Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 18:22

General

  • Target

    2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe

  • Size

    192KB

  • MD5

    233794f132386671cb917b52ffdfeba2

  • SHA1

    66b1488954ac92ec1239e5f33b6cfe653053b51c

  • SHA256

    6de17e4669f441ab917414dc1a9eb4abc2ee683cd66dcd16c5f7f07c370353ca

  • SHA512

    03a405485504be6b14cc4c1441e24e5c7e374e3779896c806ad99c2fa1751da41fae35690ae721c27026eb9c716d80c7d4977ea407b2ba66f13d66dbd77e274f

  • SSDEEP

    1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ojl1OPOe2MUVg3Ve+rXfMUa

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
      C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
        C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
          C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe
            C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2036
            • C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
              C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2788
              • C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe
                C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1116
                • C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
                  C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2600
                  • C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
                    C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2940
                    • C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe
                      C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2944
                      • C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe
                        C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1492
                        • C:\Windows\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe
                          C:\Windows\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1468
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6E39D~1.EXE > nul
                          12⤵
                          PID:2844
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{019F3~1.EXE > nul
                        11⤵
                        PID:2248
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9B834~1.EXE > nul
                      10⤵
                      PID:972
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{2746D~1.EXE > nul
                    9⤵
                    PID:880
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{32703~1.EXE > nul
                  8⤵
                  PID:2604
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{12D27~1.EXE > nul
                7⤵
                PID:2716
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C2470~1.EXE > nul
              6⤵
              PID:2896
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6F24C~1.EXE > nul
            5⤵
            PID:2452
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{07E15~1.EXE > nul
          4⤵
          PID:2428
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE4CE~1.EXE > nul
        3⤵
        PID:2664
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2112

Network

MITRE ATT&CK Enterprise v15

Downloads

                      • C:\Windows\{019F3C91-6F1A-4f21-87A4-8A5903704DB3}.exe

                        Filesize

                        192KB

                        MD5

                        e52e3649da71475abb261e2dda37fa0a

                        SHA1

                        c442fb2123bc7be8e8c69855b3246f10f7709501

                        SHA256

                        ccde3e736ea1d2a787cc40d27a3ff31ad8810a2909ecafa44f3f22a5eac03eec

                        SHA512

                        6bcebbf23af1c58d9314f42f4905af1fa3b34d13abbaf31ad7d1e0c22d17f39d47d8ca9e946bd657385ad6a30d91cb133e3af82d4ef1778e535a547780ee6e74

                      • C:\Windows\{07E15AA0-838C-47af-9BE8-F985E6E52703}.exe

                        Filesize

                        192KB

                        MD5

                        fcc76f62220ac0e273afc83c450419eb

                        SHA1

                        472e8b3b030577072e7a236e820535ea9c5a756e

                        SHA256

                        14611197552b7b0455564a8e6ac2647758376a91266859b99639dc3523cf6a6c

                        SHA512

                        a5cc822187ac9a331d7e19646825ac607577e17269f24bcee55c5ab73af268e1a6c7b1f5a65fba605860aa8bcc5e6e7153cc4f9aa675d0460672233814912e8a

                      • C:\Windows\{12D27777-47F4-4cb7-BC8E-BF5AD1DA4A7B}.exe

                        Filesize

                        192KB

                        MD5

                        b17387195f4f5fa928621ba6f145506e

                        SHA1

                        1d632f21e5342fc817f29c6d5098b42f683fa6a6

                        SHA256

                        1c6d498f3b55eaab7d5534e16721f3d1c3553c9d4100c2e72ac9f4ffea4d7388

                        SHA512

                        2782bd4f5d0251b0f1658753bbf8111bc978ab5fd5f18640e67e48ac18240217dd3b91e245095cfea3f4e94348b20b160034d4c6ee7dfca2e22ae9dc6be74ba2

                      • C:\Windows\{2746D8FB-E5C5-4ff5-B434-98463ADD32BF}.exe

                        Filesize

                        192KB

                        MD5

                        956755c3bd08eacf22f37378fa468ce4

                        SHA1

                        9f0e14720df41b06a5f8741307623a7aba27ba42

                        SHA256

                        bb642811efa6bc6813056b207e13a1f70140ebd1d1d40a38b84c15a04fa28a11

                        SHA512

                        741b42446f74aa5eca458735fb049342a4b7411bfea946b8103c186c0a3d8d5a86e6789a9bef38e7827108011f4ec420b1a6375cdc134cf6b44ddff15746ca50

                      • C:\Windows\{327039B7-8EF7-49ca-A627-81846274F320}.exe

                        Filesize

                        192KB

                        MD5

                        ba6399440727e6fde997e76d9edce870

                        SHA1

                        484a44d10205bf1e225014551661baf802c5d091

                        SHA256

                        87ac8c5685d21226d25e9748c92915aca9788ad7fd2649599cd0c152d5a2d6b0

                        SHA512

                        9d54049c61894499d17191e635c418f8671d52a7af48a7ce7b1babb351ad1d3d8db173a90966c7acb26274bed1be8e95210a949ef887526f2542b3b71b340d1f

                      • C:\Windows\{6E39DDC6-65E2-4d09-857A-B99563E4B957}.exe

                        Filesize

                        192KB

                        MD5

                        bf9e801f4e10fa6d8bd791a5df81b479

                        SHA1

                        69c9190fe5c56a224b3d970e5b3a05a55cdebee7

                        SHA256

                        f626653ceca8c02588f1169d635508a5bef8b895de91a232a4bb0d2a8943168b

                        SHA512

                        0fe72330fdde0571d2e8b0a6eeae72891e28d71c92720d246e565ecd9fa0e9dc33177f157df8229382581cc75a0bfe1a0ddf4acdb6954da55206cbf9b79e7794

                      • C:\Windows\{6F24C8CC-B788-4fb2-94E5-C68AE6FC91A7}.exe

                        Filesize

                        192KB

                        MD5

                        4ec2d8c10373c496f77aff3c54e3ffea

                        SHA1

                        ac4a3edfabd218da480672a829ed48a6470fc2ce

                        SHA256

                        4d6818b7694ac9a2960a9685825c15d45a2d38357d62e33bcc933ed804aeb3a5

                        SHA512

                        3d07243823a9d779c9c3cbefefe6932c575e86a44a99dd3de8784fba7406fe9a19f5232ca0d625c8d0bc5666f8985defc6c9a8084cea63e1f5cefc22edc4460a

                      • C:\Windows\{9B8340F5-3E7D-47dd-80D0-7B6F7D73F21E}.exe

                        Filesize

                        192KB

                        MD5

                        2d7ee6f42bcb302c56fb9405b9964661

                        SHA1

                        b11280e53cfa351fc48e755f6f9063464244e9df

                        SHA256

                        1b0bb2ecf75f63722f5b054828c5a28bbce5b045e93db71c1039b15658d670fc

                        SHA512

                        38e23e44dc62160e73610bfe024ccf89e0573b3fd62e6d37958fc0b45bdc290cb96ee48131efb19c1927a77b48b0a74f6e4441328c557ca175cdf3d1a4201296

                      • C:\Windows\{AE4CEC87-B9BB-47c0-9D16-5DE9D8EC9F54}.exe

                        Filesize

                        192KB

                        MD5

                        da816347c1013cfa70d2ebe71552991d

                        SHA1

                        24046358bee3c6e74202bfd40e95bd50bd246bb6

                        SHA256

                        821fa7840ac63da0fa1b55efa79f7c11b0044f7f3e01940cafaed3b3bf8ae405

                        SHA512

                        9cc80dae8a7595f1f592f6ecc9314783d5d35a39bb6b91b024265d815bff9a70d789347454df351d505bc70804eb77521376ec06d228b93d72c637280b1e1ea2

                      • C:\Windows\{C24709C6-1087-4996-B4F9-63619F204394}.exe

                        Filesize

                        192KB

                        MD5

                        0a1989b04d1f92d1741d4d9c3eef5ad8

                        SHA1

                        0600da15f20bc802af832c455d06107e6e3d7d7e

                        SHA256

                        eb7ecd5b6eb02d44d797cd9e72e4b1e1c8395b287248ad232d160741259e80fd

                        SHA512

                        1a474dfb12e9de9044a3f9e7dda99d7daefb468e89905e272d74207c9a596268f6859e2c9c7d1fa1513e8e0b25475af64cee3e0548fbea877d7a9ebb5afe07cb

                      • C:\Windows\{EA3D2D6A-73E4-4353-B3D3-79710853549A}.exe

                        Filesize

                        192KB

                        MD5

                        92e021b594efea11035e5a1f6f8f9214

                        SHA1

                        b16e290caf89e2ec4a25071e2792744ed0e37905

                        SHA256

                        bbc65b7decb29e5f6192c30288a5408ae137288da509617890e7496c8bf72f3b

                        SHA512

                        9bc0c096cae020689862937df90c24e0da8354d0c0c1da0d8215d5e9a131b6c878f9a5cc68421f6624ba3f6478e408cf8667abf1df1e6bf283859770b9c41462