kinsing | f95bea8a787e5c35bc388b3ba31f06870b375a79c5ffc77637f71ff711a1eaa7

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
Size

408KB
MD5

b25995657451cc71f73ab21b1aaba40e
SHA1

82b2fe6e0f66f45bdd2ab9d34b4b7ea69344029c
SHA256

f95bea8a787e5c35bc388b3ba31f06870b375a79c5ffc77637f71ff711a1eaa7
SHA512

753338a85af6a16cf34bb1382a66331fbdfb42d70b468b2cf72cf44805e532250ed8ecc7f65a1399b2920083d96c05213446c3923688c49eb5ead133d2a832c5
SSDEEP

3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGlldOe2MUVg3vTeKcAEciTBqr3jy

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000600000002321c-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023215-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023223-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023215-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe{F4455941-3769-4acc-8800-12209B85342E}.exe{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe{919E231D-50AA-4373-A3CB-57851920DF7A}.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF5C0BA-7E04-4766-879F-98EFFA307402}\stubpath = "C:\\Windows\\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe"	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}\stubpath = "C:\\Windows\\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe"	{F4455941-3769-4acc-8800-12209B85342E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0A74C8-F535-468e-8C02-A7B6420F2861}	{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF5C0BA-7E04-4766-879F-98EFFA307402}	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}\stubpath = "C:\\Windows\\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe"	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}\stubpath = "C:\\Windows\\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe"	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74E51847-9B6E-464c-8559-D71CA8D760D1}	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919E231D-50AA-4373-A3CB-57851920DF7A}	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0A74C8-F535-468e-8C02-A7B6420F2861}\stubpath = "C:\\Windows\\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe"	{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}\stubpath = "C:\\Windows\\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe"	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919E231D-50AA-4373-A3CB-57851920DF7A}\stubpath = "C:\\Windows\\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe"	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4455941-3769-4acc-8800-12209B85342E}\stubpath = "C:\\Windows\\{F4455941-3769-4acc-8800-12209B85342E}.exe"	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}	{F4455941-3769-4acc-8800-12209B85342E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}\stubpath = "C:\\Windows\\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe"	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74E51847-9B6E-464c-8559-D71CA8D760D1}\stubpath = "C:\\Windows\\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe"	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}\stubpath = "C:\\Windows\\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe"	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}\stubpath = "C:\\Windows\\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe"	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4455941-3769-4acc-8800-12209B85342E}	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe

Executes dropped EXE 12 IoCs

Processes:

{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe{919E231D-50AA-4373-A3CB-57851920DF7A}.exe{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe{F4455941-3769-4acc-8800-12209B85342E}.exe{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe

pid	Process
3616	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
4476	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
3196	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
2692	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
1572	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
2160	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
2984	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
3480	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
3536	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
4100	{F4455941-3769-4acc-8800-12209B85342E}.exe
1224	{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
1428	{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe

Drops file in Windows directory 12 IoCs

Processes:

{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe{F4455941-3769-4acc-8800-12209B85342E}.exe2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe{919E231D-50AA-4373-A3CB-57851920DF7A}.exe{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe

description	ioc	Process
File created	C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
File created	C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
File created	C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
File created	C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe	{F4455941-3769-4acc-8800-12209B85342E}.exe
File created	C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
File created	C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
File created	C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
File created	C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
File created	C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
File created	C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
File created	C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe	{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
File created	C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe{919E231D-50AA-4373-A3CB-57851920DF7A}.exe{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe{F4455941-3769-4acc-8800-12209B85342E}.exe{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	4644	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3616	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
Token: SeIncBasePriorityPrivilege	4476	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
Token: SeIncBasePriorityPrivilege	3196	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
Token: SeIncBasePriorityPrivilege	2692	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
Token: SeIncBasePriorityPrivilege	1572	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
Token: SeIncBasePriorityPrivilege	2160	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
Token: SeIncBasePriorityPrivilege	2984	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
Token: SeIncBasePriorityPrivilege	3480	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
Token: SeIncBasePriorityPrivilege	3536	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
Token: SeIncBasePriorityPrivilege	4100	{F4455941-3769-4acc-8800-12209B85342E}.exe
Token: SeIncBasePriorityPrivilege	1224	{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 4644 wrote to memory of 3616	4644	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	97
PID 4644 wrote to memory of 3616	4644	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	97
PID 4644 wrote to memory of 3616	4644	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	97
PID 4644 wrote to memory of 220	4644	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	98
PID 4644 wrote to memory of 220	4644	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	98
PID 4644 wrote to memory of 220	4644	2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe	98
PID 3616 wrote to memory of 4476	3616	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe	99
PID 3616 wrote to memory of 4476	3616	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe	99
PID 3616 wrote to memory of 4476	3616	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe	99
PID 3616 wrote to memory of 3672	3616	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe	100
PID 3616 wrote to memory of 3672	3616	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe	100
PID 3616 wrote to memory of 3672	3616	{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe	100
PID 4476 wrote to memory of 3196	4476	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe	103
PID 4476 wrote to memory of 3196	4476	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe	103
PID 4476 wrote to memory of 3196	4476	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe	103
PID 4476 wrote to memory of 1040	4476	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe	102
PID 4476 wrote to memory of 1040	4476	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe	102
PID 4476 wrote to memory of 1040	4476	{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe	102
PID 3196 wrote to memory of 2692	3196	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe	104
PID 3196 wrote to memory of 2692	3196	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe	104
PID 3196 wrote to memory of 2692	3196	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe	104
PID 3196 wrote to memory of 2376	3196	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe	105
PID 3196 wrote to memory of 2376	3196	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe	105
PID 3196 wrote to memory of 2376	3196	{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe	105
PID 2692 wrote to memory of 1572	2692	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe	106
PID 2692 wrote to memory of 1572	2692	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe	106
PID 2692 wrote to memory of 1572	2692	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe	106
PID 2692 wrote to memory of 2920	2692	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe	107
PID 2692 wrote to memory of 2920	2692	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe	107
PID 2692 wrote to memory of 2920	2692	{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe	107
PID 1572 wrote to memory of 2160	1572	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe	108
PID 1572 wrote to memory of 2160	1572	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe	108
PID 1572 wrote to memory of 2160	1572	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe	108
PID 1572 wrote to memory of 4912	1572	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe	109
PID 1572 wrote to memory of 4912	1572	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe	109
PID 1572 wrote to memory of 4912	1572	{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe	109
PID 2160 wrote to memory of 2984	2160	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe	110
PID 2160 wrote to memory of 2984	2160	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe	110
PID 2160 wrote to memory of 2984	2160	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe	110
PID 2160 wrote to memory of 4248	2160	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe	111
PID 2160 wrote to memory of 4248	2160	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe	111
PID 2160 wrote to memory of 4248	2160	{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe	111
PID 2984 wrote to memory of 3480	2984	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe	112
PID 2984 wrote to memory of 3480	2984	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe	112
PID 2984 wrote to memory of 3480	2984	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe	112
PID 2984 wrote to memory of 2580	2984	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe	113
PID 2984 wrote to memory of 2580	2984	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe	113
PID 2984 wrote to memory of 2580	2984	{919E231D-50AA-4373-A3CB-57851920DF7A}.exe	113
PID 3480 wrote to memory of 3536	3480	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe	114
PID 3480 wrote to memory of 3536	3480	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe	114
PID 3480 wrote to memory of 3536	3480	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe	114
PID 3480 wrote to memory of 4736	3480	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe	115
PID 3480 wrote to memory of 4736	3480	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe	115
PID 3480 wrote to memory of 4736	3480	{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe	115
PID 3536 wrote to memory of 4100	3536	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe	116
PID 3536 wrote to memory of 4100	3536	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe	116
PID 3536 wrote to memory of 4100	3536	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe	116
PID 3536 wrote to memory of 5004	3536	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe	117
PID 3536 wrote to memory of 5004	3536	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe	117
PID 3536 wrote to memory of 5004	3536	{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe	117
PID 4100 wrote to memory of 1224	4100	{F4455941-3769-4acc-8800-12209B85342E}.exe	118
PID 4100 wrote to memory of 1224	4100	{F4455941-3769-4acc-8800-12209B85342E}.exe	118
PID 4100 wrote to memory of 1224	4100	{F4455941-3769-4acc-8800-12209B85342E}.exe	118
PID 4100 wrote to memory of 4892	4100	{F4455941-3769-4acc-8800-12209B85342E}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
  C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
    C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{802E5~1.EXE > nul
      4⤵
      PID:1040
  - - C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
      C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
        
        C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
        
        C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
        
        C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
        
        C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
        
        C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
        
        C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe
        
        C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
        
        C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe
        
        C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe
        13⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB097~1.EXE > nul
        13⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4455~1.EXE > nul
        12⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD4C0~1.EXE > nul
        11⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FF6B~1.EXE > nul
        10⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{919E2~1.EXE > nul
        9⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16687~1.EXE > nul
        8⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74E51~1.EXE > nul
        7⤵
        
        PID:4912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FAC~1.EXE > nul
        6⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC5C1~1.EXE > nul
        5⤵
        
        PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8CF5C~1.EXE > nul
    3⤵
    PID:3672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe

Filesize
408KB

MD5
ba3a8a9852bf1efc8f57b00c365cd744

SHA1
dcbeed06b7d34175155de5d3aa63c6024972a621

SHA256
509abdd2297784a4d9f4e6c801136247fe209c425184415b7dbbf3853d674cca

SHA512
b64f054b576e66271ab81fe61797db903b10b94a90e0517b44f846c26e231de2c798934ddb56c97f3b26d986a805a571fea878941fdcce1bbbcd3b4d4cb527f0

Download Submit
C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe

Filesize
408KB

MD5
73091a021f6771c9da54f14d294b83d4

SHA1
d200f7a36e620271ab178a308bf86b58cbe9c58f

SHA256
c6d8a5e5940cd828152a69b6c0adf21e69523385fab15efb9c9abb8b7dc9f27d

SHA512
6ffab31d2e57a282aade3104803988d77b59b375ca178999a105c50da4ce080bb508ada1b8178b4c26eb716bd6f9a634c5778a16723ed9c26dd37bdccaece6bc

Download Submit
C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe

Filesize
408KB

MD5
1c622e73dd1ed14f920eb2fc6966f1d8

SHA1
fd44eb1bc32243a5aaf209137d7f4d716b753119

SHA256
760584b27dde312b867eb77363220489b2cbea8c44d542e90d335b25e02f07e2

SHA512
36a10bec646bae4d980fcdb56b49157a6025b6073b636849e6c5d1eb57fd72cc417429e9660b91889a75798ddcf71c06d58075e73b460c8809d365799d6a12d8

Download Submit
C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe

Filesize
408KB

MD5
4cf52c253e2438515a9aa31357c3d025

SHA1
602a80c58468dfa76f5ab65f79dc4d9734070678

SHA256
070436da7c3288b12d4a081398cd51c0b1055b213e173a24b8d63f1396ed9513

SHA512
5f1c159d6546e372173c4220a00b2c583a42c2e087a2316308851c09b21bccfd97bed06d6400e7f5ac8bf6cdf47ea565f8f54bf6dbea5befa5fb8909fe79fc79

Download Submit
C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe

Filesize
408KB

MD5
d070d08fe8d5a1835e7ab685993ed67e

SHA1
cd0a83285fc82b219a1ca923f97dfd99a408d59c

SHA256
34acbccebb394464b3f9d8bb5f160439d543890ee1e35351924b929d1bc228df

SHA512
900b217de59c5a00e55653c7b2daffa23a15744eb599874fbaed1c949a877847dd8e653d33b99af0289eeb4ed83e80846b4f843fe1307684b39e22c8f6041209

Download Submit
C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe

Filesize
408KB

MD5
20b6b1eb5c60693ec200d49c7b46d39a

SHA1
8723cefd3c7376bd1f62c62b879da53adb67fb68

SHA256
05ed682bf304f42891eee86d41194013309c95dd5032bc0415d0226382e1348f

SHA512
f8c5e3cd75c667246335a23021310785dd32c1b6dcdcd091ac0b23c48e4837429c307a9bd8e666eae41fc67cdc796e626e684c8330a21fc4b94b7b9939131480

Download Submit
C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe

Filesize
408KB

MD5
42c4962ce22f7ad87443e6e099e6a838

SHA1
58d68adcf0617b749112b9cbd4654c3e4e0184e5

SHA256
64bef5a4671bc2dce468391f62e8ebe6192b8a36681758dc5587993d4d9a2f0e

SHA512
3f1b8753d1102132d0ea9bf01988719db3178a5e212838d5cb15bb9830fab9aa913e4b637605ff998662e7f50c4dd087900c50e62d4257178900fcc6ada01dd4

Download Submit
C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe

Filesize
408KB

MD5
11f6c73f081b3a0036e9c163c208cdef

SHA1
71c37f7887658c128ba264d021efc34738fe735d

SHA256
7fe8b6a9294f129ea2c08f92f45acb7277cefd1f5694543075d4c04897eb3bc9

SHA512
6bf74d6d3bdf1387ddcc9418ebc405fcbecebdca15a2ff09f0615ccfbd00a6d9f5e002b42dbe186d86b5c4c035b0757ff535e2a741702a876e627862ab181dc3

Download Submit
C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe

Filesize
408KB

MD5
18f54dc3262e8cc5ec56ef6e5eb9fa9a

SHA1
9ae30aa10b344956366ba50cce4e74af9a1ae0fb

SHA256
faf2e704d98a222f46140f2b7305985c815dfe63c8a3dfbd067e8784ee8d7170

SHA512
9f41412100e390627632167ccac047c65a2784c97ee541afbbee426f3c9c7349bc242ef6528648dc5466e226607eef9eaa220d303654092b79455b5d6113d4e9

Download Submit
C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe

Filesize
408KB

MD5
c7cc37cf8157663c74a2b7429629605f

SHA1
481f83c0f6923e43070a8cecc9523d3e4e8bb1f7

SHA256
5205ae9d05e5d504d88a57bde57796aeadcb221aca22e0094292e4b5805171b8

SHA512
79cd4b1a34f66c9ff32ab40d59218b6217f6292b84f502928dccdd20c7ef1ede43c5331d6b0984107a4cd3a5e472ff5a3a69cb2529847f0419f59995892d51ec

Download Submit
C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe

Filesize
408KB

MD5
4b5e2996a1c41bf05ceb523cc735f7f9

SHA1
6345e6ff54628109d8b23cb19981536ca57d28d6

SHA256
2b2fa5a5f9a7129ea5c3c1a4f17e8cf45cadc1f29919a2f80ce5517fcf1d6911

SHA512
8563873aac7d67e2e6ba28d3621e36337ecd4e4b4e73fa0be568312987482b99cb774ab219687af423b2edeed86b28b4d0e78558a3ec0fb250f0db10bef12988

Download Submit
C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe

Filesize
408KB

MD5
875c820a35b6fba7d71fa19f7b43a781

SHA1
82ba243ae785cc84ad4ce827e0a38678baf78560

SHA256
dad860e597b58dbefdf64ae78770c0b8d626ac1a2a16b4f5e00becf435a147cd

SHA512
e74f64fb4ced272a12ba91a607cbd84c8a2e575fbac1ac5b65d3bd2915eb6036a5fa17a6010e923dbe605025f103ce4e34bacef5e15aed1dd1ca7a2d95eb97dd

Download Submit