Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 18:24

General

  • Target

    2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe

  • Size

    380KB

  • MD5

    8c67995833d225fec4058ef2767ccfc3

  • SHA1

    86a19b8865a11660c4f7124cfb9acb5343aab9a6

  • SHA256

    40f2319621aa36a8441100f13eaac93c1ba6b95eaa59a2a5ff95f4a14cce7d90

  • SHA512

    945aae6b041e6fb6f0481f9a8098155705ff11e7bbed8dd07a2d00d1e51dfb5c1a14e47e3900be66aefa274dace6a274cd61d1ccb5609fcdf804fe649eb291d4

  • SSDEEP

    3072:mEGh0oxlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGTl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe
      C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe
        C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe
          C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe
            C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2388
            • C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe
              C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2784
              • C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe
                C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2136
                • C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe
                  C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1184
                  • C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe
                    C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1472
                    • C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe
                      C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1396
                      • C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe
                        C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2252
                        • C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe
                          C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2320
                          • C:\Windows\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe
                            C:\Windows\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:816
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{59215~1.EXE > nul
                            13⤵
                              PID:2112
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B8C07~1.EXE > nul
                            12⤵
                              PID:616
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CDE21~1.EXE > nul
                            11⤵
                              PID:2036
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0B9D4~1.EXE > nul
                            10⤵
                              PID:3056
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C3E~1.EXE > nul
                            9⤵
                              PID:2732
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9133B~1.EXE > nul
                            8⤵
                              PID:664
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{87431~1.EXE > nul
                            7⤵
                              PID:2816
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{6104D~1.EXE > nul
                            6⤵
                              PID:2392
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F33C5~1.EXE > nul
                            5⤵
                              PID:1636
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0BB47~1.EXE > nul
                            4⤵
                              PID:2480
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1DBA4~1.EXE > nul
                            3⤵
                              PID:2412
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                            • Deletes itself
                            PID:2088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0B9D4CFD-2966-4eed-8442-A0811AFABA47}.exe
    Filesize
    380KB
    MD5
    1e67d672ba4473f572081cc44b23046b
    SHA1
    f08b2fe030456c822b5b0f3b670bb52ad0b20f50
    SHA256
    7935b164bea338415261b0a91c95ef5f83a12c57909aec276b101d45d88ce7d8
    SHA512
    a0dd0342526a9db5cb797c7a124d93ac4fced7bb7d6ac246452dbb12e7744987c55a24f3b5d247a39cef21573f459fdeecf5b24963d2cb0fc8b4ef36beb29cd2

  • C:\Windows\{0BB47AA6-7BD7-4b20-B1C1-8D7ACDD4662C}.exe
    Filesize
    380KB
    MD5
    986f3598c94abe8ee98a87cc60858a5e
    SHA1
    a1d74da3cffc30d4ed7019b40f65df1c20bde696
    SHA256
    e73e2e5737cb3701892a729a6f1b35bc31454da09497c7b85a79a88f6d06e01a
    SHA512
    380817c31c7060861b8b5039e361322da4321236bffcfd670f679979db9d6f00302ae410ea81e2169185c23c2101c3dfb5a703ca911d943b65a8ec41522c8650

  • C:\Windows\{1DBA4D02-0C2A-432b-A45E-9F181ED58AD2}.exe
    Filesize
    380KB
    MD5
    8eb92fc46bdccb7571e2df68a386b0e3
    SHA1
    10805b7e859888a01b6881ccb26c13b249bc3498
    SHA256
    6b8e34889fe6fbf679780035fb3adbc17f175fd512d09480219d024886bc1fb6
    SHA512
    b5f5a60f201b0d6cf3b836583a2b669ef2716722117f385fa3fdac984590434e62d278fc93fd76ca9621da3ee1d7bdb45b6a00775bd0856e8b73de5e771bf7c4

  • C:\Windows\{59215EA6-93A1-40dc-A8F7-E0214AAAD562}.exe
    Filesize
    380KB
    MD5
    de2e5cc37a307e545c83586be2396047
    SHA1
    42651372aa40208a14dbc10310824240f73b3059
    SHA256
    193c225da6f5d4040f479094e721485fae09306aeb2eadc7f8439ef65432b81c
    SHA512
    6bdb41559736fe6d0dc75f2e81f93f028e76aea5f6acd2288f311c372a996c021a38f2a74e629a819b68666e5ccbbac9806a56e1b58fa6f637ca17ae525b755f

  • C:\Windows\{6104DD92-11ED-40af-AC72-F522DD4B55D8}.exe
    Filesize
    380KB
    MD5
    234a6474f1e552df770afd197cc8c03b
    SHA1
    0f592778f7e5805b5d773c7354c15864324dd44e
    SHA256
    d2e9491ca216f8c20ce7bb8b5a09145b88d0f3f884c0e137e45a1f48462b7fb4
    SHA512
    df8afa3f2b3b0fe4156f088eee9e27cabfc1d2313ae190a077ff6e8f3ac623ba87b0a2e15bf15701ab97e58f39cd62135b9e3f4c4153517d5e18b370fb6c63df

  • C:\Windows\{87431D0F-4D1E-4a23-AFCB-C6239747F4C0}.exe
    Filesize
    380KB
    MD5
    0bbccb98b8dec5d87c9387b68467de64
    SHA1
    8e15fdf5e28cc967e53b12c38404c111aedcad5c
    SHA256
    8701ff50be69c0b1f72b97eb7b6a5592fe953198be7e41287395c30110c6ae6f
    SHA512
    522881606a737271ae2896081a10f479db3e46a7a5530531162bd44617e2993dc6aa933641a09a902c73a46c968fdd934fdea6df1d3c3d73d3376bcb1e88804c

  • C:\Windows\{9133B1DE-2B4B-46bc-B996-CE3AABB167A9}.exe
    Filesize
    380KB
    MD5
    733075295c9d4f2a9ccda6e5cb372131
    SHA1
    3a7dfb07e29018032d85902aeaf9ef04399e9f95
    SHA256
    41bb38202c598f28c93c579536f86c2de3a2235084333b7c5e7949e8684525e3
    SHA512
    93263930dce05349af7af88a15cad3e956221d384fce5c576266d8e17814a54c5c066675bdfbbf4835958ccde1700a5acdb77e8f5ce1314ec24e32ca5a7909f1

  • C:\Windows\{A2C3E774-59E5-4ff5-B687-FE701689EB14}.exe
    Filesize
    380KB
    MD5
    e0a4cc304a27c881abbfc01289459d19
    SHA1
    5f6ea5a2e1792b32c9e82519bf460e53169e808b
    SHA256
    7122f690889dfbd1ed4ce546d9c83e2537b8b8fdb4270e61d13a1e3bec757ee9
    SHA512
    f90441e6a6b9cefa3be9f618ac02f98d9c7cc9605d7af57b17e28da164adfe65e2663ab02d3fb5f27a0952ec5ae09d88c434817a5dc67bec715effee0948ec3a

  • C:\Windows\{B8C07498-8388-467a-B213-9B5115E20186}.exe
    Filesize
    380KB
    MD5
    9738455a1098e34cfb65170366290d41
    SHA1
    a0522dde1ce313aa792afddc14ac5194ddbe712b
    SHA256
    01775becc18f72ba4f07d39b3e6957b793202ff923f9da2dfcf3a2947e00ca60
    SHA512
    f6df89469cedc66da82368dfe78c60315186646b111221a129cfb9b6ad2e71b4e4d11f5c8ac10f80f8408349e181e72ed63705f36241f4267e67f3fea9e6e027

  • C:\Windows\{CDE21332-EB8C-40ff-8DA2-64CA29C2BBD1}.exe
    Filesize
    380KB
    MD5
    69bc1ab2a99e9531f7bb99886cf022c2
    SHA1
    b456c333b5de19a090dfec5228c81eb65ebe303c
    SHA256
    30a4fc80b401da0cbb771838f5f9cf8d71b9a26f1b355b5ad81298eee321e4d5
    SHA512
    a432aa2ba733936ad514e51176e8b1ca810cb660c49b965854434f99ca717739841f7a332b297bf570d6c2c56da897bf156d8b2daee78ddfe875964424f6c38e

  • C:\Windows\{F33C51F8-34E9-419d-8CED-7B4CE5FCCB49}.exe
    Filesize
    380KB
    MD5
    9543d896e8aff2ab70a041aebba78a77
    SHA1
    472dc9b27017dcb9629cd6e6daa234fd476fcf0a
    SHA256
    162ffc6878676bdfbf9ceb295260438d999ec4a97f4638403a7312bc9f9bfe17
    SHA512
    6aa15634fdd6f892b1a44f78122b81f335ded44d83ffec6e492b3ef5b20f772d2c1a07ee37e10982935e926d6550452c0c21aa628143a3b75600a55f8193bf53

  • C:\Windows\{FA48EB78-5FE5-49b9-AEF2-FE3F209239D1}.exe
    Filesize
    380KB
    MD5
    603a29dcd7b1592bca898f5040a886c9
    SHA1
    4f619dce77fdcab53dff39cc0dec7c12e15cb818
    SHA256
    77288278e856b01045933ce6489f8368ee054855d70546648059068b0d72f263
    SHA512
    b25a6f3c6968edec96bf8543260b584da9aa1ef6e4393a07bb5002bead0e71551f475ef633dfdceef9ee03cfdbdb8e00274dfd2ec189125dd29e56f3483bfc18