Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 21:42

General

  • Target

    2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe

  • Size

    380KB

  • MD5

    837c0fd552356df3d2305046cc7d3d4b

  • SHA1

    23cf430ffb0c039c39500fe2aa072dcdd34d9d93

  • SHA256

    ff779869f3ec1748be4fed69aeb5618d518d546933c61efd728b64f751adba1c

  • SHA512

    d1a5e7fb6af1e81da050658b37c0d137eadb2ed8c7f033b4b25567f9bb88604724aa4d3f827ecf3acb3b1883aade945b5f3d8601025881de6f1db94421cc9939

  • SSDEEP

    3072:mEGh0oFlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGzl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
      C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
        C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
          C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2352
          • C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
            C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2800
            • C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
              C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1780
              • C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
                C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2640
                • C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
                  C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1796
                  • C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
                    C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2236
                    • C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe
                      C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2972
                      • C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe
                        C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1096
                        • C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe
                          C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2920
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{27DEC~1.EXE > nul
                          12⤵
                            PID:600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6B8BF~1.EXE > nul
                          11⤵
                            PID:2452
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A1D1A~1.EXE > nul
                          10⤵
                            PID:1640
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7B755~1.EXE > nul
                          9⤵
                            PID:1772
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{76BB6~1.EXE > nul
                          8⤵
                            PID:1972
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D09BE~1.EXE > nul
                          7⤵
                            PID:2688
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5084D~1.EXE > nul
                          6⤵
                            PID:1996
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{552C4~1.EXE > nul
                          5⤵
                            PID:1032
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CDBC6~1.EXE > nul
                          4⤵
                            PID:2388
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{77CD1~1.EXE > nul
                          3⤵
                            PID:2636
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{27DEC9A1-8DAC-4882-91DE-FDFF851DFF6E}.exe
    Filesize: 380KB
    MD5: ecfa67ca309dcd91067482210fbc5acc
    SHA1: 4ed2fd71943e7201a7299588877e6bc15a340be3
    SHA256: 8e9ad34c2b3bd026fdb5de263d56d6c59aebb7b29a5bc5b14fa0a40518a4216b
    SHA512: 88ecdc92cd85d885d2f2babc2f4e5e2c423c8f9d70f6b776d443f8259b2d1093fdd54c0b4e7ef8ee73117f5523985812ac687125691207c6ebc0e841b71e64fb

  • C:\Windows\{5084DCD7-41FB-4d2d-9FAC-44C558D9FCB4}.exe
    Filesize: 380KB
    MD5: 606ec459a4b6e3bd1207bd9f95b5e6cb
    SHA1: 2f1b89e60ba4c6eaa489b2913807e64b436bb0f5
    SHA256: 2b7dd6a4f0c21c7a3d1a7510497696062d88904510d7494b73d6627764776722
    SHA512: 093d41a0ba1325288a5136ea7b7bddc04b3f8e6e08710203899b280ecad91de908d9e895e2adcafe65e9cfdc3d1b2c0572f9722d667ae1c648fb64dc4509eaa2

  • C:\Windows\{552C4C99-FF3B-465b-BA8D-2677E978339B}.exe
    Filesize: 380KB
    MD5: 2777fa5e1be5c605e5fd6f9440d0baa4
    SHA1: e0fba6a706320d4f170c5d696ba30eee8aee7351
    SHA256: b76a14689b09ce1bd70d2dd550da3f3a512f1f87636deba606ae1847b9b9cdb3
    SHA512: e31cae8fa14a6224d1527d3d03fbbfb36caf6cc567bc1bf67575c437b51e4b99c64f77e928be1a157e28da98041d442be6fd84b4a5941d9e6d650901381a3cdd

  • C:\Windows\{6B8BF25E-AF64-4106-B440-CB9B7D25E01F}.exe
    Filesize: 380KB
    MD5: 61222317d009b4b6cac9003d1f166e08
    SHA1: 24da2b0e6b15468c9b45f0ce3071e9cf2c9a6998
    SHA256: 7d2811fe8a42c3a0f60accac941a0c68e7f02e6dc5102eb4b85695ca9069c10f
    SHA512: e367a7e16f1c9dce20516cf4dd46de19274a0e6649f6ff8c320bd3ad0ddd3021481ba900f22af1092ab9ce8ffbee2d041fbf8ab0757f224f588841651be26a9e

  • C:\Windows\{76BB640B-575A-428a-BE82-C5786FAD51B9}.exe
    Filesize: 380KB
    MD5: bc185c4496e190b3b9195773a4c6cce1
    SHA1: 48718264dff644847a29d526fcd67f6cde9dc83a
    SHA256: 7534c9685edfd1c3942dee12f5cd57ebcf7ed58cf1d1e9139f3a3728eadb65b4
    SHA512: bd09df3132d134566817d8ad4d5f1d273ae34cca06227e1b3336ae0776966605836a7957617007dcb50fd9e0418eb38be18145395809b980e0a5c76202e5333f

  • C:\Windows\{77CD1F87-2DF1-423f-AC4C-DA4FBCCAF966}.exe
    Filesize: 380KB
    MD5: 8119276d91f4b40b60adce6c21f71219
    SHA1: b63287e100b2cfa3116a0d3ef2db616f691cdcbf
    SHA256: cf6f4ce7e613fcae276d50ca2f69f367ddd8f02b65c97cb973b6024579293e95
    SHA512: 11ea2c286f28e0252e89aaa0927f7b439a86fcfbd68ff31b01c0f62f951019ea14a4b2dd063d310a4a8a540a1952a9ec437ee21d4543ea37c485217b90ed0d2b

  • C:\Windows\{7B755DF5-4E59-4cca-897E-FB39F787FD9F}.exe
    Filesize: 380KB
    MD5: 5a794c77f05bfa80939af48e2ed512e2
    SHA1: 1591a153627a0e003b165375e45fff9f3a5544f1
    SHA256: 5da35fceb0fea8246f18968acf0bd991fc07f4fa129be35a4638538abfa19a04
    SHA512: 9aad56d130cd778ed884191edd36330d5da47600d313ec922b6db7f3150b18951033b1efbd689348fd7f609331ae28b26872381ed46c853604c8490ec737037f

  • C:\Windows\{A1D1AD90-5180-40ab-BFC7-3E4EFDF903D1}.exe
    Filesize: 380KB
    MD5: d1a27f97a01b3dd2d390063e96b7fae3
    SHA1: e8724a98c3bcd2a980cab66a25eb47a87ab938aa
    SHA256: 78d24c1cac5b0c701eddec1d08e60f81a101dc27e026c909272cba1276025c45
    SHA512: 99f1b4f7ffab9c111d3901eb2ae359b7381eda31effe2c42ef231cca45cb4deb4a86d607c48dc3ff06db28e47db5607cb4ea3384f967f3a51476ca1e936468db

  • C:\Windows\{A4D4A3D3-B8BD-4026-9893-456F0CB3161F}.exe
    Filesize: 380KB
    MD5: 81f52e039898ec0933e7b58d350ae348
    SHA1: 1cd8cbdce585b3c78a714d12e48d8dfb05c8f9a6
    SHA256: 14a099c3994ca6bd0202ca995999e65c3b4025245514292c6850aac8662e7ded
    SHA512: c1ddb2b4fc2c57656f3caf08605236efe1dd938e1586af5942a2aa6076d6f61f65e4c719e37c222118636853fb22aaccb168e1ddb61cbb0ca8b79a558550fbd5

  • C:\Windows\{CDBC6046-A1E5-46cd-AE0F-E45A3334504B}.exe
    Filesize: 380KB
    MD5: 1ba8316b339c048e713544a6e277a9f4
    SHA1: 24c01ecfdb09578bd776bf1a45775766465531cf
    SHA256: fefa335cf3babb286be5cf274fd1696729ba30013dea193a62d6a7de2d19f0a6
    SHA512: 3d34278b5968cb560808662510ffc408aeae5ead12beda3ee321e93ba5c51021551d0f323cf210479d5136f470a841a1782cb9f70b6d72cb431a097f40b6bcfb

  • C:\Windows\{D09BEC34-7243-435f-8B72-74C5DBC25840}.exe
    Filesize: 380KB
    MD5: 3456312515fc86c9e6c61185dfe845b1
    SHA1: d38203b6777979800a19ec64e7070d0c0c89f337
    SHA256: c7270ee7923058514b091f8d35b433884581702aa1646ec2c93afebcba755471
    SHA512: d6844cc0026409abc52ee57b97bb046038830fbf9932e868e06dc0e0c7ddea4f1965d99cd383755a93b6c05322783ae41f97faa5038ba40627d13fd91bc079d5