Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 21:41

General

  • Target

    2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe

  • Size

    192KB

  • MD5

    81e1743ca873a4fd9ec172c5a57c236d

  • SHA1

    124af3bf4796489d6cd7df309631e1d88b4d9607

  • SHA256

    90d0b0691479bd73f3e6cf274f6d3d8fab27c2adc8489a1f68e9429fe920e811

  • SHA512

    abc65e510002bd437512fa9edf7b8329280803c05941174f87dcd6a57be15c33fc4f7ba8b171473b54130c417f828fc31748e3114d76cc729c998cbc778dfb46

  • SSDEEP

    1536:1EGh0oRl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oRl1OPOe2MUVg3Ve+rXfMUa

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
      C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
        C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe
          C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2436
          • C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
            C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2964
            • C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
              C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:468
              • C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
                C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1928
                • C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
                  C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1676
                  • C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
                    C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1644
                    • C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe
                      C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1488
                      • C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe
                        C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2476
                        • C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe
                          C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:860
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B0CD9~1.EXE > nul
                          12⤵
                            PID:1004
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AABE6~1.EXE > nul
                          11⤵
                            PID:2020
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5E559~1.EXE > nul
                          10⤵
                            PID:628
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{00587~1.EXE > nul
                          9⤵
                            PID:2852
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E5672~1.EXE > nul
                          8⤵
                            PID:2680
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{36360~1.EXE > nul
                          7⤵
                            PID:2120
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{65A36~1.EXE > nul
                          6⤵
                            PID:2736
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{014E8~1.EXE > nul
                          5⤵
                            PID:2364
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{99CDB~1.EXE > nul
                          4⤵
                            PID:2400
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DE330~1.EXE > nul
                          3⤵
                            PID:2504
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2948

Network

MITRE ATT&CK Enterprise v15

Downloads

                      • C:\Windows\{0058770B-2F97-4cdf-9061-995DBFC7E360}.exe

                        Filesize

                        192KB

                        MD5

                        3676a0b39fea3ff0550740acbabccc48

                        SHA1

                        bf75ed13abd00528ceb189d45321a16a48fa6212

                        SHA256

                        2067b5a0904ed2787a6504113ee425e5990a769b7a53479e1bee6a05dc762e91

                        SHA512

                        b69ebb1a696e4eb4e35bca678f10bf7976ff4dac85d5531622d437963558e33b3c8ca5728e1f68a3dd56da0e3766f39a5c6d9a27d05f77c411ee40343b9e9fbc

                      • C:\Windows\{014E8685-45A4-4b53-A26A-E2F47321866A}.exe

                        Filesize

                        192KB

                        MD5

                        cc88fe9641bc4dd52adfda5343d53406

                        SHA1

                        7494fbd3e57967d58bca0e384fc921f7f46448b7

                        SHA256

                        321ae1fd42e4e8365854813ebfa57f519546d116947b5bc1360e05f287c1efa9

                        SHA512

                        26cd03707ed6baed35cec44eb63e71b4e119cfcaf65026e6c816d560e47bfa06e6f27f9c0d54765fafbcd10fd1d6505e02a3ca8f728e3ac864b601f5b26d6f5f

                      • C:\Windows\{36360ED9-5ACF-469e-87D8-5C8D9FC3F4A5}.exe

                        Filesize

                        192KB

                        MD5

                        7e03607394275d6189d04533b4d0f503

                        SHA1

                        4c4d95b784b812f7fd1aca2ba44a7625a75693b7

                        SHA256

                        62e33872fe852a18df6960267ce3e1d5550a56805e6967ee1b069e96eeaa8f7e

                        SHA512

                        e148c42d3bb3a250a315c823f39ca1c6309b927bca97bffc3144bf618b6d3061fa8f2afa9fb5bb08da234af2096e0f5c5db90abfba8336fc2cf53d4cf3b21349

                      • C:\Windows\{431A6667-4647-415b-BF7D-1DB71C339893}.exe

                        Filesize

                        192KB

                        MD5

                        af2226b1f99ea6e3cef0aa350d449f61

                        SHA1

                        975ed800da6df9dd2cf07fcf9c43c75bcc3b6f83

                        SHA256

                        b671b48dce982152aaea611f2c9421e02802242c5dfb63eaa6ae507daa01c082

                        SHA512

                        427c5448196fe3f921c31725fd0aa78cfa77b7b778d71c30635fe50a2ba1ab5f211f5d2ae4f6565e27f220b9d85709b81f01c12f7b183278e68a083f5a4dbf15

                      • C:\Windows\{5E559BED-486D-4e2d-A54E-46BF8F1926EC}.exe

                        Filesize

                        192KB

                        MD5

                        7c9674bb77aa94fbbf68319a0ea655a9

                        SHA1

                        712d4a9c14a64c8f774265dfaa6e3e9371bbe5df

                        SHA256

                        0c7afec432553d1fc3496b5514654818a1a8c8a0cdc42b322d64110c75d68042

                        SHA512

                        c94e5cd8b9a78af06c074718606b30c1c1a7d7b81220b1814b71bc1e21717debf4bf9ce6dba26c63fdf77a485637faa7b9a88382a2b3307fa6e7a5c956a1515e

                      • C:\Windows\{65A368A8-9708-4512-87B1-6603EC5F97FC}.exe

                        Filesize

                        192KB

                        MD5

                        bd4ec6d4525e8b587136394971beba94

                        SHA1

                        20534777e5834dbfb4e35c3a5f94767e5458e99b

                        SHA256

                        992e6c349ba887d6218eb267c63f9e85470df60c2f55fe814cb6fda44d9de4d3

                        SHA512

                        f8015eb6404c2f97c66704dd97727c819d3c168d477597592d0dda8235b52bf169d91063c313fa136c654f134d55361b9932ab52493a68975b785681329df8f9

                      • C:\Windows\{99CDB414-CDF4-4064-9420-EA6CF103F5D1}.exe

                        Filesize

                        192KB

                        MD5

                        2e1bc942e8496036a7ec152dafb49be8

                        SHA1

                        49bdb411dab31499e68fa530d72e780b1f347941

                        SHA256

                        73cb93940dabafadafff46649320fc2890411e4bd5441c97d885afa6fd96fd85

                        SHA512

                        296430ca0ac0d68a0ef235af848b1450e4628da1a868a9389922a8559638a0a4773577f0e37e3a65478e71ee32cc44d2f44f2ddb1e9b001737fd80a0964dd555

                      • C:\Windows\{AABE60BD-C741-4afe-9545-1FF019089B7A}.exe

                        Filesize

                        192KB

                        MD5

                        6ade46bec34defa673c810246aea28cf

                        SHA1

                        19acf06bf3d8f40627f486705a5e4c3e957ea3e7

                        SHA256

                        fb925708eb0f2128ed2a63ecc7fca2314abf1376fb05cc04a4d56d6b52216ef6

                        SHA512

                        9566a754bc3a0c2d383ad2fd7a1f8139125cd45819d06922ab41a012a175bf93d58d2bbece1de52c8c770db9931bea2eae6318d5681de345352d42725157474b

                      • C:\Windows\{B0CD9923-E6E7-43cc-A2CD-A575101B7A39}.exe

                        Filesize

                        192KB

                        MD5

                        aa5b1822951f496cde3997df058ee316

                        SHA1

                        9364ed6126601c4ca70c13e99e288feb35239af1

                        SHA256

                        1cacd2d2a2202134de18e6caa101031ff05c1c8b7751642d9b371ff861612066

                        SHA512

                        52ca09ea1749678f04f3608bf4aa56048e774b7af15a1c8e984c18668f241a83fb425e2fc9d947407ecb778c8825665b04b7c873f8a66ececd243f2f157ca5ae

                      • C:\Windows\{DE3302C5-CDB9-47ed-AA83-89B78A67B2AF}.exe

                        Filesize

                        192KB

                        MD5

                        e13aca139107da106545a2d03b31bd18

                        SHA1

                        76a9425041ab4fd03cc452685a34c144361ffadf

                        SHA256

                        0046739247a69b062926e9a3865069020397c20918798c0b42eb55a690b95f88

                        SHA512

                        e94a1e446ba6b39b3094881128696313e1ec1d7ac7a0e0051f16075b37b5575ef6a1dfac11a14696f3e4284fe1cb229b65f87aca62a893c1746907da21f72e4e

                      • C:\Windows\{E56728C3-DF08-4b4e-AC1C-D395A78EECE5}.exe

                        Filesize

                        192KB

                        MD5

                        157f984840c33b695fa372f84a49ff54

                        SHA1

                        3cd2cfb10b6e8d161a28883fb78c89b91260def1

                        SHA256

                        c7bf0d2140c2737dc7fbca9aaf814e6d205c9e31c3d2c158810d44d22fa7ca9d

                        SHA512

                        0e96c5d2b96bcf6b97b6efc06a49a6c3c2e05794f76d56a05a3b3c04759690053608aa1e7bc3f1192feb5e0b91080a871c5b5ef47451f3a5a0493bc550cc6e78