Analysis

  • max time kernel: 144s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 06/04/2024, 14:42

General

  • Target: 2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
  • Size: 408KB
  • MD5: 346d60fa715d70c9f021f642ca8c062c
  • SHA1: 80861531b692c44698e5e540d68070ab917444f8
  • SHA256: f7dbac779b8522a98628c9b63c741a5041282fd62e6543b6cd96237a778c0e73
  • SHA512: cd46e07b06cd52f62b4825437d9016e5d3cdfe8f8a1b39bd7c9311a7d9fb3e031e80f2ea720355dc134cf5273bd3933f5d064b2b9ecfbe71356c1ae8c1f1ee36
  • SSDEEP: 3072:CEGh0oOl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGEldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule (11 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
      C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:280
      • C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe
        C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
          C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
            C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
              C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2968
              • C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe
                C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2676
                • C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe
                  C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2696
                  • C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe
                    C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2824
                    • C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe
                      C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1364
                      • C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe
                        C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2912
                        • C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe
                          C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1056
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CB872~1.EXE > nul
                          12⤵
                          PID:1648
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1BC2~1.EXE > nul
                        11⤵
                        PID:1608
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{24607~1.EXE > nul
                      10⤵
                      PID:2084
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{99373~1.EXE > nul
                    9⤵
                    PID:1804
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{6745D~1.EXE > nul
                  8⤵
                  PID:2780
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CB6D1~1.EXE > nul
                7⤵
                PID:1528
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{64E3B~1.EXE > nul
              6⤵
              PID:3024
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9C87E~1.EXE > nul
            5⤵
            PID:2296
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{908FD~1.EXE > nul
          4⤵
          PID:1756
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0211D~1.EXE > nul
        3⤵
        PID:2736
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1580
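The process tree shows one behaviour repeated twelve times: each stage drops a 408KB executable with a GUID file name into C:\Windows, executes it, and then removes its own image with cmd.exe /c del, addressing the file by its 8.3 short name (for example {CB872~1.EXE for {CB87218E-4D48-491f-A19C-DD567919EE72}.exe). Because every dropped stage carries a different hash (see the Downloads list), per-file hash IOCs cover only this one run; the durable signal is the chain itself. The following detector is an added example and is not part of the tria.ge report or of the sample: it rebuilds the tree above as flat process-creation events (the PIDs, image paths and command lines are taken from the report; the parent PID 0 of the submitted sample is an assumption, since its launcher is not shown) and flags GUID-named executables in C:\Windows that spawn one another and whose own child deletes their image.

```python
# Added example, not part of the tria.ge report: detect the GUID-named dropper
# chain and the "cmd.exe /c del <own 8.3 name>" self-deletion seen in the tree.
# Events are CONSTRUCTED from the report's process tree (PIDs, image paths and
# command lines as listed); they are not real Sysmon/ETW records. Parent PID 0
# for the submitted sample is an assumption (its launcher is not in the report).
import re
from dataclasses import dataclass

GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.exe$",
    re.IGNORECASE,
)
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (pid, ppid, image) for each stage, in the order the report lists them.
STAGES = [
    (2152, 0, r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe"),
    (280, 2152, r"C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe"),
    (2636, 280, r"C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe"),
    (2564, 2636, r"C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe"),
    (3000, 2564, r"C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe"),
    (2968, 3000, r"C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe"),
    (2676, 2968, r"C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe"),
    (2696, 2676, r"C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe"),
    (2824, 2696, r"C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe"),
    (1364, 2824, r"C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe"),
    (2912, 1364, r"C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe"),
    (1056, 2912, r"C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe"),
]
# (pid, ppid, deleted path) for each cmd.exe /c del entry in the report.
DELETES = [
    (1648, 2912, r"C:\Windows\{CB872~1.EXE"),
    (1608, 1364, r"C:\Windows\{E1BC2~1.EXE"),
    (2084, 2824, r"C:\Windows\{24607~1.EXE"),
    (1804, 2696, r"C:\Windows\{99373~1.EXE"),
    (2780, 2676, r"C:\Windows\{6745D~1.EXE"),
    (1528, 2968, r"C:\Windows\{CB6D1~1.EXE"),
    (3024, 3000, r"C:\Windows\{64E3B~1.EXE"),
    (2296, 2564, r"C:\Windows\{9C87E~1.EXE"),
    (1756, 2636, r"C:\Windows\{908FD~1.EXE"),
    (2736, 280, r"C:\Windows\{0211D~1.EXE"),
    (1580, 2152, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
]


def build_events():
    """Flatten the report's tree into process-creation events."""
    events = [ProcEvent(pid, ppid, img, f'"{img}"') for pid, ppid, img in STAGES]
    events += [
        ProcEvent(pid, ppid, r"C:\Windows\SysWOW64\cmd.exe",
                  rf"C:\Windows\system32\cmd.exe /c del {path} > nul")
        for pid, ppid, path in DELETES
    ]
    return events


def short_name(path):
    """Approximate the 8.3 alias NTFS assigns to a long file name: first six
    characters of the stem (spaces and dots dropped), '~1', and the first three
    characters of the extension, upper-cased. '~1' assumes no earlier name on
    the volume collided; a collision would yield ~2, ~3 and so on."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = re.sub(r"[ .]", "", stem)
    return f"{stem[:6]}~1.{ext[:3]}".upper()


def analyse(events):
    """Return the dropper chain depth, the stages deleted by their own child,
    and a verdict."""
    by_pid = {e.pid: e for e in events}

    def dropper_depth(e):
        # Count consecutive GUID-named C:\Windows executables up the ancestry.
        depth = 0
        while e is not None and GUID_EXE.match(e.image):
            depth += 1
            e = by_pid.get(e.ppid)
        return depth

    chain_depth = max((dropper_depth(e) for e in events), default=0)

    self_deleting = []  # PIDs whose child ran "del" against their own image
    for e in events:
        m = DEL_CMD.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not m or parent is None:
            continue
        target = m.group(1).rsplit("\\", 1)[-1].upper()
        parent_name = parent.image.rsplit("\\", 1)[-1].upper()
        if target in (parent_name, short_name(parent.image)):
            self_deleting.append(parent.pid)

    return {
        "chain_depth": chain_depth,
        "self_deleting": self_deleting,
        "suspicious": chain_depth >= 2 and len(self_deleting) >= 2,
    }


if __name__ == "__main__":
    print(analyse(build_events()))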

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{0211D33B-49D6-4a60-B177-C3D2076206C9}.exe

                        Filesize

                        408KB

                        MD5

                        dce4e8e727d3ba1fa933a84a8c3bc6f4

                        SHA1

                        f71f7aeaf2fcbc11906d07986270b64963e9a773

                        SHA256

                        69c91a240a6619c6a8259d457d7558d03778022bf999059ab1dfbd88e7c6263f

                        SHA512

                        3ef90d9df5dad8dabfe50ca7bf3fb830a5a377d95028e8d2df31cf7592d8bc3730232cc5cef4491553131d612ff243f1a01f2c14fcd2740635df56f43172d2f4

                      • C:\Windows\{24607556-3412-454f-86CD-0EB280ED1E1E}.exe

                        Filesize

                        408KB

                        MD5

                        e152146427e118b2230e15424b91019b

                        SHA1

                        2b6a2403214715a5607eb067ba2895010f1bdd34

                        SHA256

                        69d19b2e9cc74b7ca079b03c8cf7d99e96bd7840191562e98d9ded705f6e26a1

                        SHA512

                        c589533548512f1ad900115692acde76b40efd5728bb0c5039f8fbbd7e74b89fdf16489378af69243b68b6a63028756ef45c7f10b61b7ab437511a5e42644a36

                      • C:\Windows\{550DBF4E-1E7C-403c-8C18-5DC37C643F9D}.exe

                        Filesize

                        408KB

                        MD5

                        f9f7e8a3221ba80b83e66a6852836a0a

                        SHA1

                        03d8e2a8708e9e6dba6884970eba44736b063c71

                        SHA256

                        ef71a3882825a498b765195ceb699591b1e7863f429736d68fa132b5a25cf678

                        SHA512

                        6ebea0766dfd240014ce86b6653fad34ebf0d384e08645a9637bd970495925953322cf4f3a4a874b063eadc0e1cc27fb704ce40d71b28e2d7a79417ae4c3b3b1

                      • C:\Windows\{64E3B3A7-0CD7-48fe-930D-33DE445C0C4D}.exe

                        Filesize

                        408KB

                        MD5

                        24fc97171619e6a892af1aa6a60ad421

                        SHA1

                        564485de8d3ef0a333f80e70d6ec0eaf38a94721

                        SHA256

                        53e4a8811aa1ef84e8c8f96321ba9f3b65b694f3312ae14443e65ba91712f271

                        SHA512

                        fc510a331c3f94f9fe343116cdb6fc592aaf819826e6bedf6a328ee9321dfaa25896f5d365fd9dbe9e09a598740aed49c1c1620ac7cc030ba91a2dd10d8c1dbb

                      • C:\Windows\{6745D736-4401-43cd-A530-9210F5AA488A}.exe

                        Filesize

                        408KB

                        MD5

                        32e536437cade2f388f78ac411f54c1e

                        SHA1

                        4586bae80be4f17e14aa68540a12ba3668d5f8ff

                        SHA256

                        1e0c8272234b4b55c2e76eb7d284e8b27c91c3b97afdc5e8617a432620499ef5

                        SHA512

                        b67448bcceb057dd7e58cf147968fc45bc0bacc5b29cbb4ea2f728fb7204de9a5bfb2846adfcf76d79e4a128948d3f0fb410be5b1431e0bc1e7312f536bc8879

                      • C:\Windows\{908FD874-865D-4f44-87FA-699F30C32656}.exe

                        Filesize

                        408KB

                        MD5

                        26d51f31bee81c85057055998cc7d4cb

                        SHA1

                        01846bd8ac7cb096045fcdb203fbf9b9418e41c8

                        SHA256

                        27e560f0abf4d09864dda1df5471043ecbc67a9facb255cc39b5fb8f8a31b698

                        SHA512

                        9aa0ab6a7fc8acf2b2ee717030470dfd6e6e11a07b38117bf8d972d91ac32702909607fd9479d1734b743a536a622d64ed9a52bb87dc569b4a5501ba9ce6d7fb

                      • C:\Windows\{99373C54-02F4-495b-97A9-65C87D956FD8}.exe

                        Filesize

                        408KB

                        MD5

                        bd26f557f376d3f9d301c038503e106f

                        SHA1

                        d9a40c33dbe30ffee391dccaee58ee33784d9bc2

                        SHA256

                        3935db407a0dcc76247589f3f86205a68922cd367128ea4fb7ab4c7a4ab0ceae

                        SHA512

                        dc7a5d6dfd436d23a31fb1803114c378cd8b41dc5911ff80fcba2b713f82f350101eaa692bda0b2a07d8f6d757f783a20b45420772b97f2c0f51239ca357b3c4

                      • C:\Windows\{9C87E636-8DE8-4a04-93F7-8CF51A0BB9D4}.exe

                        Filesize

                        408KB

                        MD5

                        9a60153d16a63fb17944c59ab0b694de

                        SHA1

                        1a2b9457b2584e7e631091a04f1d70e222804cde

                        SHA256

                        f7e798f31bea8ca86b5b272883cb38c506fe76cce9ed5437a05322e552ebc402

                        SHA512

                        ce25dbfc1a1c53c9fbdaf3d820d65f0f0e582078e97b26ebb2d18349ee5286b0acb8b31a13ba6f7d6068daa0796a78acc748bbfef247a6344f4bf2fb6dbe165d

                      • C:\Windows\{CB6D122B-7A11-4415-B63B-38CB2535F2FC}.exe

                        Filesize

                        408KB

                        MD5

                        8f18f1106410cc241aa6e22a444b5535

                        SHA1

                        70141f1019add2cce2fcd3c6ea6afce727f1ec48

                        SHA256

                        f7f28ccd94520285daf62799b364bf7519d333d9f726216b3aa6caac0510115e

                        SHA512

                        f74e7ff539c4acce91b7f17a61c9a99080d4501211488294217f4f51342e7cc5e2ec446aef0805c5f6cb81e07530cef07f1d2135d7836265cd074d8c5d6a02d3

                      • C:\Windows\{CB87218E-4D48-491f-A19C-DD567919EE72}.exe

                        Filesize

                        408KB

                        MD5

                        478958ff58825f015071757f8d75448d

                        SHA1

                        fffafab9988ad965e02dbdbcda4020956419cda9

                        SHA256

                        92d64707f479a711c1d23b3b7ca1778e0aa86fc026182f7d1d0342c1dc7bcd69

                        SHA512

                        da73e7008c5b11e1effe45c2b085ff5a26a593b0ae9c3aea8dd2810064e5b9d194da365fb49e1a717cae916f055b3923c9264c737c50e613ad7fca03e06a63ca

                      • C:\Windows\{E1BC2DED-1225-4577-9A83-B75E4A933FD4}.exe

                        Filesize

                        408KB

                        MD5

                        7a13ac389293950deec8fd8b40f7a535

                        SHA1

                        e5a102cc35eebd1ee8cfa1aa46e590a1c7d4c888

                        SHA256

                        2bf4fce610797f3873c472ffc10c5916b6c214d62623ba54807acae575cd6f5f

                        SHA512

                        82c5931785da4ab26e96913baf354a0658d479a9ab5f6bb1b5ee4048d3cff49f8418696b6b738f5373028450b078bb5f4eec2121eaf88d53435c9b12e565c8da