def85920e05e4e46bb016450e9daac6e831c2f38a100c76f57e62b632837485cb444f5a

Download Submit
C:\Windows\{D0B47F50-1626-4d53-80AD-55E42391FB38}.exe

Filesize
180KB

MD5
7eb1c02bb3eddbbedeb86f5b060af21c

SHA1
72490a782c8ae5a26e315fbb1a8168fef638e724

SHA256
c4b54bd03b5701d71e7aa122202fad75ecb2f014d905c165adf3f3b7060d0c22

SHA512
0266b4c6a723c1d808903cada3c53cf83fbbd3dbb9f44c1fce0f89a5365f523fb3cd3895ac3c8239a742670c673c2a3c8fa5c536610308425ff74227c8995a30

Download Submit
C:\Windows\{D8E3C3E5-340F-4a6f-A138-6E0B99C57047}.exe

Filesize
180KB

MD5
85b3a951a3a110a9a8f1219ac9ccc26d

SHA1
1960de13df25cf2f89c89be5c67ae975573581e5

SHA256
5e6ac7553986dd14f472078c91faa8d829dce2dcccd6955415ee7b5a7beb4450

SHA512
6993bb31bd54d94fa5ba7ae4a7681d74da6657543633416d039bb4837113389ad6a32cba9b1958eb7fe73384d70afc708db6e00187c019cc02b74f62c9b4ee6a

Download Submit