Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/04/2024, 18:23

General

  • Target
    2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
  • Size
    168KB
  • MD5
    54ce192027ed3fdc340f6646a9ae6bab
  • SHA1
    1978009c2929cc4c5f2f7dd1f79490bbcb1d64e2
  • SHA256
    109b34023a9cc232e0c95081a5c482107e459cca1cfa877c5f2f112ae980bcca
  • SHA512
    adf3b2dffe314738c081fa3bcbf402c128432b5eb47107abad6079e138b78bb64dfe1383cd81338185a61e4e0d53939a569e2dcf5e067a6c33b2ea53e452d313
  • SSDEEP
    1536:1EGh0oclq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oclqOPOe2MUVg3Ve+rX

Score
9/10

Signatures

  • Auto-generated rule (11 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_54ce192027ed3fdc340f6646a9ae6bab_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\{1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe
      C:\Windows\{1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\{9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe
        C:\Windows\{9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:812
        • C:\Windows\{67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe
          C:\Windows\{67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3472
          • C:\Windows\{B962E929-D87D-4fa2-8417-2F922E5991DE}.exe
            C:\Windows\{B962E929-D87D-4fa2-8417-2F922E5991DE}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5024
            • C:\Windows\{CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe
              C:\Windows\{CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:804
              • C:\Windows\{ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe
                C:\Windows\{ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4556
                • C:\Windows\{9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe
                  C:\Windows\{9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1340
                  • C:\Windows\{0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe
                    C:\Windows\{0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1984
                    • C:\Windows\{962A767F-57F4-482d-86A8-532E764053D1}.exe
                      C:\Windows\{962A767F-57F4-482d-86A8-532E764053D1}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3600
                      • C:\Windows\{19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe
                        C:\Windows\{19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3108
                        • C:\Windows\{4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}.exe
                          C:\Windows\{4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1760
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{19D7A~1.EXE > nul
                          12⤵
                          PID:3608
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{962A7~1.EXE > nul
                        11⤵
                        PID:2008
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0F2CB~1.EXE > nul
                      10⤵
                      PID:4380
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9C238~1.EXE > nul
                    9⤵
                    PID:3156
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{ABDA1~1.EXE > nul
                  8⤵
                  PID:4928
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CFACB~1.EXE > nul
                7⤵
                PID:3960
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B962E~1.EXE > nul
              6⤵
              PID:232
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{67EAA~1.EXE > nul
            5⤵
            PID:2416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFDA~1.EXE > nul
          4⤵
          PID:4524
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1498D~1.EXE > nul
        3⤵
        PID:3608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:3228

Downloads

  • C:\Windows\{0F2CBD14-7366-4e33-98B0-BEE679E075AD}.exe
    Filesize: 168KB
    MD5: 5c7f63a4eb985d118a92dab446bec139
    SHA1: 2bb07108fe5b69b96c2d5cadbba647889a78076f
    SHA256: 2ff59dfd8e34aae2f2eb4f2921b873e6ebccfc238573b824c46367ff5faa6d63
    SHA512: 979e79f78ff5e378437732467d79c9a8714d301036855ec838e880d7a965fdb84ec059f2a75316e4ae97aff2644453fe7f48c026b3e03cfe7bfeb993745766ea

  • C:\Windows\{1498DCE8-EF36-48fc-8D91-91D1A16EF10D}.exe
    Filesize: 168KB
    MD5: 04b8ab2968d4b33b2bc940c1918141f2
    SHA1: 3901c2f344973e7dc1da78253a0d4c75b18fde56
    SHA256: 49ab269a7d4ca5f3af525252a82d86d75b7dfa5bce09c219689a63cd10328ff0
    SHA512: 94ae286a4e920d5178349bf78019255f47211b8a5a8516c5e26685480daa96628ff9e394a3d5f231017ebf92d5ebe45a46057fe634449feb8ea0b76c94464614

  • C:\Windows\{19D7AF7A-3ADD-4020-9E31-F3598C9E51C4}.exe
    Filesize: 168KB
    MD5: 49f487763d9d74f7022b5846fa3ffde6
    SHA1: 93a615333525d7eb111573960cc3fe2d1f25e8ad
    SHA256: 670f0e2198e80142fbab8b050791dddfa3fc66d5f6d34fc36c497c4a32ed5993
    SHA512: ecd779179d1d59736624d0efc90c2f6e79c237147f4d5a610c8ceaf02eb6393b5cbe160fa13be0308749fa4157e1c640f8ce8cc000443e2ae4f3d92cbfadb348

  • C:\Windows\{4DCAEC6D-AA1C-4983-97A5-AB49BAF5D747}.exe
    Filesize: 168KB
    MD5: ca20851455ac1d699b439482df8a97da
    SHA1: b43fdce22682e8e0ad731cb37d805938b2bf395d
    SHA256: b9fbc83214a3fd35497d0d471dae05cacbeb54fcc23d4a0d78cad05a0eed35c0
    SHA512: 252d1b163342db411c055c21ebc296d76c35dd8ce18753b2aa76afb5f1b1a19fdec30d390118dde7e13167d023b0896b90424d1a12bc9c024d85411108f609b2

  • C:\Windows\{67EAA18A-04BC-46c4-BA82-266FE5E2001D}.exe
    Filesize: 168KB
    MD5: ebc16e03c1fcc23d2bea45e3a5da7909
    SHA1: 4eec56b3db24f21465ac8232997e45a7c980b68d
    SHA256: 5de45a8c3069c0a9745c33ede6a11af55604f8b64f3b7a679cf6e925f935f2db
    SHA512: fb8d542741f1133be6b8ee4047e83c946d50c6da8664edbb983839dc30e218af48c46e6edb92560185c1464977560eb59b58387f25e71a29b20d834b0155ebf4

  • C:\Windows\{962A767F-57F4-482d-86A8-532E764053D1}.exe
    Filesize: 168KB
    MD5: e940294304353c9ed3f25169f766b6cd
    SHA1: 1e913fbf5cf17b45abd212afc324dff8b3c0eac7
    SHA256: 0fe268abcb7c56e1e63b6f324e2f5b08910302a9f26b2b605545946bbf238c17
    SHA512: 3157f49fa96fd17a4d2a0e9806c7d187fbc623170515c412508037d8f340c650ba5feaf4d9fab4ebdfa4e2540a28e9fb197d7e0d73f9448a8e685e6405b11d72

  • C:\Windows\{9C2389F7-41EE-4ab9-A72D-737E0CED85E7}.exe
    Filesize: 168KB
    MD5: 6d8a1d3b4f205dd523f3f2b8826c4a2a
    SHA1: 3f2faac7d1137a1c622c907693569d06684895e9
    SHA256: a28879395229265a6777b3aaaab859b412b262bc8a7a959e29b0b4046d94e473
    SHA512: a5e188303b4d2a6d5cccb1fc0cc316cf526ebba3f4b4e27f0059d5eb7e63fa7294b14f9edc04916acefbcb3d8c7d0e88b5836b0842f22d080169756820816662

  • C:\Windows\{9DFDAD25-5B04-43e0-8990-B3D1D508A04F}.exe
    Filesize: 168KB
    MD5: b0300be7b6883bea12af49a01a98a15c
    SHA1: 94ad95cf09f93d2fcc3490996c29b6112373dafe
    SHA256: 87b2d783a7aaf0069277eef0bfe726f56263c0d5dd361f2eea24ffcefd03b766
    SHA512: 961c46b6a37f09e9200af3f7723c3ac73c49a71dc2f567041a4858bd0efc96ffd77b8d33e94a0dff357bd0f20a366794b1807fdc89e857ce94de3ccdd1e7b4ec

  • C:\Windows\{ABDA1398-CE29-4ccc-A954-31ECA73CA80B}.exe
    Filesize: 168KB
    MD5: 707b0115e8e6288da9bb20d14b3e3c4d
    SHA1: ede39849418085a7eee1ef2339e88387fc108765
    SHA256: 1e0347b1ebeb63dc454bba392846afbf20bb41df9a213e3882b8444414f0d25e
    SHA512: 23d4bfdc5eb1c64241c5245266a8eeb4b806b855ab1bae2dde754239f6213477361a3f2e20940fec7a294c0ff5d56234ed7508d4157cea8d5312ee02546d3077

  • C:\Windows\{B962E929-D87D-4fa2-8417-2F922E5991DE}.exe
    Filesize: 168KB
    MD5: ebb128339cb02cd6f183f0e221d9170f
    SHA1: 8f5841f800b216f48a4d05c64175041194caedb5
    SHA256: e3fbe5723c2e04d22c4f3e3997456ae868721f358fee321c6e999e4a0adc9722
    SHA512: a1ceca48f0cc0cab034eaf77fd04cc99d134066c7515a0b446032fdbc914566dfab8f5e99018c9f2d562c49145ba51508835e94ece013b10297582a113def00e

  • C:\Windows\{CFACBC31-C29C-45b0-9F23-2A64502A9F44}.exe
    Filesize: 168KB
    MD5: 8f6e4326d5f1f1f9e71378f210df3e94
    SHA1: 46fdffcaea2f31f7f628fe8181b48e6ec0c53be0
    SHA256: b40739a35a0c27039f782ee1f00d88e96a1fa4fe6f104afc860b2393182ef600
    SHA512: c7cdd2cc27c7c485f5adc9cbcdf9684b414224cca4871a6c69916554e5fce2f64862a1bc9656e9e440e6b174f9b0acfb42bfcf9b6e5430ac6a46c51ddbfcb5e5