Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/09/2024, 09:49

General

  • Target

    2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe

  • Size

    372KB

  • MD5

    62cd081bd3e7f9784db59a7d190bfa57

  • SHA1

    def16a2b60a6aa463506dd16e62e2e123ee6e19a

  • SHA256

    674ad5de64c23d0e0bb26d875d0ffac969bec6bdc38f76e5a135970980d3d54d

  • SHA512

    f9c90f55b3cfe7ceb2185c7f55122b8793c8bcb8c627a1c05ad7ef264f4944f887772233762a5f34b5ea81a60b1867bc66ce93117ba45da0ed438836489cd42e

  • SSDEEP

    3072:CEGh0o2lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG4lkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
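The Active Setup signature above is the persistence mechanism worth checking on a suspect host: every key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components has its StubPath run once per user at logon unless IsInstalled is 0. The script below is an added example, not tooling from Triage or from the sample; it reads a `reg export` of that key and flags stubs that are GUID-named, that run straight from the root of the Windows directory, or that live in a user-writable path. The export it parses is constructed: the first entry stands in for an ordinary component, the second reuses the first dropped-file name from this report, the third is a disabled entry. The registry values this sample actually writes are not shown on the page, so that StubPath is an assumption.

```python
r"""Review Active Setup 'Installed Components' entries from a .reg export.

Added example, not part of the Triage report or of the sample. Active Setup
runs each component's StubPath once per user at logon (skipped when IsInstalled
is 0), so a dropper that registers its own key survives reboots. SAMPLE_REG is
constructed: entry 1 stands in for a normal component, entry 2 reuses the first
dropped file name from the report (the real value written by the sample is not
on the page and is an assumption), entry 3 is a disabled stub in a user path.
"""
import ntpath
import re
from dataclasses import dataclass, field

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"IsInstalled"=dword:00000001
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{658C8D1A-E24E-4562-AA03-531584ADC59D}]
"StubPath"="C:\\Windows\\{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Local\\Temp\\upd.exe\" /silent"
"IsInstalled"=dword:00000000
'''

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\"
    r"Installed Components\\(?P<comp>[^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
GUID_EXE_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:users\\[^\\]+|temp|appdata|programdata)\\", re.I)
SYSTEM_ROOT = r"c:\windows"  # assumption: default system drive and directory


@dataclass
class Component:
    key: str
    values: dict = field(default_factory=dict)


def _decode(val: str):
    """Decode a .reg value: quoted strings use backslash escapes, dwords are hex."""
    if val.startswith('"') and val.endswith('"'):
        return re.sub(r"\\(.)", r"\1", val[1:-1])
    if val.lower().startswith("dword:"):
        return int(val[6:], 16)
    return val  # hex(...) blobs and other types are kept as text


def parse_reg_export(text: str) -> list[Component]:
    """Collect only the Installed Components subkeys; unrelated keys are skipped."""
    comps, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = Component(m.group("comp")) if m else None
            if current is not None:
                comps.append(current)
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            current.values[v.group("name")] = _decode(v.group("val"))
    return comps


def stub_executable(stub: str) -> str:
    """Executable part of a StubPath command line (quoted path, else first token)."""
    stub = stub.strip()
    if stub.startswith('"'):
        end = stub.find('"', 1)
        return stub[1:end] if end > 0 else stub[1:]
    return stub.split(" ", 1)[0]  # heuristic: unquoted paths with spaces are cut short


def assess(comp: Component) -> list[str]:
    """Reasons this component deserves a look; an empty list means nothing was flagged."""
    reasons = []
    stub = comp.values.get("StubPath")
    if not stub:
        return reasons
    if comp.values.get("IsInstalled", 1) == 0:
        reasons.append("not-active")  # Active Setup skips it, but the stub is still on disk
    exe = stub_executable(stub)
    if GUID_EXE_RE.match(ntpath.basename(exe)):
        reasons.append("guid-named-stub")
    if ntpath.dirname(exe).lower() == SYSTEM_ROOT:
        reasons.append("stub-in-systemroot-root")
    if USER_WRITABLE_RE.search(exe):
        reasons.append("stub-in-user-writable-path")
    return reasons


def review(reg_text: str) -> dict[str, list[str]]:
    """Component key -> reasons, for every Installed Components entry in the export."""
    return {c.key: assess(c) for c in parse_reg_export(reg_text)}


if __name__ == "__main__":
    for key, reasons in review(SAMPLE_REG).items():
        print(key, "->", ", ".join(reasons) or "ok")
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" activesetup.reg` (the file is UTF-16, so open it with `encoding="utf-16"`); on 64-bit Windows check the WOW6432Node copy as well, since a 32-bit dropper writes there. A match on `guid-named-stub` alone is not proof of compromise, because Microsoft's own components are GUID-keyed; what is unusual is the stub executable itself carrying the GUID name and sitting directly in C:\Windows, which is the pattern the dropped files in this report show.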

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe
      C:\Windows\{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe
        C:\Windows\{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe
          C:\Windows\{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe
            C:\Windows\{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:980
            • C:\Windows\{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe
              C:\Windows\{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2112
              • C:\Windows\{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe
                C:\Windows\{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2932
                • C:\Windows\{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe
                  C:\Windows\{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2292
                  • C:\Windows\{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe
                    C:\Windows\{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1036
                    • C:\Windows\{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe
                      C:\Windows\{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2388
                      • C:\Windows\{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe
                        C:\Windows\{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1364
                        • C:\Windows\{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}.exe
                          C:\Windows\{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1340
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{42192~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2524
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CC11~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2376
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{17E4B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1432
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{BF50B~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1944
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3B3A3~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2860
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{7AEB4~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3024
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A7A33~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:468
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8E830~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{52B67~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1648
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{658C8~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2704
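Two things in the tree above are what the "Executes dropped EXE" and "Deletes itself" signatures are keyed on: each stage drops the next as C:\Windows\{GUID}.exe and runs it, and each stage then spawns cmd.exe to delete its own image. Note that the del target is an 8.3 short name ({658C8~1.EXE for {658C8D1A-...}.exe), so correlating the deletion with the parent's image needs the short-name mapping, and that the image is C:\Windows\SysWOW64\cmd.exe although the command line names system32: the dropper is 32-bit, so its call is redirected by WoW64 file-system redirection. The script below is an added example, not Triage's own detection logic. Its event list is constructed from this report's tree (PIDs, images and command lines as listed, parent PIDs taken from the nesting, only the first three generations kept); the root parent PID 1000 and the one control event are assumptions.

```python
r"""Spot the GUID-named dropper chain and the cmd.exe self-deletions in process events.

Added example, not the Triage report's own tooling. EVENTS is constructed
from the report's process tree (PIDs, images and command lines as listed,
parent PIDs from the tree nesting, first three generations only); the root
parent PID 1000 and the final control event are assumptions. The del target
in each cmd line is an 8.3 short name, so the self-deletion check maps it
back to the parent's long image name instead of comparing strings directly.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ORIG = TEMP + r"\2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe"
DROP1 = r"C:\Windows\{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe"
DROP2 = r"C:\Windows\{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"  # 32-bit caller of system32\cmd.exe lands here via WoW64 redirection
DEL = r"C:\Windows\system32\cmd.exe /c del "

EVENTS = [
    Proc(1152, 1000, ORIG, '"' + ORIG + '"'),
    Proc(2800, 1152, DROP1, DROP1),
    Proc(2608, 2800, DROP2, DROP2),
    Proc(2704, 1152, CMD, DEL + TEMP + r"\2024-0~1.EXE > nul"),
    Proc(2884, 2800, CMD, DEL + r"C:\Windows\{658C8~1.EXE > nul"),
    Proc(1648, 2608, CMD, DEL + r"C:\Windows\{52B67~1.EXE > nul"),
    Proc(3100, 1000, CMD, DEL + TEMP + r"\report.tmp > nul"),  # control (assumption): not its parent's image
]

GUID_EXE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)
SHORT83 = re.compile(r"^(?P<stem>[^~]{1,6})~\d+(?P<ext>\.[^.]{0,3})?$")


def guid_exe_in_windows_root(image: str) -> bool:
    """A {GUID}.exe sitting directly in the root of the Windows directory, not a subdirectory."""
    return ntpath.dirname(image).lower() == r"c:\windows" and bool(GUID_EXE.match(ntpath.basename(image)))


def short83_stem(long_name: str) -> tuple[str, str]:
    """(6-char stem, ext) that an auto-generated 8.3 alias of long_name carries."""
    stem, ext = ntpath.splitext(long_name)
    stem = re.sub(r"[ .]", "", stem)            # spaces and extra dots are dropped
    stem = re.sub(r"[+,;=\[\]]", "_", stem)     # characters illegal in 8.3 names become '_'
    return stem[:6].upper(), ext[:4].upper()


def short_name_matches(short_path: str, long_path: str) -> bool:
    """Heuristic: same directory and the 8.3 stem/extension agree (the ~N counter is ignored)."""
    if ntpath.dirname(short_path).lower() != ntpath.dirname(long_path).lower():
        return False
    short_base, long_base = ntpath.basename(short_path), ntpath.basename(long_path)
    m = SHORT83.match(short_base)
    if not m:
        return short_base.lower() == long_base.lower()
    stem, ext = short83_stem(long_base)
    return m.group("stem").upper() == stem and (m.group("ext") or "").upper() == ext


def find_self_deletions(events):
    """cmd.exe children whose 'del' target resolves to their own parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        m = DEL_CMD.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent is not None and short_name_matches(m.group("target"), parent.image):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def dropper_chains(events):
    """Map each non-GUID ancestor to the longest parent->child run of GUID-named exes beneath it."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    def longest(pid):
        best = []
        for c in children.get(pid, []):
            if guid_exe_in_windows_root(c.image):
                run = [c.image] + longest(c.pid)
                best = run if len(run) > len(best) else best
        return best

    return {e.image: longest(e.pid) for e in events
            if not guid_exe_in_windows_root(e.image) and longest(e.pid)}


if __name__ == "__main__":
    for cmd_pid, parent_pid, image in find_self_deletions(EVENTS):
        print(f"pid {cmd_pid} deletes its parent pid {parent_pid}: {image}")
    for root, chain in dropper_chains(EVENTS).items():
        print(f"{root} -> {len(chain)} GUID-named stage(s)")
```

On the full tree from this report the chain function returns eleven stages under the original sample, one per dropped file in the Downloads section. The short-name match ignores the `~N` counter because it depends on which other files in the directory share the same six-character stem, something an event log does not tell you; a stricter check would need the file system's own short names (`dir /x` on the host).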

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{17E4B33F-F848-43e4-98B7-D8CF012B3100}.exe

    Filesize

    372KB

    MD5

    e421f28c355efa9e1a6360e1d72a17dc

    SHA1

    7a749dbf3eabe09c78c5b3d0f9e9ce29abd7dc0d

    SHA256

    f60f853d100ef83f209668518f2933d81d2dafcc1d61a4ed4f88151863d27c5e

    SHA512

    2b2990e22a0f6fd6090c0ef033f889c1b5c1038def4ef613aeca7c98741c9fbd1c0534b9877ba890ce4a668c9ce60b8916bf7d06ebbe9102a4f7cb3d8a8d964f

  • C:\Windows\{3549BE5B-3ACE-4ed6-A39D-FFB68E51E55F}.exe

    Filesize

    372KB

    MD5

    0db05b560bd3ff95c0ef7532dc03e833

    SHA1

    8997ec966f2a8361304f04276c138bbb6e91ba6e

    SHA256

    0b06fd75c27f88fd8595b34b895ea94682f0154a345a1457f5e8d236569e718c

    SHA512

    7cdb460000b37541a4dd6961951d4cb8a3aa8dce98169bda521acecd89fc918e0ed589528fd8b75970ceef503097c008684e3dc85e8feb12227d1472cafd22ad

  • C:\Windows\{3B3A3E54-A65F-4321-AC45-03A05965630E}.exe

    Filesize

    372KB

    MD5

    d50ea624ce337a9d0f99afbbb5b0290f

    SHA1

    1b87a3fc48270ffe2c3578ba07874b0420297a15

    SHA256

    8b8a5c5965eceff9e1aa35be62d2e38d823547df1c9502fa15a38c18d68b324d

    SHA512

    9b149f568e94b554ae92843bc4efc26b217e2dacdcc45262d2b54d1f7e0f8c1261592391413f17a9ff746f846ae0527ad6b982c9e6e8a154ff61a863b8d34342

  • C:\Windows\{42192CB1-514C-44ac-9422-FD5A618ED7C3}.exe

    Filesize

    372KB

    MD5

    6d858fc90cc48b89dd5bc87bccb5ea2b

    SHA1

    c044068b46ea5e705347e658b11eefbe0f798155

    SHA256

    b3e5d88b0fcad64c33ac0ce9ff85b9bd5d4b04337a393f287deb101af6a76947

    SHA512

    f82daa98be7c76d55b3973a806cdb9e0b490932daa22bdf84a710e6675ebb919198b484a07890b5f18683409fd39bb522484b8d78d76c27894e8c731602fac89

  • C:\Windows\{4CC11CA1-6550-4d26-89A1-3951210B118C}.exe

    Filesize

    372KB

    MD5

    3ca21ce7dc2c454682bcd8856dd90dff

    SHA1

    d2ffe888c2a9029b92f0b22bb83b078f3bea9700

    SHA256

    0679c3cf467dfca0729cb1556b5b9a4a2092ac8f25b7dc2aac0156420e30fd3d

    SHA512

    3a33f8670219a94ab31acc1110d81cafdc0c21a62754dc4a3d84e487af5e04d10ad864bad86abe6d867ee924c70ac0e12d2357716b0ac5de2fb0fd5eb967f411

  • C:\Windows\{52B6797D-222F-4637-BACF-957F4FE1FA55}.exe

    Filesize

    372KB

    MD5

    6c957d83d8c33b405dd2f0f9a8c12856

    SHA1

    613285476f26fbf01561a76d352eb59c04d2190d

    SHA256

    d8256f7b9281f860dc197338c71009476f1ba411387153fe3851cdb2d848455f

    SHA512

    1a81fbf66ba4d544bd22955b3797a73e3f3d0a883b2cb63e49bbac310efd359d8ca80a407030314e7358f580faea0e5fdf31b088d45662ab4f9ec3084cb4642c

  • C:\Windows\{658C8D1A-E24E-4562-AA03-531584ADC59D}.exe

    Filesize

    372KB

    MD5

    3908db4c583ec16dc1fcb138763788bf

    SHA1

    232842fda3bfa0fa2d6ccdf9f5e6e96669981d89

    SHA256

    ee1330ff5d377015e48873f50ee76d0e0918ae26eb1927d0cb4676d9647a91d8

    SHA512

    c40a81197ed0dae49b0de6564f21499d9422c75eecd092f86d7d8e1737b932e84941b725c15e3a8471a0999cdbcbaa2c0e5fc7defc2263fcd617c39e7f7ae1ae

  • C:\Windows\{7AEB4DBA-0DF0-4824-A6D6-989C3D81AF2C}.exe

    Filesize

    372KB

    MD5

    334c5b9eb200626e2a4dcc1057e3d73e

    SHA1

    15a4aa8fbf58fb2068e64da6818af5af42b8f6e6

    SHA256

    e6deeec31811a4d4af788796b18aa08da5f38258584444435b95952d45dc82c9

    SHA512

    2e3a4043eec881faca6e2725b8617b7a9d7170f536c498f8f16ce7de97b20491b49d6c4ab8619f333b30d38537eee2a7327c37ed9fafba735690596c9ed2cea5

  • C:\Windows\{8E83080C-5BC0-4265-B87E-8D6294B8E193}.exe

    Filesize

    372KB

    MD5

    b014fd0658a49d99c79a0986d84c8d32

    SHA1

    51ae4806263783578101efb65102d0c5d6862eef

    SHA256

    614e3893ecfbde3335065af2221c6fd49f64d89157422cf43d04cd6411a8e13e

    SHA512

    aecb38460091e3f21990b4495ac263e398733da94f6d1248ca4418eaca7db2b13dbc3bd160ac0cd953b831dba4b12ca300831d0f0ef4cc21521c996c513ad9b0

  • C:\Windows\{A7A33EE4-90E8-41ac-8C63-90FA459D47E6}.exe

    Filesize

    372KB

    MD5

    4ee883106c2bcd1dcdd4b791d359138b

    SHA1

    d78fda1e5170aed40d438af5ebdb41905e2d9357

    SHA256

    ad3889e5fd424f7d150e4ce301655cd9a3398427e8d7f6ff4892c6b3182c600f

    SHA512

    dd9b5a445965b5244205919937020b865e02a54e4d63ec13114eef951233602885adcec5fead5a48915b36ec25a21fd7b2ff0ee70273871b6f0b3d8406f18f57

  • C:\Windows\{BF50BA2F-E9F1-4d24-A3E8-CC438E0B8F56}.exe

    Filesize

    372KB

    MD5

    b38905dfbcf75d0b5a7bb6de539fdd01

    SHA1

    11000507b3ddae8c8bc181e908d3d4614d2e62cf

    SHA256

    62ba669a772ee54290a520f8c56f95ee01b4b025e49b3ead7db83717bbafe84b

    SHA512

    a6492641aa824afefe21120a56c54fc9e57a9cb8d731afc8eb4cfb5c9a7156d6f50a62ca0f52fbc8d9b61dfc3cd077bbf93029605ee3a3f381303bbef89f4d7f