Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/09/2024, 07:56

General

  • Target

    2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe

  • Size

    168KB

  • MD5

    553bfbc62ad7c84f8e29fb4bf4442ae5

  • SHA1

    546c7fe2468e6bbacfeb35eac622880982cff82b

  • SHA256

    4dc70f5d77072b5cbb35b47d7f220bcb3ac64ec8d519b53902eff48c81dc5178

  • SHA512

    2e6378e183b8aed8c3f3f6b15e06e48ebe0110ebb0fff79a46a64d16ca0100772bb32ec0aad79250a6d93781234db913dd70d7cf0bf1bf92bb95e491a460730e

  • SSDEEP

    1536:1EGh0oAlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe
      C:\Windows\{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Windows\{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe
        C:\Windows\{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe
          C:\Windows\{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2056
          • C:\Windows\{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe
            C:\Windows\{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1236
            • C:\Windows\{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe
              C:\Windows\{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:860
              • C:\Windows\{90748F79-DFB2-4cdc-97D7-479118B32142}.exe
                C:\Windows\{90748F79-DFB2-4cdc-97D7-479118B32142}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3364
                • C:\Windows\{936C225A-AA04-45bb-A093-49E30B97E805}.exe
                  C:\Windows\{936C225A-AA04-45bb-A093-49E30B97E805}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3440
                  • C:\Windows\{30152BA8-D461-4302-AD3A-D88CC003D777}.exe
                    C:\Windows\{30152BA8-D461-4302-AD3A-D88CC003D777}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3524
                    • C:\Windows\{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe
                      C:\Windows\{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2392
                      • C:\Windows\{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe
                        C:\Windows\{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3556
                        • C:\Windows\{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe
                          C:\Windows\{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3600
                          • C:\Windows\{B8B2FB43-DA87-4524-8C40-E023314B5513}.exe
                            C:\Windows\{B8B2FB43-DA87-4524-8C40-E023314B5513}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3040
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B43C1~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3160
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BFB2C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2228
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6979~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2240
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{30152~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4040
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{936C2~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1068
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{90748~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:880
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5097B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3400
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E8A6A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4252
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DFEEA~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2240
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9EC36~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4896
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84FC4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1508
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{30152BA8-D461-4302-AD3A-D88CC003D777}.exe

    Filesize

    168KB

    MD5

    f2cdd0327ecbd4db4820f23660a03522

    SHA1

    8242447b4ce24f4e469c9dadcfb9e5fcea866546

    SHA256

    fbce5940bc4383574dc47c595c4e86637b0894afc13e957bf5f2509e6c3d700f

    SHA512

    a2de9290cffaf5ac884bc64bd420666664caba2140a08f6c588ae5b610a16bf28eb85e3d41d084372802f2a233f4b43e23f40e13e28edeb46e112a89d41ce48c

  • C:\Windows\{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe

    Filesize

    168KB

    MD5

    bde4aad4508253cf89ae9020d5590521

    SHA1

    e74714b6b53148b4f835b78266cef3fd383c9d02

    SHA256

    026f2fe911e581e6080f3a263f26cfdf2e9380dc361d78ee4dc2ab5ca0d8b086

    SHA512

    3060f7f252876ed89f2ab35c0fa3533eaeb9dc6cda706920733f875b5ede13ed49f88a20535a9250ea2f1b0f93f7a01d82c1d68e0aabe3e1e80870e758bafe6a

  • C:\Windows\{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe

    Filesize

    168KB

    MD5

    a1ee068e27760f82335a2e29ad280351

    SHA1

    144f1509f642b9dc19116d0522a8bd3297b9f84d

    SHA256

    03f7280d5db17bba93651b1b9ebf08ecbdd3fc9215f9921cc267ca873909d2f5

    SHA512

    7ca55fd324fe610c7c0299ecc245f80e82edd675aa6d88fdf23de58cc9490f8d97e7f48a9683bcbf60ff9b36e013a2737dced4c0de0e38e27eb66aef599629f4

  • C:\Windows\{90748F79-DFB2-4cdc-97D7-479118B32142}.exe

    Filesize

    168KB

    MD5

    275b44896e4eb38d6072656273917ce4

    SHA1

    d43ca6441bcaef5ee4eefc675b6d57dc81e24309

    SHA256

    ed2e790642f03736f86979038b91bb6298027cb2f04f4b67fff43e5c226e432c

    SHA512

    1d1e2d611504802a344144a29a2f7cbb68b111f49ab542ad66164e3f8438e97e0532723f8f81a714eed62661881f13c42485a548ae819b5c424792c2a43d7666

  • C:\Windows\{936C225A-AA04-45bb-A093-49E30B97E805}.exe

    Filesize

    168KB

    MD5

    b2c7abcb86c055e1c8a7233975e1b6e1

    SHA1

    e04abd6c866eac984442cb54e4b8f9e35d478029

    SHA256

    3c8dc59589e2221d621b2b84343aa4137f662c812ce8eaa65b7d8b97b9f06413

    SHA512

    149105e35dec2df08e4e0ffd9f503fd2d5fb9cc96b5d3f4765fb8573b8720e42a46735b78ae79fb38b3156a71db0e0fdcecfb894bfd3ba344e017d10e0e8f894

  • C:\Windows\{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe

    Filesize

    168KB

    MD5

    311850fa3d5b80cb5a57714b950ab74f

    SHA1

    d7cfa09a7eb5160d782ec63b908564b3f788969d

    SHA256

    23a5142f364568021b0b7ba89e16b4f14325bfe9c511c87fcf7b1afa68deaf28

    SHA512

    8d470fab4b0d533ec8c1d43cb986cdf8081a158b7c4b0dec96a684cd99023629584d2c056957e2135e3a57ceccd1f84ace04ee3854df66b734aaa39ce98a1987

  • C:\Windows\{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe

    Filesize

    168KB

    MD5

    f11bf6adfccbb67a84b3f297d6affb9e

    SHA1

    668fa0af4d246d90527636d47c396e3507d1eb50

    SHA256

    f39b4622479b477049bb0420ee93bcf8690526b6bad96b501b3f3de7519794f0

    SHA512

    9760fee7a7f1b99b531c267a9683b239536702207e2b74c672e340928f3c3b5defebc5de1ce7d43d6f6ab6ce84aff639309fb21b42f87e8d9b265ad862ff97a1

  • C:\Windows\{B8B2FB43-DA87-4524-8C40-E023314B5513}.exe

    Filesize

    168KB

    MD5

    f81bb20a4314c728fa1eaf67cf270dcb

    SHA1

    cf8fd662001148c366cb5450c6a636114a3f3b6d

    SHA256

    b19c8c678d29ed722cc6118032f2d566c12b30166b7ed337735c228aa43b7a95

    SHA512

    cdbcf956e6ba60967a011a1988b893d27b31282f42e0ba1d9801952344b72e0335a3d0e076a99a139548ee81a3a76a01bc601ea087038fdb359b78900146d942

  • C:\Windows\{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe

    Filesize

    168KB

    MD5

    8281b0f8dd492f2a1d58c630b583aa32

    SHA1

    211417dff7df80513c8023260664d186f2335de3

    SHA256

    a1381496ba514d9ddb76fe9ced79c4d708fb29d32fe37c460d17d4797591ae2f

    SHA512

    102f1861e307b86dc7cb8b265d7fd61a9e18f945a030b0c8469d3f2f867d4b4d96f719493d88e7d1f470377f310dc797f89951c801008a6d219334093673df61

  • C:\Windows\{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe

    Filesize

    168KB

    MD5

    15268b0f93fc321d2bd0ca518b026999

    SHA1

    fd91ab6cffb13918b078ffaf9a9e2a9017162158

    SHA256

    0eacbf32d33edf388eaeedeb8800c62a24ef91ea72723f9b5376b4f287d8de50

    SHA512

    c6a358175900a225f46996e4d4751599a5cfcdd49f43fc2908c89a890bbc9d22bb47895e7b6956ee37878c501ee3fae03202459ad92c8ad1848ba3c0d68e20fa

  • C:\Windows\{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe

    Filesize

    168KB

    MD5

    f2e781dd8e1633fd9057b3da07187734

    SHA1

    367ee170d6192508cde0ac68f873714b908adced

    SHA256

    a70365f8723e7c508959d46e6cb73bb7ae7cc6beee0a977ce331cb7483e64c6f

    SHA512

    063db05789e81cd6f88252e8806da6c41a57dd058d7cb7cb2f5627ab960ac3e5e5222d04ebc91da600813b56b6ff6201123d1db3445f57e7da16cbfb5a5740b3

  • C:\Windows\{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe

    Filesize

    168KB

    MD5

    3c5b8432b9408c3dd0f12516e0582b1f

    SHA1

    349f81423e36d7de016b8d2ba56336d19656d701

    SHA256

    0a964b708379297c7e32703101c217d427f7736b6fb5e759e8f6faef24d3d228

    SHA512

    5916727e485cbf0119484b4edbbaec80e66088d5c79628175d0884ce78a80084900537b1615c09853d774ccdc23f0a4cf0182231e33ff0f6e97675fc65198fe9