Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/09/2024, 06:33

General

  • Target

    2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe

  • Size

    380KB

  • MD5

    6b72bc43e7689fa8be7ea99be793d661

  • SHA1

    0a4bf2738266e3cf417ae7a6703272aeb870e7ca

  • SHA256

    1bec1d8d19c5967ea4f055350601566e5ee1405fe683394e9db3ac1f3bdfaaed

  • SHA512

    5e6c310b55361811fc46bb5dbb90b14f9317c0ba5ff3b4b1fe956536b3630b9ea1ede1ef8f838d23a5198c8822eec1acc1010843d770ac1c201a3b7d88d2a1f9

  • SSDEEP

    3072:mEGh0oslPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
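
The Active Setup signature above fires on a write under the Installed Components key; what a responder wants next is the StubPath that key points at, because that is the command Windows runs once per user at the next logon. The following is an added example, not part of the tria.ge report and not the sample's own behaviour: it parses a regedit export and flags Active Setup components whose stub is a GUID-named executable (the drop pattern seen in this report) or lives in a user-writable path. The .reg text is constructed. The report does not show which key or StubPath this sample wrote, so the reuse of one of the dropped file names in it is an illustration only, and the benign entry is modelled on a stock Windows component.

```python
"""Hunt for Active Setup persistence (the technique the report's first
signature names) in a regedit export.

Added example for this report, not code from tria.ge. At logon Windows
compares each HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}
key with the user's copy under HKCU and, when that copy is missing or has a
lower Version, runs the key's StubPath once for that user. SAMPLE_REG is
constructed: the report shows the signature firing, not the key or
StubPath written, so the GUID-named stub reuses a dropped file name only
as an illustration.
"""
import re
from typing import Dict, List

ACTIVE_SETUP_ROOTS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components",
    # 32-bit writers on 64-bit Windows land here through registry redirection
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components",
)
GUID_EXE = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe\b", re.I)
USER_WRITABLE = re.compile(r"(\\Users\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%|\\Temp\\)", re.I)

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
@="Constructed benign component (modelled on a stock Windows entry)"
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"
"IsInstalled"=dword:00000001
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DEF076A-FB83-47da-969F-A7F976050484}]
"StubPath"="C:\\Windows\\{4DEF076A-FB83-47da-969F-A7F976050484}.exe"
"IsInstalled"=dword:00000001
"Version"="1,0,0,0"
'''


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode(data: str):
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex(...) blobs and other types are left as written


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a Regedit 5.00 export into {key_path: {value_name: data}}.
    Continuation lines of hex blobs are not joined; the hunt needs strings only."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = keys.setdefault(m["key"], {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m["name"] == "@" else _unescape(m["name"][1:-1])
            current[name] = _decode(m["data"])
    return keys


def hunt_active_setup(keys: Dict[str, Dict[str, object]]) -> List[Dict[str, object]]:
    """Return every Active Setup component with a StubPath, flagged when the
    stub is a GUID-named .exe or sits in a user-writable location.
    A component with IsInstalled=0 is recorded but never runs."""
    findings = []
    for key, values in keys.items():
        if not any(key.lower().startswith(root.lower() + "\\") for root in ACTIVE_SETUP_ROOTS):
            continue
        stub = values.get("StubPath")
        if not isinstance(stub, str):
            continue
        reasons = []
        if GUID_EXE.search(stub):
            reasons.append("StubPath is a GUID-named executable")
        if USER_WRITABLE.search(stub):
            reasons.append("StubPath is in a user-writable location")
        findings.append({
            "key": key,
            "stub_path": stub,
            "enabled": values.get("IsInstalled", 1) != 0,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in hunt_active_setup(parse_reg(SAMPLE_REG)):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f["key"])
        print("    " + f["stub_path"], f["reasons"])
```

On a live host the export comes from `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and the Wow6432Node path for 32-bit writers such as this sample, which runs under SysWOW64). Remember that the HKLM key alone does not say whether the stub has already run for a given user; the per-user marker lives under HKCU.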

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\{4DEF076A-FB83-47da-969F-A7F976050484}.exe
      C:\Windows\{4DEF076A-FB83-47da-969F-A7F976050484}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe
        C:\Windows\{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe
          C:\Windows\{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Windows\{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe
            C:\Windows\{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe
              C:\Windows\{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2924
              • C:\Windows\{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe
                C:\Windows\{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:948
                • C:\Windows\{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe
                  C:\Windows\{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2948
                  • C:\Windows\{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe
                    C:\Windows\{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1348
                    • C:\Windows\{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe
                      C:\Windows\{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2564
                      • C:\Windows\{7F66139D-8244-45db-8945-98185DCE0271}.exe
                        C:\Windows\{7F66139D-8244-45db-8945-98185DCE0271}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1548
                        • C:\Windows\{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}.exe
                          C:\Windows\{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1268
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7F661~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1312
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{88479~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1176
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{94D45~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2344
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D35BE~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2708
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1D2B4~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3052
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{18C86~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1004
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{64C2A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1276
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{1C471~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{BE3F6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2660
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DEF0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2280
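
The tree above repeats one three-step pattern at every depth: drop C:\Windows\{GUID}.exe, execute it, then spawn cmd.exe /c del <own image> > nul, where the deleted path is the DOS 8.3 short name of the parent ({7F661~1.EXE is {7F66139D-8244-45db-8945-98185DCE0271}.exe, 2024-0~1.EXE is the original sample). The following is an added example, not tria.ge code: it runs that detection over a handful of constructed process-creation events modelled on the tree. The PIDs, images and command lines of the malicious rows are the report's; the explorer.exe parent, its PID, and the benign cmd.exe row are assumptions, and the field layout follows Sysmon Event ID 1.

```python
"""Triage the drop / execute / self-delete chain shown in the process tree.

Added example for this report, not code from tria.ge. EVENTS is constructed
to mirror a few rows of the tree above: PIDs, images and command lines of
the malicious rows are the report's, while explorer.exe, its PID and the
benign cmd.exe row are assumptions. Fields follow Sysmon Event ID 1
(ParentProcessId, ProcessId, Image, CommandLine).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Every dropped stage in the report is C:\Windows\{GUID}.exe
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# Every stage removes its own image with: cmd.exe /c del <8.3 path> > nul
DEL_CMD = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)
# DOS 8.3 alias: up to six stem characters, ~N, up to three extension characters
SHORT_83 = re.compile(r"^(?P<stem>[^~]{1,6})~\d+\.(?P<ext>[^.]{1,3})$")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe"
STAGE1 = r"C:\Windows\{4DEF076A-FB83-47da-969F-A7F976050484}.exe"
STAGE2 = r"C:\Windows\{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS: List[ProcEvent] = [  # constructed; see module docstring
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2420, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2264, 2420, STAGE1, STAGE1),
    ProcEvent(2280, 2420, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(2744, 2264, STAGE2, STAGE2),
    ProcEvent(2728, 2264, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4DEF0~1.EXE > nul"),
    # benign: a user-launched cleanup that deletes something other than its parent
    ProcEvent(3100, 1000, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\tmp1234.tmp > nul"),
]


def short_name_matches(short_path: str, long_path: str) -> bool:
    """True when short_path is a plausible 8.3 alias of long_path.

    Windows forms the alias from the first six stem characters, a ~N suffix
    and the first three extension characters; '{', '-' and '_' are legal, so
    {7F66139D-8244-45db-8945-98185DCE0271}.exe becomes {7F661~1.EXE. The
    directory must match too. Exact (non-aliased) paths are accepted as well.
    """
    sdir, _, sname = short_path.rpartition("\\")
    ldir, _, lname = long_path.rpartition("\\")
    if sdir.lower() != ldir.lower():
        return False
    m = SHORT_83.match(sname)
    if m is None:
        return sname.lower() == lname.lower()
    lstem, _, lext = lname.rpartition(".")
    return (lstem[: len(m["stem"])].upper() == m["stem"].upper()
            and lext[:3].upper() == m["ext"].upper())


def analyze(events: List[ProcEvent]) -> Dict[str, object]:
    """Return the GUID-named stages, the processes that deleted their own
    image through a child cmd.exe, the depth of the stage chain and its root."""
    by_pid = {e.pid: e for e in events}
    stages = [e for e in events if GUID_EXE.match(e.image)]
    stage_pids = {e.pid for e in stages}

    self_deletes = []
    for e in events:
        m = DEL_CMD.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        # Flag only when the deleted file resolves to the parent's own image
        if m and parent and short_name_matches(m["target"], parent.image):
            self_deletes.append((parent.pid, parent.image))

    def depth(e: ProcEvent) -> int:
        d = 1
        while e.ppid in stage_pids:
            e, d = by_pid[e.ppid], d + 1
        return d

    roots = sorted({by_pid[e.ppid].image for e in stages
                    if e.ppid in by_pid and e.ppid not in stage_pids})
    return {
        "stages": [e.image for e in stages],
        "self_deletes": self_deletes,
        "chain_depth": max((depth(e) for e in stages), default=0),
        "roots": roots,
    }


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(f"{key}: {value}")
```

The short-name check is what keeps this from firing on every `cmd.exe /c del`: the deletion is only interesting when the target is the parent's own binary, and the report shows the target written in 8.3 form, so a plain string comparison against the parent image would miss all eleven instances. Run against the full tree, the same logic yields eleven stages and eleven self-deletions, matching the "Executes dropped EXE 11 IoCs" count above.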

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{18C8602F-2744-4903-AA2D-B438DF4900E1}.exe

    Filesize

    380KB

    MD5

    272bf5c991c14229ae6e0b521ba3b867

    SHA1

    b8dffcbf4d4a2e282b8a823e49f3e6e86a16c4fc

    SHA256

    4e71d24410ee7e09910c98470136cfe962707f2bb65145fad9ef1cfeef4935cf

    SHA512

    7b72cbbbb2efda61508e9934a5164038249481fff7c0f3b8af0ccb28c041a1060028f6126761dbf1bf6c6ad310ea4f934d84ecf237280e986f31b1976faf35c0

  • C:\Windows\{1C4716EA-6DB9-400d-B925-D6110F1B0573}.exe

    Filesize

    380KB

    MD5

    c4987694bcba6b6202f80178317eb38f

    SHA1

    f44964ba4d94a42c662fdbe18bdcf1545e192ca3

    SHA256

    5b878fe245cbd1e97b0731f0ded15ac2ab5e1577f847d3c826894da60e98cd32

    SHA512

    ecbef869861bc9da30706eecd07d04b6ac4f3793c2748901f6673f327cdf30838280c8f284da67ade9f6abfb19ee1cb79f929565c9048f42021dff83ccae3e90

  • C:\Windows\{1D2B43E1-2870-4896-AEE7-37F755799B7A}.exe

    Filesize

    380KB

    MD5

    a490838a8845476511164c4d80437d77

    SHA1

    01f0abb6b39b925ba9ae41ed5a03821a97bf6f81

    SHA256

    3f7357b77ade0f753791a3b7a8a9ef29ae1feb72a8f217bbf426f6f20c3b8eed

    SHA512

    54f5d92d55787d36f87cce52a4feb4d3dd99f8d2f1b9e8b3bffb3687da2de3860da02705f80905bec9a28e9300416eb97bd9069a9f927a797087354220319c6d

  • C:\Windows\{4DEF076A-FB83-47da-969F-A7F976050484}.exe

    Filesize

    380KB

    MD5

    8792a1367794c1ce1d21ae42ba53cd0d

    SHA1

    12034d39851b5eaf61b6ef35ed53aec42d4fd860

    SHA256

    483900ce83698010452033fbb4fcd0c061fb8cca76cd149c8e6991f93494e29d

    SHA512

    67923e962076e981cf8d279bc2bf704709157b34364fd119259eab6e471eca4dd4331863cf2253f30c2bc2c9f7a5452abb337b163da78a09dbb6e35dc3326992

  • C:\Windows\{64C2A8BB-00A6-46fd-9B85-8303C44DC214}.exe

    Filesize

    380KB

    MD5

    8b1c0114c997639e2905534f445eca7e

    SHA1

    c4c110f0e6d193ba3dfbe0df5985b43aebd181a4

    SHA256

    1a5a2399fafd09dfee539ac0211ef02cca49fa15c64a0397824f3f4fe3febd73

    SHA512

    fb7ce29e4146d1067f56839ce9d47c8f43e8256b0d4993effd5f069c11ef0245d85c9149fab5cbe82fd6b9fc814a298b181c9c40b8e2b3348d3276f3eba96105

  • C:\Windows\{7F66139D-8244-45db-8945-98185DCE0271}.exe

    Filesize

    380KB

    MD5

    984136936b3f36b1202a4f54ebc55d27

    SHA1

    3c8933da03bfdca57843f94c1dbeef3b90d03a17

    SHA256

    dd67b1602d47e76e7634c2d13d4a43ab179f0acb03fbe905e3d9e071929ece6f

    SHA512

    11c8fbc86d8a955fa0c560e7a8235bf93e67b6622085477e94d335134c811ef0425c2ea64ff4f2d0c34a039d7eb18e9a2fee5c1052fd01966135fdbe331fc84f

  • C:\Windows\{8847918B-A8F4-453e-BEC7-B3D7713A660D}.exe

    Filesize

    380KB

    MD5

    4dc28461c2f4c5250b5b8991ca605700

    SHA1

    a0e688a75405425c6df6206c9e6771b4488fef88

    SHA256

    4a961ab5c69b2dc95c3eec67cebb50dc196381fa53db3067f6976a8b34bc6ff2

    SHA512

    70f334b46c9082f86d24c777026bf0c1dd10136767dd085170e0b92c91a6030fefb69784b89b9b913f4317b46d80af83f7fa32bdaecc0af810340a34a9233308

  • C:\Windows\{94D45909-6E0E-4065-A6DA-AFACC53E0D83}.exe

    Filesize

    380KB

    MD5

    4f9efc21cac37554086bb02c47aa737c

    SHA1

    dd55d8487d7abb9fead2f48a340dc04f2c267f7f

    SHA256

    6f62f61b3798450b21bc4882f4c676a7def2d51a65714caa723562d2304ef0a4

    SHA512

    3e0e5ba8558bac79f326a50aca7e43379d248da81fc0fc3a5f01cc19a1f67f84a888d2c35d9632bb0a7b0c3050af831f49c9824cebf52cb66f73ece7db8f5523

  • C:\Windows\{BE3F6B0E-D47C-4107-973E-A26740179E53}.exe

    Filesize

    380KB

    MD5

    1f45ddf4a94e196715d4399ffbed6ddc

    SHA1

    f9ba8e627960c7bcbf9f4997ba5268c5bde8e742

    SHA256

    c64d3cf53619af4354dc5ee8a2d7c2a544d7e7deeb70fd9d531f7721fdefc67c

    SHA512

    a1d48a3f0634991f97a03254bafdf1cf14522e353c522682f32b8a128d07fd3592657fa29b7e76afb8db3856eb4dca2c8f2713cc1d0d90a3b490c5636faf86a8

  • C:\Windows\{C76B7B71-CB0C-4cfe-AAFF-932637486BF0}.exe

    Filesize

    380KB

    MD5

    bc4c35c9d48beb1f376b98307307e6ae

    SHA1

    61da61021d45fd79833a0b3c73d2305dc10f6304

    SHA256

    4b2733f7f109ec37befaf1a25747c01358f77b02008fce9e8c91d32682466600

    SHA512

    8cc527865ba1818627793bcfdf6b0995466ac8f72b93ed4a4722d32d9b027330fc9e66918b37cc2f66c7057757ff9b3bb4adfaa08b20a852fe70d0185412795f

  • C:\Windows\{D35BE5E1-DDF3-4aea-B599-1D88D1CDBDB4}.exe

    Filesize

    380KB

    MD5

    bcc30c5657b7b576247a44c58b630b21

    SHA1

    92d945cb92d93ac2f7c50f70fbaee6e725ec607c

    SHA256

    73338612df92686ad21167e7fc69f390d656ba3767e716026102675989ba3713

    SHA512

    0054930daa172dfea2c773ac7c265b3c0d3c29882ee97f23d089fe83f2c6d8ec8a008c9852ed0a31d24951614ac9930bfb1e6ae70de9353e7335f7717f0b846e