Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/08/2024, 21:26

Errors

Reason
Machine shutdown

General

  • Target

    2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe

  • Size

    192KB

  • MD5

    bc7e015682fadf0e35ff109f495d3b14

  • SHA1

    c5ee2cfda3cd5d09177d92fc59d7634c39027660

  • SHA256

    01e1457d06ac6269a023986923bcc113bab7d1aa8e8fb03a01083cc0907c4efa

  • SHA512

    99f19800432ffa3fb324ecdce64f630aa49c18e30415d13426d3bd4d7893b7decea87e30a8c4230775d5dcbe7888ceaeabeaa257c299509a80cc77d937ec812e

  • SSDEEP

    1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oll1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-23_bc7e015682fadf0e35ff109f495d3b14_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe
      C:\Windows\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe
        C:\Windows\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2248
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90023~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{900239D6-3105-4561-9AC5-B67A0181FACD}.exe

    Filesize

    192KB

    MD5

    7c1952becb3c44556d155861c72163df

    SHA1

    7643409eb3568fb9408556f95119d2f6a932a6d6

    SHA256

    c54c9a2a17af178724dd6c139b3394e7fb3fc3731d6181da621c2bea09c6e978

    SHA512

    b1c76115032bb37ebb686efadfaf07710eccc5b54d2c7421345b1c1411b58cb9f2faf16cfd8c64a8b59c02feb72e3a40cedac0d5c5fda720d9bdfe78205c0d33

  • C:\Windows\{C135B4D4-FC99-46e1-948E-CEC958605E82}.exe

    Filesize

    192KB

    MD5

    5a4a61368df88c4ca26077c4f4218964

    SHA1

    ffb943b2e2d9051ab419932fa824b754f1bd11a2

    SHA256

    dbfcfe45f249d01ee57fe1b90b3e4716961cf1c69973f43a97f9a73e60ca011e

    SHA512

    19853af4bb88f281e0a3a7dd48ac6f7b30f8aaf13c98bc4f6f8995fbf84db025ad0b4e79eda94c8f5214a6267bfa40af3cc26b1e5ea8a25b9ae55cf5536c7397