Analysis

  • max time kernel
    144s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 21:42

General

  • Target

    2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe

  • Size

    180KB

  • MD5

    8d82a2b777d782e76bfac9ed6d45addd

  • SHA1

    5c9fe416cf462ab504a214ad40878e31e3443624

  • SHA256

    969c106c3de921e51dcf8d9ed004be6c297ec89e1524c38622425cf687cbd4b5

  • SHA512

    bdda495669ac9472b57e5a5c5d1254fe6218bf0aa4a0083af896f75a4b0c15c6b2604b639ae43cb56848e59bd0d6b91572cdecbdd9f00c69dc6aa6b6ce0a88ec

  • SSDEEP

    3072:jEGh0oClfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGkl5eKcAEc

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
      C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
        C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
          C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
            C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe
              C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2684
              • C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
                C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2672
                • C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
                  C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2648
                  • C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
                    C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1248
                    • C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe
                      C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1568
                      • C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
                        C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:688
                        • C:\Windows\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe
                          C:\Windows\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1812
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{02EC9~1.EXE > nul
                          12⤵
                          PID:2444
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A52C~1.EXE > nul
                        11⤵
                        PID:448
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D93FD~1.EXE > nul
                      10⤵
                      PID:2388
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{57FA5~1.EXE > nul
                    9⤵
                    PID:2216
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{381BB~1.EXE > nul
                  8⤵
                  PID:1552
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{40704~1.EXE > nul
                7⤵
                PID:2748
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{34239~1.EXE > nul
              6⤵
              PID:1564
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C08CF~1.EXE > nul
            5⤵
            PID:2928
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0E037~1.EXE > nul
          4⤵
          PID:2420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F212~1.EXE > nul
        3⤵
        PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{02EC94C7-DEE2-45b0-8CD2-299380742F36}.exe
    Filesize
    180KB
    MD5
    21bc7436d9478f9131e14f9855d72401
    SHA1
    d6c7d683be20f50389fc5a29c9628d4e3c1a1864
    SHA256
    88f9059cc843fb1d8d5ca4541340113d9adcd967a2868b2ad9a034713a7a3374
    SHA512
    4ef6b6e267cbf712c89738a351e11edcce79ac11b18bdd05a59f716c36136a70937883c41c434bdaca184baff9ae6d0c7544e2210875c890d43287fc181862a3

  • C:\Windows\{0E037E02-F335-4fed-AB31-E2C49B1E0823}.exe
    Filesize
    180KB
    MD5
    5fa0084ea6a69bf7e98516fecf8ef6c5
    SHA1
    d5edec9d8854bf3153e0eac32f5e36ca5afd051f
    SHA256
    78916a038b4f035deb02ab14ba0caa75c732ebc1a2bbdabea5d934764f7fad04
    SHA512
    fe6147065847c6ddc6bf33e52a61234b4595f49bcedaf3ff130f37041f98e227364955aeeca464beae6bd3bed8518e7dfe3d4230f8e7e752fd7f6f0b30e4e344

  • C:\Windows\{34239C63-5A02-4f46-AC44-CA746C59DFF9}.exe
    Filesize
    180KB
    MD5
    d4187015c4c16bf2de929c7891f689d9
    SHA1
    d7bfccd8c1927c2721c527c0ef254ef3c3250f5d
    SHA256
    d873681be2a38c8a4fd14acba2d81bb20bef850012b03780dae52d9217683b11
    SHA512
    d632cc1ceaf5327c09515011e22a09228587191973180f2d346c0e4d0762649d7b1d920d33515e0c61a71fa0d2b2a655202fc16e8eebf5e4f4ac4addd0678b3e

  • C:\Windows\{381BB032-87EC-4fc7-8A9D-6F34A9AB38AC}.exe
    Filesize
    180KB
    MD5
    4651cd0b5ef1a128f28fe22b5d611f70
    SHA1
    80b8937e2b2eb9328aeb8129fcdc3bfd30f27a8c
    SHA256
    d3c656b9a7f22dce8b388f065513106b41b403c6ba9b1032bc0fd834d4505bb2
    SHA512
    7b33300fcf3f8de865add60a4d1ef67890e25e2d138cc7d0375b6c57aededc82db40a05b4a161b321431d696ab728c3568341725eba7773d7b656ca857290465

  • C:\Windows\{407049F9-154A-4f38-A988-6DCF262C8374}.exe
    Filesize
    180KB
    MD5
    5392ecc05f6cdb9a359c2bfe70d15158
    SHA1
    5d18789c6df531bd6db2b6b896d4ca13978c20a8
    SHA256
    f6208bdc71d71f5920a2741ff139ca6b5747abe0b505b317e4f8bd1359b282b9
    SHA512
    73f24e93f46a9a0daea02872fb34bded30282649e5af782f0a12e7967367588770f9be5df6a42a7aee76c9929c08d3f55497968fb8c3689407990ef5beb2fa53

  • C:\Windows\{57FA58AA-08CF-4bbe-94D0-3225F96FADBD}.exe
    Filesize
    180KB
    MD5
    d269e90beca3d45f4244adfa7011f427
    SHA1
    29b73d5d1283c61388cb9de1c83575d43528b1ae
    SHA256
    3143bea3e4379d83d6a66f0c57982cdb43e5f60d6d08a0638045b2de8fa2b127
    SHA512
    a0e199ff4b5fd6e112bfc9e88b3a4c734b33ee5f47dd5f99ed5775d1816abdc19924f6d4f58108c1c0208628eeaea63d616d432ee53a3b8705cbc85260b310f7

  • C:\Windows\{8A52C194-A382-4a98-8D16-46270DCD1027}.exe
    Filesize
    180KB
    MD5
    6cea902fc332e2c74cba3f05f9d314eb
    SHA1
    4fbd768f83add22faf116b126ab602743ac7fc85
    SHA256
    05a2f099f6882fdbd39839f0f35eab7953f1a0815635f2e73587cd224098685a
    SHA512
    9e541791d428c722b381d31f0d38ab9aebd7bf37ff31cada3f5e12921cb776635ff4ea503c621572bd9b8457636eec2e654278f9b349c1327449137d19ca21db

  • C:\Windows\{9F212FD2-E7F2-47a7-A344-2C22C2665C91}.exe
    Filesize
    180KB
    MD5
    f5982fb9bf7efd7d07b9abd717c1d524
    SHA1
    a42b25d2d7a2ac8abae97ca23a04dabf49d77a7a
    SHA256
    3d3d79d15a598a7bf0047f26022645f04374e187d71751533d45fe08755eefb8
    SHA512
    48999ebc379680246d1ca2262698892167591f9d3011870c8be09e5c1d6563363d84c1b988929ecbf32fe5a5b5d44531b66c68b7cb258a8198ceb3915e268221

  • C:\Windows\{C08CF7C7-C925-4c1a-BACF-4EB1A2A00144}.exe
    Filesize
    180KB
    MD5
    645f1e94b9481f93d97252ac617ef36d
    SHA1
    252a58b7ea7d003505b539ec575b013d882810bf
    SHA256
    c9eb0804423967adf6b6052447924168bde170e6a1da01c2f92e7b2c27e4b61a
    SHA512
    668c890a2c397160c640d9e0ea64863634cc7b2f74cdf283f34747161c61c511bb1a4046d1e3f30dd0716d928dc93a577f7fbab19a6d06dd8e7dee36c4eba530

  • C:\Windows\{D93FDDD8-765D-4767-9B22-8C43F8147A6C}.exe
    Filesize
    180KB
    MD5
    708a4a2b231b6715d1fa392392001e32
    SHA1
    5c4acdfa9020eca54a073b9d032c666744c4f167
    SHA256
    9b7f051c49f6e993879c889ae8e7c6837ab583769cb4f41d849fa346928fd63e
    SHA512
    fa4e3fe0713e89f892a3d39f295598cb340e09b1e10dcbff7dc4cae7f240df5b65998781586708719e28e70d9cf8addb5ff9865c3c5211fad381cbedad093212

  • C:\Windows\{DACC91CB-61D7-49c8-8271-B3BC73B132A4}.exe
    Filesize
    180KB
    MD5
    f125b894f3c72dda6670c1c3d4936fb0
    SHA1
    5a488bbd79f9cbf3f4aa0b9aae8b983637bf87bf
    SHA256
    61f3aa50b5f3aea2f004b555f9d347cdb5c2798507fa9cdd1eb9ddffcc8591a7
    SHA512
    2df315d36c4ead43b78c090f5f64fe4ade5d3b4f6aafe25133123644e6950cb0050d5d0ca4d40325cec141c9a997fc74533a5d5278e5cbff25df7edce80309b1