kinsing | 5d9f1973f2ec098801c0e432c5452fc74da5cf7a5406e70d535c85f9b71e66a5

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe
Size

180KB
MD5

c38a1ee7a2fc8a8b51794c4507367763
SHA1

9f7ffbb73f95484b306909a9335aa354f78ff6aa
SHA256

5d9f1973f2ec098801c0e432c5452fc74da5cf7a5406e70d535c85f9b71e66a5
SHA512

ad2c3c48ff14544f85384f94b4e3ab9628b610fd7794b1dbf3dff04a3fde73b603043ba08c680070a8b118c5f64a3251068233651f1b110206090b27933ff01d
SSDEEP

3072:jEGh0omlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG4l5eKcAEc

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe{237B8235-A692-4210-8215-42138B313AD6}.exe{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe{56242C18-F26A-4019-9438-F64128E548A7}.exe{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe{51E70146-1B83-4898-9822-863C03A3DD16}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}\stubpath = "C:\\Windows\\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe"	2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}	{237B8235-A692-4210-8215-42138B313AD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}\stubpath = "C:\\Windows\\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe"	{237B8235-A692-4210-8215-42138B313AD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}\stubpath = "C:\\Windows\\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe"	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}\stubpath = "C:\\Windows\\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe"	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}\stubpath = "C:\\Windows\\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe"	{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51E70146-1B83-4898-9822-863C03A3DD16}\stubpath = "C:\\Windows\\{51E70146-1B83-4898-9822-863C03A3DD16}.exe"	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}\stubpath = "C:\\Windows\\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe"	{56242C18-F26A-4019-9438-F64128E548A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}\stubpath = "C:\\Windows\\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe"	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}	{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}	2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51E70146-1B83-4898-9822-863C03A3DD16}	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{237B8235-A692-4210-8215-42138B313AD6}\stubpath = "C:\\Windows\\{237B8235-A692-4210-8215-42138B313AD6}.exe"	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56242C18-F26A-4019-9438-F64128E548A7}	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56242C18-F26A-4019-9438-F64128E548A7}\stubpath = "C:\\Windows\\{56242C18-F26A-4019-9438-F64128E548A7}.exe"	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}	{56242C18-F26A-4019-9438-F64128E548A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}	{51E70146-1B83-4898-9822-863C03A3DD16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}\stubpath = "C:\\Windows\\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe"	{51E70146-1B83-4898-9822-863C03A3DD16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{237B8235-A692-4210-8215-42138B313AD6}	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}\stubpath = "C:\\Windows\\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe"	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe

Executes dropped EXE 12 IoCs

Processes:

{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe{51E70146-1B83-4898-9822-863C03A3DD16}.exe{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe{237B8235-A692-4210-8215-42138B313AD6}.exe{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe{56242C18-F26A-4019-9438-F64128E548A7}.exe{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe

pid	process
4480	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
2260	{51E70146-1B83-4898-9822-863C03A3DD16}.exe
1424	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
4500	{237B8235-A692-4210-8215-42138B313AD6}.exe
2780	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
4440	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
4840	{56242C18-F26A-4019-9438-F64128E548A7}.exe
1136	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
4400	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
552	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
3408	{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
3132	{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe

Drops file in Windows directory 12 IoCs

Processes:

{51E70146-1B83-4898-9822-863C03A3DD16}.exe{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe{56242C18-F26A-4019-9438-F64128E548A7}.exe{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe{237B8235-A692-4210-8215-42138B313AD6}.exe{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe

description	ioc	process
File created	C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe	{51E70146-1B83-4898-9822-863C03A3DD16}.exe
File created	C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
File created	C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
File created	C:\Windows\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe	{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
File created	C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe	{56242C18-F26A-4019-9438-F64128E548A7}.exe
File created	C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
File created	C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
File created	C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe	2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe
File created	C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
File created	C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
File created	C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe	{237B8235-A692-4210-8215-42138B313AD6}.exe
File created	C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe{51E70146-1B83-4898-9822-863C03A3DD16}.exe{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe{237B8235-A692-4210-8215-42138B313AD6}.exe{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe{56242C18-F26A-4019-9438-F64128E548A7}.exe{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3960	2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4480	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
Token: SeIncBasePriorityPrivilege	2260	{51E70146-1B83-4898-9822-863C03A3DD16}.exe
Token: SeIncBasePriorityPrivilege	1424	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
Token: SeIncBasePriorityPrivilege	4500	{237B8235-A692-4210-8215-42138B313AD6}.exe
Token: SeIncBasePriorityPrivilege	2780	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
Token: SeIncBasePriorityPrivilege	4440	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
Token: SeIncBasePriorityPrivilege	4840	{56242C18-F26A-4019-9438-F64128E548A7}.exe
Token: SeIncBasePriorityPrivilege	1136	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
Token: SeIncBasePriorityPrivilege	4400	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
Token: SeIncBasePriorityPrivilege	552	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
Token: SeIncBasePriorityPrivilege	3408	{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3960 wrote to memory of 4480	3960	2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
PID 3960 wrote to memory of 4480	3960	2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
PID 3960 wrote to memory of 4480	3960	2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
PID 3960 wrote to memory of 3908	3960	2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe	cmd.exe
PID 3960 wrote to memory of 3908	3960	2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe	cmd.exe
PID 3960 wrote to memory of 3908	3960	2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe	cmd.exe
PID 4480 wrote to memory of 2260	4480	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe	{51E70146-1B83-4898-9822-863C03A3DD16}.exe
PID 4480 wrote to memory of 2260	4480	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe	{51E70146-1B83-4898-9822-863C03A3DD16}.exe
PID 4480 wrote to memory of 2260	4480	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe	{51E70146-1B83-4898-9822-863C03A3DD16}.exe
PID 4480 wrote to memory of 4860	4480	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe	cmd.exe
PID 4480 wrote to memory of 4860	4480	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe	cmd.exe
PID 4480 wrote to memory of 4860	4480	{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe	cmd.exe
PID 2260 wrote to memory of 1424	2260	{51E70146-1B83-4898-9822-863C03A3DD16}.exe	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
PID 2260 wrote to memory of 1424	2260	{51E70146-1B83-4898-9822-863C03A3DD16}.exe	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
PID 2260 wrote to memory of 1424	2260	{51E70146-1B83-4898-9822-863C03A3DD16}.exe	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
PID 2260 wrote to memory of 3556	2260	{51E70146-1B83-4898-9822-863C03A3DD16}.exe	cmd.exe
PID 2260 wrote to memory of 3556	2260	{51E70146-1B83-4898-9822-863C03A3DD16}.exe	cmd.exe
PID 2260 wrote to memory of 3556	2260	{51E70146-1B83-4898-9822-863C03A3DD16}.exe	cmd.exe
PID 1424 wrote to memory of 4500	1424	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe	{237B8235-A692-4210-8215-42138B313AD6}.exe
PID 1424 wrote to memory of 4500	1424	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe	{237B8235-A692-4210-8215-42138B313AD6}.exe
PID 1424 wrote to memory of 4500	1424	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe	{237B8235-A692-4210-8215-42138B313AD6}.exe
PID 1424 wrote to memory of 3656	1424	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe	cmd.exe
PID 1424 wrote to memory of 3656	1424	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe	cmd.exe
PID 1424 wrote to memory of 3656	1424	{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe	cmd.exe
PID 4500 wrote to memory of 2780	4500	{237B8235-A692-4210-8215-42138B313AD6}.exe	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
PID 4500 wrote to memory of 2780	4500	{237B8235-A692-4210-8215-42138B313AD6}.exe	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
PID 4500 wrote to memory of 2780	4500	{237B8235-A692-4210-8215-42138B313AD6}.exe	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
PID 4500 wrote to memory of 3228	4500	{237B8235-A692-4210-8215-42138B313AD6}.exe	cmd.exe
PID 4500 wrote to memory of 3228	4500	{237B8235-A692-4210-8215-42138B313AD6}.exe	cmd.exe
PID 4500 wrote to memory of 3228	4500	{237B8235-A692-4210-8215-42138B313AD6}.exe	cmd.exe
PID 2780 wrote to memory of 4440	2780	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
PID 2780 wrote to memory of 4440	2780	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
PID 2780 wrote to memory of 4440	2780	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
PID 2780 wrote to memory of 4612	2780	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe	cmd.exe
PID 2780 wrote to memory of 4612	2780	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe	cmd.exe
PID 2780 wrote to memory of 4612	2780	{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe	cmd.exe
PID 4440 wrote to memory of 4840	4440	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe	{56242C18-F26A-4019-9438-F64128E548A7}.exe
PID 4440 wrote to memory of 4840	4440	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe	{56242C18-F26A-4019-9438-F64128E548A7}.exe
PID 4440 wrote to memory of 4840	4440	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe	{56242C18-F26A-4019-9438-F64128E548A7}.exe
PID 4440 wrote to memory of 3632	4440	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe	cmd.exe
PID 4440 wrote to memory of 3632	4440	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe	cmd.exe
PID 4440 wrote to memory of 3632	4440	{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe	cmd.exe
PID 4840 wrote to memory of 1136	4840	{56242C18-F26A-4019-9438-F64128E548A7}.exe	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
PID 4840 wrote to memory of 1136	4840	{56242C18-F26A-4019-9438-F64128E548A7}.exe	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
PID 4840 wrote to memory of 1136	4840	{56242C18-F26A-4019-9438-F64128E548A7}.exe	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
PID 4840 wrote to memory of 2424	4840	{56242C18-F26A-4019-9438-F64128E548A7}.exe	cmd.exe
PID 4840 wrote to memory of 2424	4840	{56242C18-F26A-4019-9438-F64128E548A7}.exe	cmd.exe
PID 4840 wrote to memory of 2424	4840	{56242C18-F26A-4019-9438-F64128E548A7}.exe	cmd.exe
PID 1136 wrote to memory of 4400	1136	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
PID 1136 wrote to memory of 4400	1136	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
PID 1136 wrote to memory of 4400	1136	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
PID 1136 wrote to memory of 4876	1136	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe	cmd.exe
PID 1136 wrote to memory of 4876	1136	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe	cmd.exe
PID 1136 wrote to memory of 4876	1136	{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe	cmd.exe
PID 4400 wrote to memory of 552	4400	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
PID 4400 wrote to memory of 552	4400	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
PID 4400 wrote to memory of 552	4400	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
PID 4400 wrote to memory of 3780	4400	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe	cmd.exe
PID 4400 wrote to memory of 3780	4400	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe	cmd.exe
PID 4400 wrote to memory of 3780	4400	{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe	cmd.exe
PID 552 wrote to memory of 3408	552	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe	{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
PID 552 wrote to memory of 3408	552	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe	{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
PID 552 wrote to memory of 3408	552	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe	{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
PID 552 wrote to memory of 2340	552	{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c38a1ee7a2fc8a8b51794c4507367763_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe
C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{51E70~1.EXE > nul
4⤵
PID:3556

C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe
C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{237B8~1.EXE > nul
6⤵
PID:3228

C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9E2CE~1.EXE > nul
7⤵
PID:4612

C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe
C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{86AEA~1.EXE > nul
12⤵
PID:2340

C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{774B8~1.EXE > nul
13⤵
PID:2380

C:\Windows\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe
C:\Windows\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe
13⤵
- Executes dropped EXE
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{133F6~1.EXE > nul
11⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BAABA~1.EXE > nul
10⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{56242~1.EXE > nul
9⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A1F25~1.EXE > nul
8⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{549A3~1.EXE > nul
5⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7EB16~1.EXE > nul
3⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{133F6D0E-34CD-42f3-A145-3E0E68096AAA}.exe

Filesize
180KB

MD5
f00a1b5da2a72a8906497ac192f2126d

SHA1
6bb1a8c49646ace37c42b1f0b639e729b2a698e3

SHA256
629dce38daed1e6ec1a83e7f64de992ca8199f882cf79c814047679e17b84f97

SHA512
a1a3aa556d32e6f4071e0f32ef0e62263325dcff078966a730dcb71b7953e800ee1e6b1ae54be646bbcc7ee2420cff14099f465518e200add8c8b4c1cc2ebe1c

Download Submit
C:\Windows\{237B8235-A692-4210-8215-42138B313AD6}.exe

Filesize
180KB

MD5
296ed0340ba14ff991d342dd933b4e1f

SHA1
eccbb2a734839a79ad25fe83a62d3fe8071475af

SHA256
ede5fc8d5c583c9870d9e7bd335a4778872949c061aa2ecb8b4fd2390e996035

SHA512
a9f153b7fdd7a133a68617007a7ef78857d5f047f884941ecf4deb260dfa58b8a8d827d0fb60d8af2a7aea5a1f8fdd256b524aeffdef21b7db22a6d7020e5777

Download Submit
C:\Windows\{3FEA1975-C641-4f35-9CE4-DE5F802BEBFE}.exe

Filesize
180KB

MD5
91a9c1a8af8f5220b14c03a97b1ce6d0

SHA1
fab379ff06ab67f7fabdaa9bd8fa6f6e696f41d5

SHA256
8e8fda1a9bdea89bc292a996d959c6a0a376c4fea204e131eb57665917e76480

SHA512
7d7ef0ddc2dde9a4e79c94b2131e756e782470c32b7ec3adc5c77d86bd23c3a9335863e6f9005f1625f52b9c8c64bf5dc0b57632d25591f0ffa46dc9ff5dfd03

Download Submit
C:\Windows\{51E70146-1B83-4898-9822-863C03A3DD16}.exe

Filesize
180KB

MD5
f4169f68df5592f8b3c1b57aafa84102

SHA1
4a47ff6c0f68f724e326e638f2f151d4f54a5cac

SHA256
6e669720a2f6ce76d8f82b0b36c047d6af90fa780925a1a66ddcd01af0e78c76

SHA512
c02e9926fa4a70db73d5572daa0d2842531caf814f6d909964828fb923b2c8a0f6ca9c5c6f565f4c608f8c2208a12111d32fe6a58d1e6b7283f14fa890f87a3a

Download Submit
C:\Windows\{549A3C51-9BDA-4b62-B9CB-4F53881B8A4C}.exe

Filesize
180KB

MD5
46ce47fde58aebfcfefaa51ce237af85

SHA1
87dd40ad6ff2c5fdb69314305857e819674b17d3

SHA256
babcc30ae6a7b72d767eac88ca3cba6584c85798005a2c85f2f0c7eb4fc227c0

SHA512
f0f4aba4f854e863355a1d42bfc817d47fbec9c2a81749ea51f61a3727c75c444f316d0d66aa9113aa6fb04e5fb6957d4300b1ed2f2fe77f75fd65a2a156677f

Download Submit
C:\Windows\{56242C18-F26A-4019-9438-F64128E548A7}.exe

Filesize
180KB

MD5
93a94bb56336c24d3576d8419d6cb5b9

SHA1
00f299788752363f2da5af8f99c2fe85b056b5e0

SHA256
ef063e7127e1b1e881fe2e143504e3facad312205afde650a6f42ed5dc8a969b

SHA512
03c2083fbca8fa099deff99b732ead1dc5c5e13213d9c7a3329d2d674df5b627c0ddc527cb9e11a0946c38cd10a03b4278c92b37772eea3fd2820dbc45c50668

Download Submit
C:\Windows\{774B8040-6332-4a12-9EE0-A7B90CB78FB8}.exe

Filesize
180KB

MD5
c598a79b03182a3a806eec04d467cecb

SHA1
1b94bdf992054194b660038dae0f1a025a01dc87

SHA256
ea690e33899bc973dd1cbc9fa2121db0e281b6763cca03c7111449ea2f81d7f9

SHA512
475111bab9ea85c7b5cdd239e0657d679e71370e020a564302717ee043a5773d54e75ba2cfe9043cb0686b2aa0da50d70d08d1a64b4dd1fa2f959af1b80d349f

Download Submit
C:\Windows\{7EB1622B-68A3-4e32-B4BA-ACE2C54AB75A}.exe

Filesize
180KB

MD5
26165d1498b4136eb952c3d5042cd3c3

SHA1
451bc93acc40f762bcdd5486e5603ef73a391a52

SHA256
c6a78393b269b48b87d8fd89a0d2a42afb17ede5bcb026999c973ad60352ee37

SHA512
02430b061cdd2db89010cef2ae3ea1de51c6052e83062d487d9c91d6471bbcae908c1d9f10646cd4d362bb132e26d76f459938abad140db3c15e260962de6782

Download Submit
C:\Windows\{86AEAFEC-2EA7-46a8-B822-B02868EE48DA}.exe

Filesize
180KB

MD5
d12244ab0b732477bf4d99e465cc672e

SHA1
757f0091489154699fe0fa4f75169de074357623

SHA256
91198cd4606f299bbac5f57d04a12d225175d95545ccb5365c280216d66662cf

SHA512
cc65536fa38f7177a8e56a1dc78d8d2e2019d9abe5ece7e4056bd2c4121aa38d98f9edbf6cdd67c9a36d7d6c3cd2109aca15da7f5c8ef5037d44c566e68b417e

Download Submit
C:\Windows\{9E2CEA35-0C0A-42fc-9076-07854D2D05E9}.exe

Filesize
180KB

MD5
9c0189b6fdadd7b6d51c2d74f7a02648

SHA1
c79ae3b32dd46bb01420697406d80daf2215160b

SHA256
5eb3140d9f420d736ee309b74e6ef848838d81767601058a2baac65bf7452c0c

SHA512
ab21119c44eb20b8aa6bd13f1b3846c23fb50ac306e4f09fddfbf79c4d7f10b1959fcbc880a3a82d71b8ae0c972ac8b182c2e2cc488e46b9757462039b8a31f9

Download Submit
C:\Windows\{A1F25698-5C55-4306-A01C-0351A7E8B4D1}.exe

Filesize
180KB

MD5
0c7dd4473744c6ff7cade67a334ffdad

SHA1
1d015f424c4957510e98286df3bd511832cb16a5

SHA256
a686575c57fbb4cae369415ac88351b22b8e0eb4b6851888a98802da958eb606

SHA512
b514bf3f3e61288e39c0090c43d9dd3c38eed00cede22a5dabf69def77141e862d49d2639e3ead2a550887b3f2e922281247792137cb264f9ad52cd26130fa21

Download Submit
C:\Windows\{BAABA5AD-D1BE-43ba-AA9B-E6AA152F276E}.exe

Filesize
180KB

MD5
0da60c59bcf98d48b3da20889df95eba

SHA1
80e637bfecba573a4617d2b304a0014ecd616d90

SHA256
c140a85f10fb40f9bae747686fdbd01de82f3a7ecf6adb0f95d79f8f8514e4c4

SHA512
784c1e22600c2d316408c28ed05fb12c136274b19df00a0c924a7297d164652a0e2576d25fc3338d2ec28311c7986445bda7522c54100095c67fbd8e880aa95f

Download Submit