Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25/06/2024, 10:11

General

  • Target
    2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe
  • Size
    204KB
  • MD5
    e842df2e149d65afcc8e40a43d7ce684
  • SHA1
    575594b48341bc6ced47314c0e3bbc43ccb2276b
  • SHA256
    17df57b00bf37994bcb9fdb61ee02bce1f0eeaf87c6e130d77630ab33c57cbcf
  • SHA512
    5b442f23b41ca36b4dfc41bd5635c6078ffc096291ae5a48d27d480fe975ae1085d0194df820ff131e91a2fbd993ea25edcf03a45af50b49916acdb781de3015
  • SSDEEP
    1536:1EGh0oJl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oJl1OPOe2MUVg3Ve+rXfMUy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe
      C:\Windows\{345E2A4A-3A27-4cf0-A77C-52B173BF641F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\{A7ED2262-A856-41c1-9D63-C7272058F542}.exe
        C:\Windows\{A7ED2262-A856-41c1-9D63-C7272058F542}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4312
        • C:\Windows\{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe
          C:\Windows\{4D1E9B79-52F7-43fe-9C0E-2D1192677E64}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3344
          • C:\Windows\{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe
            C:\Windows\{F6963D39-19AF-4de6-86DD-AE61BF4F8328}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1528
            • C:\Windows\{C748985B-D33A-4072-9478-84AC8E6487C0}.exe
              C:\Windows\{C748985B-D33A-4072-9478-84AC8E6487C0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:544
              • C:\Windows\{19D500C2-8E06-426e-9B50-C84D578D4607}.exe
                C:\Windows\{19D500C2-8E06-426e-9B50-C84D578D4607}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3800
                • C:\Windows\{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe
                  C:\Windows\{5B201E1F-A7B1-459b-82A7-713BDB56CD3C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:844
                  • C:\Windows\{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe
                    C:\Windows\{A812C004-38C6-4039-8970-731EA3C7E7D2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5004
                    • C:\Windows\{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe
                      C:\Windows\{71EB7C62-5B37-4d80-99FF-0FDC862119FE}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4180
                      • C:\Windows\{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe
                        C:\Windows\{AD354967-21D9-462c-AA76-DF0473EB92CC}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2904
                        • C:\Windows\{3C099825-A05A-420f-B455-2876C2468E84}.exe
                          C:\Windows\{3C099825-A05A-420f-B455-2876C2468E84}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:964
                          • C:\Windows\{F8B8770A-174A-4d3a-BA29-99F7FEF32E0F}.exe
                            C:\Windows\{F8B8770A-174A-4d3a-BA29-99F7FEF32E0F}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4832
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3C099~1.EXE > nul
                            13⤵
                            PID:3952
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AD354~1.EXE > nul
                          12⤵
                          PID:4412
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{71EB7~1.EXE > nul
                        11⤵
                        PID:2724
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A812C~1.EXE > nul
                      10⤵
                      PID:316
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{5B201~1.EXE > nul
                    9⤵
                    PID:4408
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{19D50~1.EXE > nul
                  8⤵
                  PID:4520
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C7489~1.EXE > nul
                7⤵
                PID:3376
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F6963~1.EXE > nul
              6⤵
              PID:2972
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4D1E9~1.EXE > nul
            5⤵
            PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A7ED2~1.EXE > nul
          4⤵
          PID:3108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{345E2~1.EXE > nul
        3⤵
        PID:4456
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:1048

Network

MITRE ATT&CK Enterprise v15

Downloads
