Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 21:38

General

  • Target

    2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe

  • Size

    372KB

  • MD5

    5dafa0615125a3ba50e55994a49633fa

  • SHA1

    8e9722fa468434a42a756be6e92b8193a73282db

  • SHA256

    69f8d2729f10a3baa0c24d80a87d75539948803740042403638221db2d151354

  • SHA512

    db0e0ecf2dda507800c456cefd6a62f6fd42d63158e0682b2dee300e841bd71420e0b5cf48441524f738000c4e4f947e95bbc1b7260d517217736e4da596508f

  • SSDEEP

    3072:CEGh0omlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG4lkOe2MUVg3vTeKcAEciTBqr3

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_5dafa0615125a3ba50e55994a49633fa_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
      C:\Windows\{C2229C46-9145-4bf0-BB56-3FC1C8820666}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
        C:\Windows\{943ACD8F-78FF-46cc-A15F-A2983D3F4965}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
          C:\Windows\{F69FCB09-3716-4af5-9A80-2AA2C2F02467}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3376
          • C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
            C:\Windows\{AD77D935-85C1-44f4-AB99-A3D881D025B3}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1584
            • C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
              C:\Windows\{A4691274-0DA5-4348-BC86-6BC95A0EC9A6}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3208
              • C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe
                C:\Windows\{0337974D-4A2E-41cf-A858-73B338422D3B}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3032
                • C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
                  C:\Windows\{44B3FAA9-D431-4b8a-BEC9-7A43D10B5325}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:660
                  • C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
                    C:\Windows\{064EE90B-8AD5-4618-BCBE-3A1A57D2B63B}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2288
                    • C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
                      C:\Windows\{56499838-EC57-437d-ABE0-DD03CAEBB0B3}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3592
                      • C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
                        C:\Windows\{191B3F71-7970-4902-B7A3-EFE70330C04D}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3236
                        • C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
                          C:\Windows\{00FB8A83-1929-4527-B482-52FE748E1DA8}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2288
                          • C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe
                            C:\Windows\{77394D0A-5BA4-4714-9358-AB426C82E561}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3176
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{00FB8~1.EXE > nul
                            13⤵
                            PID:3224
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{191B3~1.EXE > nul
                          12⤵
                          PID:1828
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{56499~1.EXE > nul
                        11⤵
                        PID:4176
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{064EE~1.EXE > nul
                      10⤵
                      PID:3916
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{44B3F~1.EXE > nul
                    9⤵
                    PID:1912
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{03379~1.EXE > nul
                  8⤵
                  PID:532
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A4691~1.EXE > nul
                7⤵
                PID:2500
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{AD77D~1.EXE > nul
              6⤵
              PID:4588
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F69FC~1.EXE > nul
            5⤵
            PID:4092
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{943AC~1.EXE > nul
          4⤵
          PID:3236
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2229~1.EXE > nul
        3⤵
        PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:1584
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=752 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4788
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:348
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1288

Network

MITRE ATT&CK Enterprise v15

Downloads
