Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 17:40

General

  • Target

    2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe

  • Size

    372KB

  • MD5

    e9ce5a1b440fb4114446d8dee06b7782

  • SHA1

    037c2635b615c2e552667074c4b6ca20a2c93801

  • SHA256

    c54d81d3a282103b95ab0bd828f1f44f4bdba84b31d12c6f78c08300485a18cb

  • SHA512

    b2c33d59289e9529b26c2145cc4b1466069b6b3608c7c95c7fa656674fddeb1f480c19df2f3256e1120dd6ff24c00ee98a0eec2f585c7fda228c4d46db8d9687

  • SSDEEP

    3072:CEGh0oKmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGdl/Oe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

  • Auto-generated rule (12 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-25_e9ce5a1b440fb4114446d8dee06b7782_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
      C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
        C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5D5E0~1.EXE > nul
          4⤵
            PID:1944
          • C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
            C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe
            4⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1152
            • C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
              C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe
              5⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3968
              • C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe
                C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe
                6⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2680
                • C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe
                  C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe
                  7⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4100
                  • C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe
                    C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe
                    8⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3408
                    • C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe
                      C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe
                      9⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4052
                      • C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe
                        C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe
                        10⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4500
                        • C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe
                          C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe
                          11⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:1520
                          • C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe
                            C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe
                            12⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4648
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{619F1~1.EXE > nul
                              13⤵
                                PID:1524
                              • C:\Windows\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe
                                C:\Windows\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe
                                13⤵
                                • Executes dropped EXE
                                PID:2628
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C03BB~1.EXE > nul
                            12⤵
                              PID:1608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BC2C4~1.EXE > nul
                          11⤵
                            PID:2328
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{728F5~1.EXE > nul
                        10⤵
                          PID:640
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7C06F~1.EXE > nul
                      9⤵
                        PID:1096
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D36D6~1.EXE > nul
                    8⤵
                      PID:3636
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{84521~1.EXE > nul
                  7⤵
                    PID:2800
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5CD51~1.EXE > nul
                6⤵
                  PID:980
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BB700~1.EXE > nul
              5⤵
                PID:1512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD79~1.EXE > nul
        3⤵
          PID:4492
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
        PID:1940

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Windows\{5CD513FA-C5C0-49c5-9ACC-4CA7133898DB}.exe

                            Filesize

                            372KB

                            MD5

                            c2ab2233c82c53e02619d31f23abc401

                            SHA1

                            d69cffc5f18efd3f3ed15c237f608717234ddf90

                            SHA256

                            6f57e9ebd49558844061280b21f1d5289a5b1b5329cc3cead82ba93337d0c25f

                            SHA512

                            1d7c5804ea3199b08d2e3c034774ea0a6c42765d3d56983ce4883436a327a3a1223bbfa90cdb77e9d28006e8034c0f18a8cfa552b7f10fa820bb320031c82d79

                          • C:\Windows\{5D5E049A-A142-43d5-80BB-67C5706BBB63}.exe

                            Filesize

                            372KB

                            MD5

                            d66120a96c303c6ba40873016d900fdd

                            SHA1

                            833776a5c8ac74178e70a79b0512dbf07d5fb2c2

                            SHA256

                            f928d791f24a40b88dae28c667748804eeee6451fe4607dfe9af6d5ae1a24338

                            SHA512

                            f6ea52e6b9ab8fbbc5834ab57516a41d025a4e17b53270684b135a6689b02af70a48e1bee27570f7462dc3f91b33cafeca2fe3d6484aa731226b886c043447ec

                          • C:\Windows\{619F19CC-DE83-47b7-8E85-0AF074336A87}.exe

                            Filesize

                            372KB

                            MD5

                            928eac2efb0d97a65ffd1efa5cee8904

                            SHA1

                            16a781ced4cc48034e6d778c89c7f84d9ef25dd8

                            SHA256

                            9b387826aa866180f79db6bf22cb7a1139b6dd84af1a54688fed80a6924f23dd

                            SHA512

                            90a9e3e4f16d62e8654331a2ca90251ad1edfadbab95db21c29e3bc47618616eae98a5dc5a7e2b2ee738872d70cb8ba929a31fef291413138b76ee7f01cf4fd9

                          • C:\Windows\{728F58DA-165E-4a8b-A8CD-0DA6F82B670A}.exe

                            Filesize

                            372KB

                            MD5

                            f880468121c3099e1e5f28241aa13cb8

                            SHA1

                            f13cef84c29f10c296fe0e4e5330c8e1e253b279

                            SHA256

                            2f8d54d2e5dd9c0d99c94105e14ee45f65dab068b253af6b76f0e98f02178c14

                            SHA512

                            9cc382f6abc84166c24c58f65ee837fa1d927801c6ecdb296c9a1cf56942d5ff0f291335d8d6e523d43feb58033cb41b7fecc6f7c878a35dade7c648c33e4a34

                          • C:\Windows\{7C06FFD2-A139-4540-A1D0-2D97DF06C012}.exe

                            Filesize

                            372KB

                            MD5

                            2b5fd954b0ab2a3f5576b5889105a902

                            SHA1

                            0cdd47854cb8c809ee0f76c35d84771ceb3752b7

                            SHA256

                            0aba647d6943c8832491a816d6baf5eed5edbc4fa15023d8c4762a9a5a9c6fe4

                            SHA512

                            69ecc50dfae6223d39a6aae3fda30d25c87d5a565e38b12b94019cd1070b4e1d0906900a8b9efb33448db0e84a49851c3ea2ace758fbbc6724412088ad99add7

                          • C:\Windows\{7CD7983E-1C8B-4176-A6CC-5A3DFE00E63E}.exe

                            Filesize

                            372KB

                            MD5

                            1f166d88e5592cb46191c816e0f6f827

                            SHA1

                            c664f0f56914c73b5da806b928d6db87b33e146d

                            SHA256

                            bb1f5d6fea4a67135fe3b0be175adc383ace03519f4f8da8037c06ba5f5212c2

                            SHA512

                            eb79bc3945cda700b2faf2fc59f5ecc1727bcfccdca94b1ffbbeef97bcb36daa97160912a30b1917436daa233b08de8db86003bad89aa147f4abeda672ad501c

                          • C:\Windows\{845210B9-9A38-4f4f-B9A4-5027D11BD20C}.exe

                            Filesize

                            372KB

                            MD5

                            3543c85483a79c53f8916cdeffcd1db2

                            SHA1

                            f272a7d28099a9fa38d0f9d70ad6342d0017b7d0

                            SHA256

                            889a62e951cb3912ca8bc89e43ee867e494acd4e6f967d55a48ce801ebefa55c

                            SHA512

                            91c7be2518c7d4b78eeeb1bcf0bf28f2dddeedd5930bc69ad6fbf164277f81e412060fbc34e0d23713940bcb10417a4ffc7ff734ff3bc1c3c7063facdc9ddf4c

                          • C:\Windows\{B5D99E92-FED3-43b6-8616-677561A561B2}.exe

                            Filesize

                            372KB

                            MD5

                            75500983d267881e6840cb83dfacd93b

                            SHA1

                            a8deb2f1780d3eca7561f83ffe1ab9b3aa78a83d

                            SHA256

                            14714cc2ba02513ff5d7745b11ebd09e8fbaa6a9e164cbaeff401dbf293fe63b

                            SHA512

                            c8e3e2fc4978d7aed1423fa6d8ca673dc2f534a9314c995c733ff5807468f0db89ac8285ac0b5b3cc7846b64cad4b83aa33b13e80018476dd01caf1dfee0b62b

                          • C:\Windows\{BB7006D6-8C57-4004-A8E4-815C877D61D9}.exe

                            Filesize

                            372KB

                            MD5

                            f49f736b4876a1a48938a68096e259c7

                            SHA1

                            144fa21d28e5afd2eeb14ec372c3f08f4f9a4751

                            SHA256

                            695c7a790230b3925dab56e2589f42f0e0ae574eafa541321449aed7dedca8d2

                            SHA512

                            edebdaf91d925190fc9d51e6e0d57548c8a174e156f96d7cbf091f074b8a757be7317bb162494a28d98df94f77039b3900eeee32723a11d36a326c657e9c734b

                          • C:\Windows\{BC2C4B19-502B-4995-82D3-F9FC0983D38C}.exe

                            Filesize

                            372KB

                            MD5

                            482b736909ae7a1a558193d6ad59a1b5

                            SHA1

                            9286988db104ec8c985fcd02714b16c47bd9a39b

                            SHA256

                            7eb49b1458e0bb865d68b908aebcf1f41d91ca05dea84d3a40af66c8e80cc2a8

                            SHA512

                            dffa2998f4d8f148c71c25e956651460a0d33cff14f69d1b7a4391409d9c88bc3e6f2dda05ce0f5e17d66c561ca6d292adf1943a292a3c4b851858b3b3ddc33f

                          • C:\Windows\{C03BBB33-E183-4926-A8DA-6484885E98AE}.exe

                            Filesize

                            372KB

                            MD5

                            f16a1ffc1886363af0b777ce7c430149

                            SHA1

                            f34ed8e40e1825a1aea4bac5270dcca29fcaaf42

                            SHA256

                            04fcd30ae40503e35d8bd2d2fc6a63418e17cbcddf92e1a0ba8309eacb336f73

                            SHA512

                            55b0370b411508a266628f42015a4bb00d94dde0afb43e748ed40f1f001c1e1bb56f42920afb2ac5341faf75454d4d953ce76050f3809be23d5f278b37bf56e1

                          • C:\Windows\{D36D6168-27E2-496f-AA4B-BD1CBC3BE9F1}.exe

                            Filesize

                            372KB

                            MD5

                            1a6f7f46287918d373d2601912665650

                            SHA1

                            5a70744ea4c1137b12df1f21b7111dbdc52e03d0

                            SHA256

                            5ef0b9f9d6b5522171b2a1de17e83607c8e37703443b8d81e4bb0dd26e66ea3e

                            SHA512

                            0e89816b5d6b8297b08d39564376bd46c14c2a0943abf0ceee226c17c9434293c7c118b20f86c4d89f06f9ae2ed072f42dca10ae22d54debd5318d87fb98b50d