Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
23/01/2024, 20:26
General
-
Target
2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe
-
Size
197KB
-
MD5
54b75c41945967a4351185745e053f43
-
SHA1
d0ee100ca1b87e7176c927891fa9f4a5835dd6eb
-
SHA256
0b1a9425274d717d5cd5029747cb31d414be5e1e73b25c397e6e63fa3c5899cd
-
SHA512
16be7bdd37b31fc7bb8d45e00922a7ae6d178b115f734c7b90be88ec886d138b5bddfa058440347f6df1071442117e1943cd7a465d28beb0548418e1f4c080f4
-
SSDEEP
3072:jEGh0oll+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGblEeKcAEca
Malware Config
Signatures
-
Auto-generated rule 11 IoCs
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6BBDDEEC-145B-4f62-95D7-F45AE3815376}.exeC:\Windows\{6BBDDEEC-145B-4f62-95D7-F45AE3815376}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7546F38E-5666-47e3-84FA-6A894319B6FF}.exeC:\Windows\{7546F38E-5666-47e3-84FA-6A894319B6FF}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7546F~1.EXE > nul4⤵
-
-
C:\Windows\{FD8879B1-5A99-4615-8A64-3BA1F51595EF}.exeC:\Windows\{FD8879B1-5A99-4615-8A64-3BA1F51595EF}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{FD887~1.EXE > nul5⤵
-
-
C:\Windows\{807A5FA2-902B-438e-85E6-D7CD4AF044AD}.exeC:\Windows\{807A5FA2-902B-438e-85E6-D7CD4AF044AD}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{807A5~1.EXE > nul6⤵
-
-
C:\Windows\{7A531BFB-FDD1-4159-A6F8-74F3E7AA5165}.exeC:\Windows\{7A531BFB-FDD1-4159-A6F8-74F3E7AA5165}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7A531~1.EXE > nul7⤵
-
-
C:\Windows\{6EFB9DD6-4AEC-4764-AE22-57773952F72E}.exeC:\Windows\{6EFB9DD6-4AEC-4764-AE22-57773952F72E}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6EFB9~1.EXE > nul8⤵
-
-
C:\Windows\{27277BA2-3C87-4c81-AC2D-55F734D7CBD1}.exeC:\Windows\{27277BA2-3C87-4c81-AC2D-55F734D7CBD1}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4FBC7550-B75D-4428-9DBA-7E90EF060D11}.exeC:\Windows\{4FBC7550-B75D-4428-9DBA-7E90EF060D11}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{BFBAEB1A-3115-4185-9333-DCEE7D79B34E}.exeC:\Windows\{BFBAEB1A-3115-4185-9333-DCEE7D79B34E}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{C26C254B-ADFA-47bc-BE91-7B21685A9F00}.exeC:\Windows\{C26C254B-ADFA-47bc-BE91-7B21685A9F00}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{A49DD9A1-0784-41ec-8E5D-E12ED57ABE6F}.exeC:\Windows\{A49DD9A1-0784-41ec-8E5D-E12ED57ABE6F}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C26C2~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BFBAE~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4FBC7~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{27277~1.EXE > nul9⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6BBDD~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
197KB
MD5be5d0bcd51c56ab4fce2c641c18c4676
SHA1c814c12c4fa6812203a990b4b1e78b23b92c154a
SHA25688505072e331fb7fa6664a3ce1becd9d94bfd67bc6ed39076bd32ecbfab6abbd
SHA5123058024547e629190e0616b06183698d4fc6b20b32e53cd1558267784156f5e3f16507b36f9976c49b8768ebfc2445447cd1bff99d111c0898883f48e1945f6b
-
Filesize
197KB
MD540b38227c809a42ffacc983fe2175f45
SHA1fd36d7576189dc8b5207ffef2e105294d7775466
SHA2568b1b1b99ff115d780feaf25b97ca67820f25cea85224e2637b43dcdfdb81b79c
SHA512495418ebb05c0b3d696d57441a1040d6ddc6887472c7d11b4fcadb47a23247584203b85c0680fedf7c5d0d13e1abc5e28c5196530d4c72399b4d48d996aab064
-
Filesize
197KB
MD53993689ddf38ad63e2ffc3862f3021f5
SHA10ca96967fcbf66b6b6823498da59f2e81d2e4f4d
SHA256cf24a61ff0b2968fe83110c17dcddc92ab2490279e110d48606a64c04deec18b
SHA5125d0dcb55febdc211d640cf504080bc6f62926cdb915a0d133d94d0af05480f01a1ce96225fde389085acd1aa99a9d0bf10844140c2fcafd32acdfc71bc8670c0
-
Filesize
197KB
MD5d835bb843e6283e7cd1cddcc9010f974
SHA1a5dd7836560707252c1b053ce44d51916da72e6e
SHA2565d5e4894e20fc8b6712e9e1d14780925fa1bc53676afc2e6603b4f62376acbd6
SHA51274424f917b18953885732b671c783c555fc042d0537560e3e5868fd311804d672cf9b4e2356d497cd60519c2c0ff9d1a6d5c61cec91e880436225af600450f4d
-
Filesize
197KB
MD570e8866d7636404832e5910685df05e6
SHA134e950cea90adc0cbcb5737bdd422fa952c6cd33
SHA2564440371f0e51ff354712cf29c9fb5a92191e6bc0bbcb3dc0662e94516317a0bb
SHA512318f0dd57a8881694604bea5e09a42ae831d304c71c19e5ea2e474d4fc800ecf762f916f2798113b0e842451caaa0d5d78ad1a5c232adec278ef44b34040dff0
-
Filesize
197KB
MD528d744931b77398251f892aeb7f655a5
SHA11263326dfc89c798392ecfc6ccaeec5d1af78fdb
SHA256d344f973cf38c699de19ad380adec3301509b233d22ca1649935977ffbd290ff
SHA5123253232c76b008c16c4ec8c525a12c62191791fdae828e4bb7513eed3aa0899cdfdbd4e1eca84775777cbf2fb46989843449ed38fbaad4889c96a10037f5bd26
-
Filesize
197KB
MD5b2b5f84ef68c5ce380b1ff32420e3a00
SHA15a6e36f22881818c91ecdc8923b7dc9856dd990a
SHA2568d4bf164f418933d528a83de57828f38cb7d671439409fe070e2a98d123bf53e
SHA51232c79a67baacfb04223625999c71a3deef1ec1c32a5ab97f36142a3a220dfde3d6c61e23f5ff4ec74d7a6cd9ebc2ae9b040577d5dd07280db51e07c8af4f082e
-
Filesize
197KB
MD5a7b42ce37a581ed985f10de420a89999
SHA12d6c41d1d1f1682601d5e60b50437b07b653b5d6
SHA256e776d8c1691e70d51afff067e5275797fe8ef7841888cbda421295323c57a1bc
SHA51223ed7d64d08c4cfcb5fd32572fd819c398d9a1886d12bc92675e891ff6388c65a4fd56216c2c67e4bd7169794583ff102720bb3fb8f92ce2f153647d84b5ce35
-
Filesize
197KB
MD50547f34bd24cd280ed71032700b69b0d
SHA18305bb5e1d76bdf4cc385d5341a25a3ac12bf4af
SHA256f55e81046bdfc997d582829119d23b46e894989c7c9fcc3a534cedcd64dac69b
SHA5123263ee80f3fee1833844b874540871b5c6259cdaa4662b045097621b8179ead49c71720e8dc2384bcb9cc5efaa8260c600ca4b38ed9c8680447a2f14fe912efc
-
Filesize
197KB
MD59594d2b271530fedd53e8582c6252952
SHA1ca1326c33d5fba3ebd4d2a4e271c01c97b9dedf1
SHA256f84f0a75698c90c6a8a3350722611b59e89cf85c73c0292dc70c7682dad0ddf5
SHA5128971eadb07931b04248e80deddcd15ba918e0a627c282ac7045ea7de6415116904354b72645dc36cb6cdf33d7f1c6302451e3631bd44adecf9066f253202a60f
-
Filesize
197KB
MD5e4e38e74d803f62f11ccbc4a388ac829
SHA1f9e3bfcc2cc8375cfc9f6f332d6ef018123d3ea1
SHA256150e14c111d9905f0a80239bf9c971179c4c16e42a79dd6b0e3aea6714a3c3a1
SHA51281ecf4be7095fd4d0203015152fd94c584451930613aa7f307de89033de5243ce89f197e579a477282f61c41499e835103a0ef1369e519273a61d0537a72e9af