Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 14:42

General

  • Target

    2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe

  • Size

    408KB

  • MD5

    346d60fa715d70c9f021f642ca8c062c

  • SHA1

    80861531b692c44698e5e540d68070ab917444f8

  • SHA256

    f7dbac779b8522a98628c9b63c741a5041282fd62e6543b6cd96237a778c0e73

  • SHA512

    cd46e07b06cd52f62b4825437d9016e5d3cdfe8f8a1b39bd7c9311a7d9fb3e031e80f2ea720355dc134cf5273bd3933f5d064b2b9ecfbe71356c1ae8c1f1ee36

  • SSDEEP

    3072:CEGh0oOl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGEldOe2MUVg3vTeKcAEciTBqr3jy9

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
      C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
        C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
          C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3080
          • C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
            C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3328
            • C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
              C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2644
              • C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe
                C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3036
                • C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
                  C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4196
                  • C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
                    C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2920
                    • C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
                      C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:644
                      • C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
                        C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4388
                        • C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
                          C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4132
                          • C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe
                            C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:744
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D210A~1.EXE > nul
                            13⤵
                            PID:4852
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B3276~1.EXE > nul
                          12⤵
                          PID:4736
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{570DF~1.EXE > nul
                        11⤵
                        PID:3960
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9959A~1.EXE > nul
                      10⤵
                      PID:4316
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{15EC8~1.EXE > nul
                    9⤵
                    PID:2408
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{314C4~1.EXE > nul
                  8⤵
                  PID:4792
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{FE3FF~1.EXE > nul
                7⤵
                PID:4292
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{88A40~1.EXE > nul
              6⤵
              PID:2124
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A59D8~1.EXE > nul
            5⤵
            PID:1800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{61E6F~1.EXE > nul
          4⤵
          PID:3168
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1BBA~1.EXE > nul
        3⤵
        PID:2516
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:3004
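
The process tree above is one loop repeated twelve times: each stage writes a new C:\Windows\{GUID}.exe (Drops file in Windows directory), starts it (Executes dropped EXE), and then spawns cmd.exe /c del <own path> > nul, naming its own image in 8.3 short form ({D210AEE4-...}.exe becomes {D210A~1.EXE}, the original sample becomes 2024-0~1.EXE). Every file listed under Downloads is 408KB like the original but carries a different hash. The following is an added detection example, not tria.ge code: it runs over process-creation records constructed from the command lines in this report (the field names pid, ppid, image and cmdline are an assumption standing in for Sysmon Event ID 1 or similar telemetry), links each del target back to the parent's own image through the 8.3 alias rule (common NTFS case only, as noted in the code), and measures how deep the chain of GUID-named executables runs.

```python
"""Flag the drop-execute-self-delete chain shown in the tria.ge process tree.

Added example, not tria.ge code. EVENTS is constructed from the command lines
in the report; the field names (pid, ppid, image, cmdline) are an assumption
standing in for Sysmon Event ID 1 or equivalent EDR process-creation telemetry.
"""
import re

T = r"C:\Users\Admin\AppData\Local\Temp"
W = r"C:\Windows"

# Constructed records: a benign explorer.exe parent (not in the report), the
# original sample, the first two GUID-named stages, the cmd.exe child each of
# them spawns to delete its own image, and one benign delete (not in the report)
# to show the rule stays quiet on ordinary cleanup.
EVENTS = [
    {"pid": 1000, "ppid": 900,  "image": W + r"\explorer.exe", "cmdline": W + r"\explorer.exe"},
    {"pid": 556,  "ppid": 1000, "image": T + r"\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe",
     "cmdline": '"' + T + r'\2024-04-06_346d60fa715d70c9f021f642ca8c062c_goldeneye.exe"'},
    {"pid": 1812, "ppid": 556,  "image": W + r"\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe",
     "cmdline": W + r"\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe"},
    {"pid": 4892, "ppid": 1812, "image": W + r"\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe",
     "cmdline": W + r"\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe"},
    {"pid": 3004, "ppid": 556,  "image": W + r"\SysWOW64\cmd.exe",
     "cmdline": W + r"\system32\cmd.exe /c del " + T + r"\2024-0~1.EXE > nul"},
    {"pid": 2516, "ppid": 1812, "image": W + r"\SysWOW64\cmd.exe",
     "cmdline": W + r"\system32\cmd.exe /c del " + W + r"\{F1BBA~1.EXE > nul"},
    {"pid": 3168, "ppid": 4892, "image": W + r"\SysWOW64\cmd.exe",
     "cmdline": W + r"\system32\cmd.exe /c del " + W + r"\{61E6F~1.EXE > nul"},
    {"pid": 7000, "ppid": 1000, "image": W + r"\System32\cmd.exe",
     "cmdline": W + r"\System32\cmd.exe /c del C:\Users\Admin\Desktop\old.log > nul"},
]

# A {GUID}.exe sitting directly in the Windows directory, as every stage in the report does.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE)
# "cmd.exe /c del <target> > nul": capture the target up to whitespace or the redirect.
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>[^\s>]+)", re.IGNORECASE)


def short_name_pattern(long_path):
    """Regex for the 8.3 alias of long_path as it appears in the del commands
    ({D210AEE4-...}.exe -> {D210A~1.EXE}). Assumption: the common NTFS case,
    first six characters of the stem kept, any ~N suffix, extension cut to three."""
    directory, _, base = long_path.rpartition("\\")
    stem, dot, ext = base.rpartition(".")
    if not dot:
        stem, ext = base, ""
    if len(stem) <= 8 and len(ext) <= 3:          # already a valid 8.3 name: no alias
        return re.compile("^" + re.escape(long_path) + "$", re.IGNORECASE)
    alias = re.escape(directory + "\\" + stem[:6]) + r"~\d+"
    if ext:
        alias += r"\." + re.escape(ext[:3])
    return re.compile("^" + alias + "$", re.IGNORECASE)


def analyze(events):
    """Return the GUID-named drops, the cmd.exe deletions whose target is the
    parent's own image (self-deletion), and the longest run of GUID-named ancestry."""
    by_pid = {e["pid"]: e for e in events}
    guid_drops = [e["pid"] for e in events if GUID_EXE.match(e["image"])]

    self_deletes = []
    for e in events:
        m = DEL_CMD.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and short_name_pattern(parent["image"]).match(m.group("target")):
            self_deletes.append((e["pid"], parent["pid"]))

    def guid_depth(pid):
        depth = 0
        while pid in by_pid and GUID_EXE.match(by_pid[pid]["image"]):
            depth += 1
            pid = by_pid[pid]["ppid"]
        return depth

    return {
        "guid_drops": guid_drops,
        "self_deletes": self_deletes,
        "chain_depth": max((guid_depth(p) for p in guid_drops), default=0),
    }


def is_drop_and_wipe_chain(result):
    """Verdict: at least two chained GUID-named stages and at least two self-deletions."""
    return result["chain_depth"] >= 2 and len(result["self_deletes"]) >= 2


if __name__ == "__main__":
    summary = analyze(EVENTS)
    print(summary)
    print("drop-and-wipe chain:", is_drop_and_wipe_chain(summary))
```

Run stand-alone it prints the summary for the constructed events. Against real telemetry the ~N wildcard matters, since the short-name suffix is only 1 when nothing else in the directory shares the first six characters, and the self-deletion check on its own will also fire on legitimate self-removing installers and updaters; the depth of the GUID-named chain is the stronger signal, which is why the verdict requires both.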

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{15EC8FF2-EEB8-43ca-83BD-F847DA61DD05}.exe
    Filesize: 408KB
    MD5: 137289282035a413a86a74e5ac09da39
    SHA1: 75bd7b4bff84b7196d7d2ff6f1f7768a8d874209
    SHA256: 2989088fb07460d1dc257cf7903e7776a592be04beafba6a72077a9f728d2ee3
    SHA512: 9c5c69d2e55b1790ea80daeb6e73985f8006e70a2064c4e6417c76de4cc261fa4d95a63aaf541686ff3d9a231aabab839bbd46e9c140521b98deaaa97bd00b5f

  • C:\Windows\{314C46C8-A4EC-499b-8809-8F09720846B7}.exe
    Filesize: 408KB
    MD5: 4d7474c3aeaf8e85c0324cb950d9b032
    SHA1: c2d041b1809492a40276c3c115314db8580fb127
    SHA256: 3bca392a8d4d07a0f9d13e77f26190116c440325bf42bb242ae8b69383bfe724
    SHA512: 516eb5a24e63fbdb6428f0df18a051706c15dc6f27743c3fa884ae550fac121707d4438bdd5ffd627e8bd9a1dad16aa808fa5ff819372ef3734073a34349ef3d

  • C:\Windows\{570DF862-43E8-426d-8284-1BBFC22F34E5}.exe
    Filesize: 408KB
    MD5: 72c1f258ca58979ec6ce70478daf5edc
    SHA1: 7d16e46f4d578df35431efdb6a7168d3e31cc2f5
    SHA256: 4ff65f920bb44c26e9ca0ebc055a7b7adb84374f6340194e652e783a9b774c65
    SHA512: 3d22644dbc8a277b1b4c9f0313b8c65569d835d09ff283c37dce0012a89d2ee1fa8d62a7c0843b761a8fb78b70df520b10b67aa23cc51efe528adc2e4dc2e34e

  • C:\Windows\{61E6FCB0-54FE-4241-A422-DE4889ACF246}.exe
    Filesize: 408KB
    MD5: 515cf1649174f66ab4eee6b997b49b62
    SHA1: 81f2b1fbe71575017c26db5945114e5bc0c66fb7
    SHA256: 167fc171af80760c75d224e812600ad08e0392876451da957955993e5aa30ed3
    SHA512: 36cc0ab66659689e60d4e8e47b00effc88bfcfce42909c0bfe2c16902764405a745d708bf41b07f3759d3dc1afb6b6fb403bacaf3061d318e184314407809a00

  • C:\Windows\{88A40BB8-2626-4bba-9549-D6ABE66006D7}.exe
    Filesize: 408KB
    MD5: d9d155435f2cd540813ea0f8a35f1453
    SHA1: bdc0b89ea420bc24a235e2257370e34d7f123b20
    SHA256: 970a03bd611cc35293acc6ee094ea1725a78e434be442d1420a8e78b38261d0f
    SHA512: 04a221fe9420a3daa7653886020356cc2a374840f3960a836da42d1309a8566da612b5a8a53cd8c9625044edd70a445a14c35adafd2b206685c3bd6d3d8d5e6c

  • C:\Windows\{9959AC73-6AE2-4c5d-817E-ACC467BC940C}.exe
    Filesize: 408KB
    MD5: e8bc5464718ff27d0e45a6361b34e481
    SHA1: 0faf46aae8e3726868c0bb57afe47b7d04420149
    SHA256: 50729c89cd192a5f122c3e8025597ed74f87316295eea30de722ffbb2d782882
    SHA512: fd5e2e19d14dd1842feb45650838324b32266ce082e0a6668543ed005bf018630aae3c00d518627191b5189c903e65d7e561d0c8a2a81a9d676b8f946c31f412

  • C:\Windows\{A59D8249-F119-436f-AC42-B0E63C996DAC}.exe
    Filesize: 408KB
    MD5: d4a60d4081a06368a51298af0d52be7a
    SHA1: e545eb93c7a047482aafb8788bec0e7759bbe7a2
    SHA256: 6d311f2b7e26062a3d27cac84e6f4d793503e4b3f303923b2cb056a861eba1db
    SHA512: 25787df952015e4211da8e7d4150227c601f617483ede520b645279583f0def2ad31f40c43f2c8d57683e63430171d107150b1980a8b6cf26393005b9d144e8c

  • C:\Windows\{B3276F67-DC73-4800-A7A1-CDADC9B7953A}.exe
    Filesize: 408KB
    MD5: 88fea583604f60b4180925d980292692
    SHA1: 8a183fa243fd39bc0b42ec91d1aab05612ebde70
    SHA256: 52458ed9bd7d64541f04079d6c55efea76faa2317df6e016e8aa780056c243ec
    SHA512: fae54f84437f6411dd4b6e2ad4b05d68cf7e5c83bbaf8320d8ebd8eaa90cd895f77c0217bf08b0f0f8620c113e8f5c94c24f8ef10cf00604278b9596718a6a86

  • C:\Windows\{BC0C82B5-B6F3-453c-8150-00C98E7A79F2}.exe
    Filesize: 408KB
    MD5: 262d88851d72d5c3802afe65bacdb0ca
    SHA1: 50adb5e5ff4317628300ce45bfafbcd679ea6d8f
    SHA256: acba00a9f1580c55f4ebc285e485566d6a97d2c34ac6961713516ce5ad1c48fe
    SHA512: 73f5fce36d240e369fbe71453c5a997ca2f9ae63ed0c69e093f3df900972f9910fde145facefab3b89e5a3d8bbc5df276b822f885321b168309db55eaca95551

  • C:\Windows\{D210AEE4-35E9-4e5b-83DB-88CD307CA5C4}.exe
    Filesize: 408KB
    MD5: 0a937690d89886e87fa356050fcb4eee
    SHA1: 12d52711b3b67df7cfa3bbeda14fe641c963efb5
    SHA256: 115a904b7996e652d5695c32d228945ee17d1564a396b77d0964345501e60f40
    SHA512: 4ef2d401167616c3b01e3284539870474b0db59480e3e1fa3a6cca1f5132bd3297a15a3413aba5e756f581fda21fa8867ef4827de07eec81cbfb0a87e7bb897d

  • C:\Windows\{F1BBADA1-963E-4f9e-8602-000E1E31D923}.exe
    Filesize: 408KB
    MD5: 560739613c1a854cb343dcf04aa4acce
    SHA1: ee5885b9c619c9ff6183286450a6a1d5f716f1f0
    SHA256: cd690125196f4855d8f2bd122f5b05e05584f0ef1cee3589c4f6eb52c4e462c2
    SHA512: fe5467c92c855efd2699b76cdd40a1eb13047c74e283241fd48177a03aef8c928b9813455a1ba4430647a35689faf4ab77cbbdca4e3d191c3cbc206a4ce362d8

  • C:\Windows\{FE3FF8FC-3AB8-4eb8-85CE-77261D2B5B23}.exe
    Filesize: 408KB
    MD5: 6d6990a596a8e9fc5fc8093c744b847b
    SHA1: d18b8e53ed7ce3c475fce52b534a1a0480672c37
    SHA256: 7de63034ed618e534fa677829b2fdc03e626194c84f590a70e264581516bf546
    SHA512: 1a7021f71771025931e94bd21594c3c085022b49d6e480a6c7fbbf94cbba6eaaa0ad65efc6f4eb5b059be6a1ff2edcdd8ef8b7d0d7ab84441f6016e52ca2ac0c