Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 12:10

General

  • Target

    2024-01-06_610fd0b97bfc22aba237692f9f90ea85_goldeneye.exe

  • Size

    192KB

  • MD5

    610fd0b97bfc22aba237692f9f90ea85

  • SHA1

    458b6d6473e14b3e74128d3f3617f39309aa74b4

  • SHA256

    6496ff44de143cdd4eee2d6e53b3b199d5ee0f4085d63b441362d16cda0f495e

  • SHA512

    d0bb484bf5035cd83396895d7026359c82e44062e843251474de776db76015b057c71554188e2894b19774ae71f3ad0f63c53cfd6e9bd6ba81bc527317032594

  • SSDEEP

    1536:1EGh0osl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0osl1OPOe2MUVg3Ve+rXfMUa

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-06_610fd0b97bfc22aba237692f9f90ea85_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-06_610fd0b97bfc22aba237692f9f90ea85_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:2144
    • C:\Windows\{05140516-BC51-4846-8EC9-25CA93E00291}.exe
      C:\Windows\{05140516-BC51-4846-8EC9-25CA93E00291}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\{1805EBE6-16F7-41fa-9A01-6E9AB5B1248B}.exe
        C:\Windows\{1805EBE6-16F7-41fa-9A01-6E9AB5B1248B}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1805E~1.EXE > nul
          4⤵
          PID:2228
        • C:\Windows\{D1822258-58E3-4bf0-A4D6-7039BC9CFFEF}.exe
          C:\Windows\{D1822258-58E3-4bf0-A4D6-7039BC9CFFEF}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:824
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{D1822~1.EXE > nul
            5⤵
            PID:4364
          • C:\Windows\{9B9BCD5F-EF59-4539-9E75-4BBD16E18C1C}.exe
            C:\Windows\{9B9BCD5F-EF59-4539-9E75-4BBD16E18C1C}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4008
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9B9BC~1.EXE > nul
              6⤵
              PID:4344
            • C:\Windows\{B9F6836D-D81A-4320-81BA-0014C9EEC2A0}.exe
              C:\Windows\{B9F6836D-D81A-4320-81BA-0014C9EEC2A0}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4348
              • C:\Windows\{A1E71F9A-D790-4ca3-89D2-536D0DC190D7}.exe
                C:\Windows\{A1E71F9A-D790-4ca3-89D2-536D0DC190D7}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3376
                • C:\Windows\{4A3249FB-32C5-4ada-895C-437F366A4AFF}.exe
                  C:\Windows\{4A3249FB-32C5-4ada-895C-437F366A4AFF}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4288
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4A324~1.EXE > nul
                    9⤵
                    PID:4004
                  • C:\Windows\{0739A75C-45E0-4709-984E-979F27F57DA3}.exe
                    C:\Windows\{0739A75C-45E0-4709-984E-979F27F57DA3}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4900
                    • C:\Windows\{269FAE17-D8A0-44ca-9B0F-313A0BFA444F}.exe
                      C:\Windows\{269FAE17-D8A0-44ca-9B0F-313A0BFA444F}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4400
                      • C:\Windows\{5AEEBCBA-B957-4d7c-9ABC-8B437FDB3D37}.exe
                        C:\Windows\{5AEEBCBA-B957-4d7c-9ABC-8B437FDB3D37}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4816
                        • C:\Windows\{A0AD8D3E-C409-4f1d-8684-28508C7400B7}.exe
                          C:\Windows\{A0AD8D3E-C409-4f1d-8684-28508C7400B7}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:3112
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5AEEB~1.EXE > nul
                          12⤵
                          PID:1744
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{269FA~1.EXE > nul
                        11⤵
                        PID:1064
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0739A~1.EXE > nul
                      10⤵
                      PID:768
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A1E71~1.EXE > nul
                  8⤵
                  PID:2016
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B9F68~1.EXE > nul
                7⤵
                PID:2760
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05140~1.EXE > nul
        3⤵
        PID:920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{05140516-BC51-4846-8EC9-25CA93E00291}.exe
    Filesize: 192KB
    MD5: a164902b42fb6188a0689a5d7c161fe0
    SHA1: e297b4538594ed2ad5f355695fc47d59b100d033
    SHA256: 1edac4b30b49d236935436a5fc986ee446d6eb8356a1603ffe2d02a69966d72b
    SHA512: 810e648cd1d1c0bb03ac6a9f0af0f3fd02114456169feff0c6e0f80007eeed69776d3a4df6b4c92480c0b681c509ce503021c281e7f22a0dd63c3533140172a7

  • C:\Windows\{0739A75C-45E0-4709-984E-979F27F57DA3}.exe
    Filesize: 192KB
    MD5: 0be1fced087af431568d47789903adbd
    SHA1: cafde28812212008553a1d9908f659d640e5fe23
    SHA256: dcf86f64e5db4c0f02dec551cb790d608ae25b208da035b48b0c3dd821669252
    SHA512: cdb58cdd907daf531fad75d88ba4b22f44081677092035699d235500bb25f8966c0e9905dc52e2dee6d2014af66489e4bac07c724687c51425558cbeb00626fe

  • C:\Windows\{1805EBE6-16F7-41fa-9A01-6E9AB5B1248B}.exe
    Filesize: 192KB
    MD5: 28c71ea12659394a5cca98676062a753
    SHA1: f73f5744393f58e2f3d52ceec00b5c24b2f2e481
    SHA256: 96c74e1cce698b467d00cc14f33d3bcd0ad93be53334abf4edcc4b0d40a3619b
    SHA512: c925956c276d80b958ed9463f600516fd51badca26ce7d2aec4cf8f29eb8a244670783254d160dbafd0e881e224bce233bfef09e16b00b72b1600a3116426afd

  • C:\Windows\{269FAE17-D8A0-44ca-9B0F-313A0BFA444F}.exe
    Filesize: 192KB
    MD5: c5cdc0a38c4b9546b20e48558175c693
    SHA1: 2d9f80d705561a8464408d02e3218382eb58cc70
    SHA256: f2a4a9a0304174da573b863055ab9ed723c481c599e69fea3524265dd3128677
    SHA512: eb8e75aac120c93c96eed72303b87b7a50ac257e8efa09f0a8ac6dc53fcdf34824ccb32a849fec19affd6597d11333e7c822c0d56a0684d00f426d6c29a5efac

  • C:\Windows\{4A3249FB-32C5-4ada-895C-437F366A4AFF}.exe
    Filesize: 192KB
    MD5: 632e4bd4c796310fd5497eecb7c33ee2
    SHA1: cfe675a00d3d35d694f4ec0c2171b87b181f72de
    SHA256: 1dc28f87d6f2f6aa097d24593cda4d2cd9446edaef77412918375b97a58efb46
    SHA512: 03632eaa4c09bae1a0a11e96237c5b0cd864bf228f80a6dc95364b949a7a8d089166a8dad1f566562e707393cb3e12d313611c9e047202d01da644030711cc28

  • C:\Windows\{5AEEBCBA-B957-4d7c-9ABC-8B437FDB3D37}.exe
    Filesize: 192KB
    MD5: 68dded65c62766525dbe4ad2e75da220
    SHA1: f13adf2ed11bdca2ea8f54e61191bfdaa39fde6a
    SHA256: 2b767d9fa225bdb76a0d53c140f0db53fabdaecaa27197243c0d32040c95bc4a
    SHA512: 901be06fe3512503c4bd92dce873a86c7496fd4a5c51e452b7c903d7c10a78a50868aa5d84a66d05f09ed06d65a09aeab84cf151b265e8eb2ea75e7702ccca24

  • C:\Windows\{A0AD8D3E-C409-4f1d-8684-28508C7400B7}.exe
    Filesize: 192KB
    MD5: 0afd2261e010965dee8df4dc4b00b5dc
    SHA1: d8e28ec9e5a041a9b18aada830c960b8e721668a
    SHA256: f97b4771a2b87caf989a8a3ded89b6e57c30bd4a9a7239ef572440c93a00ffa0
    SHA512: 99623181f85fc404c990700fc331bea252f92aa062d4edfdc2ead7079af8471bfef992fa57e9443106d1be373e0b6e829c886ae7dbebcb2bd26be013043b2f02