Analysis

  • max time kernel
    163s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 21:40

General

  • Target

    2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe

  • Size

    408KB

  • MD5

    6f29dcdc7a7f53d474224d34ee51fa0f

  • SHA1

    b81b05f21fcca70fd8991138c83490c53beba0d1

  • SHA256

    f7e5eaf69fbc116974ea24609d5d6bd6848e9c0f99189287eacfac2adf37c68b

  • SHA512

    64329cd588b0a71009260b3d6c83bff27b554fe0a0510b36b0529bec10b525361ce00064225f7c56e45184118429bef488b6100490afb8a7aac9edccd742ab9c

  • SSDEEP

    3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGhldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe
      C:\Windows\{31EDCB23-44F4-4da3-B945-B35B3D0236B4}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe
        C:\Windows\{D30BD1FB-9454-4021-BC8A-807F2B48262E}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe
          C:\Windows\{78484906-3E05-4eb6-B854-DF5D89173846}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2496
          • C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe
            C:\Windows\{289F9504-EBFC-49d1-B678-6B78A87086CA}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:324
            • C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe
              C:\Windows\{AC01FDFD-E4A1-41f8-9C34-E1FED628E8C0}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe
                C:\Windows\{D39C0DB2-CCC3-4243-A40F-3448C59DB9C0}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2660
                • C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe
                  C:\Windows\{1419DB5D-EA81-42e4-939A-0C03F53CA380}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:292
                  • C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe
                    C:\Windows\{0510C931-7787-43f5-86D2-F76C23F61058}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1780
                    • C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe
                      C:\Windows\{A7573E6A-AA59-48b6-83C9-7270C1D9F8EA}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2088
                      • C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe
                        C:\Windows\{B9863AAC-F9EB-4ca6-93CB-6C97771A3852}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2880
                        • C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe
                          C:\Windows\{4D208725-A94E-4af5-8FD3-D4F616AD043A}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2964
                          • C:\Windows\{2E766309-DD79-40b5-9A84-6EE9AE596652}.exe
                            C:\Windows\{2E766309-DD79-40b5-9A84-6EE9AE596652}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:872
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{4D208~1.EXE > nul
                            13⤵
                              PID:1864
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B9863~1.EXE > nul
                            12⤵
                              PID:1420
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A7573~1.EXE > nul
                            11⤵
                              PID:1896
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0510C~1.EXE > nul
                            10⤵
                              PID:2968
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1419D~1.EXE > nul
                            9⤵
                              PID:1668
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D39C0~1.EXE > nul
                            8⤵
                              PID:1396
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{AC01F~1.EXE > nul
                            7⤵
                              PID:2348
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{289F9~1.EXE > nul
                            6⤵
                              PID:1756
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{78484~1.EXE > nul
                            5⤵
                              PID:2768
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D30BD~1.EXE > nul
                            4⤵
                              PID:3008
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{31EDC~1.EXE > nul
                            3⤵
                              PID:2464
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                            • Deletes itself
                            PID:2548

Network

MITRE ATT&CK Enterprise v15

Downloads
