Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 21:38

General

  • Target

    2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe

  • Size

    204KB

  • MD5

    6030608dbda6f24061302a8b96132583

  • SHA1

    cd1e19ddf03775d138f6fc00ba20572f68d2690d

  • SHA256

    3c8f713770473a68fa2f70b65f1c2298547b78ca26462e0d7db89518b8fbe950

  • SHA512

    bda887b542d4825d6583addc4fcefa68ea03e67e2d093ee85d5bc9c6291899add0486f616458619a55b1eec9b2ff5debad8e3f4202aa29ae324c1bf63f1cdcbe

  • SSDEEP

    1536:1EGh0oGl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oGl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_6030608dbda6f24061302a8b96132583_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
      C:\Windows\{E10E4A0B-590F-437c-905E-3C783C71CDA1}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
        C:\Windows\{881AFE50-BC32-4b7a-B555-0CE23EAB06F1}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe
          C:\Windows\{264F2785-FCDD-43e0-9391-59585FD2D279}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:920
          • C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
            C:\Windows\{0B4C961A-EED7-4a39-9D5D-C5168275DF5E}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:800
            • C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe
              C:\Windows\{5150B930-5E72-4a46-B950-332CBB906302}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1976
              • C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
                C:\Windows\{3B859A2B-4CBF-4780-B9B8-741BDECC7CD2}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2636
                • C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
                  C:\Windows\{B37BB6C0-DEAF-40ef-BCF2-E4FDC05B640E}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2316
                  • C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
                    C:\Windows\{55DF49BB-C557-48a3-AC23-D1507FB4642B}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2292
                    • C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe
                      C:\Windows\{B1186066-2F68-49c8-AD03-A226BCBAF6F7}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1508
                      • C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe
                        C:\Windows\{B856CE78-B9D7-4af9-A331-19E9FAAED1AB}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:660
                        • C:\Windows\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe
                          C:\Windows\{8EF93032-56DC-4257-B6BC-A36CA443290A}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:268
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B856C~1.EXE > nul
                          12⤵
                            PID:2916
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B1186~1.EXE > nul
                          11⤵
                            PID:1764
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{55DF4~1.EXE > nul
                          10⤵
                            PID:1216
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B37BB~1.EXE > nul
                          9⤵
                            PID:1640
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3B859~1.EXE > nul
                          8⤵
                            PID:2312
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5150B~1.EXE > nul
                          7⤵
                            PID:2280
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0B4C9~1.EXE > nul
                          6⤵
                            PID:1624
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{264F2~1.EXE > nul
                          5⤵
                            PID:1484
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{881AF~1.EXE > nul
                          4⤵
                            PID:2444
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E10E4~1.EXE > nul
                          3⤵
                            PID:2400
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2856

Network

MITRE ATT&CK Enterprise v15


Downloads