Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    157s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2024, 11:37

General

  • Target

    2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe

  • Size

    380KB

  • MD5

    cda6422a7356a40ac2e60140dac6b5be

  • SHA1

    61694d817e90b3fbe4a223f2e4487ec11d4c6d9a

  • SHA256

    6e2c4eeec4d859eeccaaaac5b14f818a82d80585bc2d0436093a36a62ab6ebe0

  • SHA512

    70e515599a8ca9c7ea5403059b689db00da0ca844102aabb0185a65fc4455551cd80a3d92b791c8c9b8706871995266ed1015e93c0596ae8425b7a0ab19411cb

  • SSDEEP

    3072:mEGh0oXlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGpl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe
      C:\Windows\{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe
        C:\Windows\{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A223E~1.EXE > nul
          4⤵
            PID:5040
          • C:\Windows\{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe
            C:\Windows\{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe
            4⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4112
            • C:\Windows\{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe
              C:\Windows\{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe
              5⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1540
              • C:\Windows\{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe
                C:\Windows\{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe
                6⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3488
                • C:\Windows\{F9B774CF-10EA-403e-BAE3-49199E329047}.exe
                  C:\Windows\{F9B774CF-10EA-403e-BAE3-49199E329047}.exe
                  7⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3176
                  • C:\Windows\{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe
                    C:\Windows\{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe
                    8⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:624
                    • C:\Windows\{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe
                      C:\Windows\{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe
                      9⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:668
                      • C:\Windows\{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe
                        C:\Windows\{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe
                        10⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1680
                        • C:\Windows\{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe
                          C:\Windows\{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe
                          11⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3880
                          • C:\Windows\{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}.exe
                            C:\Windows\{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}.exe
                            12⤵
                            • Executes dropped EXE
                            PID:3408
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F28B1~1.EXE > nul
                            12⤵
                              PID:4748
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7D2B0~1.EXE > nul
                            11⤵
                              PID:3388
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{13C98~1.EXE > nul
                            10⤵
                              PID:1688
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B9806~1.EXE > nul
                            9⤵
                              PID:4472
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F9B77~1.EXE > nul
                            8⤵
                              PID:1128
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{35B31~1.EXE > nul
                            7⤵
                              PID:4756
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C1CAA~1.EXE > nul
                            6⤵
                              PID:4116
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{311F4~1.EXE > nul
                            5⤵
                              PID:4736
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{93FCD~1.EXE > nul
                          3⤵
                            PID:3924
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                            PID:2536

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Windows\{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe

                          Filesize

                          380KB

                          MD5

                          0b3c4e46c85877339e03a119b0e00f7a

                          SHA1

                          66d4364e4aaa925decc707f48145742ba650f432

                          SHA256

                          7eff44c74f7fc872bedd4d35ceee047450ff2ade104c6c717c26e48b162241d1

                          SHA512

                          320ac9adf6c8878346f9922027aff5d420ee4e2460272f22fec436ca156eb3957b6429ab01acd75397b220a48b7eb0b46e4bde58038c7768795af2389fd73333

                        • C:\Windows\{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}.exe

                          Filesize

                          380KB

                          MD5

                          56d0d02cec5969ceb2cece2f8a2d6473

                          SHA1

                          b7b5d53fff46ce5f5ff10ca7772fa884bc49e44d

                          SHA256

                          d45f7bb4b49d89ee7d76b9a582aae5192a0338d1de8b7b760ad96e17ee3a9e3a

                          SHA512

                          e44e61a0554290a756003c2ae25b93618cb86eeab9e2681043cc91aa3ce72534ac89928a4cdfe3f9a3cedc930073e0693922b781bfcde3f6962b0af3c4c4e39c

                        • C:\Windows\{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe

                          Filesize

                          380KB

                          MD5

                          9410524ff37f34273cc71bb053e5ca2f

                          SHA1

                          eefe1e945bec3a64443d3aa53317dc4a0f564f79

                          SHA256

                          8685fecefd3537ccfe126664d3b54006d0e6a824865f39649843b3a657006144

                          SHA512

                          1179b0dab877fefd1be39639044e8e5ceae69a6d250b14c0735db8f08eab15cd37fbeffa2dc04ef16681d25514bf5fff5172e439a78af776c42619c1329d5c9d

                        • C:\Windows\{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe

                          Filesize

                          380KB

                          MD5

                          81107e9b95325410c801aba85ef046b6

                          SHA1

                          4518d5214b11def2a33592e7418299c9fef061a8

                          SHA256

                          a3447728c9111113c74d98340f832cb657903959e3281db669509c830a4db8ac

                          SHA512

                          1cb0e9126856b3a0ed6a6494ce2ced8447d5c116fc5c57c890972802f9295ef515a0b7d9b54c72c71614378019d5b252f98a3da0449c175689add7d9c500c157

                        • C:\Windows\{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe

                          Filesize

                          380KB

                          MD5

                          e404c6ac4cd9c332f1ddd283d06d16ed

                          SHA1

                          337e2cda5767ccd276a262505f44d0f188583f5c

                          SHA256

                          783c79a2690e5b2f9db352e996a255cb141d56bc7c2812e942e7cb8da526b7ef

                          SHA512

                          30c567c43395c5d6a0ff61daf20064208cfa8e2b37204cdd36aee5f3a5941a6447ff6362179e9c660fd8cbce4faa6b2d7820815646334bc8de6c81fbdf8e023a

                        • C:\Windows\{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe

                          Filesize

                          380KB

                          MD5

                          895f02cfaeb0fa5f55b42ca9562f4e1f

                          SHA1

                          c3f46d6b67dc7c70f5eb90eee21a1c3816eafab7

                          SHA256

                          86a876f6dfd742b333e86d4b091e358c642c004f04f7b29a43d9e67efc116846

                          SHA512

                          95075ac230477ec7f24a09809bcf37a68f97505db22ed526b97804208640c6f155e7ce9121c92e6c12cd2e302a1d8b1a64e0d36c5b3acbfe4ac16d3b4c2fca1f

                        • C:\Windows\{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe

                          Filesize

                          380KB

                          MD5

                          bc8647254137bff1afd981be6f45466b

                          SHA1

                          510c3659a0b4dfad99f1cf8dce1e73c3713d7202

                          SHA256

                          4cc125f06129749a020658199e86cb3fcaf744091ee530669e506588005db076

                          SHA512

                          979eba274c4fb50febca9f4c62fd930051dfa92e467f91b564796ebc01365e7c3416d663964eef6d506b37af3cb3fa721abfe6f4238beff0890a01562e43fa81

                        • C:\Windows\{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe

                          Filesize

                          380KB

                          MD5

                          2c1f258a9089ddd02d5fe14cd6832f86

                          SHA1

                          728d1020cebd8ba2da7fb7984816786527abbbba

                          SHA256

                          fb2aa43fa9b4845e5e10f67d5acee47dd53b6e1c5e21263be368c9863dca85ef

                          SHA512

                          840733820d785e911a750a48af859dbfcf9e38d071dee3911822c943a7aabe0bf933895944bf9f1c09dfcf7fa38c7605675d3cd7bad3c61af04fb428d77e631d

                        • C:\Windows\{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe

                          Filesize

                          380KB

                          MD5

                          88d0d0a377b52dfd56b04e747072881f

                          SHA1

                          07ddebcc056b8fb65e0b24aea71e19de473b03c8

                          SHA256

                          e56a077311acadaa208b24fa04e7f44aab9852531568c9f007f4b130a07f4860

                          SHA512

                          be91d6e3934199b9ee5747326fee66828c2a68e8b9dfc6478e7cfd30c590055a5d531ba00bb148fdff5905864b45d47f10442c8df766c749d52051da22756ada

                        • C:\Windows\{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe

                          Filesize

                          380KB

                          MD5

                          4f3352ba9250804bbe09fa973d062520

                          SHA1

                          0ecb8e8e8a1cd4a25d27ffb11b6cd4eecf383f36

                          SHA256

                          394f8ad7c997bca339f8b8d6bb78d3e5cc492a0c2fdc80577546370b7a9380eb

                          SHA512

                          40938569876594713fe9873757b448de3f17d84bed027f5ed4895ecf0c39183ab3b0f8906dd847e5aaded82cd64ad2fd888bd508540500c225012419ba891839

                        • C:\Windows\{F9B774CF-10EA-403e-BAE3-49199E329047}.exe

                          Filesize

                          380KB

                          MD5

                          868111f0ca53401acbee77e16d00ddc5

                          SHA1

                          dbc9dae93f107c50da4f64da7201c4a4d6a3e9c7

                          SHA256

                          d45c342ca72a7eca8399fddafc46a3b6ddd5274e6b9b021c4b3011a5478f03c2

                          SHA512

                          4dc56434d481bfe25f3d50290b53eda5b451bd8cf39117905b658ee2ea34d5dcae2f9cbbedaba75560ea4a0fbd87ac587daeb97dabbc3b97c142ea38bb82a465