Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/08/2024, 01:21

General

  • Target

    2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe

  • Size

    180KB

  • MD5

    469d59cb12d4b8fdcf5f96b156736d76

  • SHA1

    b1255858095e652f181f77ad82c699241e079589

  • SHA256

    a07953552d337b40ccf6add58d742877b85d03699e959712b3eb7020a6b57487

  • SHA512

    f86a47a0632bdf20625fcbea427b8d25f61d18f57f400c82d394203c8ea3f360713fc822fee5ecaf94c3a261ad3503b98a368866719664c08b2ddc9f8deccd9d

  • SSDEEP

    3072:jEGh0oRlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGXl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe
      C:\Windows\{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe
        C:\Windows\{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe
          C:\Windows\{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe
            C:\Windows\{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2200
            • C:\Windows\{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe
              C:\Windows\{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2184
              • C:\Windows\{31A04293-9063-43bb-AFEA-88738E359E51}.exe
                C:\Windows\{31A04293-9063-43bb-AFEA-88738E359E51}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2788
                • C:\Windows\{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe
                  C:\Windows\{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4964
                  • C:\Windows\{8088F042-A653-4b74-8E41-C531FC093D59}.exe
                    C:\Windows\{8088F042-A653-4b74-8E41-C531FC093D59}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5064
                    • C:\Windows\{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe
                      C:\Windows\{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4804
                      • C:\Windows\{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe
                        C:\Windows\{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1004
                        • C:\Windows\{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe
                          C:\Windows\{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:592
                          • C:\Windows\{6C2777B3-66F5-4f02-979E-C892F9E72F47}.exe
                            C:\Windows\{6C2777B3-66F5-4f02-979E-C892F9E72F47}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1548
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{65B82~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:5104
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DFCDA~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1208
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{97B0F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2884
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8088F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1340
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{02C34~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4428
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{31A04~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3588
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EE580~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4300
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{DA38D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:544
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B8F5A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1836
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4948F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4156
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BB2~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2248

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe

    Filesize

    180KB

    MD5

    be3466d4226a6fb1e7448f4a5e2621c0

    SHA1

    9c65269783da5683e3c1ba64cfa66d49ae58e33a

    SHA256

    ddbc3620bacfb3c33adbab73e4e8b70e9b680b3b91e0b1c285b35649f60bf66d

    SHA512

    7757e7a2e2b246a2cf07442f3d00329b4e5b3b73eb7a623603ff50d2078a2b7065e3af5ec9352f715d62fffd8c5db2d8f622019e622db8053c42ca17541afa06

  • C:\Windows\{31A04293-9063-43bb-AFEA-88738E359E51}.exe

    Filesize

    180KB

    MD5

    473d941388b39e22bc910d8348293d52

    SHA1

    f2ddd12254917f6d831e849d56f6488aa2ef6652

    SHA256

    3df9a14cdcc567b1d45173fe656971310c33b04457b6ffb4ff08472ce1426df0

    SHA512

    a1a039a769d7e6b5070d7324d273f1cb8b1aba26cd37b2b3c9c4d10d9ccf62635ea92d9619e62541463f06f81ae376d70f91e3c717777c06292974b888d8e0d1

  • C:\Windows\{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe

    Filesize

    180KB

    MD5

    9ffa560c83619191bd6800b2e7e70694

    SHA1

    8d85153c4835ac8b7dd8736e6b986817aacb1d1a

    SHA256

    2411844beb82535258a04a08a4bd2cb20b64e2ea4ea721b412f8fc756e6c75e2

    SHA512

    49dd774a6bd208dad5063d77c22e7950de1940656dfccc784f89b7829aabe8cc516fe7e3536d0092844743d4273086fb88d6087c87d52713080ded22ded7bd67

  • C:\Windows\{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe

    Filesize

    180KB

    MD5

    43e35a6574715f4f25d6cfa4e5a436e6

    SHA1

    bd1fe63cad8076efcfaf2dd9409cb8a0082af072

    SHA256

    6bb88806b6891f01d3f5140c484bbfea82a529d251af90c4060959e2b4acb16a

    SHA512

    4d871fd9b7f2046ed6b4c9fd1afc9a6ec77158444e5afa38fc39e5fe29235bcfc5399ea3f39c8e956de2b60c44f297423cb2cc75fefa486a69f15bf4633682d8

  • C:\Windows\{6C2777B3-66F5-4f02-979E-C892F9E72F47}.exe

    Filesize

    180KB

    MD5

    df5a2119d196411016e388df0724007e

    SHA1

    af3dbc7a3cad0cb49512fb0c11df553ad500b9b6

    SHA256

    bdcfc02d42b80aa16743c59ca907cde3d073f592da919bd18b4b85d3b673a212

    SHA512

    f8430cd0ff584ce485f5d4d3c21641e01c24b377177f4828d64c9f3716455c11d1c5de12ae9c86048a8a60aadc972a5c6c5bf35a11d04c6f5432022ed89aa92d

  • C:\Windows\{8088F042-A653-4b74-8E41-C531FC093D59}.exe

    Filesize

    180KB

    MD5

    d349c5e29de9d52da3f301afb22376b1

    SHA1

    e55101088ce97e5b18ed2e395ab3cb8a390f48fa

    SHA256

    08b0cb4a374cc4a04f161d4ab51d5369ec704f4ea751d713c9de1a71a265df4b

    SHA512

    edf5ab745694a33ade303869962146bc7e251a77d131a1e2117402c557a34693190ca67c9e2e39bf0702398f8c9cc385006015b549436e1a5fead98494b6616b

  • C:\Windows\{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe

    Filesize

    180KB

    MD5

    a41da3b3ae239086618e5d962154df99

    SHA1

    7d07f0a281c9181480c3b2d8be119f40723c75f0

    SHA256

    6fb4d2e40b2d94a280ec8a5613ba09b3222f79c8d19ac0b8599cf9b8a4b33146

    SHA512

    e3af53924572b0d846491d8be4db5524b58ac74dcc945bbe2ecea3fd847df3e7bcb3acdcdb8c01bbfd34f73730923733cc0193350d4419c2806087cfbac697ac

  • C:\Windows\{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe

    Filesize

    180KB

    MD5

    300b662764f06c013e0ffb86e41b4b10

    SHA1

    9a735976f760f5719dbc3dde58069dd5d29daa92

    SHA256

    d26d01478af61e07ab50661737ce2a11bc522e1651684c26b3537a8c03d8fb20

    SHA512

    8df71b6a2827a27307561dfc6505e1bace9b906c19c0ea0278415887a8df9437912c9262188f66e867673451b0e4f94df0875edf5c06cc88688a44314f1a2fa0

  • C:\Windows\{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe

    Filesize

    180KB

    MD5

    a0fdd95a061ff553e536f3187c043543

    SHA1

    61ead5ae29617ae1bfb7d3f7722d272fa80d17a1

    SHA256

    63cd561d9648446e4de0e56c76876b4cce519e5d5585ef64904c105b135af3f6

    SHA512

    7ae1e44329ee9502bf70c1a574ae84e1035145e94737a862dcf3fc12f2a5ea1b9c978ceade8dab3318bb6eafe59931a47e925dd422255d3964b51c11e455c5ee

  • C:\Windows\{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe

    Filesize

    180KB

    MD5

    0af66f43de41d42e4e8395498d3875c6

    SHA1

    938ebf8a8da2c50c7e078c1fa35ce86dfdbdad80

    SHA256

    0615802ec3d3273b444b4e4a77711e293248782c0665362d86fe95a0549d777c

    SHA512

    26b3393e788293dd5c4e938f6ca77e2f131dee8f5674b54372097032b62cc5b4e6ced4deb1b8f876e1812e9106e8423cb66d3b53c577da5260a84ae7511c6f14

  • C:\Windows\{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe

    Filesize

    180KB

    MD5

    2323dbc85e5f9fa2b14f7528fe61ff37

    SHA1

    9b42bdd023592b31216fcc7520773dcb5cc41ad2

    SHA256

    2bd98c4b1c2db756072ec6763411f5656d457f247cc41ccb9c6a6ac9f3e88eb5

    SHA512

    1c310ac32cc30a25289b127764de8fa1642bd97a0caade5545450146c63419bd3f84db5bf1297e122e023f869c77505bcc05e1a2b8fd72d3da2cdb2fc3d6e1ca

  • C:\Windows\{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe

    Filesize

    180KB

    MD5

    39eafc65228511c0d6db433bcccb86c2

    SHA1

    e31145bcd84cd2b2546a4e7763ca67fd6991e387

    SHA256

    2f90fc2b3c56e4ceead305b11e23eb1fa9aad2738c16aec38d45fd56a63c4429

    SHA512

    f5775f2e83f68d173e7f41282bc30cc6082537107b06a7b30c260d0d96d5b6740e79caa152d1d73ca893177cf8d576e8d6aa7f1041e854386a66eb33edf7d3af