Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2024, 00:45

General

  • Target

    2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe

  • Size

    216KB

  • MD5

    786572ca4d42e88a1d44537c9487762d

  • SHA1

    e64594ee1358fc262798bfb2139c6064d8a1cf1f

  • SHA256

    637e79041b2e3a238c80fbfc5202e45327f02667fd94f4ef62622fc8f19a5f3c

  • SHA512

    c3831968b55b7a236085f01c74690d9be7a417d9c3e180992e5ffeced8439365adc7435fb8884e3ab6499b2e446e999c609d67d63829c03a8e73df797b4664af

  • SSDEEP

    3072:jEGh0oAl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 14 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
        PID:2488
      • C:\Windows\{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe
        C:\Windows\{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe
        2⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{CB5D8~1.EXE > nul
          3⤵
            PID:4676
          • C:\Windows\{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe
            C:\Windows\{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe
            3⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{DA0BC~1.EXE > nul
              4⤵
                PID:1032
              • C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe
                C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe
                4⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1560
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E477F~1.EXE > nul
                  5⤵
                    PID:4792
                  • C:\Windows\{90631D21-A189-43ec-AA75-83C6130E550F}.exe
                    C:\Windows\{90631D21-A189-43ec-AA75-83C6130E550F}.exe
                    5⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2516
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{90631~1.EXE > nul
                      6⤵
                        PID:4932
                      • C:\Windows\{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe
                        C:\Windows\{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe
                        6⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1660
                        • C:\Windows\{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe
                          C:\Windows\{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe
                          7⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4988
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{FDBFE~1.EXE > nul
                            8⤵
                              PID:4152
                            • C:\Windows\{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe
                              C:\Windows\{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe
                              8⤵
                              • Modifies Installed Components in the registry
                              • Executes dropped EXE
                              • Drops file in Windows directory
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:232
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c del C:\Windows\{A166A~1.EXE > nul
                                9⤵
                                  PID:852
                                • C:\Windows\{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe
                                  C:\Windows\{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe
                                  9⤵
                                  • Modifies Installed Components in the registry
                                  • Executes dropped EXE
                                  • Drops file in Windows directory
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4436
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c del C:\Windows\{69D3D~1.EXE > nul
                                    10⤵
                                      PID:1504
                                    • C:\Windows\{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe
                                      C:\Windows\{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe
                                      10⤵
                                      • Modifies Installed Components in the registry
                                      • Executes dropped EXE
                                      • Drops file in Windows directory
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:4432
                                      • C:\Windows\{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe
                                        C:\Windows\{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe
                                        11⤵
                                        • Modifies Installed Components in the registry
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:3248
                                        • C:\Windows\{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe
                                          C:\Windows\{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe
                                          12⤵
                                          • Modifies Installed Components in the registry
                                          • Executes dropped EXE
                                          • Drops file in Windows directory
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1224
                                          • C:\Windows\{B897F23A-72E6-4f2e-83AC-19A83BBDD403}.exe
                                            C:\Windows\{B897F23A-72E6-4f2e-83AC-19A83BBDD403}.exe
                                            13⤵
                                            • Executes dropped EXE
                                            PID:724
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3DB5D~1.EXE > nul
                                            13⤵
                                              PID:1776
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C6FE7~1.EXE > nul
                                            12⤵
                                              PID:4292
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c del C:\Windows\{82CA3~1.EXE > nul
                                            11⤵
                                              PID:4544
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c del C:\Windows\{35BBD~1.EXE > nul
                                      7⤵
                                        PID:1192

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\Windows\{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe

                            Filesize

                            216KB

                            MD5

                            c7a10765fa0432cd63557cca32966972

                            SHA1

                            978b11261dba10f2db09865b4647baf1f89ad690

                            SHA256

                            ab12e9c3531168282032d8ed1cb6536c1d4b833e762abd0548dfbe187214bdf3

                            SHA512

                            3f190792a3737ea64bfc60f16e5adbe45c78b36afc957445ed1acf3e29e4ab659a35577b7a62ace3f17350eb8de97e99e02a889a6a019826fd00e5ef78b4127e

                          • C:\Windows\{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe

                            Filesize

                            216KB

                            MD5

                            09b92c8016f3e1ff7db42b9001914157

                            SHA1

                            f24e9b80597864f9dca6dcfde2028769ad207de6

                            SHA256

                            3f903acf73cc6653c76bbfa98f48131074549dc6ba2e10af5b85d4ca12b27c2b

                            SHA512

                            0a205a4be90b754a49a0153759e056f4ceb973491ff7971569f23f2574c5db31c07c23d4b99b4a44772cf72042c8acc8c8d90a12fa508cd718c95c9ac6e6c50e

                          • C:\Windows\{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe

                            Filesize

                            216KB

                            MD5

                            10b19607917c08a4220c7ba5c618d900

                            SHA1

                            e3ff788fda9638d3540000ca2ea25fb86bf745ef

                            SHA256

                            98c39adb7648fbc847d4cf1e2a12ef398ce952cad371fbd84194ac94786bc099

                            SHA512

                            31e8d5fa648f66676e3342ca6497ff439dfba613991949c0fea2d08383e6978108c34ae5fa7513ef14af20ceadf67ad8f290e89f8ce8023bd44f6ad2af7052f9

                          • C:\Windows\{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe

                            Filesize

                            216KB

                            MD5

                            362f57fea95a20d4a1be0e30cc2166ea

                            SHA1

                            305f89a7b6fb11197d968c5044010ea149481dac

                            SHA256

                            d49fcd0e23bf4ba978a94a150f539590910271be723fc8a71ad1d976eabafd0d

                            SHA512

                            0af7324bc2d74760d053f7bdd85d11ac004444be04c9a86dac2b3b6f532bd3fab9573230a0c5ab320fddc8df9c77bf2f59b6d8cc720c51f005820d62164da975

                          • C:\Windows\{90631D21-A189-43ec-AA75-83C6130E550F}.exe

                            Filesize

                            216KB

                            MD5

                            0a0547263d38bd17eaebaf02a0faa40e

                            SHA1

                            75b4ed47746ad219c0aad17769ef76841e055179

                            SHA256

                            ba4bc10e0b8c9a26398a1c57cffdfcbf095b70d6aaf34c00e0aa9d79954b7383

                            SHA512

                            1a34c7d2570da912dca25e564b436e86fa5e6da1fda1ad5883ffd782ead5a5bb8c4da93cecfc31c1932db71355e8874411eda9849567ef9d1649885cc22b3921

                          • C:\Windows\{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe

                            Filesize

                            216KB

                            MD5

                            eff1ec3d2c05eb1d04ee47cf144e05e7

                            SHA1

                            f5c99b2a9da6dc92285859887cf5b94264702ec9

                            SHA256

                            52e31f7de723a04565533bb22799aeede8477e80eddaa198d1942fd8302712ce

                            SHA512

                            63980307d70a7f354b0b3b0b3967476d6a6224117d95cf700dcbb9cecac584c57e8806838f7998fc8d76d09a9909797e89037aba2d2b45b8369e4147ab490bf4

                          • C:\Windows\{B897F23A-72E6-4f2e-83AC-19A83BBDD403}.exe

                            Filesize

                            216KB

                            MD5

                            b31ee961b9d04486dfdac832fc53d198

                            SHA1

                            e76eb159c9704c49b7c0e69baaaaed98221fffe6

                            SHA256

                            e0b391729ebac2fa326d0ddcebd05064a75822a935db887019e23af0d0c070d2

                            SHA512

                            331fb23131cdfa97509a80b1732f9e12f2cd52dd6ba854a26b1a9d7f7cdc62fadf5d1d2a0908f30569f0c34b3c8a39975de2c7db896256535d47f229928ffbe3

                          • C:\Windows\{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe

                            Filesize

                            216KB

                            MD5

                            c4a73008ec858442fa2e304b72959179

                            SHA1

                            dbc3b545952b48747a29b71f648f98c1f313d0b8

                            SHA256

                            124170ab45717ec69c58d1b19e69ccb3d2879882a1929beb8388933e86a27b4b

                            SHA512

                            2943f202ea889f6c2eb9463e985e52a1a24a29e3320f2956212468aa13783fcde3c657d9e9c231791ca216811e5601860e764dcaa6b545147df1fcf9353f528d

                          • C:\Windows\{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe

                            Filesize

                            216KB

                            MD5

                            c06708a7ee3d9beaf40b5e1fa9887819

                            SHA1

                            853266e2d352a459afd5f2646185644c94537695

                            SHA256

                            b440fff7c2ad175b3fadaa2a59afc812acb5aa14ea97f084ba3306684313e7ba

                            SHA512

                            a0219566290261bab446bc68a4223b3ec575baa4b6a1041c27a15940601379799f98af6c203325378fe2e3a10e7ab4093ada06064fe19dae91bb914ce415aecf

                          • C:\Windows\{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe

                            Filesize

                            216KB

                            MD5

                            fa74123c4d42ccb29b5eddbb644fec92

                            SHA1

                            b28abaa264ffb025a9fd2b17b01718d6bfaaeeaa

                            SHA256

                            36456212b84774971e4b8a3f5143c49a0ad63b4ab9870ff523ab790631a2bc7c

                            SHA512

                            3e906f81efbfc460eef219baf430d96b280a52b9544cebd54f708728808f3ae2a9b0b1b7a0093fc9e3070e0c1863ff914acd03ac5ddcf5ff837ff349006c7d7e

                          • C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe

                            Filesize

                            149KB

                            MD5

                            ab4251560d591a16595d57fafbec3f23

                            SHA1

                            d4a0327b571e72632cab1f62ec1abbcff5ee3fcb

                            SHA256

                            ca398c6e58be97b8c5067e66f7cae8d13469958c931e8a298009839fc8e16c4e

                            SHA512

                            a36309be9b1a6ef6bc714af04990713dad6e13ff63015566536ef1ebcd2f061ab61aec4b4b4a03c9a184cd9ccb0b9f0606264d99e7e8a063075f30a6780ec279

                          • C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe

                            Filesize

                            193KB

                            MD5

                            a05e2d4ab667e304fc6fc9d2d033fde2

                            SHA1

                            95363472c7d8bb7ffa9498301ea6265b782fdab2

                            SHA256

                            6a8782c24a59012f65cb820084e79f9398fc0d65b753f0c8a36ef5bac2918802

                            SHA512

                            71b87119bd7d2f394e4c12646e7b19a4b473d7aeb4fbe4ed7620497d170ad4c1de7ae7f15a4ffff9e35123a016b4dd32e437393527e30c350b13b7dae3a18e00

                          • C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe

                            Filesize

                            184KB

                            MD5

                            c162c79643acba6aa8a7f58b648d44ee

                            SHA1

                            346575c368cc83ed62044595c9d575fcefadeecb

                            SHA256

                            60cd348c6434edd8ca9309bdb6f34e4503b27e98747a061c6e93b54fa3b21829

                            SHA512

                            22b85531b6f5cb910a96ead443fec4918b4281b8533d8766b6f51ca1032a7c5300c31cfc4a2e3d1da36a708a54d6f5ca914dd00b3cbff2adab6c6dc8a8692b79

                          • C:\Windows\{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe

                            Filesize

                            216KB

                            MD5

                            6e01c83d6ed1417feff6d51e632af5b4

                            SHA1

                            cfbf15359be83bf02e22dd01792175cf3e9a253e

                            SHA256

                            ccb1480e31dc4f3d14b1b2b2054e153fd522632dc64bf576789b9c1eb788b438

                            SHA512

                            fb6ddd3ba63176fd7316ba2e7ec2cb4b0480d7e877530822f69764b861db0019b2df8020d451c26ea8e85919a2a50a6ffd6ade5d4c830ff791ac64e92ac96c9a