Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 21:42

General

  • Target

    2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe

  • Size

    180KB

  • MD5

    8d82a2b777d782e76bfac9ed6d45addd

  • SHA1

    5c9fe416cf462ab504a214ad40878e31e3443624

  • SHA256

    969c106c3de921e51dcf8d9ed004be6c297ec89e1524c38622425cf687cbd4b5

  • SHA512

    bdda495669ac9472b57e5a5c5d1254fe6218bf0aa4a0083af896f75a4b0c15c6b2604b639ae43cb56848e59bd0d6b91572cdecbdd9f00c69dc6aa6b6ce0a88ec

  • SSDEEP

    3072:jEGh0oClfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGkl5eKcAEc

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (12 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_8d82a2b777d782e76bfac9ed6d45addd_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
      C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe
        C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe
          C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
            C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4524
            • C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
              C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5072
              • C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe
                C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3400
                • C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
                  C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2204
                  • C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
                    C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4648
                    • C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe
                      C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5020
                      • C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
                        C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:932
                        • C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
                          C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1528
                          • C:\Windows\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe
                            C:\Windows\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:5012
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{146E4~1.EXE > nul
                            13⤵
                            PID:3160
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{86D80~1.EXE > nul
                          12⤵
                          PID:332
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{32886~1.EXE > nul
                        11⤵
                        PID:2436
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4CC2B~1.EXE > nul
                      10⤵
                      PID:4580
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{41EA5~1.EXE > nul
                    9⤵
                    PID:4040
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{76ED5~1.EXE > nul
                  8⤵
                  PID:736
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{2E60B~1.EXE > nul
                7⤵
                PID:628
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C79A6~1.EXE > nul
              6⤵
              PID:3816
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{65629~1.EXE > nul
            5⤵
            PID:852
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{278AF~1.EXE > nul
          4⤵
          PID:1564
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BEBE~1.EXE > nul
        3⤵
        PID:2132
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:3112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{146E4933-B102-4ed9-84D1-0DDE11C40ED8}.exe
    • Filesize: 180KB
    • MD5: 2912d1caa77748e5fa3f95c8c1d15ece
    • SHA1: db8cbc93b83849ec11f09c88ec0e923190c4a4d0
    • SHA256: 83e2b8bfdbea0fd79c8d2c47aa4c42656c41bd7bb4f03bac74481e33832e7d39
    • SHA512: dc80ad65af21d30d983451b3cc21ebbb6ea42bd6b3412545346a098a4be32ef866fd1cdaf9dea2efe67333707a150003c4bcdfcf890928769745ef219894b4ab
  • C:\Windows\{278AF669-9213-44bb-9714-726BA685660D}.exe
    • Filesize: 180KB
    • MD5: 6134450ece3c6d582608228f58c337ef
    • SHA1: bb582bdd6750e1e3859439960b70b7934836ceb6
    • SHA256: 49146285394797f80b71c0492c3f168d2ae4d370d213082ff57679679ca7b08a
    • SHA512: d1bf87d478e45827bd7e39372af8cfbbb7c09d85f2473f78dcaf36c3726dd4744da54dcc1f8df92e083372577cffc73ea8e9a93534150099cf5071733b22db27
  • C:\Windows\{2E60B719-3A63-4176-AC7F-62BBF397CBF6}.exe
    • Filesize: 180KB
    • MD5: fdda85422879f69397e1a4e738e35513
    • SHA1: df718d254fdc4a14184878e7a030e5ba431c7fde
    • SHA256: c4bdfcab796b7b3e015f12e1f9340381f55e9be1b1a76bdd88e30512be17de36
    • SHA512: 3909cc67a0cd6a0627a0738a3eccf3eb9d7e6c002c393277ee1990d69b97080b97e13cfdbee2185a1d07cc9d4b4345e3a7968d7ef842d2be55bc38acb7ae59ad
  • C:\Windows\{32886B16-178B-4b18-98C6-C3F4595281F8}.exe
    • Filesize: 180KB
    • MD5: c3bf9dba1a2ceb13acd410db4d726d06
    • SHA1: 1d03a136a91008e0fcf438648f490c6c8d3236d2
    • SHA256: 36073b13e36eed30738c8c7b171b28a61715350fb63030be7c9d8178d7d58576
    • SHA512: 3da1fdf906ddd32d12ee8a30c141952240bdacac451e5253c080a90247845b4a75c383ecc1a33a676ddfb1bec5f4fc19aa7e6b20555bacfe551c9495eb405095
  • C:\Windows\{41EA55C0-93F5-4848-83C8-9421A078FE23}.exe
    • Filesize: 180KB
    • MD5: a9cdfafa97c40058aac892fb6e056a0d
    • SHA1: effa6a53b8fecd1681cd48b3817ce8e888391e2e
    • SHA256: 3f694aaf56a0aee5f73f42002917873c2c153ad0e09417a7ff64c7a75c0fc5f1
    • SHA512: dad7eb6b476007a5d4235d4446d805fae6182a9d978f65babdc6ff306428714729a1c59593cf4be7e48fbe05162da00a1f2fe04abb84801f20a7c77bfc27e6bc
  • C:\Windows\{4CC2BEF2-8C7E-41b4-9E44-62F7047A4B2C}.exe
    • Filesize: 180KB
    • MD5: 793408a61333c587995894434376d967
    • SHA1: 8f9b450063afef9a35736bc2b5e871d40353ff8f
    • SHA256: bbc6b690e7928a39972ef0ae7aa541680380138e39dd75759f5717814e70ec67
    • SHA512: 521bdb7da053190ed8ddc722829c233ec66c82808100f17cb935f8f0f6805d3c79021c7d77848f85eb00b2c2d5b6c8efcf8fba936386dc43802460216c095a12
  • C:\Windows\{5BEBEA82-0AAA-4c3e-9060-46D85ADA8DE5}.exe
    • Filesize: 180KB
    • MD5: a58b04d8ad755a69f26444cfdd8b463f
    • SHA1: c8d3504bad61c2a725983e0e8dd1ed74890899fc
    • SHA256: 546ac77cc07ed72cf92395814b1c824e6fe9f58e4f3e18efeacd127f4d9343d4
    • SHA512: 47941f06e601ea0b4b6c2114a6c936e5273ed02e667968d75ced5bda2f49a4bb0bc6e0444e1b1b6c304b5f8ee85a98aab15e5a3a08a90939e6b83192d3a47ae4
  • C:\Windows\{65629895-740A-431b-BA87-438EDD33690F}.exe
    • Filesize: 180KB
    • MD5: 56011916d51e8109cc76cbd32484a527
    • SHA1: 94a94613bcf13e921342eada13dd127a835647b6
    • SHA256: f852a61d47bb80a38d819d44dec712a9eacf14ccec3c3f4ee7e4e8574d3a5cdf
    • SHA512: b438ec82b2063e969b64db150e1cb367774ca22fa949192263aa473f702a7de996bdaee6f910ebc0c076e8f8dd915b1c4f7bb9e91e4fb95b597069fe23b9e817
  • C:\Windows\{76ED5798-F50E-49f6-8587-1BE750C57253}.exe
    • Filesize: 180KB
    • MD5: fbc9859664284baf51a3f311b5b0e975
    • SHA1: 38431c941aefccd091eebd44ee3afeb50beaaac6
    • SHA256: ccfd8d9b18f6586aa9294b81d759610ce6729a33bad2c4f2d881a71128c88165
    • SHA512: 0dd93ad300f2b983807e92f905cb8f29b9f182326da4a122186f7464538339927c16dce660af3f2c344a767602495be1d8a6c74d80a1298ae33b73889682cfe9
  • C:\Windows\{86D806EB-98D7-452a-B4D5-AAD7E91D8C96}.exe
    • Filesize: 180KB
    • MD5: 078d6db615d52707787b75e92450a492
    • SHA1: 642859694f6de0ba28a1874ba8dd6fab0efb608c
    • SHA256: 7334ae862cd657f138d0fcb9f9ad21f28e4862d8d3bdd8de1ad1eadd45300c37
    • SHA512: 42a8c44a546e1f63c30468e89a36d1bbf61d824d0466d86d0e36f15b1b639f9a58c1c32a1aa046762343bd4ad759dfee2c6e8fe4ac04277ff1b8906ff7282b15
  • C:\Windows\{C79A6706-EF0B-4b0f-B50F-97EFFE5B3C09}.exe
    • Filesize: 180KB
    • MD5: 7e67e11a2ad8cc6b0651a6334072a49e
    • SHA1: 673102eebe297978b5554a7cfa14acae2b22ac69
    • SHA256: 2c56417f56f48eead0c1d97bb2fa141e217845f87e52c4cc668121cf75d945dc
    • SHA512: 43dcae046ce295464ddcc1f9eab22295fb400942bd324d4a2ea3e1a3bf91b6926a5b06ce3228dfa09aacd76fb01b4d2b78fbe6d88b67fb0cb97e5924613e7d92
  • C:\Windows\{F2A73444-1137-4ab1-934F-4C02ACC6BA76}.exe
    • Filesize: 180KB
    • MD5: 0bcef92b08a98cc4ae625dcb42d0ee6a
    • SHA1: a17cbe88d8f645d1a733fc6dfb4b3ae0745f2e86
    • SHA256: 320e2ded66e4129fe2119b585e7caa58f5c24078503f652cf9334443e25096df
    • SHA512: c1f010455d2b03f6cef518b2261a481e9cc54f3a27f729446f2d2c1fcfa41cc0398c057e160f89f7d2c0f1563d0f0f6ff38f399695ae8f2eca16c7bd32456cad