Analysis
max time kernel: 30s
max time network: 33s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2024, 21:26
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
  Resource: win10v2004-20240802-en
Errors
General
Target: 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Size: 192KB
MD5: bc7e015682fadf0e35ff109f495d3b14
SHA1: c5ee2cfda3cd5d09177d92fc59d7634c39027660
SHA256: 01e1457d06ac6269a023986923bcc113bab7d1aa8e8fb03a01083cc0907c4efa
SHA512: 99f19800432ffa3fb324ecdce64f630aa49c18e30415d13426d3bd4d7893b7decea87e30a8c4230775d5dcbe7888ceaeabeaa257c299509a80cc77d937ec812e
SSDEEP: 1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oll1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900239D6-3105-4561-9AC5-B67A0181FACD} | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900239D6-3105-4561-9AC5-B67A0181FACD}\stubpath = "C:\\Windows\\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe" | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C135B4D4-FC99-46e1-948E-CEC958605E82} | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C135B4D4-FC99-46e1-948E-CEC958605E82}\stubpath = "C:\\Windows\\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe" | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe
Executes dropped EXE (2 IoCs)
pid | Process
3608 | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe
2248 | {C135B4D4-FC99-46e1-948E-CEC958605E82}.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
File created | C:\Windows\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {C135B4D4-FC99-46e1-948E-CEC958605E82}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 556 | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 3608 | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 556 wrote to memory of 3608 | 556 | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe | 92
PID 556 wrote to memory of 3608 | 556 | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe | 92
PID 556 wrote to memory of 3608 | 556 | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe | 92
PID 556 wrote to memory of 2680 | 556 | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe | 93
PID 556 wrote to memory of 2680 | 556 | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe | 93
PID 556 wrote to memory of 2680 | 556 | 2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe | 93
PID 3608 wrote to memory of 2248 | 3608 | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe | 97
PID 3608 wrote to memory of 2248 | 3608 | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe | 97
PID 3608 wrote to memory of 2248 | 3608 | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe | 97
PID 3608 wrote to memory of 1524 | 3608 | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe | 98
PID 3608 wrote to memory of 1524 | 3608 | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe | 98
PID 3608 wrote to memory of 1524 | 3608 | {900239D6-3105-4561-9AC5-B67A0181FACD}.exe | 98
Processes (process tree; indentation shows parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe"
  PID: 556
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe
      Command line: C:\Windows\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe
      PID: 3608
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe
          Command line: C:\Windows\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe
          PID: 2248
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{90023~1.EXE > nul
          PID: 1524
          - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      PID: 2680
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
  Filesize: 192KB
  MD5: 7c1952becb3c44556d155861c72163df
  SHA1: 7643409eb3568fb9408556f95119d2f6a932a6d6
  SHA256: c54c9a2a17af178724dd6c139b3394e7fb3fc3731d6181da621c2bea09c6e978
  SHA512: b1c76115032bb37ebb686efadfaf07710eccc5b54d2c7421345b1c1411b58cb9f2faf16cfd8c64a8b59c02feb72e3a40cedac0d5c5fda720d9bdfe78205c0d33
Dropped file 2
  Filesize: 192KB
  MD5: 5a4a61368df88c4ca26077c4f4218964
  SHA1: ffb943b2e2d9051ab419932fa824b754f1bd11a2
  SHA256: dbfcfe45f249d01ee57fe1b90b3e4716961cf1c69973f43a97f9a73e60ca011e
  SHA512: 19853af4bb88f281e0a3a7dd48ac6f7b30f8aaf13c98bc4f6f8995fbf84db025ad0b4e79eda94c8f5214a6267bfa40af3cc26b1e5ea8a25b9ae55cf5536c7397