Resubmissions

21/02/2024, 11:43

240221-nvrlysef4x 8

21/02/2024, 11:40

240221-nsy81sfb53 10

Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/02/2024, 11:40

General

  • Target

    2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe

  • Size

    372KB

  • MD5

    9bf351853b70dc260a5baac08d6fbaeb

  • SHA1

    77430875bf961ab9e1f0c81892476b2164df5287

  • SHA256

    66ef52467495a8042844dccfdaefabb7d3c690c3f29b3ec29a2c292ed766e874

  • SHA512

    d56c700b6424a44b49ec7dad44dfef639c89a6ffc828b2cf9e214ea43184997cdd3a826ad4045b0ceae4deacd1cb8180c6b9441a04800b80d090c41a17f0ed52

  • SSDEEP

    3072:CEGh0oVmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGKl/Oe2MUVg3vTeKcAEciTBqr3

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\{425541C1-9EF5-4255-B9F2-6CE883301DD7}.exe
      C:\Windows\{425541C1-9EF5-4255-B9F2-6CE883301DD7}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\{B9C6A167-84AE-474d-BB75-3B187F077B45}.exe
        C:\Windows\{B9C6A167-84AE-474d-BB75-3B187F077B45}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C6A~1.EXE > nul
          4⤵
            PID:1620
          • C:\Windows\{C79B1FA6-F16F-4d0b-B450-CAE5466474B4}.exe
            C:\Windows\{C79B1FA6-F16F-4d0b-B450-CAE5466474B4}.exe
            4⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1580
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C79B1~1.EXE > nul
              5⤵
                PID:2528
              • C:\Windows\{D570C405-6C64-460e-8CBB-942F4FEB1160}.exe
                C:\Windows\{D570C405-6C64-460e-8CBB-942F4FEB1160}.exe
                5⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2428
                • C:\Windows\{8F1DD5C4-D9D1-4cf7-A3BD-F0AA46E2C481}.exe
                  C:\Windows\{8F1DD5C4-D9D1-4cf7-A3BD-F0AA46E2C481}.exe
                  6⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1552
                  • C:\Windows\{1D4CEA67-C585-471f-B20B-FDFCA095565E}.exe
                    C:\Windows\{1D4CEA67-C585-471f-B20B-FDFCA095565E}.exe
                    7⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1848
                    • C:\Windows\{A985B6F0-6C62-468b-B404-82AFF2B84F40}.exe
                      C:\Windows\{A985B6F0-6C62-468b-B404-82AFF2B84F40}.exe
                      8⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2004
                      • C:\Windows\{01EF3918-450E-4047-ABCE-DB27EDCAF86C}.exe
                        C:\Windows\{01EF3918-450E-4047-ABCE-DB27EDCAF86C}.exe
                        9⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1720
                        • C:\Windows\{BC1288EE-A221-43a8-8D26-9036C0A599EC}.exe
                          C:\Windows\{BC1288EE-A221-43a8-8D26-9036C0A599EC}.exe
                          10⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2772
                          • C:\Windows\{8A901F5A-5792-4afe-864A-600136B373F5}.exe
                            C:\Windows\{8A901F5A-5792-4afe-864A-600136B373F5}.exe
                            11⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:596
                            • C:\Windows\{8370D4B6-909B-4b46-BF05-B29BA00795CB}.exe
                              C:\Windows\{8370D4B6-909B-4b46-BF05-B29BA00795CB}.exe
                              12⤵
                              • Executes dropped EXE
                              PID:2116
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{8A901~1.EXE > nul
                              12⤵
                                PID:1712
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{BC128~1.EXE > nul
                              11⤵
                                PID:800
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{01EF3~1.EXE > nul
                              10⤵
                                PID:1528
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{A985B~1.EXE > nul
                              9⤵
                                PID:828
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{1D4CE~1.EXE > nul
                              8⤵
                                PID:2040
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{8F1DD~1.EXE > nul
                              7⤵
                                PID:2028
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{D570C~1.EXE > nul
                              6⤵
                                PID:2012
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{42554~1.EXE > nul
                          3⤵
                            PID:2592
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                            PID:2700
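
The process listing above is flattened: the cmd.exe children appear after the whole chain, and only the level marker (1⤵, 2⤵, …) says where each one belongs. As an added example (mine, not part of the tria.ge report or of the sample), the following Python rebuilds the tree from those markers and flags the two behaviours the tree shows: execution of GUID-named executables dropped into C:\Windows, and each stage removing its own image through `cmd.exe /c del <8.3 short name> > nul`. The records are transcribed from the Processes section; the parent rule (nearest earlier entry one level up), the regexes and the prefix comparison are my assumptions about how to read this layout, not something tria.ge provides.

```python
"""Rebuild the sandbox process tree from depth markers and flag the drop-and-self-delete chain."""
import re

# Constructed from the Processes section of the report above:
# (depth marker, PID, command line). The report lists the cmd.exe children
# out of place, so the tree is rebuilt from depth order, not list position.
RECORDS = [
    (1, 2824, r"C:\Users\Admin\AppData\Local\Temp\2024-02-21_9bf351853b70dc260a5baac08d6fbaeb_goldeneye.exe"),
    (2, 2084, r"C:\Windows\{425541C1-9EF5-4255-B9F2-6CE883301DD7}.exe"),
    (3, 2856, r"C:\Windows\{B9C6A167-84AE-474d-BB75-3B187F077B45}.exe"),
    (4, 1620, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C6A~1.EXE > nul"),
    (4, 1580, r"C:\Windows\{C79B1FA6-F16F-4d0b-B450-CAE5466474B4}.exe"),
    (5, 2528, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{C79B1~1.EXE > nul"),
    (5, 2428, r"C:\Windows\{D570C405-6C64-460e-8CBB-942F4FEB1160}.exe"),
    (6, 1552, r"C:\Windows\{8F1DD5C4-D9D1-4cf7-A3BD-F0AA46E2C481}.exe"),
    (7, 1848, r"C:\Windows\{1D4CEA67-C585-471f-B20B-FDFCA095565E}.exe"),
    (8, 2004, r"C:\Windows\{A985B6F0-6C62-468b-B404-82AFF2B84F40}.exe"),
    (9, 1720, r"C:\Windows\{01EF3918-450E-4047-ABCE-DB27EDCAF86C}.exe"),
    (10, 2772, r"C:\Windows\{BC1288EE-A221-43a8-8D26-9036C0A599EC}.exe"),
    (11, 596, r"C:\Windows\{8A901F5A-5792-4afe-864A-600136B373F5}.exe"),
    (12, 2116, r"C:\Windows\{8370D4B6-909B-4b46-BF05-B29BA00795CB}.exe"),
    (12, 1712, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8A901~1.EXE > nul"),
    (11, 800, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{BC128~1.EXE > nul"),
    (10, 1528, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{01EF3~1.EXE > nul"),
    (9, 828, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{A985B~1.EXE > nul"),
    (8, 2040, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1D4CE~1.EXE > nul"),
    (7, 2028, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8F1DD~1.EXE > nul"),
    (6, 2012, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D570C~1.EXE > nul"),
    (3, 2592, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{42554~1.EXE > nul"),
    (2, 2700, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
]

# Assumed detection patterns (mine): a {GUID}.exe directly under C:\Windows,
# and a cmd.exe one-liner that deletes a file and discards the output.
GUID_EXE = re.compile(r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
SELF_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul\s*$", re.I)


def build_tree(records):
    """Return {pid: parent_pid}: the parent of an entry at depth d is the
    closest earlier entry at depth d-1 (the root gets None)."""
    parents, last_at_depth = {}, {}
    for depth, pid, _ in records:
        parents[pid] = last_at_depth.get(depth - 1)
        last_at_depth[depth] = pid
    return parents


def analyze(records):
    """Flag GUID-named drops and cmd.exe children that delete their parent's image."""
    parents = build_tree(records)
    cmdline = {pid: cl for _, pid, cl in records}
    guid_drops = [pid for _, pid, cl in records if GUID_EXE.match(cl)]
    self_deletes = []
    for _, pid, cl in records:
        m = SELF_DEL.search(cl)
        parent = parents.get(pid)
        if not m or parent is None:
            continue
        # del is given the 8.3 short name ({B9C6A~1.EXE for {B9C6A167-...}.exe),
        # so compare the part before '~' with the parent's image name instead
        # of expecting the full path to match.
        target = m.group(1).rsplit("\\", 1)[-1]
        prefix = target.split("~", 1)[0].upper()
        parent_image = cmdline[parent].rsplit("\\", 1)[-1].upper()
        if parent_image.startswith(prefix):
            self_deletes.append((pid, parent))
    return {
        "guid_drops": guid_drops,
        "self_deletes": self_deletes,
        "max_depth": max(d for d, _, _ in records),
        "parents": parents,
    }


if __name__ == "__main__":
    result = analyze(RECORDS)
    deletes = dict(result["self_deletes"])
    for depth, pid, cl in RECORDS:
        name = cl.rsplit("\\", 1)[-1]
        tag = ""
        if pid in result["guid_drops"]:
            tag = "  <- GUID-named drop in C:\\Windows"
        elif pid in deletes:
            tag = f"  <- deletes image of PID {deletes[pid]}"
        print(f"{'  ' * (depth - 1)}[{pid}] {name}{tag}")
    print(f"{len(result['guid_drops'])} dropped stages, "
          f"{len(result['self_deletes'])} self-deletes, depth {result['max_depth']}")
```

Two details matter when turning this into a rule. The deleted file is named by its 8.3 short name, so a rule keyed on the full dropped path will miss the delete; matching on the short-name prefix against the parent's image name is what links them here. And the process image is C:\Windows\SysWOW64\cmd.exe while the command line says system32: that is WOW64 file-system redirection for a 32-bit process on x64, which agrees with the arch:x86 tag, so image-path rules should accept both spellings. The last stage in the capture (PID 2116) is the only one without a self-delete child.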

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{01EF3918-450E-4047-ABCE-DB27EDCAF86C}.exe

    Filesize

    372KB

    MD5

    fc0d9486c544779920bec4cd7b7be1a4

    SHA1

    63b1e0f3e308798cde18809302b0595dc5563fcd

    SHA256

    c73b4e80bb3364ddf4ab1db880332e3063d3c77615167994a98a339ef22ec507

    SHA512

    18469bffbd77fac412354f86bb082831a631ff5f308f4a60e8232784f059dd8dea04f22e3166c466ffe74aa6c609bafb8108719853912eb9d726c0ba8d89896c

  • C:\Windows\{1D4CEA67-C585-471f-B20B-FDFCA095565E}.exe

    Filesize

    372KB

    MD5

    948e9236eded84f89e31b8a7d587b0d0

    SHA1

    be67ab4058097f12b1ac6deaadc198cdfae8853d

    SHA256

    e680dbbd707c3166ce85ccdbf68c7aaa4ed645e0ce2086406228ff153397565e

    SHA512

    64dc6a0465795b4cbbf5be55efdaafeaef0ae2a7a6e38d62fd26b6c2da7be690ddff044d68da357f26abe3500ff6ad767ac9b8a826714a6175b294265834e2dc

  • C:\Windows\{425541C1-9EF5-4255-B9F2-6CE883301DD7}.exe

    Filesize

    372KB

    MD5

    e47311f408bb0e0a2144de4062f3bc6b

    SHA1

    6aae75c767e159969ca51ac6fe33f4029d4dc84b

    SHA256

    89dde51d70c0e01b94137f72df7929bdbcedc6b20c9bd758737d34d5ceacbff9

    SHA512

    66dddd131dac9239b95cf3bd8c905f797ec285e2596591fb7d007b28080e1f09f041444016801c12dd3fd42c52c796fa69d01ef11aec97eed899b47e0191f4a2

  • C:\Windows\{8370D4B6-909B-4b46-BF05-B29BA00795CB}.exe

    Filesize

    372KB

    MD5

    e6eb09ed25ac11c5cdfa6540ab28cb3a

    SHA1

    b8293d32d14fd6e392cba4904b454c0eb13fe264

    SHA256

    e872fdf5faa428d267c22b387d4b703e1684b91aaa05db43fbfd30cd2823ce5a

    SHA512

    bef9ee80df9639b767410dd596fbb6773411e00dc701fc7724016bbc5272224ce280f60e16da3312243ad041e427f6522603ee8c7087d60e32968213a5882d93

  • C:\Windows\{8A901F5A-5792-4afe-864A-600136B373F5}.exe

    Filesize

    372KB

    MD5

    b8c091f2e66c9398798591a7194fd9bd

    SHA1

    59dd76b2d116cfcdcb98627b6dce034ab94d53ac

    SHA256

    6100d5fd0036a77a595f22d8cc62af587902b79f7754d4413161af6ba527edcf

    SHA512

    3341eca4721bd49840b32d391126d2b593d30d0ee7e5e4dbcccf5094be727ad44133398359355c20c903e2eab31a707c526fd329613b1f1536cdf637787fb932

  • C:\Windows\{8F1DD5C4-D9D1-4cf7-A3BD-F0AA46E2C481}.exe

    Filesize

    372KB

    MD5

    7aafbe49fdcf29117533fb0d2bec8261

    SHA1

    ead379075f30e085d903c9bf003cfacc74fe65da

    SHA256

    c3192b9d825e7e463769cb1e180433abb225d17efa6bef7f8474614ed547512e

    SHA512

    debd525b0330ce404fc3230432c49dca093dc481556f0c84286519d8f2427195effe47db13d09f7ac4ff6ff6ea3188ce84b717cff319226ad094180f5d29989c

  • C:\Windows\{A985B6F0-6C62-468b-B404-82AFF2B84F40}.exe

    Filesize

    372KB

    MD5

    c8b421142c9928012f236c0c83dbba42

    SHA1

    58a298d6718ee372d3303fb25e120de738a1e700

    SHA256

    9833adf5a8c868cbd399b983100c4239cd86c5284be383d2f992cca2e030b4ad

    SHA512

    ec1ab8cdeda63aa71f082ca3203d64238abc4f5693a3d5382e9fb1edcdd4c8fc6ac121f31940b911cc3b7311c8264c69a48e2c1eabb039b2b2fb1bae67483b05

  • C:\Windows\{B9C6A167-84AE-474d-BB75-3B187F077B45}.exe

    Filesize

    372KB

    MD5

    0e9912bf6af7f6fe1f6dee5d4b48a53f

    SHA1

    b203efe5b332ebdb732e17c4fdad9109ddd4905e

    SHA256

    2604d3623d0203e0730c520ba106e0c881f81c3df55a17e28b414f4a6941c6ef

    SHA512

    309193d897c7786f53ceaa88bdfe1621a5f707cd79913cca401e1a67bd6970fba56499d6ae5066478e634bc94e3e3c59ad3821dc8d86f1d9029681327c5a410f

  • C:\Windows\{BC1288EE-A221-43a8-8D26-9036C0A599EC}.exe

    Filesize

    372KB

    MD5

    d0d33229b85de58b75b028a537f7be12

    SHA1

    db3300d39a561a33b8b98926e4223c01fe897252

    SHA256

    826bc9e0ebac231e591d08db6d2f7df7acc2a6fc7449466313c20d21b0c3b8b7

    SHA512

    d34394e92d35417f1d83a38decd1bf7522e2430407a72388a58a2f61628eec70465bf2a04f9d904abf945b297cdeb09c57dfb92775bd010193e49e0f11ef1574

  • C:\Windows\{C79B1FA6-F16F-4d0b-B450-CAE5466474B4}.exe

    Filesize

    372KB

    MD5

    4f4d89f289dfec95f20cafb9fd89ba0e

    SHA1

    9a3737283cb6c6290a40d7d13057679c84e2719b

    SHA256

    8a152465225f92f0c538c0bc3200c64ba71fa296a864f62147b8fce768c0ff2f

    SHA512

    c202b5291b945b12b7acd6a4a0ff8d115f054541c2153eddd06f0b1fc015749d1bd21ae0032a2c5453dd54300a241c2a32c13bf8dd49005027bee73466ad27e8

  • C:\Windows\{D570C405-6C64-460e-8CBB-942F4FEB1160}.exe

    Filesize

    372KB

    MD5

    8898083c164d38f0aa357f3246ef57d1

    SHA1

    3a1cf580ebddd7f809a43420365df3eabbb27c11

    SHA256

    cbcba6b21417c1eb4af78c7ac925d20e6065260d042f000f91db44769c646585

    SHA512

    e263c0bc81e812b30cc846c1f3048a813a24027e12947807df57d90963beed647b5bd026f9fd0788b56da872f83f3be64b450cb7a6ad364fd2f300b49b5fdf58
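
As an added example (mine, not tria.ge's and not the sample's code), the following Python turns the Downloads listing into a hash IOC table, indexes every digest, and checks candidate bytes against it. The three entries embedded below are transcribed from the listing above; the parser and the matching logic are my assumptions about how to consume this layout. The `same_size_distinct_hashes` check states what the listing already shows: every dropped stage is 372KB like the submitted file, yet no two share a digest, so a hash block-list built from one detonation only matches that detonation's artefacts, and the path pattern and self-delete behaviour are the indicators worth keeping.

```python
"""Parse the report's Downloads listing into a hash IOC table and match against it."""
import hashlib

# Constructed excerpt, transcribed from the Downloads section of the report
# above (three of the eleven dropped files; blank lines between label and
# value are omitted because the parser ignores them anyway).
DOWNLOADS_TEXT = r"""
• C:\Windows\{01EF3918-450E-4047-ABCE-DB27EDCAF86C}.exe
  Filesize
  372KB
  MD5
  fc0d9486c544779920bec4cd7b7be1a4
  SHA1
  63b1e0f3e308798cde18809302b0595dc5563fcd
  SHA256
  c73b4e80bb3364ddf4ab1db880332e3063d3c77615167994a98a339ef22ec507
• C:\Windows\{1D4CEA67-C585-471f-B20B-FDFCA095565E}.exe
  Filesize
  372KB
  MD5
  948e9236eded84f89e31b8a7d587b0d0
  SHA1
  be67ab4058097f12b1ac6deaadc198cdfae8853d
  SHA256
  e680dbbd707c3166ce85ccdbf68c7aaa4ed645e0ce2086406228ff153397565e
• C:\Windows\{425541C1-9EF5-4255-B9F2-6CE883301DD7}.exe
  Filesize
  372KB
  MD5
  e47311f408bb0e0a2144de4062f3bc6b
  SHA1
  6aae75c767e159969ca51ac6fe33f4029d4dc84b
  SHA256
  89dde51d70c0e01b94137f72df7929bdbcedc6b20c9bd758737d34d5ceacbff9
"""

LABELS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1",
          "SHA256": "sha256", "SHA512": "sha512"}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def parse_downloads(text):
    """A '• path' line opens a record; each label line is followed by its
    value line. A 'Label: value' line is accepted as well."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            current = {"path": line[2:].strip()}
            records.append(current)
            pending = None
        elif current is None:
            continue
        elif line in LABELS:
            pending = LABELS[line]
        elif ":" in line and line.split(":", 1)[0].strip() in LABELS:
            key, val = line.split(":", 1)
            current[LABELS[key.strip()]] = val.strip()
        elif pending:
            current[pending] = line
            pending = None
    return records


def ioc_index(records):
    """Map every recorded digest (lower-case hex) to the path it belongs to."""
    return {r[a].lower(): r["path"] for r in records for a in ALGOS if a in r}


def hashes_of(data):
    """All four digests of a byte string, as the report lists them."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def match_sample(data, index):
    """Return the recorded path whose digest matches `data`, or None."""
    for digest in hashes_of(data).values():
        if digest in index:
            return index[digest]
    return None


def same_size_distinct_hashes(records):
    """True when every record has the same size but a unique SHA256."""
    return (len({r["size"] for r in records}) == 1
            and len({r["sha256"] for r in records}) == len(records))


if __name__ == "__main__":
    recs = parse_downloads(DOWNLOADS_TEXT)
    for r in recs:
        print(r["path"], r["size"], r["sha256"])
    print("same size, distinct hashes:", same_size_distinct_hashes(recs))
    # Constructed bytes, not the sample: expected to match nothing.
    print("match:", match_sample(b"not the sample", ioc_index(recs)))
```

`match_sample` tries every algorithm because feeds rarely agree on which digest they carry; indexing all four from the report lets a single lookup serve MD5-only and SHA256-only sources alike.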