Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    2024-08-09, 09:45

General

  • Target

    2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe

  • Size

    408KB

  • MD5

    861ba9e5160627afeb501d4344a8e064

  • SHA1

    50a89d43e608b0da5324c141357e4176f81e925f

  • SHA256

    90a80e974aa001b00076cb2bbe7f8d0fe6a5dbd942aa5f174ebcc62a23d02e3d

  • SHA512

    47a508f0a4697521bcca0d21f7c359b3551461282cfa209a16dbb2ceb441ec0bff3a7f0a5aa47b4ed20ace06bf1626b4b2898d86c0f014daec947494382f56d3

  • SSDEEP

    3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
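The Active Setup signature refers to HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}, whose StubPath value Windows runs once per user at logon when the matching HKCU entry is missing or older (ATT&CK T1547.014). Because this sample is 32-bit (arch:x86 tag) running on an x64 image, its HKLM\SOFTWARE writes may land under the Wow6432Node view, so a hunt has to read both views. The report records the signature but not the values written, so the Python below is an added example, not part of the report: it parses a constructed `reg export` dump (every entry in it, including the StubPath pointing at the dropped {6D99E827-...}.exe and the Temp-directory stub, is an assumption made for illustration) and flags stubs whose executable sits directly in the Windows root, is GUID-named, or lives in a user-writable path.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed `reg export` dump for illustration; NOT taken from the report. The report
# records only that Active Setup keys were touched, so the StubPath pointing at the
# dropped {GUID}.exe and the Temp-directory entry are assumptions.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Themes Setup"
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}]
"StubPath"="C:\\Windows\\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A1B2C3D-4E5F-4a6b-8c9d-0e1f2a3b4c5d}]
"StubPath"="C:\\Users\\Admin\\AppData\\Local\\Temp\\updater.exe /q"
'''

# Matches both the native and the Wow6432Node view of the Active Setup key.
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\", re.IGNORECASE)
GUID_EXE_NAME_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE)
# An .exe directly under C:\Windows\ (no subdirectory), the location the sample drops into.
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:users|appdata|temp|programdata|public)\\", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for `reg export` output: [key] headers and "name"="value" string data."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            # .reg files escape quotes and backslashes inside string data
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def stub_executable(stub_path: str) -> str:
    """Return the executable part of a StubPath command line, with %SystemRoot% expanded.

    %SystemRoot% is assumed to be C:\\Windows (true for the sandbox image in the report).
    """
    cmd = re.sub(r"%systemroot%", r"C:\\Windows", stub_path, flags=re.IGNORECASE)
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


@dataclass
class Finding:
    key: str
    stub_path: str
    reasons: List[str] = field(default_factory=list)


def audit_active_setup(reg_text: str) -> List[Finding]:
    """Flag Active Setup components whose StubPath executable looks out of place."""
    findings: List[Finding] = []
    for key, values in parse_reg_export(reg_text).items():
        if not ACTIVE_SETUP_RE.search(key) or "StubPath" not in values:
            continue
        exe = stub_executable(values["StubPath"])
        reasons = []
        if WINROOT_EXE_RE.match(exe):
            reasons.append("executable sits directly in the Windows root rather than a system subdirectory")
        if GUID_EXE_NAME_RE.match(exe.rsplit("\\", 1)[-1]):
            reasons.append("GUID-named executable")
        if USER_WRITABLE_RE.search(exe):
            reasons.append("executable in a user-writable location")
        if reasons:
            findings.append(Finding(key, values["StubPath"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit_active_setup(REG_EXPORT):
        print(f.key, "->", f.stub_path, "|", "; ".join(f.reasons))
```

On a live host, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and the Wow6432Node path); the Themes Setup entry is the kind of legitimate component that must survive the filter, which is why the rules key on location and naming rather than on the mere presence of a StubPath.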

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Windows\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe
      C:\Windows\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe
        C:\Windows\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe
          C:\Windows\{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5036
          • C:\Windows\{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe
            C:\Windows\{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1012
            • C:\Windows\{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe
              C:\Windows\{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2388
              • C:\Windows\{A621839C-ABE6-464b-821F-5957868BE18D}.exe
                C:\Windows\{A621839C-ABE6-464b-821F-5957868BE18D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2536
                • C:\Windows\{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe
                  C:\Windows\{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4432
                  • C:\Windows\{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe
                    C:\Windows\{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3776
                    • C:\Windows\{9419FF7D-C369-403f-9483-0B6945899AC9}.exe
                      C:\Windows\{9419FF7D-C369-403f-9483-0B6945899AC9}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3648
                      • C:\Windows\{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe
                        C:\Windows\{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1668
                        • C:\Windows\{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe
                          C:\Windows\{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3400
                          • C:\Windows\{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}.exe
                            C:\Windows\{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3992
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3DCC4~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2476
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5C077~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3632
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9419F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1888
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AFDBE~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3460
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D8E02~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2944
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A6218~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:412
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{327E6~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4412
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CAF39~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4984
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{486B7~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E63EF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D99E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4696
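The tree above is a fixed pattern: each stage drops a 408KB copy named C:\Windows\{GUID}.exe, executes it, and then spawns cmd.exe to delete its own image by 8.3 short name (`{3DCC4~1.EXE` is the first six characters of `{3DCC4D96-...}.exe` plus `~1` and the extension), so the file that actually ran is gone by the time a responder looks. Note also that the image is C:\Windows\SysWOW64\cmd.exe although the command line says system32: the sample is 32-bit and WoW64 file-system redirection resolves the path, which is a useful confirmation of architecture in its own right. The Python below is an added example and not part of the report: it runs that logic over a constructed list of process-creation events (PIDs, images and command lines copied from the tree above for the first three stages; the parent PID of the initial sample and the two benign rows are invented) and links each `del` to the parent whose image the short name resolves to, so a generic `cmd /c del` of some other file is not mistaken for self-deletion.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# C:\Windows\{GUID}.exe directly in the Windows root, the drop location used by every stage.
GUID_EXE_RE = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE
)
# "cmd.exe /c del <target> > nul" as seen in the tree; target has no spaces in these events.
SELF_DELETE_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed event list. Rows for 3988/1652/220 and their cmd children use the PIDs,
# images and command lines from the report; ppid 2800 for the sample and the two
# benign rows (notepad, MSBuild cleanup) are assumptions added for illustration.
EVENTS: List[Event] = [
    Event(3988, 2800, r"C:\Users\Admin\AppData\Local\Temp\2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe"'),
    Event(4696, 3988, r"C:\Windows\SysWOW64\cmd.exe",
          r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    Event(1652, 3988, r"C:\Windows\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe",
          r"C:\Windows\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe"),
    Event(4820, 1652, r"C:\Windows\SysWOW64\cmd.exe",
          r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6D99E~1.EXE > nul"),
    Event(220, 1652, r"C:\Windows\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe",
          r"C:\Windows\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe"),
    Event(2908, 220, r"C:\Windows\SysWOW64\cmd.exe",
          r"C:\Windows\system32\cmd.exe /c del C:\Windows\{E63EF~1.EXE > nul"),
    Event(7001, 2800, r"C:\Windows\notepad.exe", r"C:\Windows\notepad.exe"),
    Event(7002, 7000, r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\system32\cmd.exe /c del C:\Build\out\stale.obj > nul"),
]


def short_name_matches(short_path: str, long_path: str) -> bool:
    """True if an 8.3 name (e.g. {3DCC4~1.EXE) plausibly refers to long_path in the same directory.

    Windows builds the short name from the first six characters of the long base name,
    a ~N suffix and the first three characters of the extension.
    """
    s_dir, _, s_name = short_path.rpartition("\\")
    l_dir, _, l_name = long_path.rpartition("\\")
    if s_dir.lower() != l_dir.lower():
        return False
    m = re.match(r"^(.{1,6})~\d+\.(\w{1,3})$", s_name)
    if not m:
        return s_name.lower() == l_name.lower()
    prefix, ext = m.groups()
    l_base, _, l_ext = l_name.rpartition(".")
    return l_base.upper().startswith(prefix.upper()) and l_ext[:3].upper() == ext.upper()


def tree_depth(pid: int, by_pid: Dict[int, Event]) -> int:
    """Number of ancestors present in the event set, counting pid itself (matches the report's 1..13)."""
    depth, seen = 0, set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        depth += 1
        pid = by_pid[pid].ppid
    return depth


def detect_staged_dropper_chain(events: List[Event]) -> dict:
    """Find GUID-named stages in the Windows root and cmd.exe children that delete their parent's image."""
    by_pid = {e.pid: e for e in events}
    stages = [e.pid for e in events if GUID_EXE_RE.match(e.image)]
    self_deletes = []
    for e in events:
        m = SELF_DELETE_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(m.group("target"), parent.image):
            self_deletes.append((e.pid, parent.pid))  # (cmd pid, pid of the process erasing itself)
    return {
        "guid_stages": stages,
        "self_deletions": self_deletes,
        "max_depth": max((tree_depth(p, by_pid) for p in stages), default=0),
        "suspicious": bool(stages) and bool(self_deletes),
    }


if __name__ == "__main__":
    print(detect_staged_dropper_chain(EVENTS))
```

The same two checks map directly onto Sysmon Event ID 1 or Windows Security 4688 fields (Image/ParentImage, CommandLine/ParentCommandLine); the short-name resolution is what lets the rule tie `del C:\Windows\{6D99E~1.EXE` back to PID 1652 rather than alerting on every `del` in the environment.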

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe

    Filesize

    408KB

    MD5

    e2cd1706011ff1e6366542b2c6c973ef

    SHA1

    e1f92526739ce4fc648a5ae64f0be2941eb81353

    SHA256

    11647ae3e057bfd9d65edc85929f39b1618320f8452c74c6c9c2b2b3343755bf

    SHA512

    2a629c60462b0be6b695daddfe8df917b097c99f813169858964587708c027e923d512d5fb9b4fc306530d641c7f8f05d59dce263bbd64db340259e37e98115f

  • C:\Windows\{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe

    Filesize

    408KB

    MD5

    e1529e4e0d9f739e89335e4143ef0df1

    SHA1

    72c5fc892e9f2cc5863a74c2ccf2f18d9f74c1c0

    SHA256

    0aa48ab0b3ffab7ed4f1c8b4c1e703b1d8468c577d324a6d403cd311f98b72fb

    SHA512

    e4dbb397f765c2b453ab2ab2a8d3f74bc35ff8d219ce8192f8ffaa0e351e79daa63b20ef0f8bbd2f9c74df2da90bcd14cee56c071b723369596f3da2c9c2f455

  • C:\Windows\{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe

    Filesize

    408KB

    MD5

    895e2590e2e58b47fc13d79897dc83dd

    SHA1

    f00ceb9428bf78996240867b683370ca96b38c67

    SHA256

    3c445558810de6b07e8f870c3b2237c411531d2df5c877c7df6c6fc1bae39414

    SHA512

    2b48ebead3b7a39f24e2b56762c08ad28d6741a8f79196ee5091e0be5280ae9f02849063e20da72284afd365dc81f39f33039d70e071b6cbb73d7609f25e5b1c

  • C:\Windows\{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe

    Filesize

    408KB

    MD5

    5ef749736c08dacf17214f6269770317

    SHA1

    0cc9e5f194854c157a2dfb00fa13e8d70f79ad6b

    SHA256

    1b826308222bdac9e42c7938c4fe9b50d9e10d9ce47372f6ee5ef580593c9d00

    SHA512

    e91c4091fa244811b5197514e42b975e4401752d596e68a0d6ffc2806e6db0f243729b4cb58b3da56aed42bdb0a843eb07fecf56e88ed71a0cd7eae712591969

  • C:\Windows\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe

    Filesize

    408KB

    MD5

    9f88690057870c2be1a0085d9c9a70db

    SHA1

    f6b7fffeeac38a84eacaa98e5353ac96e3112a4c

    SHA256

    b6877c99d9f055be273de455c446b876a872b671f196ff579a33bf1c2afc6652

    SHA512

    ae7892895c5a983bce77d9ca0335cc7569873f2172add6054dfd9eed301df5d5b4956a26ebecc186941d8b6f18e7888b3c7da5f8b68cf627e7e41319efb3afe0

  • C:\Windows\{9419FF7D-C369-403f-9483-0B6945899AC9}.exe

    Filesize

    408KB

    MD5

    ee2eb45ef364af4a2df3ae71d572357c

    SHA1

    c1ebb915265cb9960706b9e3bac714ed8920e178

    SHA256

    e749fea0f5a2505b77b93119af22578afdf71e30897401135efb4f7eb3419148

    SHA512

    9f8503fa2a3f27b39b70024eab11e0f2bb313d7b9ef784fccdf7e402a5cb5ff47b07284b61bff348a5c98d7587e26bc91f992da4c05ef1ecc2595e2edf6abafb

  • C:\Windows\{A621839C-ABE6-464b-821F-5957868BE18D}.exe

    Filesize

    408KB

    MD5

    9394e99f7bc2fa9e301f643c339164ae

    SHA1

    d7401d3b2255daa6c2d610102faa2aed690bb708

    SHA256

    bc2cb3f7656f0a125a9ee4797e6311ceed6a0802db2537153371b26c00ba1dfa

    SHA512

    88747363f0d8fec0cfe0db25749d1ab662f89ca1950add624017d64564b49c94032d1ef4979b9acc8b1144c12d517a4b1126829f708d00f99ae118e1d7f08c4d

  • C:\Windows\{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe

    Filesize

    408KB

    MD5

    6b1a611d86852e55654fe0b58fcfb227

    SHA1

    593360d9386aa2fa4eeb8e4d4bea098f4c00ce08

    SHA256

    9976f4671a4b57021b068b8f53bf702be89bd021628524bf0c29f1f33092a77f

    SHA512

    9680b007c396909d72346607368860d8f62bc7cfe2302d58ff27c309d1bef15fa548350ae309c9a751bea3f894022ba7757c7100fe7f2944aa5dac871a5e9d78

  • C:\Windows\{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe

    Filesize

    408KB

    MD5

    120b15aa4424a037cdd28215ef2c329f

    SHA1

    112fc9d995bcf8791bf6f7f6f370f66c178b6c27

    SHA256

    38a30725fff43fc4bfa9f4e57747796f09d189247d8bff2001635137399a51fe

    SHA512

    46ce16cb04a4e190dbf04285e5877184b444b6b3795575490a1310f0e9d75aa1ce6e0d3c02a99cc174096d46cbcb19d5df039c074ef651ab8c4d3d4971207a48

  • C:\Windows\{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}.exe

    Filesize

    408KB

    MD5

    af7f4267e77ecd8e5d6606c500a49d6d

    SHA1

    c4f6f43367000dc7112f4f6350d8ba70e6789e1d

    SHA256

    14dd018987672c1975501a0f90a4588492993367fa32496a7e8bb1af4fc07e75

    SHA512

    62fc544b945c09a0887216530eb42c4a5d81309cf359c5a813528c06f54670005db0fb4372d0dd6c302199c90e5143e9b8425bade0c4499f6f1407ee7c13e015

  • C:\Windows\{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe

    Filesize

    408KB

    MD5

    962936b511492a7eee3d9fd5080b5a9d

    SHA1

    3a03d03ad85996de684ae491a0947fc0a6ba1089

    SHA256

    fda40cb63d38905d8c2d27cf91a1dedd5958882bac2dea0248cccf820aa82d81

    SHA512

    eec5d9347dd4d106f6ca50a28fbbc1a50664df4eddddead8b621c6139a718ec70c01639338915b6cdfe7ce56eea84be17d0fc6d3cfe4db4c6be7b74718b96c67

  • C:\Windows\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe

    Filesize

    408KB

    MD5

    7269a886d0845c39a458d6c16d2b8188

    SHA1

    9997c74753e334d29284bfa2e58f231dd061538c

    SHA256

    f99c4265d226c5b9049dd99baeeabd37a944e4f9441e228fafc60dfe879fbe47

    SHA512

    fad508cafd7a7575eb344f6dc3b9f47ae4356b8d4a3a64a37ec673c98736509ab2a4a3fc7df34c801682dd3171a8ed567b823147df5c6459defa27d6475a4360