Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 18:23

General

  • Target

    2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe

  • Size

    168KB

  • MD5

    54ce192027ed3fdc340f6646a9ae6bab

  • SHA1

    1978009c2929cc4c5f2f7dd1f79490bbcb1d64e2

  • SHA256

    109b34023a9cc232e0c95081a5c482107e459cca1cfa877c5f2f112ae980bcca

  • SHA512

    adf3b2dffe314738c081fa3bcbf402c128432b5eb47107abad6079e138b78bb64dfe1383cd81338185a61e4e0d53939a569e2dcf5e067a6c33b2ea53e452d313

  • SSDEEP

    1536:1EGh0oclq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oclqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
      C:\Windows\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\{210A6396-2554-4879-9390-D502CC668292}.exe
        C:\Windows\{210A6396-2554-4879-9390-D502CC668292}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\{907FE030-4B94-4658-B184-1215277D7E1C}.exe
          C:\Windows\{907FE030-4B94-4658-B184-1215277D7E1C}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Windows\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe
            C:\Windows\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Windows\{5F3A9788-2CB3-49f3-9707-518E38884056}.exe
              C:\Windows\{5F3A9788-2CB3-49f3-9707-518E38884056}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:544
              • C:\Windows\{D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe
                C:\Windows\{D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1648
                • C:\Windows\{9AC28808-B49C-4346-A083-B9C0C126D898}.exe
                  C:\Windows\{9AC28808-B49C-4346-A083-B9C0C126D898}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1084
                  • C:\Windows\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe
                    C:\Windows\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2712
                    • C:\Windows\{FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe
                      C:\Windows\{FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1536
                      • C:\Windows\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe
                        C:\Windows\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1992
                        • C:\Windows\{8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe
                          C:\Windows\{8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          PID:2224
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCA3~1.EXE > nul
                          12⤵
                          PID:2820
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB931~1.EXE > nul
                        11⤵
                        PID:2216
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6AB3A~1.EXE > nul
                      10⤵
                      PID:1940
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9AC28~1.EXE > nul
                    9⤵
                    PID:2672
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D7092~1.EXE > nul
                  8⤵
                  PID:760
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5F3A9~1.EXE > nul
                7⤵
                PID:2752
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BF4B2~1.EXE > nul
              6⤵
              PID:2744
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{907FE~1.EXE > nul
            5⤵
            PID:2360
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{210A6~1.EXE > nul
          4⤵
          PID:2412
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5D14~1.EXE > nul
        3⤵
        PID:2504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{210A6396-2554-4879-9390-D502CC668292}.exe

    Filesize

    168KB

    MD5

    58611829034c594cf41404bb571a3118

    SHA1

    9e6f96c03f14d21bc95fc4ad7a615592dec7daf8

    SHA256

    37f9134758f865d902c80fbe7692866f48f6fddfb7c3bf062bfd513ca717f293

    SHA512

    8de323edb14c5fcaf01f194fd3a5d1e02ea7b1bf6d0ed1156ef4be3440615f731e0e65ddd4171b9c618517173ea96b20e3506a75b10799092ddb2ee0ff94abf9

  • C:\Windows\{5F3A9788-2CB3-49f3-9707-518E38884056}.exe

    Filesize

    168KB

    MD5

    c6dda87db59cad47ac3b5f9dd41fcef9

    SHA1

    e2e083d8906ec8f100244c56afe21177ed5b3a45

    SHA256

    35415f97c38f3afd7ed0954257a08c783e6eec99c50a204bf1daefdac04fcd3e

    SHA512

    38d8bebe273dacf1977436af05ff169f94c3e2332edc51ff8010045b4dfed87c095e5666c6fc8002fdb68a25dcdf691209e8ab10e5fd89a564c8d37db27107ae

  • C:\Windows\{6AB3ABEE-3679-4160-A8D5-9C43073BC6D8}.exe

    Filesize

    168KB

    MD5

    43740ff40c188de30e88f4c340073184

    SHA1

    8629676c0c1f5a079cd583756c2d14fa89fccbf1

    SHA256

    e30d758d72aafd338e498d7f18ddfad108a476ae08b50232b46d956875026dd0

    SHA512

    88c74de0bf5b2d3a90840e4d5b9c86927bb9f210605e99aad0d8ab66b95987f2f2cc3b44db4d891fe0094faeb93aa821f9ae3911aa5ebbf6cbb272093b06ee4e

  • C:\Windows\{8EF7A5A3-585D-46b2-8E97-06D2C5605488}.exe

    Filesize

    168KB

    MD5

    33faf0436973ad97b9657bf97c612a8f

    SHA1

    14c7af03fb8ba6617abbf4b0b1219ed21cc4fe80

    SHA256

    023e652b5e980655be217c0f9d377292817c508e9ae3015329b02756f51d73ee

    SHA512

    286f4b6471ff1144d627fdaaf3763c33a2aaaab4ca2814136860ebd8ecaefe1c605384c4fb08f729ef90d41e1731906287930e81ae64f810c50e26fd8472c086

  • C:\Windows\{907FE030-4B94-4658-B184-1215277D7E1C}.exe

    Filesize

    168KB

    MD5

    6bad7b14bf02fdda10d7d934fc89d5d5

    SHA1

    bd9696f47c45dc29f8037e302372cd1a91cc2fe3

    SHA256

    7483e294768a7a6a119a7a0730de4ccd6c318ffbf53e3e720916972161ab82dc

    SHA512

    0437c63edcebc89aa05e477f384e64e7f9bbfb0caf8b66fa3f1eb058f7020768080e9b4bd803b9613462bc726049aaab1ce0459384416fedf281101c944d5a81

  • C:\Windows\{9AC28808-B49C-4346-A083-B9C0C126D898}.exe

    Filesize

    168KB

    MD5

    4e11639e653c1a0fd2998408b1264a78

    SHA1

    62248825ceb0768e299088d5b8b079ff0e610f91

    SHA256

    e9212b0e55595b9535600bc12b9ed60adcb23cde64b50548ae0bca4f88217f2e

    SHA512

    87fcf3f7bc5b617d09eae0b7025dafceb4f405d94b528cc62d1276314c53696b1263a78f5d0fe679c29f1e3dc3237ce7d22a2dc08a82177d508a51816bd66190

  • C:\Windows\{B5D14ADA-0524-4e26-BE2F-498CC4D9B1DF}.exe

    Filesize

    168KB

    MD5

    3d70680ca82973c967e2b5848b923582

    SHA1

    24d3c1df47cd2e0df547da1d5ed400af730f7cdf

    SHA256

    e1919c1c5d8ef52d9f30031758a0a9c5f310b614695621c9db71eb39676bec5a

    SHA512

    f7d93d0e58932c815ef910c155f28cd3d325d70135a2e28a98fa42e3af48ae4544d73852d750ef20eb22438923c69a945e759525ca9c6ebd455796acc11d0909

  • C:\Windows\{BF4B2FC1-A838-4da7-B08D-F92533F6EA4D}.exe

    Filesize

    168KB

    MD5

    15025d93b71e579a2e8d72c925a97ed6

    SHA1

    885d56f547e80dc314767ae25a6a9816dbfcd325

    SHA256

    89a0ff10c81e7b72678ffc20b8898d88c871cba91c8f3f25ba1bb9e771e58112

    SHA512

    0bbee332ccabd1d182ecfea5b9de6d993045cfd1a2cab239474a7ba1882ba2ec47e61c6c9c4aea9607d334bbc8d0ca2858bd38f50d2cda1e8173e39c90339ee2

  • C:\Windows\{D7092B21-2618-4960-8442-8EA36BF4CEB3}.exe

    Filesize

    168KB

    MD5

    296fce1141a975d834165700256492b7

    SHA1

    9d1a0e8eaf8166a08212da9489f04b6179030296

    SHA256

    a351c5b9785cdfa4536f8ba10bc50b7e93b5030d458493e655c0bca8ecca5c4f

    SHA512

    674a866340ae2c34c051c87149fd969157d3cbdd0f5ce5ef6dd3bdab9d04998fa77eecb5e22c3eb35ffad757608147f1228813f91b50511d142be3a6cc46719b

  • C:\Windows\{FB931F42-EA4C-4d19-AF36-15C1D037A642}.exe

    Filesize

    168KB

    MD5

    870361acb692138bcd337165c4d647ce

    SHA1

    63171a263de266b8f9479e47b8c5831ad238ab23

    SHA256

    da37e19cdc93f1984901ad5fbe2a42a32c62ea7e9e61285e943b409a3f23ce95

    SHA512

    30a558bdd88d7ac867550a6b04661257030362b9ebe9b7dc0d87d6985768a4df84f55934b4b76f9eb3c2ad7d1e90cd6bdcb25f85c22b044ef127b0a2af0b0f89

  • C:\Windows\{FCCA356F-534F-4b2f-9BBF-3F0F65D6943C}.exe

    Filesize

    168KB

    MD5

    6555767c5513ec9e06929d60b5a72109

    SHA1

    a145b644215a39f5d04542afb0a555a4f827b9d2

    SHA256

    dd39040f8f49f694cc7b8dedb4dc86dd515cd9f4a63ee2839a3fcacec2e20463

    SHA512

    74272a72439939a59955478e23d2a402a7bb36478f2cb77de1871372f83470ca7801229ec0f89bd97f5a54caeeee8c1dbda57942b6ffc7026ed8337f6f7d4eb0