Analysis

  • max time kernel: 149s
  • max time network: 121s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231222-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25/01/2024, 17:36

General

  • Target: 2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe
  • Size: 372KB
  • MD5: ba912d46e1acfaf79d03097f09a2702c
  • SHA1: 5498bf61a4d1dd745ffd368f4322cd1fd2484032
  • SHA256: a0dc464d4cce80c660597babf8923ad92308d4a14fafaa54cdc7670e09dd7955
  • SHA512: d2c2ae47d101fa2645acfe9a7e4c04fc6d05f6820971cf8f8fae396c17ba8f2345c62b7e1908bc6848601c94ab07e6ac63296a382e35dde2130855fc057b5f44
  • SSDEEP: 3072:CEGh0o1mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG+l/Oe2MUVg3vTeKcAEciTBqr3

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

  • Auto-generated rule (12 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ba912d46e1acfaf79d03097f09a2702c_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe
      C:\Windows\{D0F1EA7A-2F1B-4efa-B788-AC2990267966}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe
        C:\Windows\{DAD82DD5-53A4-4bf2-BEEF-2BFB20BF160D}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3368
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{DAD82~1.EXE > nul
          4⤵
            PID:2560
          • C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe
            C:\Windows\{8551C881-BBDE-4ced-9E91-39DF7869C7E0}.exe
            4⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe
              C:\Windows\{EBCCADB4-7C44-4862-AB2F-34C1966E9F24}.exe
              5⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4104
              • C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe
                C:\Windows\{687CE137-DE99-4efc-BED3-8623A85FCF29}.exe
                6⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3280
                • C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe
                  C:\Windows\{26002FD4-506F-4c36-8D6F-5EAF6055645E}.exe
                  7⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4412
                  • C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe
                    C:\Windows\{255AEA71-27D5-465e-B041-DAB523135730}.exe
                    8⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2300
                    • C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe
                      C:\Windows\{31A19E2F-6C67-4d4d-AE58-83CACB738BF3}.exe
                      9⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2160
                      • C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe
                        C:\Windows\{2F97DB11-74EE-4363-97E6-0374FBC59718}.exe
                        10⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:220
                        • C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe
                          C:\Windows\{8D83283C-F091-4629-82A2-D8E726D4E244}.exe
                          11⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3756
                          • C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe
                            C:\Windows\{72980CFE-CB37-40b6-9963-A224BAC4BB16}.exe
                            12⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3848
                            • C:\Windows\{5426CA61-0DFD-4660-AA3D-8F7AFE38BBF5}.exe
                              C:\Windows\{5426CA61-0DFD-4660-AA3D-8F7AFE38BBF5}.exe
                              13⤵
                              • Executes dropped EXE
                              PID:5032
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{72980~1.EXE > nul
                              13⤵
                                PID:4552
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8D832~1.EXE > nul
                            12⤵
                              PID:4952
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2F97D~1.EXE > nul
                          11⤵
                            PID:5044
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{31A19~1.EXE > nul
                        10⤵
                          PID:864
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{255AE~1.EXE > nul
                      9⤵
                        PID:2752
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{26002~1.EXE > nul
                    8⤵
                      PID:720
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{687CE~1.EXE > nul
                  7⤵
                    PID:3660
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EBCCA~1.EXE > nul
                6⤵
                  PID:464
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8551C~1.EXE > nul
              5⤵
                PID:3700
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0F1E~1.EXE > nul
        3⤵
          PID:3376
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
        PID:1196

Downloads
