Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/08/2024, 12:48

General

  • Target: 2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
  • Size: 380KB
  • MD5: dde8214497f9cce33bb255611157fe5a
  • SHA1: a5923cd70d864604958ce40b1b894a0e7633ca2c
  • SHA256: f9e28efa88dac35f0a7b9ff99e0c7b4827cd6496e4be9bf6a7cc2d54501957af
  • SHA512: 3a68d87e1a5e2be19e272b7b07e0dff487f8d23559f1c7b4a37761ee840cd92c26b497083c92d67793b07e2456c34b745fa63442a91fb3300659912f5f4fa261
  • SSDEEP: 3072:mEGh0omlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\Windows\{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
      C:\Windows\{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
        C:\Windows\{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4376
        • C:\Windows\{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
          C:\Windows\{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1168
          • C:\Windows\{E791659F-6B3A-433e-879D-BE738AACC008}.exe
            C:\Windows\{E791659F-6B3A-433e-879D-BE738AACC008}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1380
            • C:\Windows\{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
              C:\Windows\{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5044
              • C:\Windows\{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
                C:\Windows\{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4204
                • C:\Windows\{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
                  C:\Windows\{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:852
                  • C:\Windows\{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
                    C:\Windows\{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2944
                    • C:\Windows\{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
                      C:\Windows\{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1452
                      • C:\Windows\{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
                        C:\Windows\{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1768
                        • C:\Windows\{1676A555-BC30-42ba-9400-05C937C4AD62}.exe
                          C:\Windows\{1676A555-BC30-42ba-9400-05C937C4AD62}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3724
                          • C:\Windows\{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}.exe
                            C:\Windows\{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1208
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1676A~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4852
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9E7C0~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:5064
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{726DC~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2504
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{49CE9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4672
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D9EBE~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3784
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1A506~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2680
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0DEA3~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3940
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E7916~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4264
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{91514~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC9D~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4307E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1864
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3168
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
    1⤵
      PID:4272

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
      Filesize: 380KB
      MD5: b9eaf83cb463d546c87cfa421fb4ea7d
      SHA1: 068f972b0100a71d175b6a1eb31901ffd014f656
      SHA256: ee0f7246b8e85e4489cd73ec8bc87324f2199ebc18c476aba96ebc0695b99356
      SHA512: 8cad7b2b9733a1a7503b86f3a4fccf20c4f97ab3c8ea697114ea048bf1fe0029e996b1e2a9f382deef2525a67248266b6974958c6d62ff34a1b2b607cdc7375c

    • C:\Windows\{1676A555-BC30-42ba-9400-05C937C4AD62}.exe
      Filesize: 380KB
      MD5: c9b6539e7d482c53d877ace410594592
      SHA1: 3c9d342cf606fc139d764ac0344489e27b041326
      SHA256: 02f1d3e13c7f645c15aa82178e164cc934c51f38e82025bd113093ed36920035
      SHA512: 7bca5cca26f0ae639f0bcd0f4cb46b00edd9ae5b24a22bb024213b3ef75c5789f42923db0b520437aedc6139a3e000fb5cfc52ddf77ce89e9820f7bb5cd1f4cc

    • C:\Windows\{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
      Filesize: 380KB
      MD5: e18bed81a8f24bb1bb795f445bb250c4
      SHA1: 32f8acffea4ce099a1c09c60f282fe79518bea4e
      SHA256: f03c715d06940b3e6517b9a1cc5694ee8edf4b055a7eb4b87e3839c354741392
      SHA512: e0bb6764352ec06a3b99708fb22fe2519b08b85ee39fe8f75aaecbdc69989a80791ba5938d58e6e4596d25b447c81a4a3aeca9d14a7c1f134ac0ccec99d792dc

    • C:\Windows\{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
      Filesize: 380KB
      MD5: f4c8108c33ff1d30054807ea72fc09c5
      SHA1: 938788b53e78ec6e988508314c50a39ace546905
      SHA256: 3970f29f2ff9a81aad04de176bd5488779600726c00a658706541ea3dce41337
      SHA512: 7ea4cc78a6cd9527794704069c8e7c4138f568f5ecc2c6b3c325552cb86864bf48f6e7d2c5b418a42e06dc5f60218153c753efe366a00edf4558168ba8174bdf

    • C:\Windows\{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
      Filesize: 380KB
      MD5: 77d873cee7b19a1e0cb82bb8dd63a695
      SHA1: c590ae8b41c3ce35835acea6cb1885de477a4320
      SHA256: 0f858c6bd92319632df96d9c4a364302f39c142d93a36c6b39c2dbba9365c313
      SHA512: 1938c8bcdccf44f84328e925ffa445ab34071d2bbd584f38967754f4a9decf07d8ab222aae1b594474d24f0cef7cae1e1cb36f7cb6f5be85dcaefb4b9f496c2a

    • C:\Windows\{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
      Filesize: 380KB
      MD5: e894bb303b4f07d569073df7872e770a
      SHA1: abe8c530022950fda70b2c736ef1b1dc6fa08756
      SHA256: ce2641ff809a9e6e8ed0f2588df8fb85a7f28f0f128979c57a70854a5a0054e5
      SHA512: 0eff516354a28d62d17a32a91fe2dd8dec46050f5256cc2197ccf203398d481af63604bd5cd39d956f02d8f28a75486817ded09f207441f15e66d43bfa5cf3e2

    • C:\Windows\{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
      Filesize: 380KB
      MD5: 25dc0c313d5d6f39b0dfc3b164efdcdc
      SHA1: 2755047321406a0f3183218d409f4b57e856e821
      SHA256: 197170174770ee423b3beaa19815fd2458877e5068d79d6f7b9d6f6b2460a411
      SHA512: 45dee2c2ae51be85e773b4844b3e2fa3d5dd1d05f6047350fd3db815078e07b768428594aa4fd349469dcb09194f7fb00a9f1153b1904d5a1a10f988c9a26d40

    • C:\Windows\{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
      Filesize: 380KB
      MD5: 0c9477684289370eddd1bb66f00f2444
      SHA1: 5b953ea10024ee2f4a1beb905aca8e3e8828b334
      SHA256: c434c5f5d1fe487dd425cda53518cd27621d1835f8469d3ed3cd456f636a1f15
      SHA512: d3f5c32fe6b2fb5ea990fc9b19f2feabb83adaa5ce85eb97e1d928db1171125c471c821f01d1394b2b37dad52911d25870ab9a566b5972b707bdf016e714cfeb

    • C:\Windows\{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}.exe
      Filesize: 380KB
      MD5: 520e1a8728caa57fd627a3df284fe3ba
      SHA1: e1f288bfe0b37076279b76f518a904fa06bf8d9f
      SHA256: f8348e1ea57dffefdb5feae8d1e3bccc95164d62f600a5bc09801cb418d5fca1
      SHA512: d45a99ccfd194280a4f22101d7f6cfd5206151187fe78715a30ec1f6f1a798f21efab1dae19f69352a7289912f8ae0b34c2f6386df3bb16dc5091a38cb5881e7

    • C:\Windows\{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
      Filesize: 380KB
      MD5: e741393d459fbc72380153b9bd618d49
      SHA1: d286494fb803431892a4806ac84322d02f382394
      SHA256: 3a9108532087ecc5125d15664dee21f25797ca22deddedc2947bfc02214a5c6f
      SHA512: a731c6ed0d0756105e532edef50c1a0732d7104094a22c90f5ad97a831c56dfdbd85f8431a5a887057ad89333b5e3a6516ce7b7a21408ec3057ce325c2c49bf8

    • C:\Windows\{E791659F-6B3A-433e-879D-BE738AACC008}.exe
      Filesize: 380KB
      MD5: 14c82d83db01e382d9ee4bf8197316c3
      SHA1: 6b8bfa35be77870e906a6091c4b55cc806ae650c
      SHA256: a35ce6e4d5fc33b7510198e8eaeed13b04f0ecec5cf548aeaf75a448bee99fe1
      SHA512: 78aea24c24454f48cdea63a414d4f8c98a8d8a11acf990a50ec00f44893c3c5cb0cf689888efdaaed9b785cd2b1d3bbbb684eeb90fbf10fc798732213938269c

    • C:\Windows\{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
      Filesize: 380KB
      MD5: ce8eda04262d64093f50b0f88e6328d5
      SHA1: 1f95fefc4b6813195a452d6465dabc85b9837f2c
      SHA256: 14308251529fb926b36c227bf66a8ac0bdaad9437831bee52f6a82919a61b305
      SHA512: 954c9672cff707df9418292341ab1f870ca566cd9a5ee20d28445a2eec1c1da7c401e2699945fa003ec797405eb43f45c496a19804eaa1887237d16cff9af5e2