Analysis

  • max time kernel
    144s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    2024-09-01, 07:56 (shown on the page as 01/09/2024, day first; the sample's filename prefix carries the same date)

General

  • Target

    2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe

  • Size

    168KB

  • MD5

    553bfbc62ad7c84f8e29fb4bf4442ae5

  • SHA1

    546c7fe2468e6bbacfeb35eac622880982cff82b

  • SHA256

    4dc70f5d77072b5cbb35b47d7f220bcb3ac64ec8d519b53902eff48c81dc5178

  • SHA512

    2e6378e183b8aed8c3f3f6b15e06e48ebe0110ebb0fff79a46a64d16ca0100772bb32ec0aad79250a6d93781234db913dd70d7cf0bf1bf92bb95e491a460730e

  • SSDEEP

    1536:1EGh0oAlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
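The Active Setup signature above names the technique but not the key names or StubPath values the sample wrote. The host-side check a responder would want is to export HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components together with the Wow6432Node view (a 32-bit process such as this one, which runs its cmd.exe from SysWOW64, typically lands in the redirected hive) and flag any component whose StubPath points somewhere a stock installer would not put it. The script below is an added example, not tria.ge code or anything recovered from the sample; the .reg text, the placeholder GUID {11111111-...}, the stock-component entry and the trusted-directory allowlist are constructed for illustration.

```python
r"""Audit Active Setup entries from a .reg export for suspicious StubPath values.

Added example, not tria.ge code. The report does not list the key names or
StubPath values the sample wrote, so the .reg text, the placeholder GUID
{11111111-...} and the trusted-directory allowlist below are constructed.
Collect real input with (both views, then concatenate the files):
  reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" native.reg /y
  reg export "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" wow.reg /y
"""
import re
import ntpath

# Constructed sample: one stock-looking Windows component and one hypothetical malicious entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"IsInstalled"=dword:00000001
"Version"="5,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\{11111111-2222-3333-4444-555555555555}.exe"
"IsInstalled"=dword:00000001
"Version"="1,0,0,0"
'''

ACTIVE_SETUP_ROOTS = (  # native view, and the WOW64-redirected view a 32-bit process writes to
    r"hkey_local_machine\software\microsoft\active setup\installed components",
    r"hkey_local_machine\software\wow6432node\microsoft\active setup\installed components",
)
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")  # assumption: tune per estate
GUID_EXE = re.compile(r"^c:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.I)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: data}} for REG_SZ values only."""
    comps, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            comps[key] = {}
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # .reg escapes '\' and '"' inside REG_SZ data with a backslash
            comps[key][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return comps


def stub_executable(stub):
    """First token of a StubPath command line, surrounding quotes stripped."""
    stub = stub.strip()
    if stub.startswith('"'):
        return stub[1:stub.find('"', 1)]
    return stub.split(" ", 1)[0]


def suspicious_components(comps):
    """Return (component GUID, executable, reasons) for entries worth a look."""
    findings = []
    for key, values in comps.items():
        if not any(key.lower().startswith(root + "\\") for root in ACTIVE_SETUP_ROOTS):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue
        exe = stub_executable(stub)
        reasons = []
        if GUID_EXE.match(exe):
            reasons.append("GUID-named executable in the Windows root")
        # bare names (resolved via the search path) are left to a separate rule
        if "\\" in exe and not exe.lower().startswith(TRUSTED_DIRS):
            reasons.append("stub outside trusted directories")
        if reasons:
            findings.append((ntpath.basename(key), exe, reasons))
    return findings


if __name__ == "__main__":
    for guid, exe, reasons in suspicious_components(parse_reg(SAMPLE_REG)):
        print(guid, exe, "; ".join(reasons))
```

Active Setup runs StubPath once per user at logon when the HKLM component has no counterpart (or a newer Version) under HKCU, so a clean HKLM view is the goal; compare the GUIDs found against a known-good export from a reference build of the same image rather than against a hand-made list.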

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\{38CFA020-537A-4e0c-A51F-D4472664080B}.exe
      C:\Windows\{38CFA020-537A-4e0c-A51F-D4472664080B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe
        C:\Windows\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\{49826657-CD8C-438f-92E2-C257CDB80488}.exe
          C:\Windows\{49826657-CD8C-438f-92E2-C257CDB80488}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Windows\{5088FA2E-6264-4e7d-877C-320BB940C700}.exe
            C:\Windows\{5088FA2E-6264-4e7d-877C-320BB940C700}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Windows\{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe
              C:\Windows\{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1560
              • C:\Windows\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe
                C:\Windows\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2056
                • C:\Windows\{C115730D-022B-44c4-845A-96FEABB3825C}.exe
                  C:\Windows\{C115730D-022B-44c4-845A-96FEABB3825C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2184
                  • C:\Windows\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe
                    C:\Windows\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2076
                    • C:\Windows\{59E42073-3323-4089-A4DF-50B575BB85AD}.exe
                      C:\Windows\{59E42073-3323-4089-A4DF-50B575BB85AD}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1748
                      • C:\Windows\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe
                        C:\Windows\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2288
                        • C:\Windows\{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe
                          C:\Windows\{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:532
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3895E~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2216
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{59E42~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2492
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7B9CA~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2436
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C1157~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2728
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{10916~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2908
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8784B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1304
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5088F~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2044
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{49826~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7D6E3~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2824
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38CFA~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2260
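The tree shows one fixed pattern repeated eleven times: each stage writes the next stage to C:\Windows\{GUID}.exe, executes it, and then removes its own image through cmd.exe /c del <8.3 name> > nul. Two details matter for detection: the image path is C:\Windows\SysWOW64\cmd.exe although the command line names system32 (the 32-bit sample hits WOW64 file-system redirection), and the del target is the parent's own file under its short name, so a naive string compare of target against parent image never matches. The block below is an added example of detection logic over process-creation events, not tria.ge code; the event records are transcribed from the tree above (PIDs, image paths, command lines), while the ProcEvent type and its field names are my own.

```python
r"""Detection logic for the drop-execute-delete chain in the process tree above.

Added example, not tria.ge code. The event records are transcribed from the
report's tree (PIDs, image paths, command lines); the ProcEvent field names
are mine, chosen to line up with Sysmon event 1 / Windows 4688 fields.
"""
import re
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe"
STAGES = [  # (pid, image) in report order; each stage is the child of the previous one
    (2320, ROOT),
    (2296, r"C:\Windows\{38CFA020-537A-4e0c-A51F-D4472664080B}.exe"),
    (2956, r"C:\Windows\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe"),
    (2360, r"C:\Windows\{49826657-CD8C-438f-92E2-C257CDB80488}.exe"),
    (2724, r"C:\Windows\{5088FA2E-6264-4e7d-877C-320BB940C700}.exe"),
    (1560, r"C:\Windows\{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe"),
    (2056, r"C:\Windows\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe"),
    (2184, r"C:\Windows\{C115730D-022B-44c4-845A-96FEABB3825C}.exe"),
    (2076, r"C:\Windows\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe"),
    (1748, r"C:\Windows\{59E42073-3323-4089-A4DF-50B575BB85AD}.exe"),
    (2288, r"C:\Windows\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe"),
    (532,  r"C:\Windows\{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe"),
]
CLEANUP = {  # stage pid -> (cmd.exe pid, 8.3 path it deletes); the last stage had not cleaned up when the run ended
    2320: (2260, r"C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE"),
    2296: (2064, r"C:\Windows\{38CFA~1.EXE"),
    2956: (2824, r"C:\Windows\{7D6E3~1.EXE"),
    2360: (1624, r"C:\Windows\{49826~1.EXE"),
    2724: (2044, r"C:\Windows\{5088F~1.EXE"),
    1560: (1304, r"C:\Windows\{8784B~1.EXE"),
    2056: (2908, r"C:\Windows\{10916~1.EXE"),
    2184: (2728, r"C:\Windows\{C1157~1.EXE"),
    2076: (2436, r"C:\Windows\{7B9CA~1.EXE"),
    1748: (2492, r"C:\Windows\{59E42~1.EXE"),
    2288: (2216, r"C:\Windows\{3895E~1.EXE"),
}


def build_events():
    """Flatten the report's tree into process-creation records."""
    events, ppid = [], 0
    for pid, image in STAGES:
        events.append(ProcEvent(pid, ppid, image, image))
        if pid in CLEANUP:
            cpid, target = CLEANUP[pid]
            # image is the SysWOW64 copy (WOW64 redirection), command line says system32
            events.append(ProcEvent(cpid, pid, r"C:\Windows\SysWOW64\cmd.exe",
                                    rf"C:\Windows\system32\cmd.exe /c del {target} > nul"))
        ppid = pid
    return events


GUID_EXE = re.compile(r"^C:\\Windows\\\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
SELF_DELETE = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)


def short_name_matches(short, long):
    """True if an 8.3 path such as {38CFA~1.EXE in the same directory can refer to the long path."""
    s_dir, s_base = ntpath.split(short)
    l_dir, l_base = ntpath.split(long)
    s_stem, s_ext = ntpath.splitext(s_base)
    l_stem, l_ext = ntpath.splitext(l_base)
    if s_dir.lower() != l_dir.lower() or s_ext.lower() != l_ext.lower():
        return False
    m = re.match(r"^(.*)~\d+$", s_stem)
    if m:
        return l_stem.lower().startswith(m.group(1).lower())
    return s_stem.lower() == l_stem.lower()


def find_self_deletions(events):
    """cmd.exe /c del ... > nul whose target is the parent's own image: the 'Deletes itself' pattern."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = SELF_DELETE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if (m and parent and ntpath.basename(e.image).lower() == "cmd.exe"
                and short_name_matches(m.group("target"), parent.image)):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def find_drop_chain(events):
    """Longest parent->child run of GUID-named executables in the Windows root, as pids."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    def walk(e):
        best = [e.pid]
        for c in children.get(e.pid, []):
            if GUID_EXE.match(c.image):
                path = [e.pid] + walk(c)
                if len(path) > len(best):
                    best = path
        return best

    longest = []
    for e in events:
        if GUID_EXE.match(e.image):
            path = walk(e)
            if len(path) > len(longest):
                longest = path
    return longest
```

Run over the transcribed events this reports eleven self-deletions, one per stage that got as far as cleanup, and an eleven-process chain of GUID-named executables, which is the same count the "Executes dropped EXE" signature gives. In a real pipeline the two functions would consume Sysmon event 1 or Windows 4688 records, which carry the same four fields; the short-name matcher is what keeps the del-target comparison from silently failing on every hit.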

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{10916FFD-DDF7-44b9-88CE-D92C4168EFCE}.exe

    Filesize

    168KB

    MD5

    3448abcb8b32fe78c253adfb40b55fca

    SHA1

    b11aebebc55a5c01a744edb48098165cfe429cdf

    SHA256

    610a10d2af4b01c6bbad93f1543e14ef34d391385d114469838fd89a3fbf5b9d

    SHA512

    a0d2e681cb9ac327c73bfaba9e145c5fd884508efd1b6e322715b70431aa44a5a45fa0cb29c9f843e0e494893035b6829689eb1ca919b6381ce24deb76a29f88

  • C:\Windows\{1E38DF51-D848-481c-8688-916E2C38D1EE}.exe

    Filesize

    168KB

    MD5

    0d99b2b7cef962e22737d57d206d157d

    SHA1

    7214ebfaa60a06671ce8ae6b95e938eea15ebea8

    SHA256

    b3c91885b4fa0ffdaca8b677f99c38462dff1f2daae6ad70ac1e621f96129a59

    SHA512

    f59ec6a22c925b14e2d777081d28c31bd4053f3e20079673f8219c6258bcd14a483d16e1afb859d9c0c392b9b3d8e695460cadaae1141a8c23f8dcd82110c314

  • C:\Windows\{3895EC4A-D49F-44b9-81B1-1E77F2F13916}.exe

    Filesize

    168KB

    MD5

    bac60ff5e039729a6451fd35ee433b94

    SHA1

    ce9f66debcd42a40981bd49626ef3e36f62243c0

    SHA256

    e700a444cb68568afbd619dba2c67ad271c74d4b149f95a007ed55118f9357fe

    SHA512

    880d4d8b5044008befad8a65247f41562ce2c83caa4684328062426f0e7659fbaf5eab62d5806e792bbf195b27d48460494a4a6a2cc0d9955e78c4a5f79d869c

  • C:\Windows\{38CFA020-537A-4e0c-A51F-D4472664080B}.exe

    Filesize

    168KB

    MD5

    d2a5bfd0721e2c756ade176d3d643e6d

    SHA1

    07b9168ae6995efa028c5b87ac3ed5b3e159216f

    SHA256

    256b2d98e425825e2c48c8f71436548aaba9c76509c8a1b4aa801b622b37b504

    SHA512

    3699c32721f5829e70ea0f9d9496226bf98f090e1ac782bf7b8c2111de65f3420da93b9699758f9e4127fb62d0e2af193fc910ffe81df186f00195290ac12e57

  • C:\Windows\{49826657-CD8C-438f-92E2-C257CDB80488}.exe

    Filesize

    168KB

    MD5

    3d37805453ebd53b9d1f7bb55aebe95e

    SHA1

    24993ed91afe434ce0a2586ad5e7b8f8af103927

    SHA256

    6d79bf9866274c12b6d5537364680df805576e04bce0fc10f9bf65e2a0d7a040

    SHA512

    59d4b4f7b0530ef3df63b94a370c373b18e32852903d2734bdd61d4b45c85ab7fd1f39b52bbb9143b586175b8de716930b5c3608f63cd9076d2e376a054a0a6e

  • C:\Windows\{5088FA2E-6264-4e7d-877C-320BB940C700}.exe

    Filesize

    168KB

    MD5

    ba24e7fd113c0bb0730354f8f2aaa406

    SHA1

    d5f699fee5bd86afb9497432e9c664aaf8c74b76

    SHA256

    ea13c1c0bf3946470e61722ded762fa4717edb37980c1eaa6b59dbd2a2367098

    SHA512

    57cfe77bb1b65cd2a6f3841aba0c3bff55c1cf2b089b7382640a04adcbed21beda731053b6cffb3a3e1898714c6c676b486d036537438b7a106ac5109f4ffa17

  • C:\Windows\{59E42073-3323-4089-A4DF-50B575BB85AD}.exe

    Filesize

    168KB

    MD5

    2bb390ace9ec21ce8c2cd96a434102fc

    SHA1

    d97dc5b73526401efca0ca0a50b4e493ad5121ee

    SHA256

    1f382e0219f259cd2fd1472a28647ca29cb91bc3f798186ef911f0ec1ab51b2d

    SHA512

    aa02e868d6032c67ea10587f63fd97fdbeb722862e27724a4f69f80f819314d29cb11676ef6765625c1bb84257f2d81405cce39497708b2bfacc22291b580d65

  • C:\Windows\{7B9CA3FF-5955-48d2-94E3-1D784F644FF1}.exe

    Filesize

    168KB

    MD5

    c6a2d8b7024aa4c2d04349819ca82a1e

    SHA1

    dd0e7e74bb19acb1831e37d6018f2afb87a8357e

    SHA256

    64d72c82305d7172460fd731a8661694fb1bbc4f472176bdf2014cb7426d3181

    SHA512

    d996ce3cebbcf1c8c295564f7680703232ba385cdfdf2105f305f509f75595e912234bda98e21e15c2b65b7468ed478205f75c9f2b1fb06622f2c458ae03b517

  • C:\Windows\{7D6E31AC-272A-462c-87A4-3EF03770E1E3}.exe

    Filesize

    168KB

    MD5

    c8bc45f5c891bd368efc0dcb04578ce4

    SHA1

    ba0cf1b4c1186c4f9e9f13f2125806e049111649

    SHA256

    4c1f66f1a8dbd909506b92377c17886f5f71feaeb583e38c3800ed6920b13aca

    SHA512

    f104acc89d844257838cac889d236adb7b084eed07901dc788516196965591dffc5e89da79b75847315a0c6bc7b6a1f33705288fca82cedb8a09e56a3e5ca666

  • C:\Windows\{8784BC3A-81A1-48f9-948C-228ACEA73E98}.exe

    Filesize

    168KB

    MD5

    ae978d0cf1e0ef0af7673647d1dd8c09

    SHA1

    e8082d6eb364030e4cc4ef9e9b6a3771ac8b60dc

    SHA256

    3203feae5047b242deaea496cbb116e5e4e7d710ed0dab53879a927facfded05

    SHA512

    e247128d8024026dabd32ad8ce91f81b8dc2dcd2403d6294f12c2e604b5ab5488866ee41082af686e77029e52f6a2315ee7201334b5125c1b6efc5c5b28f46dd

  • C:\Windows\{C115730D-022B-44c4-845A-96FEABB3825C}.exe

    Filesize

    168KB

    MD5

    a051d2e03795db964940e6f168c71705

    SHA1

    b600498fd22e067412c4fb1f7835e9e7e258a600

    SHA256

    914f6008a70bda16f90e70a3e8b5d2820c4d72070c460dd81346ecd0e3299e03

    SHA512

    2c495346178e7d41d7adf45880b8f5e3c3ea833115980468e8337e85319096a40c70e9a3133c76e2554dbbb6323f44755cd3dadd3e81d7e363f354ec2c1868b2