Analysis

  • max time kernel
    149s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/04/2024, 18:23

General

  • Target

    2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe

  • Size

    168KB

  • MD5

    7ad159816e5e1b401a70f0c9ca3f4b07

  • SHA1

    d95d8f2aadaf3afb86740a04d14dfd68ce06cbd1

  • SHA256

    eda374791495b6b2561c090e690301fdde0c80634a1cc4b6ca9ac954f6c78ec3

  • SHA512

    1618b23f7ff4b3f41be7982b0256177324a4c212328d5ead5af0ead8e1bac4e962fcd7e8ea0dcfb4ddffff2720dcbb612042ffa13c6b02171f460f2fd5b41e11

  • SSDEEP

    1536:1EGh0oQlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oQlqOPOe2MUVg3Ve+rX

Score
9/10

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
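
The "Modifies Installed Components in the registry" signature refers to writes under the Active Setup key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (ATT&CK T1547.014): the StubPath command of each subkey is run for a user at logon when that user's HKCU copy of the subkey is missing or older, which makes it a persistence point to check on any host this sample ran on. The report does not show the values that were written, so the Python below, an added example rather than part of the Triage report, parses a constructed .reg export (the subkey GUIDs, the benign entry and both StubPath values are assumptions) and flags entries whose StubPath points at a GUID-named executable directly under C:\Windows or outside the usual program directories.

```python
"""Triage Active Setup 'Installed Components' entries from a .reg export.

Added example, not part of the Triage report. Export the live key on a
suspect host with:
    reg export "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components" asetup.reg
and feed the file's text to parse_reg().
"""
import re

ACTIVE_SETUP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# Directories from which a StubPath is normally launched; anything else gets a
# second look. The allowlist is an assumption, tune it per estate.
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)
# The drop location used by this sample: a GUID-named exe directly in C:\Windows.
GUID_EXE_IN_WINDIR = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I
)

# Constructed .reg export: one benign-looking component and one that mimics
# what a dropper like this one would leave behind. The subkey GUIDs and both
# StubPath values are assumptions; the report does not list them.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
@="Example vendor component"
"StubPath"="\"C:\\Program Files\\Example\\setup.exe\" /user"
"IsInstalled"=dword:00000001
"Version"="1,0,0,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}]
"StubPath"="C:\\Windows\\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe"
"IsInstalled"=dword:00000001
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')


def _decode_value(raw: str):
    """Decode the two .reg value encodings this check needs: REG_SZ and REG_DWORD."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text: str) -> dict:
    """Return {subkey_guid: {value_name: value}} for subkeys of the Active Setup key."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            if key.lower().startswith(ACTIVE_SETUP_KEY.lower() + "\\"):
                current = entries.setdefault(key.rsplit("\\", 1)[1], {})
            else:
                current = None  # some other key in the export; ignore its values
            continue
        val_match = _VAL_RE.match(line)
        if val_match and current is not None:
            current[val_match.group("name")] = _decode_value(val_match.group("raw"))
    return entries


def _stub_executable(stub: str) -> str:
    """First token of a StubPath command line, honouring a quoted path."""
    if stub.startswith('"'):
        return stub[1 : stub.find('"', 1)]
    return stub.split(" ", 1)[0]


def suspicious_active_setup(entries: dict) -> list:
    """Return (guid, stub_path, reasons) for entries whose StubPath looks planted."""
    flagged = []
    for guid, values in entries.items():
        stub = values.get("StubPath", "")
        if not stub:
            continue
        exe = _stub_executable(stub)
        reasons = []
        if GUID_EXE_IN_WINDIR.match(exe):
            reasons.append("StubPath is a GUID-named exe directly under C:\\Windows")
        if "\\" in exe and not exe.lower().startswith(TRUSTED_DIRS):
            reasons.append("StubPath outside Program Files / System32")
        if reasons:
            flagged.append((guid, stub, reasons))
    return flagged


if __name__ == "__main__":
    for guid, stub, reasons in suspicious_active_setup(parse_reg(REG_EXPORT)):
        print(guid, stub, "; ".join(reasons))
```

Remediation is not just deleting the file: remove the HKLM subkey as well, otherwise the StubPath keeps firing (and erroring) at every new user's first logon.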

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
      C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
        C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
          C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4644
          • C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
            C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4488
            • C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
              C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3496
              • C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
                C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3204
                • C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
                  C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4848
                  • C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
                    C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4756
                    • C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
                      C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3372
                      • C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
                        C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4900
                        • C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
                          C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2104
                          • C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe
                            C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4624
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3C3~1.EXE > nul
                            13⤵
                            PID:5000
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5D45A~1.EXE > nul
                          12⤵
                          PID:2796
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E06F~1.EXE > nul
                        11⤵
                        PID:3648
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1D38~1.EXE > nul
                      10⤵
                      PID:4956
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F4D53~1.EXE > nul
                    9⤵
                    PID:3604
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{35A60~1.EXE > nul
                  8⤵
                  PID:4876
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{02BB0~1.EXE > nul
                7⤵
                PID:4400
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{478CF~1.EXE > nul
              6⤵
              PID:3240
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{38CCB~1.EXE > nul
            5⤵
            PID:4960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{FD14D~1.EXE > nul
          4⤵
          PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93ECB~1.EXE > nul
        3⤵
        PID:1296
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:1844
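
The tree above shows the pattern worth turning into a detection: every stage writes a GUID-named copy of itself to C:\Windows, starts it, and then spawns cmd.exe /c del on its own image using the 8.3 short name ({93ECB~1.EXE for {93ECBC45-...}.exe), so each dropped stage is removed from disk once its process exits. The Python below is an added example, not part of the Triage report: it runs over constructed process-creation events built from the first three stages (PIDs, images and command lines as in the report; the parent of PID 4500 and the benign control event are assumptions), links each cmd.exe del to the parent whose image it names, and walks the chain back to the original sample.

```python
"""Hunt for the drop -> execute -> self-delete chain shown in the process tree.

Added example, not part of the Triage report. The events below are
constructed from the first three stages of the tree (PIDs, images and command
lines as in the report; the parent of the first process and the benign control
event are assumptions). Real Sysmon Event ID 1 / EDR process-creation records
can be mapped onto the same ProcEvent shape.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-07_7ad159816e5e1b401a70f0c9ca3f4b07_goldeneye.exe"
STAGE2 = r"C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe"
STAGE3 = r"C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

SAMPLE_EVENTS = [
    ProcEvent(4500, 0, SAMPLE, f'"{SAMPLE}"'),  # ppid 0: parent not in the report
    ProcEvent(3832, 4500, STAGE2, STAGE2),
    ProcEvent(2808, 3832, STAGE3, STAGE3),
    ProcEvent(1844, 4500, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(1296, 3832, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{93ECB~1.EXE > nul"),
    ProcEvent(2784, 2808, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FD14D~1.EXE > nul"),
    # Constructed benign control: a script deleting a log file is not a self-delete.
    ProcEvent(6100, 900, CMD, r"cmd.exe /c del C:\Temp\old.log"),
]

GUID_EXE_IN_WINDIR = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I
)
DEL_TARGET = re.compile(r"/c\s+del\s+(?P<target>\S+)", re.I)


def short_name_matches(short_path: str, long_path: str) -> bool:
    """Could an 8.3 path such as C:\\Windows\\{93ECB~1.EXE refer to long_path?

    Simplified 8.3 rule (assumption: no name collisions, so the tail is always
    ~1): first six characters of the stem with spaces and dots removed, then
    ~1, then the first three characters of the extension, upper-cased.
    """
    short_dir, _, short_name = short_path.rpartition("\\")
    long_dir, _, long_name = long_path.rpartition("\\")
    if short_dir.lower() != long_dir.lower():
        return False
    if "~" not in short_name:  # plain long name, compare directly
        return short_name.lower() == long_name.lower()
    stem, _, ext = long_name.rpartition(".")
    expected = stem.replace(" ", "").replace(".", "")[:6] + "~1." + ext[:3]
    return short_name.upper() == expected.upper()


def find_self_deletes(events):
    """(parent_pid, parent_image, cmd_pid) for every cmd.exe that deletes its parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        match = DEL_TARGET.search(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if match and parent and short_name_matches(match.group("target"), parent.image):
            hits.append((parent.pid, parent.image, ev.pid))
    return hits


def dropper_chain(events, leaf_pid):
    """Walk parent links from leaf_pid up through GUID-named exes in C:\\Windows
    to the process that started the chain; returns PIDs root-first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    cur = by_pid.get(leaf_pid)
    while cur is not None and GUID_EXE_IN_WINDIR.match(cur.image):
        chain.append(cur.pid)
        cur = by_pid.get(cur.ppid)
    if cur is not None:  # first non-GUID ancestor: the original sample
        chain.append(cur.pid)
    return chain[::-1]


if __name__ == "__main__":
    for parent_pid, image, cmd_pid in find_self_deletes(SAMPLE_EVENTS):
        print(f"PID {parent_pid} ({image}) deleted itself via cmd.exe PID {cmd_pid}")
    print("stage chain (root first):", dropper_chain(SAMPLE_EVENTS, 2808))
```

Matching on the parent's image rather than on a fixed path is what keeps the rule useful: the GUID file names change with every run, but "cmd.exe whose del target resolves to its parent's own executable" does not.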

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{02BB0D67-6F54-40d5-B6FD-84FD2BFB146D}.exe
    Filesize  168KB
    MD5       442ba02b0fc60d8ec9025a3de7a40621
    SHA1      e2e971882a86c71df35822ef6cedd79e1c6dc4ac
    SHA256    a7212fb19199a9cd6a538ff07e0ef5a4b90f8fe59e91dd03307aee9343ecc462
    SHA512    982e6a79d31fc13e75ae0d645dff4ab7570581637576943d8e32769dc7aec51a6511c169e03fd37e74eca36d42cfd33270cc454fe05779eb9e816c825a65c38a

  • C:\Windows\{2E06F327-5D4F-4e68-8387-1D5328A27369}.exe
    Filesize  168KB
    MD5       cac6a19afb5a85b397b20ab2c55667be
    SHA1      b89070a24d8a33bbb3b799856fc8d0a91e6a1cbe
    SHA256    16856d1e09482f808f79cf63d00b82ef093fdece23a340bacc88bf90d6579744
    SHA512    5d0310eef18cd25d12256079739264b6987d3c96035949652a66de5fd2ef5f74672f7db5aadccc72be8e553812f343bfa3f43c1d381d3b5cb647a74496ec7e37

  • C:\Windows\{35A60DDE-1BD1-4f67-8B91-255000FA6F9E}.exe
    Filesize  168KB
    MD5       a820386440c8597080a7510793a4d722
    SHA1      e84cd5a5136f5f475a9cf0e32c9e97ba66390c35
    SHA256    0b8e69fb07a8d2684462ebabb3b8170f52f1862682eda6c27a2b3fd0431b5ab8
    SHA512    7ec013fc6217686ab8fc755a911123ffa4fbb99cb3564344359bc12ec80a3b60fa944f38287cbbda0a90b8f3b02d4d4eb626d1497ba2517d460c29feab61d27d

  • C:\Windows\{38CCBEF1-2638-4f86-8B98-8B76C4121DEE}.exe
    Filesize  168KB
    MD5       018533f2a5c4df62a711ab7d535812dd
    SHA1      7d2c4954b2eff5890e64d0c9a4acb200fd2d8ea7
    SHA256    a870090c75cbebdfc8e7baf15e263a851dfcd8d9728d07ac0d523d479e429a0b
    SHA512    1c07886fdfc9d82ac2a89a4f43eb67e09753b37109d3704580a2836eb7e3b0e265418928630ee28060625c5564f5178fff5bd5753ddc6808e52f44838e14ba8a

  • C:\Windows\{478CFFF3-CD2A-4435-99E9-F3D2B0853296}.exe
    Filesize  168KB
    MD5       14523da205c2d3bdfc27917b8654c3a3
    SHA1      25eeba50e052500db4f644c47b029347ccb82543
    SHA256    1cadcf5ce6457158444b2829d10dc8a65f0c88498ad31e1162ecb64744e93285
    SHA512    1e21566c55ce16a1001c617194175cb60eea1addd3054d62827ca4e298809b3e09e8545c0ef13ee23cb594e47bd3fae45ae6484d0e145e95096b51d97e8c4bc9

  • C:\Windows\{5D45A8F0-7AC8-464d-9383-3D77086BEB4F}.exe
    Filesize  168KB
    MD5       6f709c40613213d9697bae4d07aefd52
    SHA1      8e40d14cfb7d59ff4615e2d95d87d8049b21e905
    SHA256    029b9bacec91a9e24abec7a8ed75620ca94d4fec3624c29c42cce5fb2f431914
    SHA512    68dba71f7058d705c47a3ee0748f4ef5b4bae067340758332703658c7444c9c2f0b028f313aa96080de1247d79ca0cd21c61f0542ccc4d874eb3d2f451ef7570

  • C:\Windows\{73B21AB4-3146-494c-B43E-9B5541D83E04}.exe
    Filesize  168KB
    MD5       5de47c55a843866b26900c5e72b932db
    SHA1      80d5e75394f7b8f0e7baeb9c652ff95476e9f2a3
    SHA256    fd8f7722f687e73dc8fb222e2bb62b573375c79f242ec08de4c6770948a6407a
    SHA512    e01aa63e36ce4b6057b8be4533f2fd3fdac0631ebafef1e10ecedeb4c82910848b5f180e1cf06d806b17a630e05adacd34e718933979c9a0111dca8ae8efe78a

  • C:\Windows\{8D3C3E23-1948-4c2f-8AE1-FF6203FBFDB0}.exe
    Filesize  168KB
    MD5       9cc922f34c35da7811305abe5d5d9d8a
    SHA1      20a187ed0742238eba88cd2f6e954acdbf4ce93c
    SHA256    1d8f18a26802c29a40ceae2225eb93d02efcfcef78f757bf19b1e912463e6ed2
    SHA512    9d1a9650813d040eefcf6e1a2f746226feeacdb2355b940ab6089301c380730b71a31455d60ed794e92c817a27c950dd9e0d5b09cbc389d9feb1d0073b6ad303

  • C:\Windows\{93ECBC45-3C60-4a0a-A855-CCD1E7BCDE1A}.exe
    Filesize  168KB
    MD5       92260aad30abc24d4d2867afaa505ce9
    SHA1      1df1f4a694af652584907a3c5b345974f3e40428
    SHA256    d631c247f56230d194dfbb762a4d951125faa05408a76401198c0ea07f202516
    SHA512    bc37a39f597c411bf76f71d69ed1c7be85a1407b1be167e8efb676c6d42851b7ad52b0b7b4962a8f2a14be9da10e949f7cd3cd9340a8481fa15a2f98bc6da336

  • C:\Windows\{E1D38934-28D1-44e9-AE67-2158241E5D40}.exe
    Filesize  168KB
    MD5       f7fb956999653c261c27295a0a3d7edf
    SHA1      41e51c1f0529987f83b62d48813f4d4952bfd5fe
    SHA256    d9f2f990b6dc806da9360ef1fd3c69f7e496b42ff0569ceabe05acb20af7230e
    SHA512    d9a5e36665a574575880405043c5a732ebf14d8a39ac43d3152c579001decc849276af2f9b3b12529f4bacbb10bb9916acae3da9953a4d1e155daaae631a4662

  • C:\Windows\{F4D53829-DD5B-4b13-AE7C-DAC616EE9CA2}.exe
    Filesize  168KB
    MD5       123fe34a2bd0b0bee2518ac2b0e11567
    SHA1      b6887013c8ec63f52c769d0ce24936eab057e8a0
    SHA256    987b7f223f4a06e63dac73ef1a934ea2073c24b23a30d346dfbe008a82d277c1
    SHA512    164ff8cfeff64213cbb428b5599d2bc8e4cd3349b260bd41b32150db8e80acb87287eee2593350df47b5b7d143ee390916e395efc519b938fc23e2c1c7a2861a

  • C:\Windows\{FD14D6EB-1968-4b20-82E4-5159168E442E}.exe
    Filesize  168KB
    MD5       5615a4d17c4d6cea9351113073262b88
    SHA1      fb56aaa89c14305a18f4abfec4896be05c088f95
    SHA256    cc14e8a1b82f9129745fc36b4fe11d05d09ca7f5df995ec9d8591fd8b6fd3563
    SHA512    2eb625299608ee3fc8f4dfa51bdca07a1479acdc4c0fd8c3ad11f74f1e64a0184e1d2ad1a3cecd7c1d7fe4e7860c1dee4fc7e758bf8f482231bfcd96251389a9