Analysis

  • max time kernel: 149s
  • max time network: 121s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06/04/2024, 21:40

General

  • Target: 2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
  • Size: 408KB
  • MD5: 6f29dcdc7a7f53d474224d34ee51fa0f
  • SHA1: b81b05f21fcca70fd8991138c83490c53beba0d1
  • SHA256: f7e5eaf69fbc116974ea24609d5d6bd6848e9c0f99189287eacfac2adf37c68b
  • SHA512: 64329cd588b0a71009260b3d6c83bff27b554fe0a0510b36b0529bec10b525361ce00064225f7c56e45184118429bef488b6100490afb8a7aac9edccd742ab9c
  • SSDEEP: 3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGhldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_6f29dcdc7a7f53d474224d34ee51fa0f_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe
      C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
        C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe
          C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2024
          • C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
            C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4864
            • C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
              C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4536
              • C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe
                C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2452
                • C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
                  C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4388
                  • C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
                    C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4196
                    • C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
                      C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3052
                      • C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
                        C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        PID:4200
                        • C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe
                          C:\Windows\{7587AF25-E249-451d-BF08-00CDB8CF0F2A}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2480
                          • C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe
                            C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:440
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7587A~1.EXE > nul
                            13⤵
                            PID:856
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D54A8~1.EXE > nul
                          12⤵
                          PID:3748
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3462~1.EXE > nul
                        11⤵
                        PID:4304
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{15C66~1.EXE > nul
                      10⤵
                      PID:852
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{88181~1.EXE > nul
                    9⤵
                    PID:3784
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{0413D~1.EXE > nul
                  8⤵
                  PID:4832
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EB124~1.EXE > nul
                7⤵
                PID:4060
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1C36D~1.EXE > nul
              6⤵
              PID:2156
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6434B~1.EXE > nul
            5⤵
            PID:408
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C12F5~1.EXE > nul
          4⤵
          PID:5080
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{430C0~1.EXE > nul
        3⤵
        PID:4392
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0413D311-79DF-4b3a-A516-83117C660534}.exe
    Filesize: 408KB
    MD5: a39610067739f57b48e06ee2c5f34a8b
    SHA1: 20e12a6e21abaf6b95aa9bfb9bb86bc091107e84
    SHA256: 4cc0271100a268d1c2143804a5fcf311a676fad922214740fd8023eaba0ffd06
    SHA512: 0c7a5ab84d11fd57820c91d25853168ceeb28837f2680009ae06a61bf70e3eef731236d8df0f25b7e1b2a383dbb09fa60602a2cc455b63ccc2fa1037e5272e36

  • C:\Windows\{15C66E93-6B3D-49ec-B317-0430026ADE94}.exe
    Filesize: 408KB
    MD5: 6ec5b5d358618dedf62e751bf3890bfc
    SHA1: 28ba1d595367c90c92d1723e9d1bf3d757fb4cf7
    SHA256: bd14821c89f79e9493eb5d05292b6148478e899a6032a2e4e9d65efdbdea174f
    SHA512: 4cdd674e0043e75facc512f2b9a27598249701bd0403ece77b9746ecc73a828ba7b6574aa22a883280c8259ae2583a5763cfe47dcf9987791041cd434b7570a8

  • C:\Windows\{1C36DDC1-5C71-4d47-ADD7-2989BC02BC3E}.exe
    Filesize: 408KB
    MD5: e6e51094eca4bedd2f1b13ef454742e7
    SHA1: ea4b92e5978de3b7bff9ae8690b5c210fe18f0ca
    SHA256: 4c3702b1416be1933faacde794ee9f03e8b2e27bfad410ad6024048ac5320193
    SHA512: d92aa36823aedcb0a35cafad4fe088780fc0edeb0ac46a3508f945c89a7a41a394fae5e5eac3a36553c04979f860e3c02076ed657c952b11079438d70e2523a3

  • C:\Windows\{430C0D23-6441-441f-908E-103B561E44D7}.exe
    Filesize: 408KB
    MD5: c97f744563f30f2cff976e20081defe6
    SHA1: a4f58ee0e54e0127e91d0e699117c722e2167f35
    SHA256: 0fcca0dc8400e420cbdc7db070f9a611f7567b18f2d71fb8f89d32527edeffdb
    SHA512: e7c077613bc05ed7a75aa5ee38f0e8c17ed5732b5125d21841224c68757effacb4334b18cc99e65b032943bcbf1f510f650ac37ebcd4fc7b71154a1d6991db68

  • C:\Windows\{6434B841-0202-4607-A9E8-7C037F2850E7}.exe
    Filesize: 408KB
    MD5: f03ea52bea24c3a0d1a198cf81de8092
    SHA1: 0e6b5d171389f5327d9990becf623c59ab754b0f
    SHA256: f27034159c845de8f32061bebe252063eaade31a8366883a6a8c95803fd5dcfb
    SHA512: ef1c87dc9bd9c5394ed9336a05cc36f0375930c75ef7911f8ac4baa20cf6cfa238785f572b1fd3982f56b2da161b8dc0505175a7d139255edd8c33e553945680

  • C:\Windows\{88181780-0C18-4c7d-97DC-59C8EAC165FB}.exe
    Filesize: 408KB
    MD5: 531304c7fdb0bc8146f104a4adad9675
    SHA1: d3875494d4a02c85e5a8632672511fd6425f594d
    SHA256: cfa3ce881589ad94b0f0ae036c1c7336e9486adcf62e75dd8e68aa03e6000cd1
    SHA512: efb1880f5262204bd516b46b5c7ef3b0ab4efbe2f60364d476d2c4758349236285ba89092cfa2535417ad9f32b418ecfddd87edf722b57d46fbcae88cfce2cbe

  • C:\Windows\{C125DA88-4BDD-4e68-ACB0-5247BFA937E2}.exe
    Filesize: 408KB
    MD5: 13d0abda867b2401b429e7ce80bed628
    SHA1: be63fbcb6ae198892fa576bcefee57d9fc24a653
    SHA256: 364dcc64baa86c6bfcf85acbfc6c5f0c3d4887351e864b350916b5a14c743acc
    SHA512: 8faf821ec28ccce6c9241ecd76d1458ba86cdfcd615dafd3f15d6aec36eb69fcb1c0492078aa5bd51e9041b488ce50057261c04bb6c4dc41e10abf3f4d099a0d

  • C:\Windows\{C12F5EF4-26A5-404d-8E8F-8DBEF50626AA}.exe
    Filesize: 408KB
    MD5: f265abb664ef4aa60c0f4078ff0be588
    SHA1: ce6077253b8d5ff646428af05d8378d436512a99
    SHA256: 20f70f72f4ad740061c0e4c517c01b5b3693166517a8d1805dd1b55942e146d3
    SHA512: ea2f02146e228299cf3c3b96858a9afca9481a7380f0cd5109c35cbe846d8087c7661f71872a10c29e43a2c4e6689a0b56d6012a8c09b0413c66446e8b359fc3

  • C:\Windows\{D3462F47-0247-4ac6-8E5B-45AEA6C5F749}.exe
    Filesize: 408KB
    MD5: 4ff75fbdc64938bcd263958fa0849402
    SHA1: 514edef1ecd7a1ac5309762e8b347647e701b3c3
    SHA256: d7521de6bfa8716a0038671cf2ad885f7443a4c0c9b82045298f1d88f17090da
    SHA512: 0324cfed26ab15f715f53bd5936fe2dabe67440e4991d6c83bc23b84558947d4dc4d9124ac78641969f14c91bbf25276c5d1c290f273341aa8de83a88073988d

  • C:\Windows\{D54A8DF5-6FD3-4588-A326-7B20F770469B}.exe
    Filesize: 408KB
    MD5: d8fd1cb7d56ac0a840dc966f4cbbeef8
    SHA1: 00f097c0072e79955342cfd60c250bce455bba0e
    SHA256: 328496c062585ad67b235829978f827d8ca4fa56208b4f3fa4d1abc3cb96bb86
    SHA512: cee9d68c81ba051ae9a4ea043433b4ec715de374d51607f0f6da7b2f57eb2750a913f6e4f9596d2a9844f0e6b91161c9c10e21959910b72410300a83ac64278b

  • C:\Windows\{EB1241D1-F7D7-4ca2-9FF2-B8EBE7395CD0}.exe
    Filesize: 408KB
    MD5: fcd8d8bbaa1f5855a41c6fd8ceacad22
    SHA1: c1baaa1cd66315929754756ea800b2fc8f4fbd5d
    SHA256: 342f98550d67769a421208462a929687da787109d4b9866e0e87e5be88ec661a
    SHA512: 7443fdfbc7ee7016c0edd373f396bc01a0df7c4052cdb8e775a193647d792c25b2a1231b1a095c45e4556692b40d2e55a1f6f7e9c525c5b30b2a8c646ea86030