Analysis

  • max time kernel
    149s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/08/2024, 08:02

General

  • Target

    2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe

  • Size

    197KB

  • MD5

    4dbe5698a8ed98a0ff32405470ecfbdb

  • SHA1

    864efbcf74c8a9835805b8016214fba7285119fc

  • SHA256

    62529e2d48959c64889c5b9ed3335da2c9f18f110a2ff3541e2c0d3262cf20fe

  • SHA512

    f45907a5f29fb44fc77f3af49a08d2713ecba9d77f22a39ef4e71a9056a8db84a7edaf37c036e9ddad61d4f468989c086ca95292bcda27f53eab68920c75c00f

  • SSDEEP

    3072:jEGh0oml+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGElEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Windows\{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe
      C:\Windows\{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe
        C:\Windows\{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4708
        • C:\Windows\{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe
          C:\Windows\{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe
            C:\Windows\{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Windows\{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe
              C:\Windows\{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1828
              • C:\Windows\{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe
                C:\Windows\{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2992
                • C:\Windows\{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe
                  C:\Windows\{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5068
                  • C:\Windows\{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe
                    C:\Windows\{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1696
                    • C:\Windows\{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe
                      C:\Windows\{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2664
                      • C:\Windows\{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe
                        C:\Windows\{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1324
                        • C:\Windows\{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe
                          C:\Windows\{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1600
                          • C:\Windows\{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}.exe
                            C:\Windows\{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1624
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CD7D5~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2B345~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3640
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F9A2~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1944
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F602~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3240
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{16AF9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1808
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{283BE~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1680
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{129D9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1752
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5219E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:696
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0C0D0~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2460
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{644FC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3916
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB6F0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe

    Filesize

    197KB

    MD5

    21acff72f037f495b301118e11d90601

    SHA1

    8d611c9d248a2dd7053ac22476de15edb9137bbe

    SHA256

    5cf3e3f0ebe2bead4e211b2b7b7adc30d2fee127e1cff471980d92e9bdac2b65

    SHA512

    96ee17ea7260dcbb01bee23822c9583af4e7625ece8666f7791319da4dc6a91b49b3cd396d279b08a01b979bd69f8292d3487f7f3f02013456f6838c406f21ee

  • C:\Windows\{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe

    Filesize

    197KB

    MD5

    7b682d5ae72c21ad4f7dd07890d6461f

    SHA1

    102aebc0d6fc8444648d5272446e87599d976184

    SHA256

    b687ead78bac890f7cc3995fdaadf9c1d3a6c498d344fa36b047ff8ccc0b4573

    SHA512

    3e37c5b0784f3f7cf6cd3c793d51b55a09dd3a16f402729dc04124b99301637afdf022779534b4d56130f9b4fbe7917ddf6e75169082ac4261c24af9727c01cc

  • C:\Windows\{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe

    Filesize

    197KB

    MD5

    7292121b26ff969179c55832e6b9c5ac

    SHA1

    75bf220d603b24ff7a5d5553301f9878d333d91c

    SHA256

    2cc0d39a5e4d67d6713fe38f2ef94844d1ad56033c6fda07169657aeffdcb755

    SHA512

    e18708c5f9fa230c65b92c9e01f7f4dcd46ff1febaa5382c2d45a1fe2633732b5b960be4c9144eee3cfa2a1602676fa843baeb9fa6f51ec247d66580d924432f

  • C:\Windows\{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe

    Filesize

    197KB

    MD5

    5171f2ad2112748c830d200062bc5933

    SHA1

    b45b3333c09382b41dfc9a0a9df59794ebab4af2

    SHA256

    44ed8726c84d2604af81eb58bc91f46885106b0a5674a4b3663d42f33ad013b9

    SHA512

    11133eef523e7f60fd386b6f5fac1dc5fd51b8229fa579a6d3c3ba8508e7c2acf2c65e68a1198401d058e888dde57e56c3a0ecb8e20476b2347ce207ec32baf1

  • C:\Windows\{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe

    Filesize

    197KB

    MD5

    38934e09e257d6b4a63dd038e0f56004

    SHA1

    a57cc807bc21f36fdd6c8d7de0690ad9eee132df

    SHA256

    f773f101ef3d7376ea81feffeb0b8bd66874fbcf99cf9f2354ab910283a55ed7

    SHA512

    0512810e5386d70cce09b9376c71a0bd1daa9b06fd9de66e8f25b09e968f73ed90ea3b6df539010ef4da80ef6faed8ab246803503f5b74111c9135b153c227f1

  • C:\Windows\{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe

    Filesize

    197KB

    MD5

    cd53b07b2c50974a7b20d4d89ee13efc

    SHA1

    d37386da443e25a6a59d4d42e2998a390e4d241a

    SHA256

    05e300e74c601bf86f34970fdb5fc51aabb090a3a2b09ada7c23327a26d1f277

    SHA512

    f7a3e88b3cdf0685be90e37b4cc592394460c805db9c76655e7885b9d0068bf6a5f1a2c7ff8c749281045fbeeaafcae06952a16c360e0c9ce5e7d9aa2c1438ca

  • C:\Windows\{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe

    Filesize

    197KB

    MD5

    a0e33f853f52a40491b01ce417569586

    SHA1

    49b9d52337f6c57d1dfb627d710c2c2736b5c0f9

    SHA256

    5424a162e96b23c5f67363cf5567615d7a0fec7c839bb80706f223ec05e66783

    SHA512

    7855acb482c0867512c7296197e9aca5340c6f24627db396e34d01ba72d8349f10ad5b7213c5739061ef2388e71bfcc5fddc15faea9a15bdb2b83c8f5edcb4a8

  • C:\Windows\{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}.exe

    Filesize

    197KB

    MD5

    27164f71f44d1998fbfa7c0e44676a4b

    SHA1

    948c2d0bfadb774f28acf5b953b860680a4bc682

    SHA256

    3253cbf3c3bc5acf5d12bcca10f380be3c3d655744e0ad35081ce9a431e0aa13

    SHA512

    75c98292e59986f3fdad9c76c216bad7d00296bca9dfdec51f290a9db600c0ba940ce619ca51e6953f636be6845cc76b7f8c2e1d7dbee4a76a3deb5222bfe83d

  • C:\Windows\{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe

    Filesize

    197KB

    MD5

    2f389002e70ab688b196700dc5e799d6

    SHA1

    316e8e4d9df583a4f2bfc26005dc909cdc88c8b4

    SHA256

    2c9ab5db765a28461c225b70989a5b6fdfb446e096e557c95c02e1ab9135cd86

    SHA512

    1c4d4e50caf0e8f53ce66c241976f5124f968b1d594183e9510d312b4d1bbd56e0684cf4ef82adf44c34e08a1edeceb2be6b9730f19da065fef1ded5cc28ef6e

  • C:\Windows\{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe

    Filesize

    197KB

    MD5

    c1bdc9d3fbae086ac18b6054a1f5fbf9

    SHA1

    08974050a294172a66606bbf9da6c74995424742

    SHA256

    c38dcb99d0008544ee1692cd851377ade369745985aceee0ac54aee9090fed1f

    SHA512

    6e2c124a5e01a6e4daab96a625ce9bdf17aecb044f8e57918c537bad8cd3e54e42e30d7d135340f60bf727af658c9868ddce5f3b3ac59f22964ea6473f1bf0c4

  • C:\Windows\{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe

    Filesize

    197KB

    MD5

    e6b31042d3af356bf467c5f90c85c39b

    SHA1

    e3bf89630e886ee8e2c502e3bded2d34fc820dae

    SHA256

    b7bf9a1eeaf34bd99ea48e9e3f0e9c72c93ded25c12159d1986023e5a082e55d

    SHA512

    f3881f086e440f6d9a0a9d3ba8592e83d6459a007ad2ca371bc877082925936e93dfd320dc0d688bc3f501f7d52b599848a8133a1588e814769c6f25ab2e16af

  • C:\Windows\{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe

    Filesize

    197KB

    MD5

    68a656c894e8c5831633a8dcaa76add2

    SHA1

    601472e846fd3a14428049d6315c3aa3ce5e06d7

    SHA256

    718af2e07515037737746a46d76606dbb7b8430ac6921e3faf8288eaff301c2c

    SHA512

    4449a0134bef7111bf924af030fdc7d58351008f48533c0a990dd321c2bef41b3319d089123ed267b042809d6ab36615838fd997252fee98f8fbc718703d679e