Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 21:38

General

  • Target

    2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe

  • Size

    372KB

  • MD5

    5dafa0615125a3ba50e55994a49633fa

  • SHA1

    8e9722fa468434a42a756be6e92b8193a73282db

  • SHA256

    69f8d2729f10a3baa0c24d80a87d75539948803740042403638221db2d151354

  • SHA512

    db0e0ecf2dda507800c456cefd6a62f6fd42d63158e0682b2dee300e841bd71420e0b5cf48441524f738000c4e4f947e95bbc1b7260d517217736e4da596508f

  • SSDEEP

    3072:CEGh0omlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG4lkOe2MUVg3vTeKcAEciTBqr3

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe
      C:\Windows\{32148707-3305-494f-A23A-AEC08124CDAD}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe
        C:\Windows\{D46139DD-DE2D-4650-BB17-228C544F5084}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe
          C:\Windows\{5263DFA3-8555-4a39-962D-E3CE219F7BC2}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2500
          • C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe
            C:\Windows\{18989597-ABEC-4ae2-AA1A-22CFEA3F033B}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe
              C:\Windows\{A456DE95-8899-4f29-8DCD-9B3337BAEB3C}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1848
              • C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe
                C:\Windows\{AAA72BC2-D132-45dd-914C-DF62A2F70AA5}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1428
                • C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe
                  C:\Windows\{0730A1E0-E3F3-4be5-AA2A-155FFACA25A0}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2288
                  • C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe
                    C:\Windows\{DCD29460-11A4-4d46-A081-02C2CD14383A}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1916
                    • C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe
                      C:\Windows\{69263369-47D9-4e42-A912-82A0B11DFD2A}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1708
                      • C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe
                        C:\Windows\{C9AC8D36-F11E-4a01-9E69-E2C26A7F4008}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:768
                        • C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe
                          C:\Windows\{DD100092-BC6E-42b2-B60C-35DABFEA50A3}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1276
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C9AC8~1.EXE > nul
                          12⤵
                            PID:2648
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{69263~1.EXE > nul
                          11⤵
                            PID:2428
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DCD29~1.EXE > nul
                          10⤵
                            PID:1772
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0730A~1.EXE > nul
                          9⤵
                            PID:944
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA72~1.EXE > nul
                          8⤵
                            PID:2304
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A456D~1.EXE > nul
                          7⤵
                            PID:1840
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{18989~1.EXE > nul
                          6⤵
                            PID:1096
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5263D~1.EXE > nul
                          5⤵
                            PID:2988
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D4613~1.EXE > nul
                          4⤵
                            PID:2332
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{32148~1.EXE > nul
                          3⤵
                            PID:2608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1324

Network

MITRE ATT&CK Enterprise v15

Downloads
