Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 18:23

General

  • Target

    2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe

  • Size

    168KB

  • MD5

    7ad159816e5e1b401a70f0c9ca3f4b07

  • SHA1

    d95d8f2aadaf3afb86740a04d14dfd68ce06cbd1

  • SHA256

    eda374791495b6b2561c090e690301fdde0c80634a1cc4b6ca9ac954f6c78ec3

  • SHA512

    1618b23f7ff4b3f41be7982b0256177324a4c212328d5ead5af0ead8e1bac4e962fcd7e8ea0dcfb4ddffff2720dcbb612042ffa13c6b02171f460f2fd5b41e11

  • SSDEEP

    1536:1EGh0oQlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oQlqOPOe2MUVg3Ve+rX

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe
      C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe
        C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe
          C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe
            C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe
              C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1656
              • C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe
                C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:948
                • C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe
                  C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1608
                  • C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe
                    C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1128
                    • C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe
                      C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2280
                      • C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe
                        C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2804
                        • C:\Windows\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe
                          C:\Windows\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2956
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3FFFD~1.EXE > nul
                          12⤵
                            PID:396
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E6420~1.EXE > nul
                          11⤵
                            PID:1724
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FF432~1.EXE > nul
                          10⤵
                            PID:1924
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A26BE~1.EXE > nul
                          9⤵
                            PID:1440
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9E609~1.EXE > nul
                          8⤵
                            PID:1456
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0D45D~1.EXE > nul
                          7⤵
                            PID:1780
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{64038~1.EXE > nul
                          6⤵
                            PID:1624
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{51A55~1.EXE > nul
                          5⤵
                            PID:2584
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7D93E~1.EXE > nul
                          4⤵
                            PID:600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8470E~1.EXE > nul
                          3⤵
                            PID:2852
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2384

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0D45D587-C400-4b07-9134-FCC176FC66A3}.exe
    Filesize: 168KB
    MD5: c5ccbc5ee89aea588b524d942ee03a2f
    SHA1: 8781e754a25ca036f3b349296bb01c8021f4b236
    SHA256: 886cd89cf2969aa13236b1bc3402815f762d5a621e0e13fef184267ada09606f
    SHA512: 76c5bb2d51d1c839f86e9d6dd3909ba08c47d1b88cb5dcee145c6f2b4de59ec0b288cbc91e2037ddc3b3a60cd266b409721b61b1ae5617ebe154a8ce36d9093c

  • C:\Windows\{15E27CE6-1188-420c-AEF7-6047D39942AE}.exe
    Filesize: 168KB
    MD5: 7a3ff86e790b353c3a26167391dd4817
    SHA1: 29e40afecb7c11d759b51f62ee778a48b93b9a5f
    SHA256: 125d2c028bc0492cf44ab4c1c88219fb0dd4f55e96b1c48f808c47dc3e81970b
    SHA512: 4d745518f64bc10d0defe3c252ea1aa869df28901fd7e369446aa03658aa88afc61518fd2eae3d58307c18b93bd66660a4ff163003e48ba29084565f32e06414

  • C:\Windows\{3FFFD432-C4C0-443b-A4E5-B116B93A2E6F}.exe
    Filesize: 168KB
    MD5: 80381f9ac50e64ab0493c081315b6eb9
    SHA1: 3bcf1b50614b62d89cab23b3a2b808f3a6bf09b7
    SHA256: 21190f29e8894cc0e71e4ddca2a56e4897c977d05052d1e987cdfc58ce53ec83
    SHA512: f4c96620c3a0928d021e2a780ff53a563479725bbe32ea712dafacd7de509fc171567e008c6298776095e5c978979737c25f92ebb3237decf66047ea0a9057c9

  • C:\Windows\{51A5582B-2AC6-4a4a-B3AD-E5E3F654654A}.exe
    Filesize: 168KB
    MD5: ecb1a9eb50098d769eb13c67a7511256
    SHA1: 337e7f7804c208048d47a1e8a7ae12b29ea42e66
    SHA256: d2422ada1c1385300f8a878db5b8ed31d8985aa69a438e308475527b24b7fce9
    SHA512: 4b0f32ad0aada592fcc5ee22ac3997c2f47b1792ce9c8ddbba8da55b814c5bedd15f28092942eff62048fbc7bee8ae78d496ac0ced34572027e72b5eddfce86c

  • C:\Windows\{64038816-6A41-410c-830D-3310D11BCF74}.exe
    Filesize: 168KB
    MD5: 9fbc6ccae42d24ac96aa3d4fc68eeaf3
    SHA1: 12166e5ccf5f6132c8e6469d432b2e5c9487bc21
    SHA256: f79ddc955e9741e0f8ecc11057a82a6fdb99ba494b716d249c47551811d81241
    SHA512: 3295b8d4a0562344c6acb5dbb66597813ddd3d2a9ec7d7adbeaf330c052118258e2afd14cb00209099fcbcce20fb7135e76308855af712c978af577a0d9b2ea5

  • C:\Windows\{7D93EAA5-B0E2-4522-B1D9-50801528D9CA}.exe
    Filesize: 168KB
    MD5: 65f7c2942d872112124195b593d9433d
    SHA1: 9c07dbb1e374a0e37284ccabecf294d0ff02a168
    SHA256: 9051c6af65f837a55ca1f54fd651933e0b04c4ea119180c4d8312c64bae64560
    SHA512: 3ff17a6b09e4597eaf7e8830f83bcafdf88dbf2efdb69a9f00e2fcc0def078ae9824659392c31b12f7caa4ddfcb0ce8b7503366ed082004e7d7e36e0207b6e37

  • C:\Windows\{8470E077-C3BF-47ef-9FEB-2DE604ABE6E5}.exe
    Filesize: 168KB
    MD5: f4a8e845859d14c6ffadf3779ef2e731
    SHA1: fb67091e6b293fe97b01448f1ea676b81b6e92c8
    SHA256: 1b74d76ddd26a36b6b04fa1305068177cb74621e6996ced4e3b442bb4b0813bc
    SHA512: 584e1956516c4635fd3377a5046db617d5c96af7dd8b30fe70dcdd984927d42778d8515bbdfa1c349d61801507b760b06b04d08bc11f9e067533008ff1f33881

  • C:\Windows\{9E60938C-E3C2-48f3-AAE7-31DDE19CBE87}.exe
    Filesize: 168KB
    MD5: a1273f46227b4e757098b20c35cb53c3
    SHA1: 801a04bf7de8115408d0215c166e11868886c1cd
    SHA256: 73e9c6b778f01d11e6bfb30a846fd51af219466d130627239d579012c9f2f37a
    SHA512: ed36743e618cec74b651d38b6c42cf65fde3d14c5a4c8af1cd7180009f6a40d56e876a68e42a9f701da1ca5de0fe994fa3b9b1e42c3a7332717f21c0f8f09957

  • C:\Windows\{A26BE6C3-B30B-4ee4-8B02-1A97DEBC3F02}.exe
    Filesize: 168KB
    MD5: 6350e1b5b1ae3574fafaf564160ebc70
    SHA1: 250c3862efb21834c3ecaf47e8566e75b41dbbb1
    SHA256: cf05edbe421a3bbee08f6f146eb384a605c42adf8a764d109de1b9a69aedebe0
    SHA512: 4174a8b9670875ce4a7b791f2333b8dfb68ecfb27ac440034d8778d240297ccc6838599d3946b7cdba57a7e74e6dc711f0c89c887ed5953e4120e330ce1f4592

  • C:\Windows\{E6420383-AB6A-4459-9096-2E40920878A7}.exe
    Filesize: 168KB
    MD5: 2e706ee3fd9da98ba0ef0e2bbede2b92
    SHA1: 08fd3cd7c6cba9c60534093c9b1d6061341ca470
    SHA256: e30c37b886079a605c55ffc78468e498024b539ac856b23d55cd5c11ae8881c0
    SHA512: e9b9778864b62583e69bd965de358dc38a260da7fa1ba08594ae77dd42c4d6c3f07fef3707cd92df59b0f4919b3b5c8a24fe0f7c7b51185412467f2a7be1e59f

  • C:\Windows\{FF432A0C-D213-4d50-BB60-63F4C97E296E}.exe
    Filesize: 168KB
    MD5: 45437f355196faf835ea5416c7db2c51
    SHA1: fd2d5d061f49e625713c32eb96020ea7e3c7f01a
    SHA256: 1d23b586fc15cc5c57e3fb8e4877786605874abb3b989953611f3e8c5b6cbc88
    SHA512: 2215a8bdfce6197cf5e26d97316190669fb1de000edd2505392089b845dbecf62b0227700c8573f6f0daf5843b7bcf1bce61db1c70128742c13b8fe00394b625