kinsing | 01def3ddd9531a31c4a54f8eff1922693d558526dfc2aa8566a9f1a1f00a3b08

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
Size

408KB
MD5

aaa58d116e01e3fd4ab9c1f65efa3583
SHA1

88982993e1252c7c7680df51ef5c95d7bd3e4a6b
SHA256

01def3ddd9531a31c4a54f8eff1922693d558526dfc2aa8566a9f1a1f00a3b08
SHA512

0140d5acc9c3971e9bd82c8a70127d5c6cc8f9330e1e341a09d06e9f0e380db3a703dbc9cbdcd56bd0a97707f23be4e2984386829fbfea06ac1d0e4ee64cbf89
SSDEEP

3072:CEGh0oEl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGyldOe2MUVg3vTeKcAEciTBqr3jy

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{C8E8160F-8D63-437d-AD4B-016280A28788}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{98D123DF-83CA-42ab-8728-222606583AD3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{231FFD69-401D-4136-BF85-2C1B6293664A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FF7E98D1-E24E-4b0c-A090-B2C980175305}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe{98D123DF-83CA-42ab-8728-222606583AD3}.exe2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe{C8E8160F-8D63-437d-AD4B-016280A28788}.exe{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe{231FFD69-401D-4136-BF85-2C1B6293664A}.exe{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C12B4554-14AA-4706-AF43-9DC5721224D0}	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3429A6FB-7908-47a8-9DC7-BACA293E50CF}	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98D123DF-83CA-42ab-8728-222606583AD3}\stubpath = "C:\\Windows\\{98D123DF-83CA-42ab-8728-222606583AD3}.exe"	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{231FFD69-401D-4136-BF85-2C1B6293664A}	{98D123DF-83CA-42ab-8728-222606583AD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8E8160F-8D63-437d-AD4B-016280A28788}	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}\stubpath = "C:\\Windows\\{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe"	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}\stubpath = "C:\\Windows\\{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe"	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DA816B5-7283-46f6-AFC7-FEFF44C92026}	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98D123DF-83CA-42ab-8728-222606583AD3}	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF7E98D1-E24E-4b0c-A090-B2C980175305}	{231FFD69-401D-4136-BF85-2C1B6293664A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8E8160F-8D63-437d-AD4B-016280A28788}\stubpath = "C:\\Windows\\{C8E8160F-8D63-437d-AD4B-016280A28788}.exe"	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}\stubpath = "C:\\Windows\\{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe"	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C12B4554-14AA-4706-AF43-9DC5721224D0}\stubpath = "C:\\Windows\\{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe"	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}\stubpath = "C:\\Windows\\{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe"	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}\stubpath = "C:\\Windows\\{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe"	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DA816B5-7283-46f6-AFC7-FEFF44C92026}\stubpath = "C:\\Windows\\{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe"	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3429A6FB-7908-47a8-9DC7-BACA293E50CF}\stubpath = "C:\\Windows\\{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe"	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{231FFD69-401D-4136-BF85-2C1B6293664A}\stubpath = "C:\\Windows\\{231FFD69-401D-4136-BF85-2C1B6293664A}.exe"	{98D123DF-83CA-42ab-8728-222606583AD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF7E98D1-E24E-4b0c-A090-B2C980175305}\stubpath = "C:\\Windows\\{FF7E98D1-E24E-4b0c-A090-B2C980175305}.exe"	{231FFD69-401D-4136-BF85-2C1B6293664A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe

Executes dropped EXE 12 IoCs

Processes:

{C8E8160F-8D63-437d-AD4B-016280A28788}.exe{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe{98D123DF-83CA-42ab-8728-222606583AD3}.exe{231FFD69-401D-4136-BF85-2C1B6293664A}.exe{FF7E98D1-E24E-4b0c-A090-B2C980175305}.exe

pid	process
3724	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
4380	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
4932	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
4960	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe
1324	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
2356	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
3760	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe
4464	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
2188	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
4844	{98D123DF-83CA-42ab-8728-222606583AD3}.exe
3836	{231FFD69-401D-4136-BF85-2C1B6293664A}.exe
3432	{FF7E98D1-E24E-4b0c-A090-B2C980175305}.exe

Drops file in Windows directory 12 IoCs

Processes:

{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe{98D123DF-83CA-42ab-8728-222606583AD3}.exe2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe{C8E8160F-8D63-437d-AD4B-016280A28788}.exe{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe{231FFD69-401D-4136-BF85-2C1B6293664A}.exe{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe

description	ioc	process
File created	C:\Windows\{98D123DF-83CA-42ab-8728-222606583AD3}.exe	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
File created	C:\Windows\{231FFD69-401D-4136-BF85-2C1B6293664A}.exe	{98D123DF-83CA-42ab-8728-222606583AD3}.exe
File created	C:\Windows\{C8E8160F-8D63-437d-AD4B-016280A28788}.exe	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
File created	C:\Windows\{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
File created	C:\Windows\{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
File created	C:\Windows\{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
File created	C:\Windows\{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe
File created	C:\Windows\{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
File created	C:\Windows\{FF7E98D1-E24E-4b0c-A090-B2C980175305}.exe	{231FFD69-401D-4136-BF85-2C1B6293664A}.exe
File created	C:\Windows\{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
File created	C:\Windows\{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
File created	C:\Windows\{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe{C8E8160F-8D63-437d-AD4B-016280A28788}.exe{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe{98D123DF-83CA-42ab-8728-222606583AD3}.exe{231FFD69-401D-4136-BF85-2C1B6293664A}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2892	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3724	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
Token: SeIncBasePriorityPrivilege	4380	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
Token: SeIncBasePriorityPrivilege	4932	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
Token: SeIncBasePriorityPrivilege	4960	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe
Token: SeIncBasePriorityPrivilege	1324	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
Token: SeIncBasePriorityPrivilege	2356	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
Token: SeIncBasePriorityPrivilege	3760	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe
Token: SeIncBasePriorityPrivilege	4464	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
Token: SeIncBasePriorityPrivilege	2188	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
Token: SeIncBasePriorityPrivilege	4844	{98D123DF-83CA-42ab-8728-222606583AD3}.exe
Token: SeIncBasePriorityPrivilege	3836	{231FFD69-401D-4136-BF85-2C1B6293664A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2892 wrote to memory of 3724	2892	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
PID 2892 wrote to memory of 3724	2892	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
PID 2892 wrote to memory of 3724	2892	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
PID 2892 wrote to memory of 2852	2892	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	cmd.exe
PID 2892 wrote to memory of 2852	2892	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	cmd.exe
PID 2892 wrote to memory of 2852	2892	2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe	cmd.exe
PID 3724 wrote to memory of 4380	3724	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
PID 3724 wrote to memory of 4380	3724	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
PID 3724 wrote to memory of 4380	3724	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
PID 3724 wrote to memory of 724	3724	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe	cmd.exe
PID 3724 wrote to memory of 724	3724	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe	cmd.exe
PID 3724 wrote to memory of 724	3724	{C8E8160F-8D63-437d-AD4B-016280A28788}.exe	cmd.exe
PID 4380 wrote to memory of 4932	4380	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
PID 4380 wrote to memory of 4932	4380	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
PID 4380 wrote to memory of 4932	4380	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
PID 4380 wrote to memory of 1620	4380	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe	cmd.exe
PID 4380 wrote to memory of 1620	4380	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe	cmd.exe
PID 4380 wrote to memory of 1620	4380	{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe	cmd.exe
PID 4932 wrote to memory of 4960	4932	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe
PID 4932 wrote to memory of 4960	4932	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe
PID 4932 wrote to memory of 4960	4932	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe
PID 4932 wrote to memory of 2816	4932	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe	cmd.exe
PID 4932 wrote to memory of 2816	4932	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe	cmd.exe
PID 4932 wrote to memory of 2816	4932	{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe	cmd.exe
PID 4960 wrote to memory of 1324	4960	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
PID 4960 wrote to memory of 1324	4960	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
PID 4960 wrote to memory of 1324	4960	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
PID 4960 wrote to memory of 2752	4960	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe	cmd.exe
PID 4960 wrote to memory of 2752	4960	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe	cmd.exe
PID 4960 wrote to memory of 2752	4960	{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe	cmd.exe
PID 1324 wrote to memory of 2356	1324	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
PID 1324 wrote to memory of 2356	1324	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
PID 1324 wrote to memory of 2356	1324	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
PID 1324 wrote to memory of 4044	1324	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe	cmd.exe
PID 1324 wrote to memory of 4044	1324	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe	cmd.exe
PID 1324 wrote to memory of 4044	1324	{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe	cmd.exe
PID 2356 wrote to memory of 3760	2356	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe
PID 2356 wrote to memory of 3760	2356	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe
PID 2356 wrote to memory of 3760	2356	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe
PID 2356 wrote to memory of 4688	2356	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe	cmd.exe
PID 2356 wrote to memory of 4688	2356	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe	cmd.exe
PID 2356 wrote to memory of 4688	2356	{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe	cmd.exe
PID 3760 wrote to memory of 4464	3760	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
PID 3760 wrote to memory of 4464	3760	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
PID 3760 wrote to memory of 4464	3760	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
PID 3760 wrote to memory of 4304	3760	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe	cmd.exe
PID 3760 wrote to memory of 4304	3760	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe	cmd.exe
PID 3760 wrote to memory of 4304	3760	{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe	cmd.exe
PID 4464 wrote to memory of 2188	4464	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
PID 4464 wrote to memory of 2188	4464	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
PID 4464 wrote to memory of 2188	4464	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
PID 4464 wrote to memory of 1092	4464	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe	cmd.exe
PID 4464 wrote to memory of 1092	4464	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe	cmd.exe
PID 4464 wrote to memory of 1092	4464	{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe	cmd.exe
PID 2188 wrote to memory of 4844	2188	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe	{98D123DF-83CA-42ab-8728-222606583AD3}.exe
PID 2188 wrote to memory of 4844	2188	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe	{98D123DF-83CA-42ab-8728-222606583AD3}.exe
PID 2188 wrote to memory of 4844	2188	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe	{98D123DF-83CA-42ab-8728-222606583AD3}.exe
PID 2188 wrote to memory of 4888	2188	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe	cmd.exe
PID 2188 wrote to memory of 4888	2188	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe	cmd.exe
PID 2188 wrote to memory of 4888	2188	{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe	cmd.exe
PID 4844 wrote to memory of 3836	4844	{98D123DF-83CA-42ab-8728-222606583AD3}.exe	{231FFD69-401D-4136-BF85-2C1B6293664A}.exe
PID 4844 wrote to memory of 3836	4844	{98D123DF-83CA-42ab-8728-222606583AD3}.exe	{231FFD69-401D-4136-BF85-2C1B6293664A}.exe
PID 4844 wrote to memory of 3836	4844	{98D123DF-83CA-42ab-8728-222606583AD3}.exe	{231FFD69-401D-4136-BF85-2C1B6293664A}.exe
PID 4844 wrote to memory of 4500	4844	{98D123DF-83CA-42ab-8728-222606583AD3}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_aaa58d116e01e3fd4ab9c1f65efa3583_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
C:\Windows\{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
C:\Windows\{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
C:\Windows\{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe
C:\Windows\{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
C:\Windows\{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
C:\Windows\{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe
C:\Windows\{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
C:\Windows\{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
C:\Windows\{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\{98D123DF-83CA-42ab-8728-222606583AD3}.exe
C:\Windows\{98D123DF-83CA-42ab-8728-222606583AD3}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\{231FFD69-401D-4136-BF85-2C1B6293664A}.exe
C:\Windows\{231FFD69-401D-4136-BF85-2C1B6293664A}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\{FF7E98D1-E24E-4b0c-A090-B2C980175305}.exe
C:\Windows\{FF7E98D1-E24E-4b0c-A090-B2C980175305}.exe
13⤵
- Executes dropped EXE
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{231FF~1.EXE > nul
13⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{98D12~1.EXE > nul
12⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3429A~1.EXE > nul
11⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C12B4~1.EXE > nul
10⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2DA81~1.EXE > nul
9⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9F413~1.EXE > nul
8⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4C3AD~1.EXE > nul
7⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F9E68~1.EXE > nul
6⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{96DC9~1.EXE > nul
5⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5FFDD~1.EXE > nul
4⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C8E81~1.EXE > nul
3⤵
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{231FFD69-401D-4136-BF85-2C1B6293664A}.exe
Filesize
408KB

MD5
761d01a7f45be78a547f4348625d1d20

SHA1
86be7a32ea609e9220d62e5fcfc877a6363d3c63

SHA256
6572f0eed79d9e15979815a72bd3f898c73cc7fb10d9cfc1c0094aad98f2da02

SHA512
254e41127cde03ae8a96c6b06ab3a370fb4b185c1484e517853d061cf8b179f9a581f296e1ddcadc9e8e82b5f88d38dcd4bb5f366683fa6561b3e82058ba34fa

Download Submit
C:\Windows\{2DA816B5-7283-46f6-AFC7-FEFF44C92026}.exe
Filesize
408KB

MD5
5db538efed4eac98e84548ba0ae008b7

SHA1
881227fdcde305ba3ff002c7f31961dfaeb61a6c

SHA256
16c08c03f7acef401b8116fed76b6b318b1cf4f74446bc49e36c23f5dbfa12e4

SHA512
24960d4d15760e2556d3e1b8e9f32201ea0ab89eef30f2e930bac340e7e7f9b33879a206eb0fdf868fcce4a49bfa7cd7f1208a4075d44565f49f161e3265cbea

Download Submit
C:\Windows\{3429A6FB-7908-47a8-9DC7-BACA293E50CF}.exe
Filesize
408KB

MD5
a9d8dae39e79629200a4af22b19587c4

SHA1
a3690eb06dbd74215855c51a51a45a24991e8ebb

SHA256
69a1c71ba72289fd6fe1f99cdd0b0b9428e1897ef3ff798924388fa68ddf28f7

SHA512
8b8195ebe608a84a4b93a76dfd32de9aba8d8e61611125146667e2ea5e3d9e36d4478d815c96e5812d1278bb9ffb95663e10c7e2adc233e0327df7d774213cbd

Download Submit
C:\Windows\{4C3AD7A9-9CE3-49c3-B718-0ABC7AA1935F}.exe
Filesize
408KB

MD5
9fdf780718834f2614296b5ca35e13b1

SHA1
308698376325ec1de949f969fa132f5a90ad4604

SHA256
e22202c67912f30b10953080a0182010ede2d04f341e18310fce01139b9d43a2

SHA512
e1401c6ea2e0191d6761fad9cb2244dba0f1d6bf013dcf29d77fd15340750626f17486ea2e98a256d7be5756ed917ee6797db0ecadc73efdeba1531c9aa7743a

Download Submit
C:\Windows\{5FFDDA8C-3B0D-4239-9D0F-DADA7C5198F4}.exe
Filesize
408KB

MD5
45ade2b9d22ce4257c95f8bfb118ac8d

SHA1
af12b0e38897ee38d3a6955b23ba2ccd5908f527

SHA256
5b4aea185cc2b0e83cae924c6c72127a2650c35daef54c70c0247c507d51329c

SHA512
f715c08f9b1568da6b512a8ba86c675c4390dafeae6acc9b60530b59dbc7d0833b2f99cd107f1603064e48f8e4626420caf81d84126d9ea5c6461aa62d16e8ac

Download Submit
C:\Windows\{96DC927A-52CA-4d43-8FC3-840DC7BAC3F0}.exe
Filesize
408KB

MD5
1a6d6edda9430604f154ca885c0082e3

SHA1
5a360c4f017ace4205619319cc5fcbfdd17e909d

SHA256
21789e15ca194c909c468abf654d2af2000fec7193063c4f707b63f129cdfbbd

SHA512
0f8a80354c1849a075df715cba7cceea92d6490e76c012cd5b5069101e9f71452af8f634e5ba4503c19b65bb72f305fda577b72f5e6c7b022462022f8d2278e8

Download Submit
C:\Windows\{98D123DF-83CA-42ab-8728-222606583AD3}.exe
Filesize
408KB

MD5
f48ec47ebca2e206c8488d4a8c71afbf

SHA1
d6190910947454ec68bb6adefdb04b460c3fbc7e

SHA256
659ad7d4a5c1d27bb4dd6f79e203551506a7ac2a45a01dd233cdbe64f77e95c9

SHA512
0035b02962343a80ad8f5a22b5e313f7bcf22d206783139b7941095c7ca94c741bc57c824eef73169ad588213b2c7a802681a56fcdff3689915051d23e5857ce

Download Submit
C:\Windows\{9F413A30-20A2-4a2e-9D75-EA1E63E5BB4A}.exe
Filesize
408KB

MD5
393374028adf782ef3422f695b5eca67

SHA1
4fed01b4ead94546b459a9973c0abc6fbaf18982

SHA256
df9ff4c425171f07e2113cca32a4c1e5cbde13cc92976d8a6416622a2935a1bb

SHA512
4fd2b56208ad7756050642ede9d59ddf9496e39b4dd9eae509036d31fe8d722ba8e11e59502b81589726ef7b041851b6b85bc579f208487fe40390d6d91e8497

Download Submit
C:\Windows\{C12B4554-14AA-4706-AF43-9DC5721224D0}.exe
Filesize
408KB

MD5
b280409c7dfadc28b07da0081467ca37

SHA1
9038eb560f9494683fb1a9dcb8ba679f0c1e3d1c

SHA256
17edcb615cce6411eb1d89b70072ae71fb51c90be03de1b868d6c5b883e107ca

SHA512
e258bc67d5c4a75d0cd0d01ff6b35ce487504346392c3662284f14851732eb5b2d435eaac4859ac12bfec0093f618691d1b19520b8e19d72b74e28f6aadbc355

Download Submit
C:\Windows\{C8E8160F-8D63-437d-AD4B-016280A28788}.exe
Filesize
408KB

MD5
3aab1228a1511b6cef7abdbea8a5193a

SHA1
85cd022db16682f57381d5e7a710a69e52b78c72

SHA256
169692ec48534761ccdeaa31573e702e6e4f11f623875a4cb2aeda7b412c166f

SHA512
07b5447181274d48bcb238147a5b8ae18ff9243da5a1cf0ba693725a5b9bbae4236443645cebb2e17ed85a16da2525689b931f5ece95b723d113e1afdb9c773e

Download Submit
C:\Windows\{F9E68C2E-E84A-420a-87F5-2F9CF28290AE}.exe
Filesize
408KB

MD5
0e37a9bdda175233f48c26d3c3bbbd09

SHA1
cf72e7c55e19bf0e946710ee98f2c1a25d1bfc16

SHA256
680aa489438e1932039bd79dc9dbe8ae97b303013dad3a91faf8215eacf8ac28

SHA512
49003f9742b8c2277c4b59735e3478b6f6c8564d713accbc3b69a8caa063b57154d06211ff84742cb310933bbf5152bedf8fd2cb762f36c6f1b7e9fbfd65219d

Download Submit
C:\Windows\{FF7E98D1-E24E-4b0c-A090-B2C980175305}.exe
Filesize
408KB

MD5
37fd390ad7b985a2d5ff61c870ede3c6

SHA1
699f96d54ab066280c5ab60b86f29daba0f04d72

SHA256
c5195e7d2843fdbae0253bc2c1e5a3450b81a6ca226bc4d62fb6d9d555959e1b

SHA512
bb47f533aff21ecc01193ee232210339767c9364353eae2e496fddc2e9da5eb72305ad30fc288cd5f4448c8ec06261efc85c0933c2ac8e234ca4dd198622b8c0

Download Submit