Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/08/2024, 12:48

General

  • Target

    2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe

  • Size

    380KB

  • MD5

    dde8214497f9cce33bb255611157fe5a

  • SHA1

    a5923cd70d864604958ce40b1b894a0e7633ca2c

  • SHA256

    f9e28efa88dac35f0a7b9ff99e0c7b4827cd6496e4be9bf6a7cc2d54501957af

  • SHA512

    3a68d87e1a5e2be19e272b7b07e0dff487f8d23559f1c7b4a37761ee840cd92c26b497083c92d67793b07e2456c34b745fa63442a91fb3300659912f5f4fa261

  • SSDEEP

    3072:mEGh0omlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe
      C:\Windows\{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe
        C:\Windows\{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe
          C:\Windows\{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe
            C:\Windows\{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2324
            • C:\Windows\{04A51BAA-0006-425a-8DA1-42648301291F}.exe
              C:\Windows\{04A51BAA-0006-425a-8DA1-42648301291F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1140
              • C:\Windows\{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe
                C:\Windows\{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1088
                • C:\Windows\{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe
                  C:\Windows\{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2868
                  • C:\Windows\{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe
                    C:\Windows\{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2884
                    • C:\Windows\{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe
                      C:\Windows\{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:796
                      • C:\Windows\{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe
                        C:\Windows\{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2192
                        • C:\Windows\{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}.exe
                          C:\Windows\{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2440
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{28CAB~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2180
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DDA7~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2196
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{65BCC~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1044
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4B0C8~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1208
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{EE17F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2900
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{04A51~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2216
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6C158~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2400
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{FFDF5~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4C1EF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2584
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F08~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{04A51BAA-0006-425a-8DA1-42648301291F}.exe

    Filesize

    380KB

    MD5

    27e2b83e91efcbe05884a96bf3d67cbe

    SHA1

    bd0fb9d1592559bf273bd957661eeef0731d9cce

    SHA256

    ca58403b061f23561feebbb2b00f2b16e8a0e377a5e4b2234d7070be78840a28

    SHA512

    d805908376a16c48df37434bcbcb4fcb9370ac6df4ff02277023d9962aa54271f48aba89a3ddd524a31d29b3423e8a2e2a43638164cd0fdb847192bfb125ef7e

  • C:\Windows\{28CAB2CC-3C2E-4aca-9823-0D8409BBD900}.exe

    Filesize

    380KB

    MD5

    6d01a3542f496cc511de69ee7d590a23

    SHA1

    2d5c08f11fda1526b8a3d11e88b6f98e10ce7663

    SHA256

    11e9d298c45c2f5f1d4d577d16a7760d48bc0c2082df885555c8175be55a5d12

    SHA512

    bb380a90f91e26a20c089de36392d48818e0150a605b4b3f041a81b9448f816d442fd0edb5a6adb0f51c832a5c3ba777db45b0b2ccb16b7077994a2c18ee5e93

  • C:\Windows\{4B0C87D5-316E-44d2-86F1-A99530C5EF6F}.exe

    Filesize

    380KB

    MD5

    e81fd8a84204966c71aedf635d6ac2be

    SHA1

    ce29a6947f63873bc07447b55b369670667633c2

    SHA256

    6cee965a9e27c469ff0a5d25b932342b9bf50154ac355b01f990d11fb856881e

    SHA512

    6fed0c55752022ccd915e17c616326a62018f00ba8bcc57315c92600599bdc99d809acaaea9f57b3ed49360a2fb1932b3b254526551cdd7c2579d0a83c380ef9

  • C:\Windows\{4C1EFEFE-6D85-4c22-B943-D2521D5CED8F}.exe

    Filesize

    380KB

    MD5

    a3ff67c9567d3208a044638d8139e920

    SHA1

    bee3494f221d87a0cacdb2d568861a959d42f75d

    SHA256

    aa39f27f55f26035758c571348ed1d454ae6421b02f59de711a2bff49fbbb487

    SHA512

    0a8dff86497e4688141828cdd3991163874a27f273fe3f76e25bcd7c4fe356d22e9bc588b895e4b33de3cec0298aced14bb8bec38cc6477affe5d0a0466d6d27

  • C:\Windows\{65BCC4FE-1E59-453d-A20F-70E26B9CB3CF}.exe

    Filesize

    380KB

    MD5

    42c2307287dd7c4b83b70b548f87ba7c

    SHA1

    4e46da9f4acd798fd852769e155bd37e425a125d

    SHA256

    bc8f5626188c043e4206c9e6f717b70de3072f2183b5c52ebc4c2bddce63ef2b

    SHA512

    9a2ab50b344eaa1f48be779aa78b5e184d199767b39583e7134a48a8def300c42cc9bf5703d590f7d36c9db3dfc047be3b113a86e055c3d0ef5127e5127a8af4

  • C:\Windows\{6C15818F-CB2E-4a48-980F-6C8DE115F64C}.exe

    Filesize

    380KB

    MD5

    8174675c84ab15b9879fbc0b076b2535

    SHA1

    9f1b9ce805e19f94f26a6014e70ae26220b028ca

    SHA256

    2aa4d86129cb00ed0f6b6eb79d8bc0d9aaa475f01414bd2e6c6c6d4724ede134

    SHA512

    b8545b10a78e847615843865ead04a1a544ae77ca6fc33b3e537d9adc237185333dc8d45f468d92bfb30f8dfeac8422f29bbefc74c70637cbd08f72e3c8cfbff

  • C:\Windows\{9DDA76EB-40F9-4f5f-9EAD-C6C94B582523}.exe

    Filesize

    380KB

    MD5

    4250bf8bd00f0a099c12877d4df91953

    SHA1

    55885fed6160b7d7343b995d5a84eefd7566bd22

    SHA256

    06ca60e0fe314903f81c2f7df3f061676c3a295ae816e3bb7d6ca01d12bbb615

    SHA512

    7bcbeb36eb3c28e8afdce36ad017eb18015ef82885223971093e6e6789f72a7e4e902878a0e4c5e88a47edd07a48fcb0a6b4245c8f53f3c2c19349078f4cc460

  • C:\Windows\{BAD86750-8AC1-493d-BB60-A3ABF1CF414D}.exe

    Filesize

    380KB

    MD5

    78a8bc382181518445f76ee1a45af8cd

    SHA1

    b34189a7a7d70672c75d3e0adbb84676a1698cb4

    SHA256

    8c2a371835f57147b61483b108e1cdc2e67d3da9762e11eb118c833114bf6a00

    SHA512

    87a0ca5cb242b3be8190700234cae21155fb5d43af6266080091736933d8777a14d889ba9be7640fa703ea6e84a47647fb3783ea69a6e383f9a8896e89644151

  • C:\Windows\{EE17FD68-4F4B-46cd-928D-11C50F0E668D}.exe

    Filesize

    380KB

    MD5

    b0209e73dd89a9bc3aac69738f9dd6bf

    SHA1

    0ec3790d9a4a398c0f67d8a5d55cdc988c6e7d78

    SHA256

    4fafc6b5bf391715ad3911da58ca01a0c3b11f2ffa5487dd3220a86a2b694e07

    SHA512

    0bf4c90ce8ba01f309153efda0bc25b7a33d18380ff31b6211f75ec9f3295f30e024690110a930251b02743b41b46645cace83ce3ede72d43fd4c7bef7f7fb5d

  • C:\Windows\{F0F08177-5901-46ab-AE1A-0A307D26BFE5}.exe

    Filesize

    380KB

    MD5

    88f95700f0c834365491fb67fff84439

    SHA1

    2a9a0556359de959ee7be07f5ba1a9695b1cca91

    SHA256

    818f4247bb72b0a98e2d4df4e92d1f16d343ca53d7a7c70ad9b7ded7b5269c85

    SHA512

    e5fef2c167f6cf1ead886a247b5897cbf6766a9751b44aaff4fb3f521678d2282e8c68370e03bbc59e77e34b5fdfcca925f641d446d83ea83f7074fec889d81b

  • C:\Windows\{FFDF5506-D0FF-48b4-A0EE-CCC25018CB00}.exe

    Filesize

    380KB

    MD5

    8367e2cfec4d2d57e3673757f3c17443

    SHA1

    13d76f86292f5ed4664dc0b4dbb48e087adcce5c

    SHA256

    8f6f30e8fc94b42984119cb8e4445f8c718b9d97d2b14bd1e3dae068508d206f

    SHA512

    100d5dbdc08dced03b381376a390716d96509438f06942ba923ae1c8b18cbfaf0e3049b4722184777320bd060f84d692046494f7631a61568621aca5a6ecbc38