Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/08/2024, 10:51

General

  • Target

    2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe

  • Size

    380KB

  • MD5

    e1b960ac52e9ece473b5221cd0a4b211

  • SHA1

    36308d9095469d2c967d22d34b28a500190a8251

  • SHA256

    486090fd53815bb5bc59e615c9b6a2188f22675f5e45b7aa44b63ef6a16dd913

  • SHA512

    e8cf67d4c0ebafc7d6a7533b1989bbe919273215941e63b3c7c1d34937456a50d94a2d9a9161adb2d8bd24fc4308bcab8ac320ade060d46cc07302ea725f8bea

  • SSDEEP

    3072:mEGh0otlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGbl7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe
      C:\Windows\{6A9DF518-6147-4dec-B7C9-F438FC075FD5}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe
        C:\Windows\{C043FF1A-8BF9-49fe-8750-82C844F577E0}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe
          C:\Windows\{AD679067-C466-4561-9621-2B6C4E1AE0BA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2344
          • C:\Windows\{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe
            C:\Windows\{943B65F5-1A56-4953-BCEC-AB669FD5C61E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe
              C:\Windows\{F663D47E-D8F9-4516-8DD5-1AA825A7AA43}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3008
              • C:\Windows\{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe
                C:\Windows\{C398B576-FD56-4876-8AFA-1D1BA888016F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:876
                • C:\Windows\{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe
                  C:\Windows\{EF9B16CA-EBBE-4fc7-947C-051349D74753}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3004
                  • C:\Windows\{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe
                    C:\Windows\{BAA7E5A0-7558-4c94-8AD5-9C469DCBE9C9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2764
                    • C:\Windows\{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe
                      C:\Windows\{B94E15D7-1C25-4bf4-894F-F27079FD0892}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2000
                      • C:\Windows\{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe
                        C:\Windows\{8BE1667E-E28C-43f7-8A4D-869E12D8B2F2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1204
                        • C:\Windows\{F95C16D6-4E7E-4c42-8465-44466BB367C0}.exe
                          C:\Windows\{F95C16D6-4E7E-4c42-8465-44466BB367C0}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2464
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8BE16~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:380
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B94E1~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2592
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{BAA7E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1508
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EF9B1~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2892
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{C398B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2864
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F663D~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:944
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{943B6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2460
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{AD679~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:320
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C043F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A9DF~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2484
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2772

Network

MITRE ATT&CK Enterprise v15


Downloads
