Analysis

  • max time kernel
    149s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/09/2024, 13:39

General

  • Target

    2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe

  • Size

    408KB

  • MD5

    895557d300511f763dfa1105e82bb491

  • SHA1

    6c5ff8b4067a83247922d73c5e461f4ffeb8f7fa

  • SHA256

    196000bd2c8369f08eb983b883dac4f7f26a99e3a6a6349dff736e9f22caffe8

  • SHA512

    ec546d97ccd09ca8b4947bebbf13c023d098049c1285cbe4a57599e4a8155d39ba9c7e0bce829b791a5da70c92bcba57b94a0cf8683f9fd50f5945262c684a63

  • SSDEEP

    3072:CEGh0oFl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGHldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe
      C:\Windows\{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe
        C:\Windows\{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Windows\{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe
          C:\Windows\{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3432
          • C:\Windows\{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe
            C:\Windows\{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1764
            • C:\Windows\{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe
              C:\Windows\{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:408
              • C:\Windows\{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe
                C:\Windows\{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4308
                • C:\Windows\{C456355F-3478-4dab-AF10-A40771F79DD0}.exe
                  C:\Windows\{C456355F-3478-4dab-AF10-A40771F79DD0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3692
                  • C:\Windows\{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe
                    C:\Windows\{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4988
                    • C:\Windows\{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe
                      C:\Windows\{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1508
                      • C:\Windows\{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe
                        C:\Windows\{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3612
                        • C:\Windows\{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe
                          C:\Windows\{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4972
                          • C:\Windows\{CCDD32B2-C293-4629-847B-314CFEE68C20}.exe
                            C:\Windows\{CCDD32B2-C293-4629-847B-314CFEE68C20}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1752
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{96863~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2908
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BEE40~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3280
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6840~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3876
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{43F22~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2208
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C4563~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2528
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{7AFA0~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4236
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{21EE8~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:976
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{7625F~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1132
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4EE76~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3048
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EAEB1~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3232
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57EC7~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3120
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe

    Filesize

    408KB

    MD5

    50bc227596f8656378edfabefd3d6c99

    SHA1

    8a421e2e0be3236cb60bf4437933eab16ec46711

    SHA256

    4ab057f06804402468a37344a90102df27f500c7671cea7cb4f83a64ae5b021a

    SHA512

    5f4eb4f48e0b74232bf96357c579fcac5928f18d671206423b64a56a7c7ec5ae678466570dddabeb7e0aaace48aa5d1bd0efbb165a915a079f162e3bb028d560

  • C:\Windows\{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe

    Filesize

    408KB

    MD5

    932f674bb3a5cff8ba3695efde01831a

    SHA1

    5dca7a76c6aaaa23ccdb56aaca7258c03eb2cba5

    SHA256

    59b2690f32a96b11290986e227fe4fb479f42208b154989fe015f01f66bde93d

    SHA512

    c2aa9f5c5fffa6447329ef848fdfb2b270e44bb97c7442e207c512c4beb29ed312dcdbc8a476508d3d86c24823148f0a02b47f6c8cca47fdf0bd92ea9fd8e0ba

  • C:\Windows\{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe

    Filesize

    408KB

    MD5

    ab3ec52bbd66f451a11d8bc53e698a2b

    SHA1

    5b2b1fc2c7dcb735367094e6975839ecbd76b6e9

    SHA256

    73a2d53cfdeafefd2dffffede90dafef6fee2ebcef746a9741946a189452f4de

    SHA512

    1fee33bd2bd8f615c247d09bcf21707e6a2f39dfb3c054cfe7d74564a4d9dbe755086addc097c7fdc4fa3c5d9895f8ebf0f2ca7cbbe0a971485c1e31245d2895

  • C:\Windows\{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe

    Filesize

    408KB

    MD5

    3a37d3004cad2b94b54405f5da1922ed

    SHA1

    90b45a6ef24d1859cadefcc0cf9b7fe77c088024

    SHA256

    0c4252089db5f58f1564f9cd2e13ad8c886b00ad5e7335f4bc7de1cbbf7324ba

    SHA512

    b0cccc6fd224a45598e17f198fc2713c5255382abcce5ee227bd085b2a4b3a79941755883d88e6f64863d58ebbb3ea960464a29450e00b23a469c30a0093b094

  • C:\Windows\{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe

    Filesize

    408KB

    MD5

    f87f60c3ed3c6d715edefc787525b178

    SHA1

    45d64e655324fc6dd68927d5c5f8bae7a8f96f84

    SHA256

    d0bc26125568fce2febc750d55d54df5cf23063a200d02836790fa8d664f7828

    SHA512

    36417eaaa649815ba8b879401bcc12881682ab381fc283dc0b0e7cdf72a0d4db369dcecfcfd5cef7b045199667674b3beb6eaa239848646546535e66796b8a94

  • C:\Windows\{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe

    Filesize

    408KB

    MD5

    92edc61bb316563d2c524da3350017a4

    SHA1

    8874267e232f30aafd7e537cd651c449fd5bb82f

    SHA256

    4c4b8d17ca17c65ff5d30071f9e37cf95e0c7a89706bd519e04d1be6fd2cf2f5

    SHA512

    2dcf5124fbbf2854d42a4a903c64da2d278b6bea4eeb8cd5f82b0f05da6d95b982f63b4322905497b49c96514a8e85f1ff0cdaa1ff751042fb9760391a6d0894

  • C:\Windows\{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe

    Filesize

    408KB

    MD5

    a92dbd89667220ee3a7a4834903f901d

    SHA1

    7de01b0f9f3249a39d87bdd212a4069965e35b09

    SHA256

    4e471987407d8b170fb669ef216721e8da2af6ae299b53f83a1ad9b54c1e2727

    SHA512

    4cf0355d80c1c5970e81bb80be5871b0da4e749be0698da136d54348052887de5cf8a06ed11d1b5fba3a605ad07a2871c569183242b2c475a078d8cb4061206f

  • C:\Windows\{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe

    Filesize

    408KB

    MD5

    517d9f622ea3a2fde911c9c1a0749700

    SHA1

    7ebe1e6284f900f69adeeb1bf34ad5c802588df7

    SHA256

    ba2d692b3a63f1519ab02480d7623309ed0cef0ec73b7ff8c4e92f296b52b032

    SHA512

    a6b5d1c2d63479820d2701a7b5fea3f82a08949b9fe53f82c0eb5422ab38bb53f339e44e56db3480137fc982beede41977f6f83b10f12d7d321e3f799e369939

  • C:\Windows\{C456355F-3478-4dab-AF10-A40771F79DD0}.exe

    Filesize

    408KB

    MD5

    39aa125a0a5a35a858448257277a2d91

    SHA1

    510ce70bb3111fa005bc6d9aeb166030e42623a2

    SHA256

    da05384f43ab106d9fec2ec1f6714f9a3b1ad26ba33313586b8268919e3bc558

    SHA512

    872a6fa868f28738811307ae51e1b8a0dff2193365be1111978c4dd99554e0c45bc259001e4928efd07602c4da013dfc85118357cc9cc97a8d721b136a05f42a

  • C:\Windows\{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe

    Filesize

    408KB

    MD5

    ee4d7a4af40a5d2009a6e2e6cdca5a21

    SHA1

    514e5d784452c8824d29c2ab850e2ff78383c35a

    SHA256

    d3644d0306239c0e58f800df68f6615fb625de8c022bee9fea4b4e966082cb76

    SHA512

    d0948b5ef42ea07030c99a6105680d793f455b645e8b66c926aed9a38a423cfd7d68d04b07efd1d8498b7289d77697d2e67d96ef39b7d0e0a44353098844b828

  • C:\Windows\{CCDD32B2-C293-4629-847B-314CFEE68C20}.exe

    Filesize

    408KB

    MD5

    6ab49b0dac1a3debf01ed5dfd0285f5c

    SHA1

    01331d43d5330e15faf2b5ae655ef7b566d66e21

    SHA256

    6c8388b73cdda557e4a1b25aa236614c5f04868b12dfd2ba373f958538ba60ae

    SHA512

    afb963e861db8d7a54df1d49227a613c72027ed0bfc53d730d93084fe9b54eb8f49fab1c42d5a847c2dd8dc8d63c2971fb749ef5de2ca9c4e85cd60fad0b41e5

  • C:\Windows\{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe

    Filesize

    408KB

    MD5

    f404152fc1bc84204d8ff502dce8c0d1

    SHA1

    2b505be81d5c0f94e57ce2754c5d0671e8b498d5

    SHA256

    0561e6bd5a30d8b5fa6d10a5439ecf5acede2388d38996126e5f97a5ac8fb6ff

    SHA512

    ad5ddadfee8dfdaf8b47e1259933677d18261e3340849918bc483e31332f70e0e4308d9d4e590fd0b3b68c15b706a284c2e33d82204662fa8bdd2cb803b5bc34