Analysis

  • max time kernel
    156s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/04/2024, 18:22

General

  • Target

    2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe

  • Size

    192KB

  • MD5

    233794f132386671cb917b52ffdfeba2

  • SHA1

    66b1488954ac92ec1239e5f33b6cfe653053b51c

  • SHA256

    6de17e4669f441ab917414dc1a9eb4abc2ee683cd66dcd16c5f7f07c370353ca

  • SHA512

    03a405485504be6b14cc4c1441e24e5c7e374e3779896c806ad99c2fa1751da41fae35690ae721c27026eb9c716d80c7d4977ea407b2ba66f13d66dbd77e274f

  • SSDEEP

    1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ojl1OPOe2MUVg3Ve+rXfMUa

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_233794f132386671cb917b52ffdfeba2_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
      C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
        C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3916
        • C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
          C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4848
          • C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
            C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4320
            • C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
              C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4524
              • C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
                C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1560
                • C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe
                  C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4716
                  • C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
                    C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1628
                    • C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
                      C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3732
                      • C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
                        C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4568
                        • C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe
                          C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:4976
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5F733~1.EXE > nul
                          12⤵
                          PID:4112
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{59C44~1.EXE > nul
                        11⤵
                        PID:1792
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0F4D~1.EXE > nul
                      10⤵
                      PID:2952
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CA393~1.EXE > nul
                    9⤵
                    PID:1824
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E42~1.EXE > nul
                  8⤵
                  PID:4672
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E9F~1.EXE > nul
                7⤵
                PID:4816
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{95A02~1.EXE > nul
              6⤵
              PID:4008
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CC529~1.EXE > nul
            5⤵
            PID:4492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D47D7~1.EXE > nul
          4⤵
          PID:3296
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D7C3~1.EXE > nul
        3⤵
        PID:3572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:3120

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{59C44764-5C87-4468-A42C-D836DF05A5D4}.exe
    Filesize
    192KB
    MD5
    b5e10c0a47bc761fd755e8aad08a9520
    SHA1
    52d96215d832c45e6b25b0629a9474c841b4ee48
    SHA256
    d0df1486908d612e9953b046ed4b5348377a3ca16655a765a392447ad38559d4
    SHA512
    06d5076fac92caf32acc9ef73874a1dc7cf3d1ad1e05643fe9ed983ef83683f2d220add8ac85465a86a1a239c7143a4165e4a1a46ec12df55e0eb003bc52ccf2

  • C:\Windows\{5F7331A0-22A3-4d27-B823-055FFA12AC0D}.exe
    Filesize
    192KB
    MD5
    40e419d87af1172b6eff3d04d6ceab03
    SHA1
    cfb743bd2c67bbb3baab81527f1c00507a4d8984
    SHA256
    12da1d069f2eeaa344d5919549ed0d8bf0c9ddaccb131e6880016dd2cbadcc63
    SHA512
    58c48acff61304c9f4fafe8c77c6b3c9bee9c42f5ec7d38d62505b64cf725f45c9641a1902a9dc42967b1a118497835f1d0eae529b5d25b657c6a6f3e57a52d3

  • C:\Windows\{6D7C3036-39D0-482b-A0EF-5790F7F12DA9}.exe
    Filesize
    192KB
    MD5
    11d2b39fccbe57dca31891393a28d152
    SHA1
    4c33468352fba8a30eedac7e8c8d763c4c569208
    SHA256
    36aad4d4de6a7b1675775b0b6360b768c5e8142258c2b870ee5f201e7deb2235
    SHA512
    d50f8261e3ad14c9c01b411c16083193f39c0b40ce454f8d70b389561f82133184984d353ebb1e241dce04936c833be471a7255351067c8031c21eea102fe84f

  • C:\Windows\{95A02336-7808-465a-945B-FC0D58D8A9D0}.exe
    Filesize
    192KB
    MD5
    c11423d5a54c00037d1a5b4d19fdb531
    SHA1
    f8b6b3a22eca8f315158bdfcf09429a159b052b9
    SHA256
    b10192135acd888895fe3f6bab0a44ed2f06522521ac6153b4eb3ea5fcd64968
    SHA512
    12526c6e05f21df6e38482e68b0c83d8ca7c3af39a5ee5ed2781dbbf4e39fbc42e08d57f72a099a5920ede934e453750b35255710368dfb66d569e23b4ead6fa

  • C:\Windows\{CA393A86-E956-46ea-925B-787B479810E4}.exe
    Filesize
    192KB
    MD5
    b27c86063d111ba48a6e5f6ec5cf1528
    SHA1
    d09f8f32e69b2edb501233df06c776df5a1979f6
    SHA256
    cf2f91ca33764e7066120e12ba1640accd50629fcd31502c81a163c18b1de98e
    SHA512
    5679ab49c1f301438565ffba6014f18c868f1f59c8885dff218e67ea42711e81ecdcb143b58a5e8bdd5e596cbffd262fc40fc8f1a7a9db5badeba055189ef7d6

  • C:\Windows\{CC5299B3-C7F4-4185-A8AF-F8497BA198E2}.exe
    Filesize
    192KB
    MD5
    eea200ab71ba0ff81fb96bb6cad11538
    SHA1
    82669fb5cd75a323ac92ea78213adf3ade36e12e
    SHA256
    d668d722711ca94a99aaf69b1d578a9dd9eabc7fddca00f704c1cc2add19de54
    SHA512
    6ad812b850dc15a641d565e7fa0731c42364e2790efe4f2bd0d2cece5c7b3013dc7c4ce2eb015e53bfeb41c44bcb6a0cd02e7d99d68d562d4402a3d1aabe7761

  • C:\Windows\{D0F4DCF4-16FB-4520-B476-3FCE91156985}.exe
    Filesize
    192KB
    MD5
    8869666a938433ecde66844bead44af0
    SHA1
    345556f4bea6f7d869537af803f7095e0563d021
    SHA256
    7fb565d6f9fa817d6ecb5b17ca6bf6d16e16966604f3737b3a946b070127774e
    SHA512
    7593f375385f6d0c443811768804e3ba38f654d0e018b668afc5948e2268b080811281135a77b7b888112840c9cc0021b79e6bfb7c356afa5c6e147fe5f0b9ac

  • C:\Windows\{D47D746C-470F-4e7e-9D13-F2BE78D394B6}.exe
    Filesize
    192KB
    MD5
    b79783a7182f5c7031557d98e3e79bef
    SHA1
    e376f07929ccf6b06f7e18dc3dc78e9e27c980c5
    SHA256
    8893998f9145355fe7051ebfdce77b01d2488b546e279ad91af114aff8d3e937
    SHA512
    0c709f93656b8660b55f73b90beac1bf8951072e701fd86ad88bde7c4ae159ff609425ede530c9f5b485e46177ae4fd1ea5354db21d307462efae7ca58ccd046

  • C:\Windows\{E1E9FA08-FC4C-48a8-AD58-F639787DC0C1}.exe
    Filesize
    192KB
    MD5
    f6e4b2d6e2dea2d17563ad4b6fb697ff
    SHA1
    a0e35b5913c5bf802738ca58f812193f788570dd
    SHA256
    43a6f449e8d573f68f9462c16f0769e5fb4a41e09491f6468dc26b26601483da
    SHA512
    2cccbb3395d5922d394e2ff43833ee1ec237495cdbba1377540d407db3457a0ce9ca4642a9a5c77ac999e7c208a39645a800cb7a9786428d8bf4aacc913804bd

  • C:\Windows\{E2F2D5F7-8BFE-45bd-8EED-E914BEDF2A19}.exe
    Filesize
    192KB
    MD5
    685614506e1e41cfc951ac56ccb37de1
    SHA1
    c7621451c55831f90872d771338eaaaca3a4dac5
    SHA256
    549922d1bd43b1c0654e1089b5e391e9847633a0d29a0d8af437b5df9d48dc2f
    SHA512
    ff920a4b57f8d1f5d0e4d767cb99aaae99824dda8c3e59f37dfc20459feff7a41ba8793f16b760f5e2a6bed50786ced2645fa5926d5eed55b0b2212bfdc172d4

  • C:\Windows\{E7E424EC-42B1-4de9-A241-7DCD48B1DF72}.exe
    Filesize
    192KB
    MD5
    4a11989bf4353c1a27d15beee5438d59
    SHA1
    efc5d170b56be7564d0782ba1fa752641fa0a113
    SHA256
    d6af72a489964c8afd0d2f340590b2d334089a9dd0109543da376f327ff45a2d
    SHA512
    834deaba0c12277706f9441174cd6a0a2bca10867f170baeecf78b975da1a37f8984fca3d5724ee34e6f7098a6be75cec47ec6f23b14982d31eca8dc6b914f71