Overview

overview

10

Static

static

10

2024-01-25...ye.exe

windows7-x64

9

2024-01-25...ye.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2024 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe

  • Size

    408KB

  • MD5

    b25995657451cc71f73ab21b1aaba40e

  • SHA1

    82b2fe6e0f66f45bdd2ab9d34b4b7ea69344029c

  • SHA256

    f95bea8a787e5c35bc388b3ba31f06870b375a79c5ffc77637f71ff711a1eaa7

  • SHA512

    753338a85af6a16cf34bb1382a66331fbdfb42d70b468b2cf72cf44805e532250ed8ecc7f65a1399b2920083d96c05213446c3923688c49eb5ead133d2a832c5

  • SSDEEP

    3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGlldOe2MUVg3vTeKcAEciTBqr3jy

Score
10/10
kinsingloaderpersistence

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

    loaderkinsing
  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_b25995657451cc71f73ab21b1aaba40e_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
      C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
        C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4476
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{802E5~1.EXE > nul
          4⤵
            PID:1040
          • C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
            C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
            4⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3196
            • C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
              C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
              5⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2692
              • C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
                C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
                6⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1572
                • C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
                  C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
                  7⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2160
                  • C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
                    C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
                    8⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2984
                    • C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
                      C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
                      9⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3480
                      • C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
                        C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
                        10⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3536
                        • C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe
                          C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe
                          11⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4100
                          • C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
                            C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
                            12⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1224
                            • C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe
                              C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe
                              13⤵
                              • Executes dropped EXE
                              PID:1428
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{FB097~1.EXE > nul
                              13⤵
                                PID:2032
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{F4455~1.EXE > nul
                              12⤵
                                PID:4892
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{BD4C0~1.EXE > nul
                              11⤵
                                PID:5004
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{3FF6B~1.EXE > nul
                              10⤵
                                PID:4736
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{919E2~1.EXE > nul
                              9⤵
                                PID:2580
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{16687~1.EXE > nul
                              8⤵
                                PID:4248
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{74E51~1.EXE > nul
                              7⤵
                                PID:4912
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FAC~1.EXE > nul
                              6⤵
                                PID:2920
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{AC5C1~1.EXE > nul
                              5⤵
                                PID:2376
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8CF5C~1.EXE > nul
                            3⤵
                              PID:3672
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                              PID:220

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{16687BAE-30B4-43b9-A8BE-6FB88370FA02}.exe
                            Filesize

                            408KB

                            MD5

                            ba3a8a9852bf1efc8f57b00c365cd744

                            SHA1

                            dcbeed06b7d34175155de5d3aa63c6024972a621

                            SHA256

                            509abdd2297784a4d9f4e6c801136247fe209c425184415b7dbbf3853d674cca

                            SHA512

                            b64f054b576e66271ab81fe61797db903b10b94a90e0517b44f846c26e231de2c798934ddb56c97f3b26d986a805a571fea878941fdcce1bbbcd3b4d4cb527f0

                            Download Submit
                          • C:\Windows\{3FF6BAAC-2A8B-46d7-A1B5-B1A63E636D0E}.exe
                            Filesize

                            408KB

                            MD5

                            73091a021f6771c9da54f14d294b83d4

                            SHA1

                            d200f7a36e620271ab178a308bf86b58cbe9c58f

                            SHA256

                            c6d8a5e5940cd828152a69b6c0adf21e69523385fab15efb9c9abb8b7dc9f27d

                            SHA512

                            6ffab31d2e57a282aade3104803988d77b59b375ca178999a105c50da4ce080bb508ada1b8178b4c26eb716bd6f9a634c5778a16723ed9c26dd37bdccaece6bc

                            Download Submit
                          • C:\Windows\{74E51847-9B6E-464c-8559-D71CA8D760D1}.exe
                            Filesize

                            408KB

                            MD5

                            1c622e73dd1ed14f920eb2fc6966f1d8

                            SHA1

                            fd44eb1bc32243a5aaf209137d7f4d716b753119

                            SHA256

                            760584b27dde312b867eb77363220489b2cbea8c44d542e90d335b25e02f07e2

                            SHA512

                            36a10bec646bae4d980fcdb56b49157a6025b6073b636849e6c5d1eb57fd72cc417429e9660b91889a75798ddcf71c06d58075e73b460c8809d365799d6a12d8

                            Download Submit
                          • C:\Windows\{802E5D5D-C4AB-45f7-8CC7-CE905FF2C3E2}.exe
                            Filesize

                            408KB

                            MD5

                            4cf52c253e2438515a9aa31357c3d025

                            SHA1

                            602a80c58468dfa76f5ab65f79dc4d9734070678

                            SHA256

                            070436da7c3288b12d4a081398cd51c0b1055b213e173a24b8d63f1396ed9513

                            SHA512

                            5f1c159d6546e372173c4220a00b2c583a42c2e087a2316308851c09b21bccfd97bed06d6400e7f5ac8bf6cdf47ea565f8f54bf6dbea5befa5fb8909fe79fc79

                            Download Submit
                          • C:\Windows\{8C0A74C8-F535-468e-8C02-A7B6420F2861}.exe
                            Filesize

                            408KB

                            MD5

                            d070d08fe8d5a1835e7ab685993ed67e

                            SHA1

                            cd0a83285fc82b219a1ca923f97dfd99a408d59c

                            SHA256

                            34acbccebb394464b3f9d8bb5f160439d543890ee1e35351924b929d1bc228df

                            SHA512

                            900b217de59c5a00e55653c7b2daffa23a15744eb599874fbaed1c949a877847dd8e653d33b99af0289eeb4ed83e80846b4f843fe1307684b39e22c8f6041209

                            Download Submit
                          • C:\Windows\{8CF5C0BA-7E04-4766-879F-98EFFA307402}.exe
                            Filesize

                            408KB

                            MD5

                            20b6b1eb5c60693ec200d49c7b46d39a

                            SHA1

                            8723cefd3c7376bd1f62c62b879da53adb67fb68

                            SHA256

                            05ed682bf304f42891eee86d41194013309c95dd5032bc0415d0226382e1348f

                            SHA512

                            f8c5e3cd75c667246335a23021310785dd32c1b6dcdcd091ac0b23c48e4837429c307a9bd8e666eae41fc67cdc796e626e684c8330a21fc4b94b7b9939131480

                            Download Submit
                          • C:\Windows\{919E231D-50AA-4373-A3CB-57851920DF7A}.exe
                            Filesize

                            408KB

                            MD5

                            42c4962ce22f7ad87443e6e099e6a838

                            SHA1

                            58d68adcf0617b749112b9cbd4654c3e4e0184e5

                            SHA256

                            64bef5a4671bc2dce468391f62e8ebe6192b8a36681758dc5587993d4d9a2f0e

                            SHA512

                            3f1b8753d1102132d0ea9bf01988719db3178a5e212838d5cb15bb9830fab9aa913e4b637605ff998662e7f50c4dd087900c50e62d4257178900fcc6ada01dd4

                            Download Submit
                          • C:\Windows\{AC5C1588-F2A1-49c7-9A84-2190D71088A7}.exe
                            Filesize

                            408KB

                            MD5

                            11f6c73f081b3a0036e9c163c208cdef

                            SHA1

                            71c37f7887658c128ba264d021efc34738fe735d

                            SHA256

                            7fe8b6a9294f129ea2c08f92f45acb7277cefd1f5694543075d4c04897eb3bc9

                            SHA512

                            6bf74d6d3bdf1387ddcc9418ebc405fcbecebdca15a2ff09f0615ccfbd00a6d9f5e002b42dbe186d86b5c4c035b0757ff535e2a741702a876e627862ab181dc3

                            Download Submit
                          • C:\Windows\{BD4C013E-69FE-4ac4-B9EB-244C89CF8874}.exe
                            Filesize

                            408KB

                            MD5

                            18f54dc3262e8cc5ec56ef6e5eb9fa9a

                            SHA1

                            9ae30aa10b344956366ba50cce4e74af9a1ae0fb

                            SHA256

                            faf2e704d98a222f46140f2b7305985c815dfe63c8a3dfbd067e8784ee8d7170

                            SHA512

                            9f41412100e390627632167ccac047c65a2784c97ee541afbbee426f3c9c7349bc242ef6528648dc5466e226607eef9eaa220d303654092b79455b5d6113d4e9

                            Download Submit
                          • C:\Windows\{D7FAC5D4-E876-490d-B135-4D1FAFC8012F}.exe
                            Filesize

                            408KB

                            MD5

                            c7cc37cf8157663c74a2b7429629605f

                            SHA1

                            481f83c0f6923e43070a8cecc9523d3e4e8bb1f7

                            SHA256

                            5205ae9d05e5d504d88a57bde57796aeadcb221aca22e0094292e4b5805171b8

                            SHA512

                            79cd4b1a34f66c9ff32ab40d59218b6217f6292b84f502928dccdd20c7ef1ede43c5331d6b0984107a4cd3a5e472ff5a3a69cb2529847f0419f59995892d51ec

                            Download Submit
                          • C:\Windows\{F4455941-3769-4acc-8800-12209B85342E}.exe
                            Filesize

                            408KB

                            MD5

                            4b5e2996a1c41bf05ceb523cc735f7f9

                            SHA1

                            6345e6ff54628109d8b23cb19981536ca57d28d6

                            SHA256

                            2b2fa5a5f9a7129ea5c3c1a4f17e8cf45cadc1f29919a2f80ce5517fcf1d6911

                            SHA512

                            8563873aac7d67e2e6ba28d3621e36337ecd4e4b4e73fa0be568312987482b99cb774ab219687af423b2edeed86b28b4d0e78558a3ec0fb250f0db10bef12988

                            Download Submit
                          • C:\Windows\{FB0979DD-3FA2-435f-9020-19ADDB4AF6EC}.exe
                            Filesize

                            408KB

                            MD5

                            875c820a35b6fba7d71fa19f7b43a781

                            SHA1

                            82ba243ae785cc84ad4ce827e0a38678baf78560

                            SHA256

                            dad860e597b58dbefdf64ae78770c0b8d626ac1a2a16b4f5e00becf435a147cd

                            SHA512

                            e74f64fb4ced272a12ba91a607cbd84c8a2e575fbac1ac5b65d3bd2915eb6036a5fa17a6010e923dbe605025f103ce4e34bacef5e15aed1dd1ca7a2d95eb97dd

                            Download Submit