kinsing | 2b11a28caaa1f1b6265bd919fab4c81256781b29c99db0751385fa13d1964980

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Size

408KB
MD5

adb394d19ea37b252289985445ae06dc
SHA1

aed199cd664896a5bba6a98f4d84912cdec917d2
SHA256

2b11a28caaa1f1b6265bd919fab4c81256781b29c99db0751385fa13d1964980
SHA512

0b135e4213718025ec8c77eec02ff0a3dece8e62ded3ea6fd1c7846208f4a46a82de509545d69865aaa01efc7badf45272f5b7bd917e0cd4e5e718e7cac1bfec
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGdldOe2MUVg3vTeKcAEciTBqr3jy

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F849B15E-D543-438f-B585-92B936DC9B07}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F2371716-3476-472f-862A-C93D98ECD893}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe{F849B15E-D543-438f-B585-92B936DC9B07}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{636E70C4-CFEE-4837-B7C2-348A8D80D550}\stubpath = "C:\\Windows\\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe"	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0126542-DD80-4627-8720-CBD9AC99BA44}\stubpath = "C:\\Windows\\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe"	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A149864-883F-470e-976E-FB16EFDE5BC5}	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}\stubpath = "C:\\Windows\\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe"	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2371716-3476-472f-862A-C93D98ECD893}\stubpath = "C:\\Windows\\{F2371716-3476-472f-862A-C93D98ECD893}.exe"	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2371716-3476-472f-862A-C93D98ECD893}	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}\stubpath = "C:\\Windows\\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe"	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F849B15E-D543-438f-B585-92B936DC9B07}	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}\stubpath = "C:\\Windows\\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe"	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A149864-883F-470e-976E-FB16EFDE5BC5}\stubpath = "C:\\Windows\\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe"	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}\stubpath = "C:\\Windows\\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe"	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}\stubpath = "C:\\Windows\\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe"	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D55E5BA-457D-47ec-910D-802B2781CE8F}	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}\stubpath = "C:\\Windows\\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe"	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{636E70C4-CFEE-4837-B7C2-348A8D80D550}	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0126542-DD80-4627-8720-CBD9AC99BA44}	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F849B15E-D543-438f-B585-92B936DC9B07}\stubpath = "C:\\Windows\\{F849B15E-D543-438f-B585-92B936DC9B07}.exe"	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D55E5BA-457D-47ec-910D-802B2781CE8F}\stubpath = "C:\\Windows\\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe"	{F849B15E-D543-438f-B585-92B936DC9B07}.exe

Executes dropped EXE 12 IoCs

Processes:

{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe{F849B15E-D543-438f-B585-92B936DC9B07}.exe{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe{F2371716-3476-472f-862A-C93D98ECD893}.exe

pid	process
4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
5008	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
4068	{F2371716-3476-472f-862A-C93D98ECD893}.exe

Drops file in Windows directory 12 IoCs

Processes:

{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe{F849B15E-D543-438f-B585-92B936DC9B07}.exe{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe

description	ioc	process
File created	C:\Windows\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
File created	C:\Windows\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
File created	C:\Windows\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
File created	C:\Windows\{F2371716-3476-472f-862A-C93D98ECD893}.exe	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
File created	C:\Windows\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
File created	C:\Windows\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
File created	C:\Windows\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
File created	C:\Windows\{F849B15E-D543-438f-B585-92B936DC9B07}.exe	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
File created	C:\Windows\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
File created	C:\Windows\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
File created	C:\Windows\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
File created	C:\Windows\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe{F849B15E-D543-438f-B585-92B936DC9B07}.exe{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
Token: SeIncBasePriorityPrivilege	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
Token: SeIncBasePriorityPrivilege	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
Token: SeIncBasePriorityPrivilege	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
Token: SeIncBasePriorityPrivilege	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
Token: SeIncBasePriorityPrivilege	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
Token: SeIncBasePriorityPrivilege	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
Token: SeIncBasePriorityPrivilege	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
Token: SeIncBasePriorityPrivilege	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
Token: SeIncBasePriorityPrivilege	2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
Token: SeIncBasePriorityPrivilege	5008	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1516 wrote to memory of 4928	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
PID 1516 wrote to memory of 4928	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
PID 1516 wrote to memory of 4928	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
PID 1516 wrote to memory of 4496	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	cmd.exe
PID 1516 wrote to memory of 4496	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	cmd.exe
PID 1516 wrote to memory of 4496	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	cmd.exe
PID 4928 wrote to memory of 220	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
PID 4928 wrote to memory of 220	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
PID 4928 wrote to memory of 220	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
PID 4928 wrote to memory of 3288	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	cmd.exe
PID 4928 wrote to memory of 3288	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	cmd.exe
PID 4928 wrote to memory of 3288	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	cmd.exe
PID 220 wrote to memory of 3876	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
PID 220 wrote to memory of 3876	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
PID 220 wrote to memory of 3876	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
PID 220 wrote to memory of 4984	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	cmd.exe
PID 220 wrote to memory of 4984	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	cmd.exe
PID 220 wrote to memory of 4984	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	cmd.exe
PID 3876 wrote to memory of 2784	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
PID 3876 wrote to memory of 2784	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
PID 3876 wrote to memory of 2784	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
PID 3876 wrote to memory of 3408	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	cmd.exe
PID 3876 wrote to memory of 3408	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	cmd.exe
PID 3876 wrote to memory of 3408	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	cmd.exe
PID 2784 wrote to memory of 2524	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
PID 2784 wrote to memory of 2524	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
PID 2784 wrote to memory of 2524	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
PID 2784 wrote to memory of 1464	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	cmd.exe
PID 2784 wrote to memory of 1464	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	cmd.exe
PID 2784 wrote to memory of 1464	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	cmd.exe
PID 2524 wrote to memory of 1192	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
PID 2524 wrote to memory of 1192	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
PID 2524 wrote to memory of 1192	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
PID 2524 wrote to memory of 888	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	cmd.exe
PID 2524 wrote to memory of 888	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	cmd.exe
PID 2524 wrote to memory of 888	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	cmd.exe
PID 1192 wrote to memory of 1936	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
PID 1192 wrote to memory of 1936	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
PID 1192 wrote to memory of 1936	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
PID 1192 wrote to memory of 1172	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	cmd.exe
PID 1192 wrote to memory of 1172	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	cmd.exe
PID 1192 wrote to memory of 1172	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	cmd.exe
PID 1936 wrote to memory of 3892	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
PID 1936 wrote to memory of 3892	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
PID 1936 wrote to memory of 3892	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
PID 1936 wrote to memory of 2936	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	cmd.exe
PID 1936 wrote to memory of 2936	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	cmd.exe
PID 1936 wrote to memory of 2936	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	cmd.exe
PID 3892 wrote to memory of 3652	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
PID 3892 wrote to memory of 3652	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
PID 3892 wrote to memory of 3652	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
PID 3892 wrote to memory of 4624	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	cmd.exe
PID 3892 wrote to memory of 4624	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	cmd.exe
PID 3892 wrote to memory of 4624	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	cmd.exe
PID 3652 wrote to memory of 2780	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
PID 3652 wrote to memory of 2780	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
PID 3652 wrote to memory of 2780	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
PID 3652 wrote to memory of 3544	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	cmd.exe
PID 3652 wrote to memory of 3544	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	cmd.exe
PID 3652 wrote to memory of 3544	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	cmd.exe
PID 2780 wrote to memory of 5008	2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
PID 2780 wrote to memory of 5008	2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
PID 2780 wrote to memory of 5008	2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
PID 2780 wrote to memory of 4172	2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
C:\Windows\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
C:\Windows\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{636E7~1.EXE > nul
4⤵
PID:4984

C:\Windows\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
C:\Windows\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
C:\Windows\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\{F849B15E-D543-438f-B585-92B936DC9B07}.exe
C:\Windows\{F849B15E-D543-438f-B585-92B936DC9B07}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
C:\Windows\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
C:\Windows\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
C:\Windows\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
C:\Windows\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
C:\Windows\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
C:\Windows\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\{F2371716-3476-472f-862A-C93D98ECD893}.exe
C:\Windows\{F2371716-3476-472f-862A-C93D98ECD893}.exe
13⤵
- Executes dropped EXE
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B8560~1.EXE > nul
13⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1F85A~1.EXE > nul
12⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EFBC9~1.EXE > nul
11⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0A149~1.EXE > nul
10⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DC1E1~1.EXE > nul
9⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5D55E~1.EXE > nul
8⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F849B~1.EXE > nul
7⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{61DA8~1.EXE > nul
6⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D0126~1.EXE > nul
5⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8CDE0~1.EXE > nul
3⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
Filesize
408KB

MD5
6cdd6483e161fad6c90da67b316dcfb8

SHA1
eab4e54b3bc6182107c391250faece059711f7da

SHA256
fdb64b58b2e6c87b63e44f04059dca284b9e2b1349ccccb85ad601e209d79864

SHA512
e0596ddb5288e52af425059a9e0baf813a9ce12e9ea7f5e950bf7b772c7309915307409c0ec044013bb0db4b8e4a60ee440e27188b7e5a7d975035632d3d62b6

Download Submit
C:\Windows\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
Filesize
408KB

MD5
442afc67684a59b1b9286789ead9c005

SHA1
9519846f0e3c55f3f440cdf20db2f7b17f8a8a18

SHA256
5737fc76f83dc02eabca7b57934f764144b169cfe5144d0dfdf0a4b96fab030d

SHA512
0275098a98e8ca03ffd9dc4ab1f664e9acc51cd998683717d6d56de066a42102ded9d7126bb8d117ca145f5650547aa5c5a6e61bc9994cd1d362bd456f172ad0

Download Submit
C:\Windows\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
Filesize
408KB

MD5
f43f34846adcf3ae900aa8856e6e5296

SHA1
1abe06c680f2569c38fd98ec484ed1f93629db1f

SHA256
a58308d13575d833588f2ba37a4cd148edf1a1fbe247a4e6354e8635dd157785

SHA512
eca5067ac1df221b6a663ec38195ffed78ce991c365ce6e8501c1418b31b4850fba43c010f0264c3b2ab50d5adcf8b45125afe24bc3671346d6de66b003c154f

Download Submit
C:\Windows\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
Filesize
408KB

MD5
b8338d2601830bb5d3addabce22faaaa

SHA1
21fd3a6d9cf26d617a8443d0c3b931107a0d2f6b

SHA256
d5bb2afbc9d339c3d4b545bc8dd3b4528646f5ffe0249748d63a322346c1b2e6

SHA512
ed4a1cad55982d7a28bb018b1cd4c30edce6ce1f8d0ed1295bfe3fec9a78f69b372b27edb89918a8fd3942b55a73455a254db34abdf0a1219db043640bb1fd9d

Download Submit
C:\Windows\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
Filesize
408KB

MD5
80b24e7f19a7285797adc5ae88d2a32e

SHA1
c4ae2e1bf1d135dd9a957fca478727e912e3c177

SHA256
bddecefe2c1c7768f075eecca7aafa3a8adb52508c30b29c8aad3915d337344c

SHA512
b731bac544c25826e4ad791ea1df5c99766d63135a2d168a590184c46a9e3490a615de73ca38759d08a4ea448e4f5d9d24f415281c0b11a892632562cf759d24

Download Submit
C:\Windows\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
Filesize
408KB

MD5
bba9a51b2c079aec179f49b793f5743a

SHA1
f5d5695c6f6f84e47a37af5f8716979d5fe2b850

SHA256
1d9981bc337e3e1745e0af07a07ded092dc8b3ceb44a6ea172b3dc28468644e6

SHA512
8628ae83da7dfa966d5c4e792b18b4bc35fc70aa8eff1b69c8c6455f4b7f65343dfc83b9a81a780086ca4f581afcf30297004054390a65aac65ea27b90241fa0

Download Submit
C:\Windows\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
Filesize
408KB

MD5
ba10d551206caffed2fb00e1449ab471

SHA1
224cf07bf79be42afa3fd5420baa022217f52d6d

SHA256
ab6718febe4c4094c5f8deed91818bdd7e5430475b39ba527c488957826090e0

SHA512
6b7189d7c576a83828760f091d9bee62a0fe8ada51a5ac1a39486c6e64c47bdbf1d58e4ee90d3d28cadc35730bdf83a38312ed573d5dde49ff0a190ccf634b6c

Download Submit
C:\Windows\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
Filesize
408KB

MD5
cd63f991791b11794f26a50d06482511

SHA1
2f5d67b2d24cffe5b75bb0e456a9fe6c76165adf

SHA256
268cac1b44e94a1266e0b4c3368cae37d546a320ea9a2742ef282797a02479d2

SHA512
fd4a1c65fba631d314abdadaaf926803935936f3404d18580c4693bb53980656a1a417c8d4cac1aee8811ee4bdf18f8ae9b126ea4a0522a467e99c45867d54b6

Download Submit
C:\Windows\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
Filesize
408KB

MD5
92bd0b7b6e37a0ca1cb4624556528304

SHA1
b6b9046eafcd6a1b724899e91e953a6df62ba70b

SHA256
5df04bc190c524110a3735d82721f139b56f1d3cbc6e1e9c2b1612cc56ca182f

SHA512
2806201571a27b8e3b7c7cf2d91daf6a36e88d2f0d31d7aa4fc3505849f5c84ddaccda272748b03c002326d8158bc7e180587c6c099b0bc19a47dd562567a449

Download Submit
C:\Windows\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
Filesize
408KB

MD5
201078f28ffd07a2353256580f77338c

SHA1
2237b79a2a2bb40df2091b3494e68fefd535d070

SHA256
1cea2445b471be92df2733eb0c75e96ba9771525e9dda493bee68483c9a25cda

SHA512
84ba9a00b3210d55c00430d15bf0deebe59558647f5c3a5b9006a89b245846798e1b38fd4a5561150f567b0031134bb6bc348b263cd668ea7615fe5ef0ae74d3

Download Submit
C:\Windows\{F2371716-3476-472f-862A-C93D98ECD893}.exe
Filesize
408KB

MD5
638a57556f0407fb9af5f9cc96d1d5a4

SHA1
f38e6ecabb584321decb422cb41a85807b1fe6b0

SHA256
17c6902aa3c5d1b23b78972f726ba83cba74ba1ffc42d6927875b5df785f2719

SHA512
78bd6faa78fe55a785b0bd0db908524fee10fa71642c997d2273a4a948fcab15946393a3db5a009ef46ed34566ce31151d4547893478a4ec40de72262ff6e84c

Download Submit
C:\Windows\{F849B15E-D543-438f-B585-92B936DC9B07}.exe
Filesize
408KB

MD5
74245409ef1384bcc93fa45a26042490

SHA1
dd858b3027f37b073a6e48e78ec16310231567eb

SHA256
9807f4d99a30caf8c080c7a1ccef871bcd62f5f262f77a575e4596c3f4a5f90e

SHA512
1479e2ee080ef9ef2dc129488e5c8e3e3ac572f2af950a08b4234d625d30ec3e6c31fcd19666c432b3e5710e9bb659ab131923f72d317385d4e5dc6e635793f2

Download Submit