Analysis

  • max time kernel
    169s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 21:41

General

  • Target

    2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe

  • Size

    168KB

  • MD5

    7cef5df66ff7e58f9788b662f6f660c6

  • SHA1

    3be730923e04347c9b10dc89f65d08b4619d4517

  • SHA256

    4428b755338c423f4b0d8e3273b77918208171919fc3cf38b86df7565eb6bfe5

  • SHA512

    49d07f6427139419338d4083e78b6787e7f1b0e2be447b2cbba96630948a039862813ac5afbe759345a2e4fa75ed28c7b500256dca2c8382cff9fda75ec805e9

  • SSDEEP

    1536:1EGh0oflq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_7cef5df66ff7e58f9788b662f6f660c6_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\{FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe
      C:\Windows\{FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\{B290045B-5532-43bd-98FA-0A3BB423928F}.exe
        C:\Windows\{B290045B-5532-43bd-98FA-0A3BB423928F}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4276
        • C:\Windows\{C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe
          C:\Windows\{C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3784
          • C:\Windows\{81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe
            C:\Windows\{81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3124
            • C:\Windows\{5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe
              C:\Windows\{5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3540
              • C:\Windows\{3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe
                C:\Windows\{3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4456
                • C:\Windows\{AAA7A391-3447-4ff6-9012-41295DFB015D}.exe
                  C:\Windows\{AAA7A391-3447-4ff6-9012-41295DFB015D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4408
                  • C:\Windows\{3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe
                    C:\Windows\{3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2660
                    • C:\Windows\{816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe
                      C:\Windows\{816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3684
                      • C:\Windows\{2B6F47B7-2361-4aa5-8956-A18046597B13}.exe
                        C:\Windows\{2B6F47B7-2361-4aa5-8956-A18046597B13}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2800
                        • C:\Windows\{2C5EB3D0-1A95-4f19-A3B7-DCDE96F24897}.exe
                          C:\Windows\{2C5EB3D0-1A95-4f19-A3B7-DCDE96F24897}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:4632
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2B6F4~1.EXE > nul
                          12⤵
                          PID:4688
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{816FF~1.EXE > nul
                        11⤵
                        PID:708
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{3BD0F~1.EXE > nul
                      10⤵
                      PID:4284
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA7A~1.EXE > nul
                    9⤵
                    PID:5084
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3CF38~1.EXE > nul
                  8⤵
                  PID:1312
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5EB9F~1.EXE > nul
                7⤵
                PID:3660
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{81C6E~1.EXE > nul
              6⤵
              PID:4560
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C4FC3~1.EXE > nul
            5⤵
            PID:540
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B2900~1.EXE > nul
          4⤵
          PID:3280
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE9EF~1.EXE > nul
        3⤵
        PID:3384
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:4576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2B6F47B7-2361-4aa5-8956-A18046597B13}.exe

    Filesize

    168KB

    MD5

    cd733128c0e308b72d72222c94b7df49

    SHA1

    d63211e6561d74a474fa5d83afdbfa1047d40279

    SHA256

    b49a1daa939d5ee5adb9e8c1d710b3b221dce4f8d9149c46d7ec9ff577655cb2

    SHA512

    d7a17f5cc3f2c05f3fde58aa4c6b500f8ab90b7ae026d7c409bc49150c065d601b4cd85e95b311f4cfbb8ea89edabfe7a480fd91decd60a1ff6169f27e9bf254

  • C:\Windows\{2C5EB3D0-1A95-4f19-A3B7-DCDE96F24897}.exe

    Filesize

    168KB

    MD5

    029dc6161c26613d96a7a4b4b3b4dffc

    SHA1

    f6cfa08b40be15beb674318157fadb8bc7930a5e

    SHA256

    48e94e75da5d03856746a6c20c33d54110952455be23db508cab33b47d3ee8bf

    SHA512

    3408a17161380faf3929d0fc38a813a4eb587ea75dff543437ade8118a13360ac1cd07e35936ef50deb063b86aa6a31c42734d6936a239752f8063e7bff79a3d

  • C:\Windows\{3BD0FDE5-F562-499d-88A6-1D5175C70E3C}.exe

    Filesize

    168KB

    MD5

    04497063577ac5a95296566c7ad41fa1

    SHA1

    14c4d6465c6040e665c8b66d746e8506a88b7a16

    SHA256

    31430a180b9adebf350f22120b41a9c78c8abbc69571392d5a45793dce2448f3

    SHA512

    a7a7f77bd7ee2ff00d027532d7ebade3453795d7628806844f52a7f9d3952323cf7c0fea8fc7fc2ec0e693a3603b32cacdbff500baf13bf8fe89c0de37f26265

  • C:\Windows\{3CF3882D-C162-4d6b-9EE9-07EB5F538427}.exe

    Filesize

    168KB

    MD5

    51b9e0edd23e855abe00127f213902c2

    SHA1

    908ffe1ab99c0b2b68d5a49a1a504eefe4591b27

    SHA256

    88509b9fcac24bd64e34c03ad7cc07ca96cf8f98204b4554c40268564dfa706c

    SHA512

    83991a48260008315c622c83c177015587233e4f88e1c9db8054ff3d2e4562d3326606d1893f6997082b54fa59fc8c885b301c19307c224b4fcbce3eb6284f00

  • C:\Windows\{5EB9FE7B-DF6C-48fd-BBC9-5B6EB8C68B78}.exe

    Filesize

    168KB

    MD5

    0a2f616a3cb2851665c93247b25e3fb8

    SHA1

    0f78c94ba3c86c39b66f520a8653e1ea934a71a6

    SHA256

    471effea6aa8be6445590d5ba28aa326d2e6b90eac08e0d1e4bd1e9856817ec7

    SHA512

    b0a6799084b29bd2fe9e0771b43e169c3fd16a0a677772f5f9506a2986ea5be87e8441f96ebdf0941a296d310104e4028ea8fbfa7ca4e46f271d7983ff2e9b5a

  • C:\Windows\{816FFF5D-2CCF-4c92-BD44-AC5AC5EE0A51}.exe

    Filesize

    168KB

    MD5

    e7226646e3a60ed64eaf74a723fc91b5

    SHA1

    ad4b18607ec0157cb63d5f8fb591088fc98d53ab

    SHA256

    92de6be66c6f7f9e363843331a2361f2af403fc5ac377961f7a688ea50b11f24

    SHA512

    bea75621fd739becce980d13631e21a946640c3c4a6dc58a3626d492eab4b7a911a8950b35b9115f6aaaf99003ba73f5255357c5e6d9f3f620289dbb62ff770a

  • C:\Windows\{81C6E9F4-005A-4192-88FD-CA506FE4B2B6}.exe

    Filesize

    168KB

    MD5

    aef776603f0dd0a09b80414f7df2252d

    SHA1

    9b80f2475fdee3a3b367b945f01aec659bb5af66

    SHA256

    ef2deede31c0aa96b8783361f4b9f1c75bb0e9dc8e4e43ef5a116547427e04b5

    SHA512

    864e5424f5ef724cd7241018d2fd8511c4254edcc4ccc25ed7c29d95db81f4799bc96835f6aba157e6e00c0f586e4fe2e5ff8cea592b6d02bf1d2e717bfc6f8e

  • C:\Windows\{AAA7A391-3447-4ff6-9012-41295DFB015D}.exe

    Filesize

    168KB

    MD5

    718dc2cf5a98528a5415bcbff57d7329

    SHA1

    f56c1f84eb3bfe3f73d68138010e534f507b0742

    SHA256

    b048cfa954f123550f0dbdd757649950755024239d84bf09ca6965997d17a4d6

    SHA512

    270da870ce22a28e1e60bca66b8afa30bb7d6d4d1f27b8f37d130a522379cc3ed6095d951621f32461c92d4c21f34833fd91ef5d57de9d217d3d1894856fc6ac

  • C:\Windows\{B290045B-5532-43bd-98FA-0A3BB423928F}.exe

    Filesize

    168KB

    MD5

    e010487ac22595ac10b9487eb4153f9c

    SHA1

    4fcd5f6be77cce6f42ce37dd58f9dd5f3179ff2e

    SHA256

    d0149d9aeaca624841d732eb6ee40b2e033ffb1ac0a5d5302a917adcd6a48535

    SHA512

    9cbebcd801cada5fd97a2cd29d25a1c448fd64360e094a977402e86e6f0fef6e81f90e929ffb571739ffb735d1c9cca484928d605a0e869c3f677377e46f43a0

  • C:\Windows\{C4FC3941-895D-4be2-84B6-DB75E1DC8DC6}.exe

    Filesize

    168KB

    MD5

    317b45dd22b9cf6f71f4921bc86ccf0f

    SHA1

    d2c411ba3c3ad236f152adde3a9073e2b32e6e79

    SHA256

    48b904043bcbb79a7e8c0486c5f5cf090c1177bf60a169abc651ef8712f95c2b

    SHA512

    3b544d219a9c6366245a5e27055d4221308994806f278c1a75d470c14d665464a2c506dbe4115c5de916ac7e6ff0118b7ea5fd069e33b5e9356041987f91c530

  • C:\Windows\{FE9EFBFD-8CF3-40b9-B243-7EA11CB1C7D7}.exe

    Filesize

    168KB

    MD5

    49770e2c1f3f9e88b846d31fda13dd7e

    SHA1

    4f165ab1cd861f514eb4351ad9cb38cc50bedaac

    SHA256

    e0ccb8a3ec8149214d1d5c46fa4a2455b3ca40b5347aa568c55ea36d6af07a4b

    SHA512

    ce4ed586dbc90249fd0ca63c4fe7abf5b4c17951c9327aecc5ba299b007ae1a177d9e35463a63a378a1d80698fc88cd0bcf627e7b8604d438bd98a3a3a5aee5c