Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/08/2024, 04:00

General

  • Target

    2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe

  • Size

    197KB

  • MD5

    c75dc8f3168f6f1fcdb7e996504f2b95

  • SHA1

    74c97a0f2490f1f46704cc3de4d728676f3265a5

  • SHA256

    5fe36e03fd9575ca8c3059b86f8d8ea8fc0989dfcbdf79f509188b025eaa82f4

  • SHA512

    35744b0696f2edf9fb1a196459c8b8b2e4496d18a1f1ed2ee00b10e5507852b458bdc8b52d7c0b75919f7328d6134e56b97a751b5a863a153e38fa8aebba4e00

  • SSDEEP

    3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGklEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe
      C:\Windows\{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe
        C:\Windows\{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe
          C:\Windows\{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe
            C:\Windows\{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1668
            • C:\Windows\{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe
              C:\Windows\{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1248
              • C:\Windows\{22CACBEB-527D-4931-898B-7AFE908775F0}.exe
                C:\Windows\{22CACBEB-527D-4931-898B-7AFE908775F0}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1708
                • C:\Windows\{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe
                  C:\Windows\{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2756
                  • C:\Windows\{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe
                    C:\Windows\{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1432
                    • C:\Windows\{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe
                      C:\Windows\{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1768
                      • C:\Windows\{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe
                        C:\Windows\{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2316
                        • C:\Windows\{CBC890C3-D8AB-4910-9169-01487BAF59F1}.exe
                          C:\Windows\{CBC890C3-D8AB-4910-9169-01487BAF59F1}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1088
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{855C1~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:868
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FC43~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2116
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6C1A7~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2916
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{86732~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1464
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{22CAC~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1940
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{1AB91~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2644
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{05604~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2832
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B9057~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AE230~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2952
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B41~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2812
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{05604998-2C05-45bc-9705-184CCC6D1DDF}.exe

    Filesize

    197KB

    MD5

    c4496e786a2fa7c82d378264c3a6dcb9

    SHA1

    44697eb3d071615ad4a14ee334902afdf0eb5baa

    SHA256

    d14a9ace02e0daa838b992d0b7c984e4b97f95133f9a2153374675ad102fc0ef

    SHA512

    48ca9e7176160f3293e4a0fd1c5f065bb974e93c92c666478846b11da4c12c2d492fd730baf81ba7a796a078ae1011ff1a9fd1bdf512f9b4be4f3b6645096bca

  • C:\Windows\{0FC431A6-B5B9-4ec6-B366-16076C600406}.exe

    Filesize

    197KB

    MD5

    bb08d14c9ce6005c4352209c7b25c7c5

    SHA1

    04c9b226d9f38a4328a6a6f7bce05357bd52637f

    SHA256

    197ee16f9fb948b4d72c8a0e2965c29cd36a38f08bdc0129f2fa1cd8a8ef04ba

    SHA512

    8f431c38127a3c1f27c4cb5c7af6436ed2785335a93c5589e417a434f6800bf704c5297f69ebecb5abaaeb855d9a178acc6b6408b0af0115ab3738283240a4aa

  • C:\Windows\{1AB91C41-3398-43fb-9CB1-9D252C4721DD}.exe

    Filesize

    197KB

    MD5

    08cee7924fe0972b864598e48dcc510b

    SHA1

    12d6aa2a39eef2d53862d0cc2895560e78b88f22

    SHA256

    4ed01b9085ee14326a91b2b5361796277bdd8b466857cb7e5a73b5b091302fe4

    SHA512

    031f92cf93bad187f2c4ca4cd0e7b46776e63cfbde199d380f999e3c7831456046684b01f9640c8cf494a7da69667be9cf437d40171760194aac1bcd57c904b7

  • C:\Windows\{22CACBEB-527D-4931-898B-7AFE908775F0}.exe

    Filesize

    197KB

    MD5

    73a8545a08750fdc08a88167fe3ee7c7

    SHA1

    3981a2ef04f7c43b66a5183ba9b22319f3e419e6

    SHA256

    1b60e7ef3c629a9b436d6cf3115468c87af1e1010b7a6afbccfcdba15d66b2f4

    SHA512

    1fc29af36e7b708016cb71fd39edf26e17c175fd6a2c7dd3f31bd9fde85d5d6f5c3ee985cd3d17c528afe97a08bd884dafa88e1365e4e6c637c826aae9964bb1

  • C:\Windows\{6C1A7D19-6E11-4931-B1F2-925D05059D83}.exe

    Filesize

    197KB

    MD5

    243a24a987d372fc0dbc3637d2d90d2e

    SHA1

    01ce1ea48791cb8e08a45c66655ec250be46ff39

    SHA256

    c649c3d45bd4d3345ad1484c0404d3f6c96ae91bc71c1b5c77a532f5a4e54c9e

    SHA512

    31e1f30684c5fb324d4782f356f77577cfeb9d5554c18cb60947e2a696daddc8a3bede7b7be7812628b8e2a9d3f1a451e501bc189820444f5848d85444a28c6b

  • C:\Windows\{855C1F34-EAEB-4ffd-AFD6-8BD505B93229}.exe

    Filesize

    197KB

    MD5

    d95488b5a1aee6626820f3b51baf3c64

    SHA1

    0b18adebe42400b192e2362fd63b5bb871e91281

    SHA256

    fcb1edc70a392072f1b33fef51cd01b1d5d67bbed57e6755773c0233670d6a6a

    SHA512

    bb81ffb4029db8996647ee281a5576c3319efdd32538c8d970b0c971e628c45fcebf3a0ea646c5656549940d031cc8c7433ceea05740f1632e96b5cf5f095e7c

  • C:\Windows\{86732F85-2AB2-40c6-861F-BBDE43D65D1B}.exe

    Filesize

    197KB

    MD5

    f738faddbd6ca64b3e256bc4618556db

    SHA1

    fbbfc49fa5ba7e62c586950de2c1555151bc7884

    SHA256

    e03134063a2805aa27da07bfd3e8cb70243e2be1fde6858cc4c4b1c1b3322518

    SHA512

    245cdd7ee73412fd797de9208a0828787ee4e270089b355777ec92d56d042fd0e1a19d05a6441b7e7f37f9f93dc09e9615a680372b150a569d0a3571484c395f

  • C:\Windows\{AE230C6A-37B6-45d0-9EC7-E185116AF714}.exe

    Filesize

    197KB

    MD5

    669fcd9a23c2fe8819af9ed0aee53dae

    SHA1

    38e67ec88270588ef7e02aa0b0c80e28f09d1359

    SHA256

    badd59ae3858708c415fa5113b48746574be80816be8dfddf7134fac05f73c3b

    SHA512

    fa40591608017a071d73f6134f41b9baeb10763b2faba40905e9b99d32eb70c4e4468bc142db5105cb626a3375acb191b5a5e62e9f9b32d3957c87fd1cc7848b

  • C:\Windows\{B1B41CCD-CB4B-4b85-9D3E-4B184B42B137}.exe

    Filesize

    197KB

    MD5

    c23a15e93f99e3167b28c1af9f6e700e

    SHA1

    1513dc40dcb99cd1d4d2ef17bc375190b525dba1

    SHA256

    e47d3e19dd302e30e430dceeb1761ec6b7e044aa739ed20ac6f2bce365c7e910

    SHA512

    d5c0284f5ac988bb5a0285b4a218d71cb5ffe0549c3dc2fec224e356f0bad299a5b2ea48afbbc413a839e0148d383a2302739c5544d85640d20b26dc9f95675f

  • C:\Windows\{B90579F0-CB2F-4a4a-8081-986B26A4C217}.exe

    Filesize

    197KB

    MD5

    b62aca8fca5319ac4a64fe95af2c5c92

    SHA1

    09d974588bf2f3cf0b001412c1aae9b140def0fc

    SHA256

    ddecd18faae8bddd43b0d984d07f140220bc22422297aeb7e3cd55a0b6ebc345

    SHA512

    e5fe5513a45e848634c44cc730f1b371218df64bb87cf0f382a0a1ce2154ca98c59fdddc0a870a913277c45c7925e95892d64d712253f04d6f32af3ee9b34ea9

  • C:\Windows\{CBC890C3-D8AB-4910-9169-01487BAF59F1}.exe

    Filesize

    197KB

    MD5

    637238a38b06aa80fa53ac7676fd3a4a

    SHA1

    0ccc57b3aff3479245513834298a53af16a072c3

    SHA256

    dd2fe0a4fb31a418c55c69ecce89eb262b24dd673b7e1bc7ab169b156acee863

    SHA512

    f51e9c6680577180848c4d0e28ac8f8ff84c301f3f0d88710f180107441fde9ee40535e6fe60d0ea5aca636b941d02bdc48e049b726ee69b39dd7f5ec3f413ae