Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/01/2024, 05:50

General

  • Target

    2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe

  • Size

    192KB

  • MD5

    5e2f5924e8e7b011f89e6486a9e07f3e

  • SHA1

    f1681304f8a245b5dacc83c715254f2b633c3865

  • SHA256

    7f7802586d8a8472c44d6c32b1e5d1f146e98721b98df9e6f626bc904fd35d58

  • SHA512

    6f7222fbccf0494ceba3abede9813576fe3563f6ef00bb0b619980472f4a031ae1025c5ee8739ac02463f847152108ef1f8aa467544a954b89ec18c8e8194c8d

  • SSDEEP

    1536:1EGh0opl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0opl1OPOe2MUVg3Ve+rXfMUa

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
        PID:4432
      • C:\Windows\{9D73BEF0-1A59-4433-9EBE-1F1865A68BD6}.exe
        C:\Windows\{9D73BEF0-1A59-4433-9EBE-1F1865A68BD6}.exe
        2⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9D73B~1.EXE > nul
          3⤵
            PID:3232
          • C:\Windows\{34E36A90-1977-4111-ADD7-A6277D260AA1}.exe
            C:\Windows\{34E36A90-1977-4111-ADD7-A6277D260AA1}.exe
            3⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4440
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{34E36~1.EXE > nul
              4⤵
                PID:2992
              • C:\Windows\{53E0B365-0BAE-41e9-8C3E-568492CB6FE8}.exe
                C:\Windows\{53E0B365-0BAE-41e9-8C3E-568492CB6FE8}.exe
                4⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3256
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{53E0B~1.EXE > nul
                  5⤵
                    PID:2732
                  • C:\Windows\{E77A5FB9-6C36-4401-AEB9-6E9F19F2A808}.exe
                    C:\Windows\{E77A5FB9-6C36-4401-AEB9-6E9F19F2A808}.exe
                    5⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2096
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E77A5~1.EXE > nul
                      6⤵
                        PID:1008
                      • C:\Windows\{2DC22776-7352-47a5-A32B-2FF61C01BB14}.exe
                        C:\Windows\{2DC22776-7352-47a5-A32B-2FF61C01BB14}.exe
                        6⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3692
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2DC22~1.EXE > nul
                          7⤵
                            PID:2772
                          • C:\Windows\{F24331FC-DB05-463a-A6C9-54AE0DA838ED}.exe
                            C:\Windows\{F24331FC-DB05-463a-A6C9-54AE0DA838ED}.exe
                            7⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:3560
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{F2433~1.EXE > nul
                              8⤵
                                PID:1152
                              • C:\Windows\{A2CFF69E-7355-4ba7-B659-8B7BCF5BC4B4}.exe
                                C:\Windows\{A2CFF69E-7355-4ba7-B659-8B7BCF5BC4B4}.exe
                                8⤵
                                • Modifies Installed Components in the registry
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:2420
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A2CFF~1.EXE > nul
                                  9⤵
                                    PID:2428
                                  • C:\Windows\{9DB733CF-544B-4082-928E-22D246F1818A}.exe
                                    C:\Windows\{9DB733CF-544B-4082-928E-22D246F1818A}.exe
                                    9⤵
                                    • Modifies Installed Components in the registry
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1184
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9DB73~1.EXE > nul
                                      10⤵
                                        PID:2160
                                      • C:\Windows\{D21C55A5-E2A1-426c-9C47-A38BDB02A000}.exe
                                        C:\Windows\{D21C55A5-E2A1-426c-9C47-A38BDB02A000}.exe
                                        10⤵
                                        • Modifies Installed Components in the registry
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:4396
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D21C5~1.EXE > nul
                                          11⤵
                                            PID:1080
                                          • C:\Windows\{88E0ED01-6697-43b0-88E0-130FF95B1F7E}.exe
                                            C:\Windows\{88E0ED01-6697-43b0-88E0-130FF95B1F7E}.exe
                                            11⤵
                                            • Modifies Installed Components in the registry
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:3620
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c del C:\Windows\{88E0E~1.EXE > nul
                                              12⤵
                                                PID:664
                                              • C:\Windows\{4B4D47F7-E4A2-4365-B018-2ABD4FEA80E1}.exe
                                                C:\Windows\{4B4D47F7-E4A2-4365-B018-2ABD4FEA80E1}.exe
                                                12⤵
                                                • Executes dropped EXE
                                                PID:1612

Network

MITRE ATT&CK Enterprise v15

Downloads
