Analysis

  • max time kernel
    144s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/08/2024, 03:51

General

  • Target
    2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe
  • Size
    216KB
  • MD5
    3c39eed2d3ff3f55ed1c0ad0e434b5d4
  • SHA1
    661e25b519026342b34027b92d57bbccf2f87fb5
  • SHA256
    ec6f662fe878a756c1acbfb24ccffb64813100da25ac08d052441135a26c6da5
  • SHA512
    e454155e1bca8f8171a484075850e976e1083436a51db65acd83d3668edbb6350f9b53f6caef8cf34acc1db3441c2f71a19cafbad53329a6524b8c6db4b7d8f1
  • SSDEEP
    3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGjlEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
      C:\Windows\{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
        C:\Windows\{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
          C:\Windows\{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Windows\{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe
            C:\Windows\{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2768
            • C:\Windows\{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
              C:\Windows\{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2872
              • C:\Windows\{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe
                C:\Windows\{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2060
                • C:\Windows\{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
                  C:\Windows\{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2704
                  • C:\Windows\{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
                    C:\Windows\{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3004
                    • C:\Windows\{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe
                      C:\Windows\{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2968
                      • C:\Windows\{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe
                        C:\Windows\{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2976
                        • C:\Windows\{5E5F90F6-01C5-4244-A937-3453D0A8B170}.exe
                          C:\Windows\{5E5F90F6-01C5-4244-A937-3453D0A8B170}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1932
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E42D4~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1012
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B141C~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2392
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{97918~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2036
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{1FD46~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2248
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{69D18~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2924
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{AE368~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1820
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4A62D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2272
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DB1AD~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2088
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EB08A~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B259F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2764
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1FD460BB-D94D-4d12-8ACC-E927271B5A01}.exe
    Filesize: 216KB
    MD5: f295e5221e923830d43fb177d6bf7ef7
    SHA1: d588583dc169a644f5f8ff14a802e84ff853104f
    SHA256: 964b5f2f0a8c8190b4ca744425cca34e643b2c1e6fd17d2733197933f4ae9e97
    SHA512: a3ac71fa2ab0adc6f336998a4411ea5ed209a8a8eb5f29eb678c843a14b1d3653fcfa07493c2da2671a916e9b8c0602a51249955c81cb463f3bf0fa10a796cdf

  • C:\Windows\{4A62D5D8-463B-426f-8B45-EAADBFC211D6}.exe
    Filesize: 216KB
    MD5: 0e1f8b7191c4c1e0b28cd3befc53ecdd
    SHA1: 504abf0e6e8efb8759540ccaee2cff9649a0d369
    SHA256: e40b3caa6c60880a542625ac00bd0705c09d74280db93f8ae5a6cc019ccfabb0
    SHA512: 24bad8596bac3403cca731060dac3b459de4d39b098c8a7d76cef1604e5c904e7e40b7c1b1f1b98c79f1ad11387d69a890b4b4b416bd3d8b1f98ffbc56bc0391

  • C:\Windows\{5E5F90F6-01C5-4244-A937-3453D0A8B170}.exe
    Filesize: 216KB
    MD5: 5cee732f045b28d42a40650aab55a8f1
    SHA1: 5d1574a93dcd6bcc005197a17c69fff5b9247452
    SHA256: 04b854826f2a6c8fc73f6bd02ff8c14a9cd93dc2459e0379ff7242967e325e11
    SHA512: 982cb1f1f3dedad1ce688e92a6be287f005cec1ae2d24d6afc755857bdbdfe07409708ebc2fae12912c5cba3cdee63f979398f18cfbc3f2a53684392ef886b57

  • C:\Windows\{69D18524-F304-4f1f-B1F8-0FACCC1CE719}.exe
    Filesize: 216KB
    MD5: 3ede77834b6cb00e8047d4e641f4565b
    SHA1: f75f58afdd8116dd8908b92e72adb03988158c9b
    SHA256: 62132b8f24a758942e69e7ed03ce74139e73d88a70e4d13d8e948a60383b6e16
    SHA512: 7aea8e49fab2cc3e76e605a8180081c9e8344b3df5586cdf5b7411786c80322e11f39020fc0811f5a384b7b2ec8fac859893d1f8625b75f03602cc95e8afc1c6

  • C:\Windows\{9791828D-FF43-48b9-8C2E-7EDCD0EA2402}.exe
    Filesize: 216KB
    MD5: b4b09662aabf11a0ba2db4438dc0b6f2
    SHA1: de4c4f9449dcd0b1ac6b538c84a7dac027101386
    SHA256: 98239795f58514042a094b53415cae367dd9eb1ce266dec1e13ba87d9ea65ccf
    SHA512: 991831ceba0104d9aa038ab3db2296b56fad29dff6ba3fb65d630e24cd26281d8582ec6eeca88d30adab1cb6f462cdbcf70cf63cde3881498505ec2b28db4a93

  • C:\Windows\{AE3684E7-FF22-4fa5-A3F4-A6F122F8FD5B}.exe
    Filesize: 216KB
    MD5: 5e10cdade28a133cd333c1af47780e81
    SHA1: 03734ec47a54be55e711d7ba2bad8119dd0a525f
    SHA256: 9e41c2884534d149ae5bcc6bff5c4b50a0399770029bfd0a18357d001be22293
    SHA512: 6e63997a98a64a338e94eea90962e763f52b50845092adbd6d7035d5e1c78b55fb480412af2cd41563a674e28681031599db551f40750cbb043429ad6e5bffca

  • C:\Windows\{B141C8CB-FD82-4615-A504-44CF2D21F37C}.exe
    Filesize: 216KB
    MD5: b50e21f89288961684b91984e3c813fb
    SHA1: 736e543aed4eebb043518462ba1982a51690e85f
    SHA256: 2208d2927ef22617b5a9eaac334d200fdc0b7bc0165ab08a80e1d45803106687
    SHA512: 189c0056e433b01503a8b8a9bb06e973f8d20f52687ef9eb996f21242d508b5af23b31c9c0eb7f0986ac111b4ac82fb37e2fb9120711df052771bdf2700d81b3

  • C:\Windows\{B259F75F-710F-455f-8C1F-1909076A18AD}.exe
    Filesize: 216KB
    MD5: d77f68d2c2e4a21741cd8b52c558cb0d
    SHA1: 7a69a5db78bf47f75f71cac71cf784d3a2860858
    SHA256: 8c81bcd2c93f014f1467aa7891b96c7ade6da6891e1dcba33b732a1bb96a9f4e
    SHA512: 7d6f1b16f304ae20765c0000831f4bcef8aebaee3717e88f31a547c964363e39d5f9da152fa33cdabc0930b3079ae51ceeaa89b1475b43b3bcc9a2215eb4578a

  • C:\Windows\{DB1ADBDB-AFB2-468c-9F4A-369F5E860483}.exe
    Filesize: 216KB
    MD5: b7e5bea5b0549735d11018f75215c291
    SHA1: e7d32bc88127b0a933e2ab119fe6f69b20ebfdcc
    SHA256: 2ebbe65fc61b7b88e9c678746b89e7879bae9a8a081371558d549198e009174c
    SHA512: cd055fd4ee722fdbeae455a6d13569701ea0323a3a389591795f7d7ab0de9e61e0251c4fbcb22404e6b090c19c2cdb0ec919f27c7382f92dc941e86e621bafa4

  • C:\Windows\{E42D4B46-0707-4f3c-BF60-06FE6C14F25C}.exe
    Filesize: 216KB
    MD5: d708c8a856b206e2ce40e92edb454bf9
    SHA1: 625b768de6d1872320bae089ca038d8c6edc8436
    SHA256: 255e2c2ec2cf862a095ef90a48d76460a6964ddb5df771331fee99053b244011
    SHA512: 224e10db6b0a4bbf588ff49904c0c7fdb2a78300e074fa41a8788e3a011585be8304f57923e9818f5be96a9357cf3d172cb09671cd1a4c05fe9b31c52e4a09c4

  • C:\Windows\{EB08A0D1-0F50-42e9-8C82-31C8CA6B02D5}.exe
    Filesize: 216KB
    MD5: 1c6d01aecda5263b57844f185dba74c7
    SHA1: 5f2e5b4e401ca5db7a9492c11abebd71593a94bd
    SHA256: 7c2b2b9c1c52a3adc8df0b03124b0ac09dff2f182693ca147ae6c777843c7963
    SHA512: 8f8265f748df653a9539f39ec80e6b89530afd90b839eec9af9c319c8b6e4fe9e99ed8243ed946a8a79d70774f6cc921db9ec8a7a28f710321378286eb631294