kinsing | 973e10c1c7f7f0831b7471571f8b882dbaa2ccf7176295108c22e7f482995deb

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
Size

180KB
MD5

fdcfce7e3b70c3aeadd26e39048dbfd1
SHA1

2bb5e66ab5f69c58e8f0d6c2107892ce249fa31d
SHA256

973e10c1c7f7f0831b7471571f8b882dbaa2ccf7176295108c22e7f482995deb
SHA512

b3e769b66f326fe05c72aa2fac37d31aef9e31d0983f22d4be65f6a9d5b97916589ecbfb5fb3345722ad8dc92aa5f2243d90128f3d055fcbde87f0e234219030
SSDEEP

3072:jEGh0oUlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGel5eKcAEc

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x0010000000023223-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002321d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002321d-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000737-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000737-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000735-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93E29C99-CC0C-4882-9226-C8A561819249}	{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93E29C99-CC0C-4882-9226-C8A561819249}\stubpath = "C:\\Windows\\{93E29C99-CC0C-4882-9226-C8A561819249}.exe"	{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00703033-7E5C-438d-BAE6-2EB773242E4F}\stubpath = "C:\\Windows\\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe"	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4CBB889-4433-471c-95C7-FD14DDE58C40}	{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}\stubpath = "C:\\Windows\\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe"	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}\stubpath = "C:\\Windows\\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe"	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}\stubpath = "C:\\Windows\\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe"	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}\stubpath = "C:\\Windows\\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe"	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}\stubpath = "C:\\Windows\\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe"	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}\stubpath = "C:\\Windows\\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe"	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}\stubpath = "C:\\Windows\\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe"	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00703033-7E5C-438d-BAE6-2EB773242E4F}	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}\stubpath = "C:\\Windows\\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe"	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81F9285C-F801-49be-AC3A-9042749D7EEF}	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81F9285C-F801-49be-AC3A-9042749D7EEF}\stubpath = "C:\\Windows\\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe"	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4CBB889-4433-471c-95C7-FD14DDE58C40}\stubpath = "C:\\Windows\\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe"	{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4620	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
4736	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
3516	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe
3948	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe
5036	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe
3652	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe
5068	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe
1452	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe
5048	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe
1608	{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe
740	{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe
3068	{93E29C99-CC0C-4882-9226-C8A561819249}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
File created	C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe
File created	C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe
File created	C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe
File created	C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe	{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe
File created	C:\Windows\{93E29C99-CC0C-4882-9226-C8A561819249}.exe	{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe
File created	C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
File created	C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
File created	C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe
File created	C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe
File created	C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe
File created	C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1032	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4620	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
Token: SeIncBasePriorityPrivilege	4736	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
Token: SeIncBasePriorityPrivilege	3516	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe
Token: SeIncBasePriorityPrivilege	3948	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe
Token: SeIncBasePriorityPrivilege	5036	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe
Token: SeIncBasePriorityPrivilege	3652	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe
Token: SeIncBasePriorityPrivilege	5068	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe
Token: SeIncBasePriorityPrivilege	1452	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe
Token: SeIncBasePriorityPrivilege	5048	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe
Token: SeIncBasePriorityPrivilege	1608	{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe
Token: SeIncBasePriorityPrivilege	740	{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 4620	1032	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	96
PID 1032 wrote to memory of 4620	1032	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	96
PID 1032 wrote to memory of 4620	1032	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	96
PID 1032 wrote to memory of 3580	1032	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	97
PID 1032 wrote to memory of 3580	1032	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	97
PID 1032 wrote to memory of 3580	1032	2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe	97
PID 4620 wrote to memory of 4736	4620	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe	98
PID 4620 wrote to memory of 4736	4620	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe	98
PID 4620 wrote to memory of 4736	4620	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe	98
PID 4620 wrote to memory of 1900	4620	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe	99
PID 4620 wrote to memory of 1900	4620	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe	99
PID 4620 wrote to memory of 1900	4620	{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe	99
PID 4736 wrote to memory of 3516	4736	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe	101
PID 4736 wrote to memory of 3516	4736	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe	101
PID 4736 wrote to memory of 3516	4736	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe	101
PID 4736 wrote to memory of 2780	4736	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe	102
PID 4736 wrote to memory of 2780	4736	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe	102
PID 4736 wrote to memory of 2780	4736	{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe	102
PID 3516 wrote to memory of 3948	3516	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe	103
PID 3516 wrote to memory of 3948	3516	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe	103
PID 3516 wrote to memory of 3948	3516	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe	103
PID 3516 wrote to memory of 4916	3516	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe	104
PID 3516 wrote to memory of 4916	3516	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe	104
PID 3516 wrote to memory of 4916	3516	{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe	104
PID 3948 wrote to memory of 5036	3948	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe	105
PID 3948 wrote to memory of 5036	3948	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe	105
PID 3948 wrote to memory of 5036	3948	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe	105
PID 3948 wrote to memory of 528	3948	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe	106
PID 3948 wrote to memory of 528	3948	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe	106
PID 3948 wrote to memory of 528	3948	{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe	106
PID 5036 wrote to memory of 3652	5036	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe	108
PID 5036 wrote to memory of 3652	5036	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe	108
PID 5036 wrote to memory of 3652	5036	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe	108
PID 5036 wrote to memory of 1584	5036	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe	107
PID 5036 wrote to memory of 1584	5036	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe	107
PID 5036 wrote to memory of 1584	5036	{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe	107
PID 3652 wrote to memory of 5068	3652	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe	109
PID 3652 wrote to memory of 5068	3652	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe	109
PID 3652 wrote to memory of 5068	3652	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe	109
PID 3652 wrote to memory of 4556	3652	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe	110
PID 3652 wrote to memory of 4556	3652	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe	110
PID 3652 wrote to memory of 4556	3652	{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe	110
PID 5068 wrote to memory of 1452	5068	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe	112
PID 5068 wrote to memory of 1452	5068	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe	112
PID 5068 wrote to memory of 1452	5068	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe	112
PID 5068 wrote to memory of 3388	5068	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe	111
PID 5068 wrote to memory of 3388	5068	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe	111
PID 5068 wrote to memory of 3388	5068	{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe	111
PID 1452 wrote to memory of 5048	1452	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe	113
PID 1452 wrote to memory of 5048	1452	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe	113
PID 1452 wrote to memory of 5048	1452	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe	113
PID 1452 wrote to memory of 3144	1452	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe	114
PID 1452 wrote to memory of 3144	1452	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe	114
PID 1452 wrote to memory of 3144	1452	{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe	114
PID 5048 wrote to memory of 1608	5048	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe	115
PID 5048 wrote to memory of 1608	5048	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe	115
PID 5048 wrote to memory of 1608	5048	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe	115
PID 5048 wrote to memory of 4640	5048	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe	116
PID 5048 wrote to memory of 4640	5048	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe	116
PID 5048 wrote to memory of 4640	5048	{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe	116
PID 1608 wrote to memory of 740	1608	{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe	117
PID 1608 wrote to memory of 740	1608	{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe	117
PID 1608 wrote to memory of 740	1608	{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe	117
PID 1608 wrote to memory of 4140	1608	{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_fdcfce7e3b70c3aeadd26e39048dbfd1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
  C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
    C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe
      C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe
        
        C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
      - C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe
        
        C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0AE7~1.EXE > nul
        7⤵
        
        PID:1584
        
        C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe
        
        C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe
        
        C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28E2C~1.EXE > nul
        9⤵
        
        PID:3388
        
        C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe
        
        C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe
        
        C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe
        
        C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe
        
        C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\{93E29C99-CC0C-4882-9226-C8A561819249}.exe
        
        C:\Windows\{93E29C99-CC0C-4882-9226-C8A561819249}.exe
        13⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4CBB~1.EXE > nul
        13⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{183FB~1.EXE > nul
        12⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00703~1.EXE > nul
        11⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92068~1.EXE > nul
        10⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBEE7~1.EXE > nul
        8⤵
        
        PID:4556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81F92~1.EXE > nul
        6⤵
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FABD5~1.EXE > nul
        5⤵
        
        PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AD471~1.EXE > nul
      4⤵
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{065A1~1.EXE > nul
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00703033-7E5C-438d-BAE6-2EB773242E4F}.exe

Filesize
180KB

MD5
ca44decdd150aed6a116586ac7f29d75

SHA1
0bb83ae686f5b699a02ff00d566afad6b95e2168

SHA256
7cfa90b4a1b4424ff53403cfb4cde594c694133e18c34b9baa82db272b9175db

SHA512
dc7c623f48f919e7f6ba3cdd9381f766057a277e9e7004e43d3fe0c01d86b55374af3a22cb7d470b43e25975469c4b1ac361c3ed3728320d7b1376ec1df7bf24

Download Submit
C:\Windows\{065A1798-F69D-4c5b-BA90-0D652A9AA5F4}.exe

Filesize
180KB

MD5
4a3ee0055f2362239d6ad09ac58ed64b

SHA1
94c04530a8f93289df8882b79a80a546fffa7295

SHA256
ebbcd9d2790c55fc6bf3f99a09df7230721aac75906f065b53497bb957cfbcc2

SHA512
a004516dbf3efb1365f5738471d2f7362092144bd7516192bcaee11fdf55fa66c94bea46d26aef5f6c69d1e12cd0e4339b883e54dc2bca21288ca5712c7dd104

Download Submit
C:\Windows\{183FB2B3-5177-4ecc-9090-8D2EC0FD8C1A}.exe

Filesize
180KB

MD5
4c39ffa8ee16a301c7c34284319d3096

SHA1
608692d083e8923d79bb4deed4f5c2e32541ae5f

SHA256
fd46a93bca1ec5092a2d8283c86278ea54977377327d104c79571fa0d6902a6b

SHA512
d2c6cb5d0526bafe33ce450e1956db223ec5e040da19056443fa3caf11cef202d57edb9f9a39f16c7289f36fe567e383d26754bbee5b0b07941e2ccbced814de

Download Submit
C:\Windows\{28E2C0EC-DF0E-414b-81D2-C4BF498BCB61}.exe

Filesize
180KB

MD5
b431706c8217d008bd767bed4f6ce37b

SHA1
653dc19d89cde4895064a0acb8d3f02d363da62e

SHA256
752f279219055ec6bec46636b5af0d1ec683f3e18222184f625a963f8baf3082

SHA512
0d4a918a01b3ca7a05b19d3426a02830cc76a225035597cce9bf033465df4d71c030b5de6ccefb7a20c4c79c80a6859bbb6053186cbc74c486330f24affbac8f

Download Submit
C:\Windows\{81F9285C-F801-49be-AC3A-9042749D7EEF}.exe

Filesize
180KB

MD5
4720368083a5d5591b1de5e9d4827249

SHA1
0151f789a5c768971e733a28c4e62a977a445892

SHA256
3b33a78293d9622d8f9f05f856012a2ebc4e50d28fe46f60bb42e1877e439acf

SHA512
fce80234e1d7fa037576a1880aaf064a7c4c5ab3379bac740c84bbec2dd4fc87aad4c94d4032e8be337fe90b0a9075a5b268b3cff32e12f572f79aaca6f18228

Download Submit
C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe

Filesize
84KB

MD5
0cc5b8825c3c0f78aaa30cd983c8ab62

SHA1
f399b7ebdf1c18a58847e5cdb10e86fc830a3169

SHA256
fed0fff0121ae2f0c337efbb0cadc7849d78ec5f39809ba75814bf3053f5641a

SHA512
2247bf4431246622472f54865d7a34dc65ccb36f24d9d348ec15cce7516afc25e4c7d7fa7cef52a72dd625a9c752e8a19a2e8696c37bb51cb08f1aeee385a5c3

Download Submit
C:\Windows\{920681ED-41F9-4cb3-AE19-F8DD42C6E182}.exe

Filesize
47KB

MD5
89fa8bb025318fc33ee0ed6e0c074ee1

SHA1
a991e0f6c34281419bdb38fe51d25e7b4ffdbc71

SHA256
70d989d2b28ab2cf7972ac76449d760b2d81c69e9229ce95c55b93fac571e98f

SHA512
b5a292c6979ed215c808b90d8ddd706239e5a6e85db094629be6c06c7c67d09c256b88e5eac46fc8ca187106782feecfa94d780160f4a429114798a7359f66f5

Download Submit
C:\Windows\{93E29C99-CC0C-4882-9226-C8A561819249}.exe

Filesize
180KB

MD5
d5ea2d3a0a3862ada4b0de4abb519431

SHA1
c3448ce6745895a8e4370eb735ee2bc2b7d41b8e

SHA256
6e6cab4872e90d4f7bdf1f2bc6b411e03789b0fb822da1a0593c70a73d6c5314

SHA512
4b94eb8d3fa3ba5d5d4749855fb9dd22ce1b6b7fdb6412ecadfe0535c372a4fa9feadfb52214af587a3eeebb1aea7935dbcc947273c418054da9cb5515cc5edc

Download Submit
C:\Windows\{AD471ABE-5972-4376-ACCE-89CCA4A1646E}.exe

Filesize
180KB

MD5
aa033ff65407c2d3c64d68264df23d37

SHA1
9ebe41e4ac3fc654d35d5185b5a4b93a5464406f

SHA256
7436a0c3ca311136fb5565402105593b798b580a366ffccf87ae11b278ac0f5c

SHA512
d597e8f0680917220a1d732db8e249d1e0afc83abe54b6a4d785c50852dab24c9bd6073d7bcc08164de73e597c3f2c35b16252b70dd2bd7dc0dd2abd711a6d16

Download Submit
C:\Windows\{C4CBB889-4433-471c-95C7-FD14DDE58C40}.exe

Filesize
180KB

MD5
c0c0d74515135c0de97f9fc0bd9e36e7

SHA1
29a5646f710f7374e6e7713f00adfbfe1a93e4f3

SHA256
c387eabbdeb4a2b6f1342e5cfbd479f47454c3998fc718920b61fb199a0e93e1

SHA512
f0072496151525c7e613256aca59f76650665fd7b22866678c55b0853e5a4a9388a90bb781c79b1ceda72861f929c2aea91165886ff665e7da31c341b592264d

Download Submit
C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe

Filesize
21KB

MD5
b06460a92205e06ec0f669a656ba539c

SHA1
6907efa54a21947adebae8291dd69c0e1e1d2b48

SHA256
3a852daa5d4e96c821742d5b7a85134628005bcb5cb9e55fa592eb97deb00e86

SHA512
b733a784b3f5ed9bd54e4a5839e6735c58e0d1463ba7d9f0a221541d984b9528d26544749c06fd33a166876215c8a96b32c7d4c400d1a6ff13ecd88504a43c27

Download Submit
C:\Windows\{EBEE7697-AED3-45e8-BC25-0B8446ED54A6}.exe

Filesize
180KB

MD5
e2efe6049ab30ffc576bc1b9da25e27a

SHA1
d01bca096f2198c52275c0610bc5c811547dc3aa

SHA256
fdf493c1b32938197a9abde692ef2a3967af75f5490da089e3fedc7fc4d746af

SHA512
2806ab0328122053dc22e7188d5a98d38cbf50b49d26f1a3230fe034d6eb580b276c140a54042d3d9f667c9b9bca75bd5d9feceb88df688285c0d56ed14acf9e

Download Submit
C:\Windows\{F0AE7BF5-9E86-47fa-9436-F183785D88C8}.exe

Filesize
180KB

MD5
c4ea2773de53806fa3285843f344fb35

SHA1
8493aa93bdb4f6a0500fe459fe69d0b056dcbcc4

SHA256
5f3016f9740f61b9f10c0908311ca470797636befaa709b32ad49a258eae42a8

SHA512
3dff82e9249d8966896434423bca7c2731078c57647697148bdd7b1daf54f86ec8099b61d01b4ea2227fb00c3c01105edc3b9b1c99d2f5235806de5f016fcaaf

Download Submit
C:\Windows\{FABD5D66-64AB-4fd3-930E-C295C1EEEA9E}.exe

Filesize
180KB

MD5
61fc8f269c210e6d18998af84564ae14

SHA1
32a8bad0d96cc7f2e3b0bda157cdd193b811ee52

SHA256
3b6a22cff13100c025a0cbd8fd29f5a9da23639605e277787783099c16e58395

SHA512
e07e63b79102b54c63cfc61764ef1d59edbe01c8fb34d131a033850378fe3ee62843abe463449a2e965b67414be3cefa9dfdd25c9d71affaa0b68eef33fc2968

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads