Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 21:42

General

  • Target

    2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe

  • Size

    380KB

  • MD5

    837c0fd552356df3d2305046cc7d3d4b

  • SHA1

    23cf430ffb0c039c39500fe2aa072dcdd34d9d93

  • SHA256

    ff779869f3ec1748be4fed69aeb5618d518d546933c61efd728b64f751adba1c

  • SHA512

    d1a5e7fb6af1e81da050658b37c0d137eadb2ed8c7f033b4b25567f9bb88604724aa4d3f827ecf3acb3b1883aade945b5f3d8601025881de6f1db94421cc9939

  • SSDEEP

    3072:mEGh0oFlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGzl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_837c0fd552356df3d2305046cc7d3d4b_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe
      C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe
        C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4316
        • C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe
          C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:628
          • C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe
            C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3388
            • C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe
              C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2128
              • C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe
                C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:784
                • C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe
                  C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4240
                  • C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe
                    C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4976
                    • C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe
                      C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1620
                      • C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe
                        C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1584
                        • C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe
                          C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4368
                          • C:\Windows\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe
                            C:\Windows\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3968
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{AA87B~1.EXE > nul
                            13⤵
                            PID:2968
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{62A37~1.EXE > nul
                          12⤵
                          PID:1500
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A1DB~1.EXE > nul
                        11⤵
                        PID:3524
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{BE9B2~1.EXE > nul
                      10⤵
                      PID:392
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C22~1.EXE > nul
                    9⤵
                    PID:4232
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D5807~1.EXE > nul
                  8⤵
                  PID:2872
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{59FA6~1.EXE > nul
                7⤵
                PID:4668
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{10A33~1.EXE > nul
              6⤵
              PID:696
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4FBC5~1.EXE > nul
            5⤵
            PID:5100
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{94643~1.EXE > nul
          4⤵
          PID:4104
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DBE1~1.EXE > nul
        3⤵
        PID:1192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:5088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0A1DB3E5-A661-4d3f-8762-45B0C5A8D30C}.exe
    Filesize: 380KB
    MD5: 8df644c8ce934f0658a1b090a8b60135
    SHA1: 90c195f26893a62c79f35845176c46ad6246784b
    SHA256: 6f6adb49282080df9fed16035d647fffdabc5a2d1b824e52939186a98ce3b741
    SHA512: d3e22bff79035845da04b048293e7a61428e73a0ea64780ee20931b82d14cccff645a43d416c108d48cfde6c95bb55dba5c0f2776a2e2a0844f166606f9c3a33

  • C:\Windows\{10A33EC7-8B05-4d8b-AB01-443BF40F81DB}.exe
    Filesize: 380KB
    MD5: 76e2c9c89fc9018b6341ce6703d90972
    SHA1: 839ae26f4a7ce6da90075f04fa9a0e13a71339a1
    SHA256: fc58a08dd58c46f829e56f6c5509fbfbf8cec6a4a1ef55af138973372d0508df
    SHA512: 1a60858f8204c90a89a654b3afdef6686318ff015320cd2546355a1a65f686d9caad525c07b9eaab105f1a802fb6ab84ef322b28bcd91bbe98b240199c062074

  • C:\Windows\{4FBC5147-3ADE-4a23-9190-916DE8470E1C}.exe
    Filesize: 380KB
    MD5: 8640c6e630e04837db90d4b7d3e52ea4
    SHA1: f796f43766f1f754d0908f87c709a50e552971a9
    SHA256: 1df5b4c69186780d93a1565c3106ab961490d8cfad06b15009dcf8b1f4d5b3ca
    SHA512: 28dfb9ff2571dcc3429c61fea867cf35687ab11cc84b6631c04255cc7948257e93880adee3486a5924ef84de461491229b4425e0fa455eabbaedcfb1e1435c36

  • C:\Windows\{59FA6CD1-02F0-4ad9-816A-6E2BC6F23F96}.exe
    Filesize: 380KB
    MD5: 8b404d9b600bcc1ee62c08d77167c396
    SHA1: dc75790484692817320bfc9da1eb9d3c0a7ea4e1
    SHA256: deaa14017d304d5db3b6986c691220a779b28fca32a5954b21abb9e005e5e35f
    SHA512: 9a252da99de9190fd0fc9cb0144e02bfd633255ba46583f4628de384b59be8dbb4f1ad32a42a5903d2c8a207db8f3b2e7ee17952acd94cf193df98484d43142a

  • C:\Windows\{62A3783E-94BD-4885-A11C-C39147543A1E}.exe
    Filesize: 380KB
    MD5: 6e6fb211f921abf8d847ecb17e993ee6
    SHA1: 5c5e3fa624a0aa875476f3818fe041656506e365
    SHA256: 10b8478d7cabaca7738c776a9bc25d321a3390cc478cda6e4587a50982d1395c
    SHA512: 8c4317df5c8136a12a058e7151569bcb0ddb78afd53530af209c88ff832c821b961dee66f74f9e34f8aefab030015cb4e8b1f1b1d83a1bcd18659946e6c2c8a9

  • C:\Windows\{8DBE1B83-E263-48be-B221-FF8B6966EEDC}.exe
    Filesize: 380KB
    MD5: 7569f0e99dcc1f8dfaf49a4b81e30b19
    SHA1: 90b3674e924d0777d75dc2a2e63292a6fc09561b
    SHA256: e2add24ad35a517f1d97e3add6470db553238771d20644685888a8ed46aaf6e6
    SHA512: 2f9e0bebbb9a0710a33eaacc4b6acf3c95e40a38370b830bd7878453e8909c01ef5e4b3692eb71c6b4c7ab2c8a0e5c886f3a72d7e345e6ef673451b28aba92bb

  • C:\Windows\{94643B98-6781-4d9f-B07D-D48BE14C3EFD}.exe
    Filesize: 380KB
    MD5: cd12d9f7fa73b6e961ecd6a3a3cc48ff
    SHA1: 938c651111b14c13ecb04a00458532a66bde57ad
    SHA256: 6cae6410e5f5b84ecf2d119a8f8faa3588cc1c61f1bbadf6041e656615485679
    SHA512: 2299c5cc17ce951f44d26ab16734e7900075f432ece5fbaed8e22bd5670f56bac9ec40f3d882d8fea5e0a84bd701ef2a99abf514674c6eb11e185ad3ecc5bde1

  • C:\Windows\{A1C220E9-CC14-45e6-AD09-33AB41F7FC0C}.exe
    Filesize: 380KB
    MD5: fc44709c80b4b0ea239262396eaeda8f
    SHA1: 12e22c6e7128675c65ee0973bfad44aed5084e0a
    SHA256: 0591e33c93f4ad1490d9c3fcf82e0d9031a403434de9233e499eac493939cbd2
    SHA512: 99b131beeb4eff75d45b4f11b7f7ec04cb97857fba9f837715f77af6c592adac6567a17a24f36db5990d794f89291691ae4aa7c5460835c36c50052f4d2e9758

  • C:\Windows\{A5873103-31D1-41b1-89DE-A08D98A4033E}.exe
    Filesize: 380KB
    MD5: 0a2d7fb2800e4328e0835ed84484b856
    SHA1: 6db18d268702f1d755f5a669be3e843670f8f076
    SHA256: 8addf6dd0acac8521ebd55d7dc7e86ac381f4d61d66918beb5ab36c3386fc640
    SHA512: c71bedc69d7689da7d717c9baec39457f05857e8f091ef93fe41b42243e7f01f05340e6dad2b169fb28dd7711118d665eca4774b161766ebbef39fc268e90d6c

  • C:\Windows\{AA87B5C7-FDA2-4f58-8637-46322B4A3AB4}.exe
    Filesize: 380KB
    MD5: 9a5ae08cfbfaab489aec55b628da0ef0
    SHA1: 030dc45a77c4cd3c18195a37688c93540d48e191
    SHA256: a96caaa577c50660a489477668259175b94162b1b3960b4b6cab83cd0898c9f9
    SHA512: 1f2e6af11391fd8098a6af5c5a8407d2311f73d775d46e9bcba5e8f3d8d16b0801a3f3073653e555394cada3af7d5b4d1c9c099629c1d4e20037a1775c64c0a2

  • C:\Windows\{BE9B2563-BE57-46b0-BE42-3F10123ECA81}.exe
    Filesize: 380KB
    MD5: 43b4263342c96c25c18673876c7bd1a6
    SHA1: e4ac2781bee86ecee7ca17897721fb26be4b63f0
    SHA256: 6e44ae73bd44288eba7203d1af38364dea3a15d811ab4fd16a5cbd09d8db4137
    SHA512: 557c0a63036cde0a440d0528bd9bd22ab043c39d272f5bca8f8b2ac18a1e523f38feb6dd0458016ce86a13cd990121ce70d27a55be5bc2cc62a17bd5d2c84d8d

  • C:\Windows\{D58074FD-FD34-4583-B801-BEF67A2C0E23}.exe
    Filesize: 380KB
    MD5: 13ebe2192a03339802aa57a6a91e9ac0
    SHA1: f4605319e28d45594b16be3c3e8a5819ee3b6ad4
    SHA256: a58bab623c4aee6ffc0acd3aa3d071b9d83332523fea3ca4d2a4318a3065bba5
    SHA512: 867f5dfc6dff9157893ab6260f64abbbc0e07c10baa019402114ded4681810beff0c47a5094af8563b802caa35f85d0c27d87ba08ece9ff2849140f21d415435