Analysis

  • max time kernel
    62s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 12:13

General

  • Target

    2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe

  • Size

    408KB

  • MD5

    9022259a9a557ca9471301f0225ac924

  • SHA1

    990c820f56b8cc608693ce19dcade1f6cf375135

  • SHA256

    b4f32d5bcf21bd1d3b25053c653aec40b8f98dcb3ae68667dbba5be4f633ba5a

  • SHA512

    c3eaac7dc81ec4876a0a3ea3ef26920f4133a55a1b4487f099fe839cc83999c58ca2f0639f11aa4418d947fd4c17da83083bd5bcca00c3f202f1a3976c566c43

  • SSDEEP

    3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG0ldOe2MUVg3vTeKcAEciTBqr3jy

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 10 IoCs
  • Executes dropped EXE 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
        PID:4488
      • C:\Windows\{F707115D-4630-42a6-9665-0EB7F0BBC4F4}.exe
        C:\Windows\{F707115D-4630-42a6-9665-0EB7F0BBC4F4}.exe
        2⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3408
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F7071~1.EXE > nul
          3⤵
            PID:3532
          • C:\Windows\{CC501AB2-9805-49e9-BF37-87A2F9F46C86}.exe
            C:\Windows\{CC501AB2-9805-49e9-BF37-87A2F9F46C86}.exe
            3⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3172
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CC501~1.EXE > nul
              4⤵
                PID:4572
              • C:\Windows\{8CEBC275-086E-4840-AF7E-8AA6DF3D7982}.exe
                C:\Windows\{8CEBC275-086E-4840-AF7E-8AA6DF3D7982}.exe
                4⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3116
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8CEBC~1.EXE > nul
                  5⤵
                    PID:3472
                  • C:\Windows\{D0F2D579-8BBA-469c-A600-7862596FBDD2}.exe
                    C:\Windows\{D0F2D579-8BBA-469c-A600-7862596FBDD2}.exe
                    5⤵
                    • Executes dropped EXE
                    PID:3752
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0F2D~1.EXE > nul
                      6⤵
                        PID:628
                      • C:\Windows\{6C37CDD0-D654-47cf-B163-D38877B8070B}.exe
                        C:\Windows\{6C37CDD0-D654-47cf-B163-D38877B8070B}.exe
                        6⤵
                        • Executes dropped EXE
                        PID:4556
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6C37C~1.EXE > nul
                          7⤵
                            PID:2728
                          • C:\Windows\{D7C67FCE-C341-4f4a-A20A-C4280F627D5B}.exe
                            C:\Windows\{D7C67FCE-C341-4f4a-A20A-C4280F627D5B}.exe
                            7⤵
                              PID:4592
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c del C:\Windows\{D7C67~1.EXE > nul
                                8⤵
                                  PID:3908
                                • C:\Windows\{7F61C145-9F10-4ff7-8A82-A97AC12CD664}.exe
                                  C:\Windows\{7F61C145-9F10-4ff7-8A82-A97AC12CD664}.exe
                                  8⤵
                                    PID:3868
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7F61C~1.EXE > nul
                                      9⤵
                                        PID:4820
                                      • C:\Windows\{26A88C99-6025-4a90-B797-FE733F50B700}.exe
                                        C:\Windows\{26A88C99-6025-4a90-B797-FE733F50B700}.exe
                                        9⤵
                                          PID:4788
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c del C:\Windows\{26A88~1.EXE > nul
                                            10⤵
                                              PID:3444
                                            • C:\Windows\{93F3C868-821F-45a0-B615-FB2F9AABB59E}.exe
                                              C:\Windows\{93F3C868-821F-45a0-B615-FB2F9AABB59E}.exe
                                              10⤵
                                              • Modifies Installed Components in the registry
                                              • Drops file in Windows directory
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:3752
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c del C:\Windows\{93F3C~1.EXE > nul
                                                11⤵
                                                  PID:3976
                                                • C:\Windows\{D8BE0893-8E20-47e6-B93B-FE0D517DCAE2}.exe
                                                  C:\Windows\{D8BE0893-8E20-47e6-B93B-FE0D517DCAE2}.exe
                                                  11⤵
                                                    PID:1432
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D8BE0~1.EXE > nul
                                                      12⤵
                                                        PID:4812
                                                      • C:\Windows\{7A7AA67E-B225-4699-907C-20270A0690B6}.exe
                                                        C:\Windows\{7A7AA67E-B225-4699-907C-20270A0690B6}.exe
                                                        12⤵
                                                          PID:1768

Network

MITRE ATT&CK Enterprise v15

Downloads