kinsing | 2b11a28caaa1f1b6265bd919fab4c81256781b29c99db0751385fa13d1964980

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Size

408KB
MD5

adb394d19ea37b252289985445ae06dc
SHA1

aed199cd664896a5bba6a98f4d84912cdec917d2
SHA256

2b11a28caaa1f1b6265bd919fab4c81256781b29c99db0751385fa13d1964980
SHA512

0b135e4213718025ec8c77eec02ff0a3dece8e62ded3ea6fd1c7846208f4a46a82de509545d69865aaa01efc7badf45272f5b7bd917e0cd4e5e718e7cac1bfec
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGdldOe2MUVg3vTeKcAEciTBqr3jy

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023205-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000231ff-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231ff-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000231ff-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002320b-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000737-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000737-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000735-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{636E70C4-CFEE-4837-B7C2-348A8D80D550}\stubpath = "C:\\Windows\\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe"	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0126542-DD80-4627-8720-CBD9AC99BA44}\stubpath = "C:\\Windows\\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe"	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A149864-883F-470e-976E-FB16EFDE5BC5}	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}\stubpath = "C:\\Windows\\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe"	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2371716-3476-472f-862A-C93D98ECD893}\stubpath = "C:\\Windows\\{F2371716-3476-472f-862A-C93D98ECD893}.exe"	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2371716-3476-472f-862A-C93D98ECD893}	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}\stubpath = "C:\\Windows\\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe"	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F849B15E-D543-438f-B585-92B936DC9B07}	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}\stubpath = "C:\\Windows\\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe"	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A149864-883F-470e-976E-FB16EFDE5BC5}\stubpath = "C:\\Windows\\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe"	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}\stubpath = "C:\\Windows\\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe"	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}\stubpath = "C:\\Windows\\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe"	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D55E5BA-457D-47ec-910D-802B2781CE8F}	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}\stubpath = "C:\\Windows\\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe"	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{636E70C4-CFEE-4837-B7C2-348A8D80D550}	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0126542-DD80-4627-8720-CBD9AC99BA44}	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F849B15E-D543-438f-B585-92B936DC9B07}\stubpath = "C:\\Windows\\{F849B15E-D543-438f-B585-92B936DC9B07}.exe"	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D55E5BA-457D-47ec-910D-802B2781CE8F}\stubpath = "C:\\Windows\\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe"	{F849B15E-D543-438f-B585-92B936DC9B07}.exe

Executes dropped EXE 12 IoCs

pid	Process
4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
5008	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
4068	{F2371716-3476-472f-862A-C93D98ECD893}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
File created	C:\Windows\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
File created	C:\Windows\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
File created	C:\Windows\{F2371716-3476-472f-862A-C93D98ECD893}.exe	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
File created	C:\Windows\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
File created	C:\Windows\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
File created	C:\Windows\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
File created	C:\Windows\{F849B15E-D543-438f-B585-92B936DC9B07}.exe	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
File created	C:\Windows\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
File created	C:\Windows\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
File created	C:\Windows\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
File created	C:\Windows\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
Token: SeIncBasePriorityPrivilege	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
Token: SeIncBasePriorityPrivilege	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
Token: SeIncBasePriorityPrivilege	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
Token: SeIncBasePriorityPrivilege	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe
Token: SeIncBasePriorityPrivilege	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
Token: SeIncBasePriorityPrivilege	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
Token: SeIncBasePriorityPrivilege	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
Token: SeIncBasePriorityPrivilege	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
Token: SeIncBasePriorityPrivilege	2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
Token: SeIncBasePriorityPrivilege	5008	{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 4928	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	97
PID 1516 wrote to memory of 4928	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	97
PID 1516 wrote to memory of 4928	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	97
PID 1516 wrote to memory of 4496	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	98
PID 1516 wrote to memory of 4496	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	98
PID 1516 wrote to memory of 4496	1516	2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe	98
PID 4928 wrote to memory of 220	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	99
PID 4928 wrote to memory of 220	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	99
PID 4928 wrote to memory of 220	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	99
PID 4928 wrote to memory of 3288	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	100
PID 4928 wrote to memory of 3288	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	100
PID 4928 wrote to memory of 3288	4928	{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe	100
PID 220 wrote to memory of 3876	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	103
PID 220 wrote to memory of 3876	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	103
PID 220 wrote to memory of 3876	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	103
PID 220 wrote to memory of 4984	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	102
PID 220 wrote to memory of 4984	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	102
PID 220 wrote to memory of 4984	220	{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe	102
PID 3876 wrote to memory of 2784	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	104
PID 3876 wrote to memory of 2784	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	104
PID 3876 wrote to memory of 2784	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	104
PID 3876 wrote to memory of 3408	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	105
PID 3876 wrote to memory of 3408	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	105
PID 3876 wrote to memory of 3408	3876	{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe	105
PID 2784 wrote to memory of 2524	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	106
PID 2784 wrote to memory of 2524	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	106
PID 2784 wrote to memory of 2524	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	106
PID 2784 wrote to memory of 1464	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	107
PID 2784 wrote to memory of 1464	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	107
PID 2784 wrote to memory of 1464	2784	{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe	107
PID 2524 wrote to memory of 1192	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	108
PID 2524 wrote to memory of 1192	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	108
PID 2524 wrote to memory of 1192	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	108
PID 2524 wrote to memory of 888	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	109
PID 2524 wrote to memory of 888	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	109
PID 2524 wrote to memory of 888	2524	{F849B15E-D543-438f-B585-92B936DC9B07}.exe	109
PID 1192 wrote to memory of 1936	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	110
PID 1192 wrote to memory of 1936	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	110
PID 1192 wrote to memory of 1936	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	110
PID 1192 wrote to memory of 1172	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	111
PID 1192 wrote to memory of 1172	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	111
PID 1192 wrote to memory of 1172	1192	{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe	111
PID 1936 wrote to memory of 3892	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	112
PID 1936 wrote to memory of 3892	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	112
PID 1936 wrote to memory of 3892	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	112
PID 1936 wrote to memory of 2936	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	113
PID 1936 wrote to memory of 2936	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	113
PID 1936 wrote to memory of 2936	1936	{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe	113
PID 3892 wrote to memory of 3652	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	114
PID 3892 wrote to memory of 3652	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	114
PID 3892 wrote to memory of 3652	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	114
PID 3892 wrote to memory of 4624	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	115
PID 3892 wrote to memory of 4624	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	115
PID 3892 wrote to memory of 4624	3892	{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe	115
PID 3652 wrote to memory of 2780	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	116
PID 3652 wrote to memory of 2780	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	116
PID 3652 wrote to memory of 2780	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	116
PID 3652 wrote to memory of 3544	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	117
PID 3652 wrote to memory of 3544	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	117
PID 3652 wrote to memory of 3544	3652	{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe	117
PID 2780 wrote to memory of 5008	2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	118
PID 2780 wrote to memory of 5008	2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	118
PID 2780 wrote to memory of 5008	2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	118
PID 2780 wrote to memory of 4172	2780	{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_adb394d19ea37b252289985445ae06dc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
  C:\Windows\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
    C:\Windows\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{636E7~1.EXE > nul
      4⤵
      PID:4984
  - - C:\Windows\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
      C:\Windows\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3876
    - - C:\Windows\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
        
        C:\Windows\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\{F849B15E-D543-438f-B585-92B936DC9B07}.exe
        
        C:\Windows\{F849B15E-D543-438f-B585-92B936DC9B07}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
        
        C:\Windows\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
        
        C:\Windows\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
        
        C:\Windows\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
        
        C:\Windows\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
        
        C:\Windows\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
        
        C:\Windows\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\{F2371716-3476-472f-862A-C93D98ECD893}.exe
        
        C:\Windows\{F2371716-3476-472f-862A-C93D98ECD893}.exe
        13⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8560~1.EXE > nul
        13⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F85A~1.EXE > nul
        12⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFBC9~1.EXE > nul
        11⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A149~1.EXE > nul
        10⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC1E1~1.EXE > nul
        9⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D55E~1.EXE > nul
        8⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F849B~1.EXE > nul
        7⤵
        
        PID:888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61DA8~1.EXE > nul
        6⤵
        
        PID:1464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0126~1.EXE > nul
        5⤵
        
        PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8CDE0~1.EXE > nul
    3⤵
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A149864-883F-470e-976E-FB16EFDE5BC5}.exe

Filesize
408KB

MD5
6cdd6483e161fad6c90da67b316dcfb8

SHA1
eab4e54b3bc6182107c391250faece059711f7da

SHA256
fdb64b58b2e6c87b63e44f04059dca284b9e2b1349ccccb85ad601e209d79864

SHA512
e0596ddb5288e52af425059a9e0baf813a9ce12e9ea7f5e950bf7b772c7309915307409c0ec044013bb0db4b8e4a60ee440e27188b7e5a7d975035632d3d62b6

Download Submit
C:\Windows\{1F85A43F-97B1-4af5-827F-C4AC085A35F3}.exe

Filesize
408KB

MD5
442afc67684a59b1b9286789ead9c005

SHA1
9519846f0e3c55f3f440cdf20db2f7b17f8a8a18

SHA256
5737fc76f83dc02eabca7b57934f764144b169cfe5144d0dfdf0a4b96fab030d

SHA512
0275098a98e8ca03ffd9dc4ab1f664e9acc51cd998683717d6d56de066a42102ded9d7126bb8d117ca145f5650547aa5c5a6e61bc9994cd1d362bd456f172ad0

Download Submit
C:\Windows\{5D55E5BA-457D-47ec-910D-802B2781CE8F}.exe

Filesize
408KB

MD5
f43f34846adcf3ae900aa8856e6e5296

SHA1
1abe06c680f2569c38fd98ec484ed1f93629db1f

SHA256
a58308d13575d833588f2ba37a4cd148edf1a1fbe247a4e6354e8635dd157785

SHA512
eca5067ac1df221b6a663ec38195ffed78ce991c365ce6e8501c1418b31b4850fba43c010f0264c3b2ab50d5adcf8b45125afe24bc3671346d6de66b003c154f

Download Submit
C:\Windows\{61DA8672-44E8-4373-A55A-C5EF382B2BC1}.exe

Filesize
408KB

MD5
b8338d2601830bb5d3addabce22faaaa

SHA1
21fd3a6d9cf26d617a8443d0c3b931107a0d2f6b

SHA256
d5bb2afbc9d339c3d4b545bc8dd3b4528646f5ffe0249748d63a322346c1b2e6

SHA512
ed4a1cad55982d7a28bb018b1cd4c30edce6ce1f8d0ed1295bfe3fec9a78f69b372b27edb89918a8fd3942b55a73455a254db34abdf0a1219db043640bb1fd9d

Download Submit
C:\Windows\{636E70C4-CFEE-4837-B7C2-348A8D80D550}.exe

Filesize
408KB

MD5
80b24e7f19a7285797adc5ae88d2a32e

SHA1
c4ae2e1bf1d135dd9a957fca478727e912e3c177

SHA256
bddecefe2c1c7768f075eecca7aafa3a8adb52508c30b29c8aad3915d337344c

SHA512
b731bac544c25826e4ad791ea1df5c99766d63135a2d168a590184c46a9e3490a615de73ca38759d08a4ea448e4f5d9d24f415281c0b11a892632562cf759d24

Download Submit
C:\Windows\{8CDE013E-285D-42b2-BEFC-A422C6D86FCC}.exe

Filesize
408KB

MD5
bba9a51b2c079aec179f49b793f5743a

SHA1
f5d5695c6f6f84e47a37af5f8716979d5fe2b850

SHA256
1d9981bc337e3e1745e0af07a07ded092dc8b3ceb44a6ea172b3dc28468644e6

SHA512
8628ae83da7dfa966d5c4e792b18b4bc35fc70aa8eff1b69c8c6455f4b7f65343dfc83b9a81a780086ca4f581afcf30297004054390a65aac65ea27b90241fa0

Download Submit
C:\Windows\{B85607BA-58F6-4ba1-ADFF-28F793B1B352}.exe

Filesize
408KB

MD5
ba10d551206caffed2fb00e1449ab471

SHA1
224cf07bf79be42afa3fd5420baa022217f52d6d

SHA256
ab6718febe4c4094c5f8deed91818bdd7e5430475b39ba527c488957826090e0

SHA512
6b7189d7c576a83828760f091d9bee62a0fe8ada51a5ac1a39486c6e64c47bdbf1d58e4ee90d3d28cadc35730bdf83a38312ed573d5dde49ff0a190ccf634b6c

Download Submit
C:\Windows\{D0126542-DD80-4627-8720-CBD9AC99BA44}.exe

Filesize
408KB

MD5
cd63f991791b11794f26a50d06482511

SHA1
2f5d67b2d24cffe5b75bb0e456a9fe6c76165adf

SHA256
268cac1b44e94a1266e0b4c3368cae37d546a320ea9a2742ef282797a02479d2

SHA512
fd4a1c65fba631d314abdadaaf926803935936f3404d18580c4693bb53980656a1a417c8d4cac1aee8811ee4bdf18f8ae9b126ea4a0522a467e99c45867d54b6

Download Submit
C:\Windows\{DC1E1E30-2688-4a9a-AC17-6D2F52E32B4F}.exe

Filesize
408KB

MD5
92bd0b7b6e37a0ca1cb4624556528304

SHA1
b6b9046eafcd6a1b724899e91e953a6df62ba70b

SHA256
5df04bc190c524110a3735d82721f139b56f1d3cbc6e1e9c2b1612cc56ca182f

SHA512
2806201571a27b8e3b7c7cf2d91daf6a36e88d2f0d31d7aa4fc3505849f5c84ddaccda272748b03c002326d8158bc7e180587c6c099b0bc19a47dd562567a449

Download Submit
C:\Windows\{EFBC90A9-5EDB-41cf-A6EB-D4904A762237}.exe

Filesize
408KB

MD5
201078f28ffd07a2353256580f77338c

SHA1
2237b79a2a2bb40df2091b3494e68fefd535d070

SHA256
1cea2445b471be92df2733eb0c75e96ba9771525e9dda493bee68483c9a25cda

SHA512
84ba9a00b3210d55c00430d15bf0deebe59558647f5c3a5b9006a89b245846798e1b38fd4a5561150f567b0031134bb6bc348b263cd668ea7615fe5ef0ae74d3

Download Submit
C:\Windows\{F2371716-3476-472f-862A-C93D98ECD893}.exe

Filesize
408KB

MD5
638a57556f0407fb9af5f9cc96d1d5a4

SHA1
f38e6ecabb584321decb422cb41a85807b1fe6b0

SHA256
17c6902aa3c5d1b23b78972f726ba83cba74ba1ffc42d6927875b5df785f2719

SHA512
78bd6faa78fe55a785b0bd0db908524fee10fa71642c997d2273a4a948fcab15946393a3db5a009ef46ed34566ce31151d4547893478a4ec40de72262ff6e84c

Download Submit
C:\Windows\{F849B15E-D543-438f-B585-92B936DC9B07}.exe

Filesize
408KB

MD5
74245409ef1384bcc93fa45a26042490

SHA1
dd858b3027f37b073a6e48e78ec16310231567eb

SHA256
9807f4d99a30caf8c080c7a1ccef871bcd62f5f262f77a575e4596c3f4a5f90e

SHA512
1479e2ee080ef9ef2dc129488e5c8e3e3ac572f2af950a08b4234d625d30ec3e6c31fcd19666c432b3e5710e9bb659ab131923f72d317385d4e5dc6e635793f2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads