kinsing | d26080a461a5eb56caf12e0974071d9e8615dd18b8f66f8851ca0de7f5ebb995

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
Size

180KB
MD5

add0c32186c6990912bc0fe959b309cd
SHA1

54b5d13a34914aefeee12ad82ff03a4042c384cb
SHA256

d26080a461a5eb56caf12e0974071d9e8615dd18b8f66f8851ca0de7f5ebb995
SHA512

80ded41670d213d6f6e79127027910faff01463f513ebda22336db7d2d6bdf4c72abea6395f2ba9c5b0bd1e89e13f0ad72d94ad82c6cd65f8d596825205491aa
SSDEEP

3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGpl5eKcAEc

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{2F413665-EC41-4c6e-B039-D817C543336E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{116FB92A-6319-4f99-8BE3-308C70796983}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{04E19DCF-712E-48ab-888E-C2408EA937F7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe{2F413665-EC41-4c6e-B039-D817C543336E}.exe{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe{116FB92A-6319-4f99-8BE3-308C70796983}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F413665-EC41-4c6e-B039-D817C543336E}	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F413665-EC41-4c6e-B039-D817C543336E}\stubpath = "C:\\Windows\\{2F413665-EC41-4c6e-B039-D817C543336E}.exe"	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03FA358D-2438-49fe-B603-BFCFA0938E99}\stubpath = "C:\\Windows\\{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe"	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}\stubpath = "C:\\Windows\\{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe"	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03FA358D-2438-49fe-B603-BFCFA0938E99}	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF85D7FF-4D8A-4798-B1E9-2702772A1617}\stubpath = "C:\\Windows\\{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe"	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04E19DCF-712E-48ab-888E-C2408EA937F7}\stubpath = "C:\\Windows\\{04E19DCF-712E-48ab-888E-C2408EA937F7}.exe"	{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{116FB92A-6319-4f99-8BE3-308C70796983}	{2F413665-EC41-4c6e-B039-D817C543336E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}\stubpath = "C:\\Windows\\{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe"	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1338BA78-E92F-408f-88B0-01D02BB3CD87}	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1338BA78-E92F-408f-88B0-01D02BB3CD87}\stubpath = "C:\\Windows\\{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe"	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04E19DCF-712E-48ab-888E-C2408EA937F7}	{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{116FB92A-6319-4f99-8BE3-308C70796983}\stubpath = "C:\\Windows\\{116FB92A-6319-4f99-8BE3-308C70796983}.exe"	{2F413665-EC41-4c6e-B039-D817C543336E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D870548-F840-48f3-8C3E-936DA6CDD30B}	{116FB92A-6319-4f99-8BE3-308C70796983}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D870548-F840-48f3-8C3E-936DA6CDD30B}\stubpath = "C:\\Windows\\{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe"	{116FB92A-6319-4f99-8BE3-308C70796983}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}\stubpath = "C:\\Windows\\{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe"	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF85D7FF-4D8A-4798-B1E9-2702772A1617}	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}\stubpath = "C:\\Windows\\{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe"	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}\stubpath = "C:\\Windows\\{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe"	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe

Executes dropped EXE 12 IoCs

Processes:

{2F413665-EC41-4c6e-B039-D817C543336E}.exe{116FB92A-6319-4f99-8BE3-308C70796983}.exe{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe{04E19DCF-712E-48ab-888E-C2408EA937F7}.exe

pid	process
2652	{2F413665-EC41-4c6e-B039-D817C543336E}.exe
772	{116FB92A-6319-4f99-8BE3-308C70796983}.exe
4464	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe
3204	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe
3644	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe
3728	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe
3976	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe
4584	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe
3476	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe
4920	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe
4844	{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe
1084	{04E19DCF-712E-48ab-888E-C2408EA937F7}.exe

Drops file in Windows directory 12 IoCs

Processes:

{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe{2F413665-EC41-4c6e-B039-D817C543336E}.exe{116FB92A-6319-4f99-8BE3-308C70796983}.exe

description	ioc	process
File created	C:\Windows\{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe
File created	C:\Windows\{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe
File created	C:\Windows\{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe
File created	C:\Windows\{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe
File created	C:\Windows\{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe
File created	C:\Windows\{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe
File created	C:\Windows\{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe
File created	C:\Windows\{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe
File created	C:\Windows\{04E19DCF-712E-48ab-888E-C2408EA937F7}.exe	{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe
File created	C:\Windows\{2F413665-EC41-4c6e-B039-D817C543336E}.exe	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
File created	C:\Windows\{116FB92A-6319-4f99-8BE3-308C70796983}.exe	{2F413665-EC41-4c6e-B039-D817C543336E}.exe
File created	C:\Windows\{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe	{116FB92A-6319-4f99-8BE3-308C70796983}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe{2F413665-EC41-4c6e-B039-D817C543336E}.exe{116FB92A-6319-4f99-8BE3-308C70796983}.exe{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1272	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2652	{2F413665-EC41-4c6e-B039-D817C543336E}.exe
Token: SeIncBasePriorityPrivilege	772	{116FB92A-6319-4f99-8BE3-308C70796983}.exe
Token: SeIncBasePriorityPrivilege	4464	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe
Token: SeIncBasePriorityPrivilege	3204	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe
Token: SeIncBasePriorityPrivilege	3644	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe
Token: SeIncBasePriorityPrivilege	3728	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe
Token: SeIncBasePriorityPrivilege	3976	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe
Token: SeIncBasePriorityPrivilege	4584	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe
Token: SeIncBasePriorityPrivilege	3476	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe
Token: SeIncBasePriorityPrivilege	4920	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe
Token: SeIncBasePriorityPrivilege	4844	{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1272 wrote to memory of 2652	1272	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	{2F413665-EC41-4c6e-B039-D817C543336E}.exe
PID 1272 wrote to memory of 2652	1272	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	{2F413665-EC41-4c6e-B039-D817C543336E}.exe
PID 1272 wrote to memory of 2652	1272	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	{2F413665-EC41-4c6e-B039-D817C543336E}.exe
PID 1272 wrote to memory of 1828	1272	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	cmd.exe
PID 1272 wrote to memory of 1828	1272	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	cmd.exe
PID 1272 wrote to memory of 1828	1272	2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe	cmd.exe
PID 2652 wrote to memory of 772	2652	{2F413665-EC41-4c6e-B039-D817C543336E}.exe	{116FB92A-6319-4f99-8BE3-308C70796983}.exe
PID 2652 wrote to memory of 772	2652	{2F413665-EC41-4c6e-B039-D817C543336E}.exe	{116FB92A-6319-4f99-8BE3-308C70796983}.exe
PID 2652 wrote to memory of 772	2652	{2F413665-EC41-4c6e-B039-D817C543336E}.exe	{116FB92A-6319-4f99-8BE3-308C70796983}.exe
PID 2652 wrote to memory of 2044	2652	{2F413665-EC41-4c6e-B039-D817C543336E}.exe	cmd.exe
PID 2652 wrote to memory of 2044	2652	{2F413665-EC41-4c6e-B039-D817C543336E}.exe	cmd.exe
PID 2652 wrote to memory of 2044	2652	{2F413665-EC41-4c6e-B039-D817C543336E}.exe	cmd.exe
PID 772 wrote to memory of 4464	772	{116FB92A-6319-4f99-8BE3-308C70796983}.exe	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe
PID 772 wrote to memory of 4464	772	{116FB92A-6319-4f99-8BE3-308C70796983}.exe	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe
PID 772 wrote to memory of 4464	772	{116FB92A-6319-4f99-8BE3-308C70796983}.exe	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe
PID 772 wrote to memory of 2640	772	{116FB92A-6319-4f99-8BE3-308C70796983}.exe	cmd.exe
PID 772 wrote to memory of 2640	772	{116FB92A-6319-4f99-8BE3-308C70796983}.exe	cmd.exe
PID 772 wrote to memory of 2640	772	{116FB92A-6319-4f99-8BE3-308C70796983}.exe	cmd.exe
PID 4464 wrote to memory of 3204	4464	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe
PID 4464 wrote to memory of 3204	4464	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe
PID 4464 wrote to memory of 3204	4464	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe
PID 4464 wrote to memory of 3672	4464	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe	cmd.exe
PID 4464 wrote to memory of 3672	4464	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe	cmd.exe
PID 4464 wrote to memory of 3672	4464	{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe	cmd.exe
PID 3204 wrote to memory of 3644	3204	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe
PID 3204 wrote to memory of 3644	3204	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe
PID 3204 wrote to memory of 3644	3204	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe
PID 3204 wrote to memory of 3996	3204	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe	cmd.exe
PID 3204 wrote to memory of 3996	3204	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe	cmd.exe
PID 3204 wrote to memory of 3996	3204	{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe	cmd.exe
PID 3644 wrote to memory of 3728	3644	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe
PID 3644 wrote to memory of 3728	3644	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe
PID 3644 wrote to memory of 3728	3644	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe
PID 3644 wrote to memory of 4236	3644	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe	cmd.exe
PID 3644 wrote to memory of 4236	3644	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe	cmd.exe
PID 3644 wrote to memory of 4236	3644	{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe	cmd.exe
PID 3728 wrote to memory of 3976	3728	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe
PID 3728 wrote to memory of 3976	3728	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe
PID 3728 wrote to memory of 3976	3728	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe
PID 3728 wrote to memory of 3376	3728	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe	cmd.exe
PID 3728 wrote to memory of 3376	3728	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe	cmd.exe
PID 3728 wrote to memory of 3376	3728	{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe	cmd.exe
PID 3976 wrote to memory of 4584	3976	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe
PID 3976 wrote to memory of 4584	3976	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe
PID 3976 wrote to memory of 4584	3976	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe
PID 3976 wrote to memory of 2660	3976	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe	cmd.exe
PID 3976 wrote to memory of 2660	3976	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe	cmd.exe
PID 3976 wrote to memory of 2660	3976	{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe	cmd.exe
PID 4584 wrote to memory of 3476	4584	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe
PID 4584 wrote to memory of 3476	4584	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe
PID 4584 wrote to memory of 3476	4584	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe
PID 4584 wrote to memory of 4036	4584	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe	cmd.exe
PID 4584 wrote to memory of 4036	4584	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe	cmd.exe
PID 4584 wrote to memory of 4036	4584	{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe	cmd.exe
PID 3476 wrote to memory of 4920	3476	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe
PID 3476 wrote to memory of 4920	3476	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe
PID 3476 wrote to memory of 4920	3476	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe
PID 3476 wrote to memory of 3460	3476	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe	cmd.exe
PID 3476 wrote to memory of 3460	3476	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe	cmd.exe
PID 3476 wrote to memory of 3460	3476	{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe	cmd.exe
PID 4920 wrote to memory of 4844	4920	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe	{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe
PID 4920 wrote to memory of 4844	4920	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe	{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe
PID 4920 wrote to memory of 4844	4920	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe	{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe
PID 4920 wrote to memory of 4596	4920	{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_add0c32186c6990912bc0fe959b309cd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\{2F413665-EC41-4c6e-B039-D817C543336E}.exe
C:\Windows\{2F413665-EC41-4c6e-B039-D817C543336E}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\{116FB92A-6319-4f99-8BE3-308C70796983}.exe
C:\Windows\{116FB92A-6319-4f99-8BE3-308C70796983}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe
C:\Windows\{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe
C:\Windows\{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe
C:\Windows\{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe
C:\Windows\{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe
C:\Windows\{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe
C:\Windows\{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe
C:\Windows\{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe
C:\Windows\{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe
C:\Windows\{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\{04E19DCF-712E-48ab-888E-C2408EA937F7}.exe
C:\Windows\{04E19DCF-712E-48ab-888E-C2408EA937F7}.exe
13⤵
- Executes dropped EXE
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1338B~1.EXE > nul
13⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0FF6F~1.EXE > nul
12⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8D336~1.EXE > nul
11⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DF85D~1.EXE > nul
10⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{03FA3~1.EXE > nul
9⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E9F3E~1.EXE > nul
8⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1959D~1.EXE > nul
7⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AD9FA~1.EXE > nul
6⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1D870~1.EXE > nul
5⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{116FB~1.EXE > nul
4⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2F413~1.EXE > nul
3⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03FA358D-2438-49fe-B603-BFCFA0938E99}.exe

Filesize
180KB

MD5
8cb4edae61b7ab9fda7f3196bdf703c5

SHA1
f7fb72c884c6c6bafa08ca2ed3d03623632974be

SHA256
6dd3647dc2f4c98bd09eb48140ac54981d86b83faac083b67d932059b50dda9d

SHA512
8b686e9e512ac9ff8ebb5a9dec0012ffeeb5adcfb4266f29ff0da6f4979037a951da8e1d0e5d5ffc2d3007aff39ce164e1184cb3900e93001182decdad715e11

Download Submit
C:\Windows\{04E19DCF-712E-48ab-888E-C2408EA937F7}.exe

Filesize
180KB

MD5
7a4b26eec8b77b128e0cb3c7978f4292

SHA1
4e566e07e98272b4da51fffc4869634bf7ba2aa4

SHA256
7ba4b20b8bc7cac9bcf5753e8cc41160a0ae38679887c56773e0387150e5737d

SHA512
5ac75e6101233bea2e3eab2be1c5bf1d5b22305a6a9702935d2bb660e7530286ce236d72c3dfb379a3553579778214370851fc8b1c0862eb0011569bb0d6ecfe

Download Submit
C:\Windows\{0FF6FB0C-3F42-45fb-AD0F-84884DBDE717}.exe

Filesize
180KB

MD5
5680265e3dbf4c2fd0bcec5df647f070

SHA1
0903cc5999394a63a4545c6149d5b6a85a152529

SHA256
4d3c3fb7a107b92fb1bddee2775a4c53f9f245fc63caa3e1f4cecf14c219a65f

SHA512
877eaebcd20dd987cfdacad422097cc5f2d4cab883bb2869387d00323e6dea5d43c35fd33824ef226331be40fa3a568de3f383fb6a43e5a01cbb58efe93202d8

Download Submit
C:\Windows\{116FB92A-6319-4f99-8BE3-308C70796983}.exe

Filesize
180KB

MD5
5f9da5f0ab78789f830216024647fe50

SHA1
b245e872d73adf26be589e5cf7bf2e0e6f34374d

SHA256
920bce5c41ba8e93a405436bf7b1fce6f402ee6ef1f508ff5de3e83448ebecd9

SHA512
b5f6aee557593522058f0dc91544e5986130bfd4ed2112b2380474376b4883d66eb5e38b3e90162894e105cbe7b3550f84d0e760afc0916186ce851994afe475

Download Submit
C:\Windows\{1338BA78-E92F-408f-88B0-01D02BB3CD87}.exe

Filesize
180KB

MD5
c86bdce07b2ff10815a1c9f2576d4f7c

SHA1
d868df7effcd5a34c0a866b2abfbcb5003e58b7c

SHA256
95f2cc247ae9dd7eaf28fe02e15ec77dd4a3a50ac8e3688ba34e609567b158d9

SHA512
6b253894d61e6c27b78d8d4820a6132da56457239f467ab8ea2a20bccec15a4342d7e92bee1370c23da90e9bb4b4817fcb1cae5bd3dc0dee577f8b5434e979db

Download Submit
C:\Windows\{1959DCA3-3AEB-4abd-AFFE-D42F5F4628C5}.exe

Filesize
180KB

MD5
8b94ec755fb249e10af3dbc55a1312e5

SHA1
57fe8d88204dd0c0ca7278719c613c496618f3f7

SHA256
7704850bcb8a802ce882a9e23b1963bb42054a62d14f3c64313f8aa97b1e22e4

SHA512
c139279c4ee7e82652c27fd01399237be8393745ef4c91e2abc1c8f56f9bf51be7245ce025fd9fc14b0bb442c99da2b7b9bf68134784d972ebb9b6effc13bc95

Download Submit
C:\Windows\{1D870548-F840-48f3-8C3E-936DA6CDD30B}.exe

Filesize
180KB

MD5
73664a12432f2c299caef966554e9c26

SHA1
6e0260fcb746972cc384ae90d7f244e56b1a9da1

SHA256
b6193fc40576440e0fc4ab2e54cd044dbc0b723eba6b6c986561f9302268f61b

SHA512
f818089723c64e707ab45544023b80c020e1aa7b255aae870e3a426bb8e601069d4cfb037a670af823fc7d046c55cd51edaa4cb542c8e506b5464165ccba3663

Download Submit
C:\Windows\{2F413665-EC41-4c6e-B039-D817C543336E}.exe

Filesize
180KB

MD5
ff444886ddf0c51fde6f0d892cceb040

SHA1
2625bc8e8373801ee2fce848ccd278d2215efa69

SHA256
07b63c703dd37f0ed6d4b6a4d529b231b865a381bf6e5f8166d13fa941849b5a

SHA512
4da9441899bf4d7ad14540c759e4065392486960413a38db004ddc042d3b9eb70d1c00657bcfc1f828529ff116e713f74e7025ec0c9e548e1e2aae6cfd0f3948

Download Submit
C:\Windows\{8D336D07-A4FC-45d1-A63F-4F8E1F2FA62C}.exe

Filesize
180KB

MD5
55bb0e69006d510b1ea3ec4b5abc6464

SHA1
7059d4b1a3c0f353e42270b535f04737c62907c5

SHA256
4f4dd9a4c14187c8546f624fa36303288bc5ae5f3c35c6567a92369de64158fc

SHA512
f317baee9b83061406bbc6f82e11f27a3cd9ba3107f2514853252d27a8249bb5a6457a73be1e89d18c7cdb3ae685c06e0d4a13b64f1411cc428c217d58a7052a

Download Submit
C:\Windows\{AD9FA93D-3E88-472b-9AEF-4AA147F6AA4C}.exe

Filesize
180KB

MD5
e3ac1d46514658e9eade11305b79c573

SHA1
158db02162580ba8e25bd92d816035713404188f

SHA256
6bdc86023a950a85df7310f4d441d9767761f4776e9b5b5e4c09a11a447e515f

SHA512
bda7f3002513eef6201dd3861af85447f2522afb67212f13b68b2bc92f74a5c9a84cac48ef77165e8f4efd31083e8d7adc585eb8c7808879136825da4c94e836

Download Submit
C:\Windows\{DF85D7FF-4D8A-4798-B1E9-2702772A1617}.exe

Filesize
180KB

MD5
58902b082ca67df52655479f9681559b

SHA1
655a39d1da76fc4fc8b65bcb17059c87c9a58e02

SHA256
c53b586152eb9925a854f04f313d5a4e36284b14df0863f97c4ce6029114988e

SHA512
1b2fcb671f17fb107c61d835a4d657cb381dfe064e4f2aad9b7caf2e9bffdc2283037ae022e9df99e7ba857ac742744d25dd3e686ae5289b811d70d90d594a05

Download Submit
C:\Windows\{E9F3E190-74CE-4e71-9ECF-B590ECB3460F}.exe

Filesize
180KB

MD5
5eab7c88ed574ab4112fb00c1dbfe0d6

SHA1
b4e2c6285ef0c7c8a2ade111e381db0f6f5df041

SHA256
a3d4f196918c8ed507f33a07bffb5953f9147cb4ab6a5ef9079f3e1182be2bbc

SHA512
8400c3b1ee3a97d6bd17f0f9f0468b130b6163b1fdb7a4b88f3c882f905167bdaa39d320f00dad74b1e984a91ebabfd71aa4282bc4354968e042e7b818f64322

Download Submit