Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07/04/2024, 18:24

General

  • Target

    2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe

  • Size

    380KB

  • MD5

    8c67995833d225fec4058ef2767ccfc3

  • SHA1

    86a19b8865a11660c4f7124cfb9acb5343aab9a6

  • SHA256

    40f2319621aa36a8441100f13eaac93c1ba6b95eaa59a2a5ff95f4a14cce7d90

  • SHA512

    945aae6b041e6fb6f0481f9a8098155705ff11e7bbed8dd07a2d00d1e51dfb5c1a14e47e3900be66aefa274dace6a274cd61d1ccb5609fcdf804fe649eb291d4

  • SSDEEP

    3072:mEGh0oxlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGTl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
      C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
        C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
          C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3100
          • C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe
            C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2196
            • C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
              C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1372
              • C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe
                C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1972
                • C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe
                  C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2280
                  • C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
                    C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:216
                    • C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
                      C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4384
                      • C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
                        C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4116
                        • C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
                          C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1352
                          • C:\Windows\{615AE48F-379C-474b-B573-CA8696803F47}.exe
                            C:\Windows\{615AE48F-379C-474b-B573-CA8696803F47}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3116
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2F5C8~1.EXE > nul
                            13⤵
                            PID:552
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D9833~1.EXE > nul
                          12⤵
                          PID:1632
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9669F~1.EXE > nul
                        11⤵
                        PID:3392
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{51D23~1.EXE > nul
                      10⤵
                      PID:332
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{20796~1.EXE > nul
                    9⤵
                    PID:2624
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{46494~1.EXE > nul
                  8⤵
                  PID:760
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{954C3~1.EXE > nul
                7⤵
                PID:2508
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B124C~1.EXE > nul
              6⤵
              PID:2000
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6E78C~1.EXE > nul
            5⤵
            PID:4016
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9AEF2~1.EXE > nul
          4⤵
          PID:1216
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69AD0~1.EXE > nul
        3⤵
        PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:1452

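The tree above shows a relay: each stage writes the next {GUID}.exe into C:\Windows, launches it, and then spawns cmd.exe to delete its own image, referring to it by 8.3 short name ({69AD0~1.EXE for {69AD0E30-5C72-4972-8ADA-033698153D5D}.exe). The Python below is an added example, not part of the Triage report: a detector run over constructed Sysmon-style process-creation records (Event ID 1 fields ProcessId, ParentProcessId, Image, CommandLine) filled in from the first three hops of this tree. It reconstructs the parent/child chain, flags GUID-named executables in the Windows directory root, and ties each `del X~1.EXE` back to the parent whose long name that short name abbreviates. The field names, the assumed parent PID 1000 for the root, and the 8.3 matching rule are assumptions for the example.

```python
"""Reconstruct the {GUID}.exe relay chain from process-creation events.

Added example, not from the report. EVENTS is a constructed subset of
Sysmon-style (Event ID 1) records filled in from the first three hops of the
tree on this page; field names and the 8.3 matching rule are assumptions.
"""
import re
from typing import Dict, List

# {GUID}.exe sitting directly in C:\Windows, as each dropped stage does here
GUID_EXE = re.compile(r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# "cmd /c del <path> > nul": the self-removal each stage spawns
DEL_CMD = re.compile(r"\bdel\s+(?P<target>\S+)\s*>\s*nul\b", re.I)
# An 8.3 short path: <dir>\<stem of up to 6 chars>~N.<ext of up to 3 chars>
SHORT_NAME = re.compile(r"^(?P<dir>.*\\)(?P<stem>[^\\~]{1,6})~\d+\.(?P<ext>[^.\\]{1,3})$", re.I)

EVENTS: List[Dict] = [  # constructed from the tree above; ppid 1000 for the root is assumed
    {"pid": 4520, "ppid": 1000, "cmdline": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-04-07_8c67995833d225fec4058ef2767ccfc3_goldeneye.exe"},
    {"pid": 5068, "ppid": 4520, "cmdline": "", "image": r"C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe"},
    {"pid": 2692, "ppid": 5068, "cmdline": "", "image": r"C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe"},
    {"pid": 3100, "ppid": 2692, "cmdline": "", "image": r"C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe"},
    {"pid": 4016, "ppid": 3100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6E78C~1.EXE > nul"},
    {"pid": 1216, "ppid": 2692, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9AEF2~1.EXE > nul"},
    {"pid": 2608, "ppid": 5068, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{69AD0~1.EXE > nul"},
    {"pid": 1452, "ppid": 4520, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
]


def short_name_matches(short_path: str, long_path: str) -> bool:
    """True if an 8.3 path (STEM~N.EXT) can denote long_path: same directory,
    short stem equal to the first six characters of the long stem (spaces and
    extra dots dropped), extension truncated to three characters. ~N is a
    collision counter that cannot be predicted from a log, so it is a wildcard."""
    m = SHORT_NAME.match(short_path)
    if not m:
        return False
    ldir, _, lname = long_path.rpartition("\\")
    lstem, dot, lext = lname.rpartition(".")
    if not dot:
        lstem, lext = lname, ""
    lstem = lstem.replace(" ", "").replace(".", "")
    return (m["dir"].lower() == (ldir + "\\").lower()
            and m["stem"].lower() == lstem[:6].lower()
            and m["ext"].lower() == lext[:3].lower())


def is_cmd(event: Dict) -> bool:
    return event["image"].lower().endswith("\\cmd.exe")


def longest_exe_chain(events: List[Dict]) -> int:
    """Length of the longest parent->child run of non-cmd processes."""
    pids = {e["pid"] for e in events}
    children: Dict[int, List[int]] = {}
    for e in events:
        if not is_cmd(e):
            children.setdefault(e["ppid"], []).append(e["pid"])

    def depth(pid: int) -> int:
        return 1 + max((depth(c) for c in children.get(pid, [])), default=0)

    roots = [e["pid"] for e in events if not is_cmd(e) and e["ppid"] not in pids]
    return max((depth(r) for r in roots), default=0)


def analyse(events: List[Dict]) -> Dict:
    by_pid = {e["pid"]: e for e in events}
    guid_exes = [e["image"] for e in events if GUID_EXE.match(e["image"])]
    self_deletes = []  # (cmd pid, image of the parent that erased itself)
    for e in events:
        m = DEL_CMD.search(e["cmdline"]) if is_cmd(e) else None
        parent = by_pid.get(e["ppid"])
        if m and parent and short_name_matches(m["target"], parent["image"]):
            self_deletes.append((e["pid"], parent["image"]))
    # Two or more GUID stages that each erase themselves is the relay signature
    return {"guid_exes": guid_exes, "self_deletes": self_deletes,
            "chain_depth": longest_exe_chain(events),
            "verdict": len(guid_exes) >= 2 and len(self_deletes) >= 2}


if __name__ == "__main__":
    for k, v in analyse(EVENTS).items():
        print(f"{k}: {v}")
```

Matching on the short-name prefix rather than the literal `~1` matters in practice: if an earlier stage left a file with the same six-character stem in C:\Windows, the deleted path would read `~2`, and a rule keyed on the exact command line would miss it.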
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{20796186-C809-46e9-AA62-FEE02AD318A9}.exe
    Filesize
    380KB
    MD5
    638e397f7fe47de270e0220ce4b7ba20
    SHA1
    3e09eb275628d8e178832486db75c94d5e1fcc83
    SHA256
    3330a2d2249afca14cccae0273b4a62d72bfacc2302479e885119e408f38eff7
    SHA512
    048b2a802c43a93a5f09c4154f14b7371ac84ad66e66f5630e4f97ce4dc105235a4d131f0ae624fb93695b15add73e52b9c3c47b57f0eb22fbf489543df28838

  • C:\Windows\{2F5C8348-657F-4cbf-B8D1-4AEB182933DC}.exe
    Filesize
    380KB
    MD5
    ae76382ad8378c2c87874091f255b0d5
    SHA1
    2972fb2a946c240c59b848855086d9c4adf6998b
    SHA256
    16e203977448b20094136871ac2620bfb111d32950e765a674967d17d1a73a58
    SHA512
    47fcb8f19849afc26f8517f5126a5c1f01a0ef6f6746ffd53d891ae5e233053c47e83ce84f3e0f13834b5a986ca0df292cb93eb7056f7964cd56bd42b5f24146

  • C:\Windows\{46494377-F956-473d-8783-F4D6CB7DF16C}.exe
    Filesize
    380KB
    MD5
    ca7109822e6cfaf2a1af577244f2920c
    SHA1
    5d80052b368c2ee9844c8b520fd1d78d74289009
    SHA256
    795e91e405957dc4e8f14dd581cf06dcafcff227ace3edeb7f72d28ab3d1ab23
    SHA512
    5b68b3c17e517320960fba33f925bfa709e0aa108767f690dbecb5cb4cd74d39c2bfee3f240a0e4388734dc133fbb7857099378cbe8383898f23a5873d945471

  • C:\Windows\{51D23301-4294-4d2d-8B11-DA2AC8834B14}.exe
    Filesize
    380KB
    MD5
    e02d46a1fde63d3d7e9dc98635590596
    SHA1
    2f15c4c7c5f792b61860e116f1523012951f766c
    SHA256
    a7cd600a3cc97d1f6ebfeb316298898fd7620fd19e0875325779f7bb6451e5fe
    SHA512
    48c60b0f99f736fa33c600e8d038ed9e3fe1a9583a6b4fb301d92b8303fc60db797e47163c5d63f98a79f47a68cc4cfdf84498a7dcd74fd697f8c53e71241e3e

  • C:\Windows\{615AE48F-379C-474b-B573-CA8696803F47}.exe
    Filesize
    380KB
    MD5
    7271f7fd4216b79aad1ba93621fb8cf3
    SHA1
    7d976676e12cc7ff39f016ab3f8b47993a616ce1
    SHA256
    e6992493d49ada8329da39ceb3a51e99a30d338ad30615facee18372922ebe25
    SHA512
    b474c76b29eba4348cd89d124b052d334adbd44e7b6dfd90212079595bb78c6404c39f94a59ac1572cced13836ce40317913b71d69b3bda3987344a594bb382c

  • C:\Windows\{69AD0E30-5C72-4972-8ADA-033698153D5D}.exe
    Filesize
    380KB
    MD5
    dedbb4a21c8cb96e68d8a48afce9dc4b
    SHA1
    4ec0e5c76f9c0b0d3b5cdb7085d5556656652f47
    SHA256
    4bfd8d53825d21e5cccdc7d624e910dd498ed189a8547d1a40cceb7dbc4b03f2
    SHA512
    48cd4b5d3c67e55c76a428d5db5cca833a4b69ce4a011f6e4480eac22590407826e2e21bceeeae9ff01a741cdb04091dba43cec443ec9b831ac43ad1d90f2542

  • C:\Windows\{6E78C6A8-413B-4ea1-B195-043BB1A4A5A8}.exe
    Filesize
    380KB
    MD5
    72add08a7fe4edbd9f6f8f772955fab7
    SHA1
    ac3c3c2bf19407c0b6bd2321e3224e6a69e0fdce
    SHA256
    1ba82af1286fe44240ee11fafc10fe0b41dbbd3e4c341cbecfa46455b9cf9625
    SHA512
    ef982069337e7d5e09b01181133470714f2f09b453e77987a801e6a7fc72a589a065159cece4189a9a7982926f9c53cd278e752734bfc269f6052e283047493c

  • C:\Windows\{954C3D71-5268-4731-9EA8-0B74D2B76E09}.exe
    Filesize
    380KB
    MD5
    d2b3cf41526d12a408ead0393d256516
    SHA1
    f7febde408852e80876b9ff1711216f0c6bd81fb
    SHA256
    48e60085828790b7da9e699d8d25417ff67b525684ad0c96f886b55ae628f88f
    SHA512
    3e7c6567de9b390ee2b28f6f9bb48fff525efeac91c57dfde8cfece5e0eea03d0c9754d6c43c2df72abe24292c4629e0ee163c0d6dae3f88abdf6c27f5c06828

  • C:\Windows\{9669F571-58D3-457d-99A4-C87C7DEE27A5}.exe
    Filesize
    380KB
    MD5
    7bb1314b66001ae9f3756898ff3d98bd
    SHA1
    1ee8f75be0374fe1a303bdc115ae9b7fc330759b
    SHA256
    a56331ba3f5f0cc3ab2534f390dc9bb5e7eb4dd9cf941d7895c998e1bfda0858
    SHA512
    e1cb46fc3c8ef58904ca409d5a05506f027e10b8910a294ac2988aa6a846cd445c861f0ff160cbd766e3e31f437c7f9f263f7e1325575a569ee7e28d1f766e18

  • C:\Windows\{9AEF254F-F43B-44ba-846D-AA9A9C1FB1AC}.exe
    Filesize
    380KB
    MD5
    8764ca4173ee3854370d419746d02be1
    SHA1
    0b5dca907685159ab3757f2aef7ddfa804571d6e
    SHA256
    96fab3c27830489548a207897067003a9bc8fd141b9086f0772c45acf0a5d2b0
    SHA512
    5321b81dbd73d7bd6f8a30b73bd2a04d3eb85943678b711bb17984c1ea6eb45814528defc9d66151bde575d278c1c35a6c156aee3d5653f62dc51680bd8709bc

  • C:\Windows\{B124C05F-AA98-4252-8045-A96047CF4392}.exe
    Filesize
    380KB
    MD5
    89b710518ca00d5a34c44030f2361c72
    SHA1
    3dcc5b83709086a09f316fbc4d4266f66fca5da2
    SHA256
    87d4f1d589e1de32641619052e61eab68aa4d24022420913032821ca82983d5d
    SHA512
    82a909dbb185b2e4d2c750fdbc670c2d16dbd2656f115b3e5d31a686a98dbfa701b261a11b3934a336746a401d5c9cfcfcec0dc43a23f45dcb98893684317dc1

  • C:\Windows\{D9833F14-AAEF-4134-AB6E-04A6BC67D24C}.exe
    Filesize
    380KB
    MD5
    0e50b84893c33492b3919db64f7fe0bc
    SHA1
    49cc65d91e7e9d35208e34469cd9979308852305
    SHA256
    38d6dccff438e42184318c7c565400aeaddfd3c8387f654edd06ffca4d5600fa
    SHA512
    29d252027aaa2ba133c0607a34af5ff26793d59c6f82d17950cab06a92e0f4855bbbe2d8842eb05cfa06bc3f48267be41b944a49f3bc07bfa57c7e965eb1de12