Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    05/09/2024, 10:17

General

  • Target

    2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe

  • Size

    380KB

  • MD5

    cca048eb7b923d08382dc52a055590c1

  • SHA1

    6befe52eceebe91da7eb228848310ff10386c3ef

  • SHA256

    51501a3547efdd6fd1c136dab628609cec269649b0dc73b69ba968b5ca6c57b2

  • SHA512

    ce66a497b9e45e7d06f9dfa417ee89221f2d13a37e9e96014e4f6dd3de24ec8630bd5e218c820c8354dfacd4af8a53dd66e4644003ebe3deb1c65b238d3a562d

  • SSDEEP

    3072:mEGh0oflPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
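The Active Setup signature above says only that a key was added; the report does not list the values written. What makes the technique work is Windows' logon-time comparison: every HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} subkey is checked against the same subkey under HKCU, and if the HKCU copy is missing or carries a lower Version, the HKLM StubPath command runs in the user's context. The following script is an added example, not tria.ge's code and not derived from the sample: it parses a constructed .reg export of both hives, works out which stubs would fire at the next logon, and flags any whose command launches a GUID-named executable dropped straight into C:\Windows, the naming pattern seen in this report's process tree. The GUIDs, stub commands and version numbers in SAMPLE_REG are all made up for the example.

```python
r"""Decide which Active Setup StubPath commands would run at a user's next logon.

Windows behaviour modelled here: at logon each HKLM\...\Installed Components\{GUID}
subkey is compared with its HKCU counterpart; the HKLM StubPath runs when the HKCU
copy is absent or has a lower Version, unless IsInstalled is 0.
"""
import re

ACTIVE_SETUP = r"software\microsoft\active setup\installed components"

# StubPath launching a GUID-named exe dropped directly into C:\Windows.
GUID_EXE_IN_WINDOWS = re.compile(r"^c:\\windows\\\{[0-9a-f-]{36}\}\.exe", re.I)

KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\]$")
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-f]{8})$', re.I)


def parse_reg_export(text: str) -> dict:
    """Parse a minimal .reg export into {(hive, subkey_lowercase): {value_name: data}}."""
    keys: dict = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            cur = keys.setdefault((m[1], m[2].lower()), {})
            continue
        if cur is None or not line:
            continue
        m = STR_RE.match(line)
        if m:
            # .reg files escape backslashes inside REG_SZ data as "\\".
            cur[m["name"]] = m["val"].replace("\\\\", "\\")
            continue
        m = DWORD_RE.match(line)
        if m:
            cur[m["name"]] = int(m["val"], 16)
    return keys


def version_tuple(v) -> tuple:
    """Active Setup Version data is a comma-separated integer list, e.g. "1,0,0,0"."""
    try:
        return tuple(int(x) for x in v.split(","))
    except (AttributeError, ValueError):
        return (0,)


def pending_stubs(keys: dict) -> list:
    """[(guid, stubpath)] that Active Setup would execute for this user at next logon."""
    out = []
    for (hive, subkey), vals in keys.items():
        if hive != "HKEY_LOCAL_MACHINE" or not subkey.startswith(ACTIVE_SETUP + "\\"):
            continue
        guid = subkey[len(ACTIVE_SETUP) + 1:]
        stub = vals.get("StubPath")
        if not stub or vals.get("IsInstalled", 1) == 0:
            continue
        user = keys.get(("HKEY_CURRENT_USER", subkey))
        if user is None or version_tuple(vals.get("Version")) > version_tuple(user.get("Version")):
            out.append((guid, stub))
    return out


def suspicious_stubs(keys: dict) -> list:
    """Pending stubs whose command starts a GUID-named exe living in C:\\Windows."""
    return [(g, s) for g, s in pending_stubs(keys) if GUID_EXE_IN_WINDOWS.match(s)]


# Constructed registry export (GUIDs and commands invented for this example):
# first key mimics the dropper's naming scheme and has no HKCU copy (will run);
# second is a benign component whose HKLM version outranks HKCU (will run);
# third is disabled via IsInstalled=0 (will not run).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\{11111111-2222-3333-4444-555555555555}.exe"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="2,0,0,0"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{99999999-9999-9999-9999-999999999999}]
"StubPath"="C:\\Windows\\system32\\ie4uinit.exe -UserConfig"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Version"="1,0,0,0"
"""

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    for guid, stub in pending_stubs(keys):
        flag = "SUSPICIOUS" if GUID_EXE_IN_WINDOWS.match(stub) else "pending"
        print(f"{flag:10} {guid} -> {stub}")
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" hklm.reg` and the HKCU equivalent produce the input; reg.exe writes UTF-16 with a BOM, so decode with `utf-16` before passing the text in. Subkey names are lower-cased while parsing, so the GUIDs in the output are lower-cased too.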

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe
      C:\Windows\{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3456
      • C:\Windows\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe
        C:\Windows\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4116
        • C:\Windows\{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe
          C:\Windows\{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:680
          • C:\Windows\{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe
            C:\Windows\{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4728
            • C:\Windows\{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe
              C:\Windows\{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3464
              • C:\Windows\{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe
                C:\Windows\{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4376
                • C:\Windows\{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe
                  C:\Windows\{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2268
                  • C:\Windows\{404F839C-1092-4c23-8465-D73F5D722AEA}.exe
                    C:\Windows\{404F839C-1092-4c23-8465-D73F5D722AEA}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1872
                    • C:\Windows\{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe
                      C:\Windows\{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2240
                      • C:\Windows\{5AC607E5-3593-441d-85A5-0527E536F93E}.exe
                        C:\Windows\{5AC607E5-3593-441d-85A5-0527E536F93E}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:460
                        • C:\Windows\{0B433F96-3EA7-4726-9320-86E3019E786B}.exe
                          C:\Windows\{0B433F96-3EA7-4726-9320-86E3019E786B}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2052
                          • C:\Windows\{667F8F8A-903A-4417-B1B3-07442D0EE1A1}.exe
                            C:\Windows\{667F8F8A-903A-4417-B1B3-07442D0EE1A1}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2656
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0B433~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2664
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5AC60~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2548
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5362~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1040
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{404F8~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1956
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{920FC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3868
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{FA4E7~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1256
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0CB76~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4380
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{5EB11~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3860
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{EF693~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AD5BC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4888
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{085A3~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1564
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3224
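The tree above repeats one pattern thirteen times: a 380 KB executable named C:\Windows\{GUID}.exe starts the next GUID-named executable and a cmd.exe that deletes the previous stage by its 8.3 short name (`del C:\Windows\{085A3~1.EXE`), the first stage deleting the original sample in Temp the same way. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names system32, which is file-system redirection for a 32-bit parent (the resource tags list arch:x86). The script below is an added example, not tria.ge's code and not derived from the sample: it runs that detection over process-creation events transcribed from the first three stages of this tree, resolves the short-name `del` target back to the parent's image, and reconstructs the dropper chain. The 8.3 matching is a simplification of Windows' rules, and the last event is a constructed negative control with an invented pid.

```python
r"""Detect the drop-execute-delete chain from process-creation events.

Checks per event: (1) a C:\Windows\{GUID}.exe child of the current stage, giving the
dropper chain; (2) a cmd.exe child whose "del" target is the 8.3 short name of its
parent's own image, i.e. self-deletion of the previous stage.
"""
import re
from dataclasses import dataclass
from typing import Optional

# C:\Windows\{GUID}.exe, the naming pattern of every dropped stage in the report.
GUID_EXE_RE = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I
)
# "cmd.exe /c del <path> > nul" as used by each stage to remove its parent.
DEL_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>[^\s>]+)", re.I)
# 8.3 short file name: up to six stem characters, "~N", up to three extension characters.
SHORT_RE = re.compile(r"^(?P<stem>.{1,6})~\d+\.(?P<ext>[^.]{1,3})$")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str     # executable actually mapped (SysWOW64\cmd.exe under a 32-bit parent)
    cmdline: str   # command line as logged


def _split(path: str) -> tuple[str, str]:
    """Lower-case (directory, file name) of a Windows path."""
    d, _, name = path.lower().rpartition("\\")
    return d, name


def short_name_refers_to(short_path: str, long_path: str) -> bool:
    r"""True if an 8.3 path such as C:\Windows\{085A3~1.EXE can denote long_path.

    Simplified 8.3 generation: spaces, extra periods and a few 8.3-illegal
    punctuation characters are dropped from the long stem, its first six
    characters are kept and "~N" appended; the extension is cut to three
    characters. The numeric suffix is not checked because it depends on what
    else already existed in the directory.
    """
    sdir, sname = _split(short_path)
    ldir, lname = _split(long_path)
    if sdir != ldir:
        return False
    m = SHORT_RE.match(sname)
    if not m:
        return False
    lstem, _, lext = lname.rpartition(".")
    lstem = re.sub(r"[ .+,;=\[\]]", "", lstem)
    return lstem[:6] == m["stem"] and lext[:3] == m["ext"]


def find_self_deletions(events: list[ProcEvent]) -> list[tuple[int, int]]:
    """(cmd_pid, parent_pid) for every cmd.exe whose del target is its parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid) if m else None
        if parent is None:
            continue
        target = m["target"]
        if target.lower() == parent.image.lower() or short_name_refers_to(target, parent.image):
            hits.append((e.pid, parent.pid))
    return hits


def dropper_chain(events: list[ProcEvent], root_pid: int) -> list[int]:
    """Follow root -> C:\\Windows\\{GUID}.exe child -> its GUID-named child -> ... and return the pids."""
    children: dict = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    chain, cur = [root_pid], root_pid
    while True:
        nxt = [c for c in children.get(cur, []) if GUID_EXE_RE.match(c.image)]
        if not nxt:
            return chain
        cur = nxt[0].pid
        chain.append(cur)


# Events transcribed from the report's process tree (first three stages); the final
# event is a constructed negative control whose del target is not its parent's image.
SAMPLE_EVENTS = [
    ProcEvent(4820, None, r"C:\Users\Admin\AppData\Local\Temp\2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe"'),
    ProcEvent(3456, 4820, r"C:\Windows\{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe", r"C:\Windows\{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe"),
    ProcEvent(3224, 4820, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(4116, 3456, r"C:\Windows\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe", r"C:\Windows\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe"),
    ProcEvent(1564, 3456, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{085A3~1.EXE > nul"),
    ProcEvent(680, 4116, r"C:\Windows\{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe", r"C:\Windows\{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe"),
    ProcEvent(4888, 4116, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Windows\{AD5BC~1.EXE > nul"),
    ProcEvent(9999, 4116, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\scratch.tmp > nul"),
]

if __name__ == "__main__":
    print("dropper chain:", " -> ".join(map(str, dropper_chain(SAMPLE_EVENTS, 4820))))
    for cmd_pid, parent_pid in find_self_deletions(SAMPLE_EVENTS):
        print(f"pid {cmd_pid} deletes the image of its parent pid {parent_pid}")
```

The same two checks translate directly to Sysmon Event ID 1 or EDR process telemetry: join each cmd.exe event to its parent on ProcessId/ParentProcessId, and treat a `del` whose target resolves to the parent's own Image as a self-deletion indicator rather than relying on the literal GUID file names, which differ per run.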

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe

    Filesize

    380KB

    MD5

    8c58bbd7af19166afa5667aebe7483e9

    SHA1

    68100c6b2f2c33a626ef0d81ecc2c2a6d69c085c

    SHA256

    c0e841aacd5e54e4b9e558761073529a745057b24d19173402e84a2841ec8262

    SHA512

    740727e513efb37ec8ec2884ee77903ff12c4c7dec641e1963426bc014c0def002a62abd97a0d5e3370d25c4cd0e4583d3188440105db92f3950028460775016

  • C:\Windows\{0B433F96-3EA7-4726-9320-86E3019E786B}.exe

    Filesize

    380KB

    MD5

    e57f542f76344c8eb844397a6abd5262

    SHA1

    6765d6a886d31331682283096b8efbfc5391ccd8

    SHA256

    f1efeabd41e5b53b06f88d8fd6e821e84c5b6781db7b4db7f55f539c41d3ffb9

    SHA512

    ecfb80abd2e69f7c5fb79beb414465cc043cb25c5b309ff3a7e89cfdde6b836451105470ecb197a2033db8e8cbfdb81911eb804badb3c0a2936c486326f6613a

  • C:\Windows\{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe

    Filesize

    380KB

    MD5

    0571309f13b88e50ad0e09c9bebc9928

    SHA1

    e6cf1f4beb97ed3653ab341e42a07627ea02fe2c

    SHA256

    fece895b55ff60c953d79ecc4469e4d523007bf888cff123dc6b247c88401190

    SHA512

    3f227a8ab6d60ab22c1c2386e05471b3a1a2413e3f841f788e9323814aefd9cbcd1414463c371756bbc287caa7f1d7712f27a3ba4bf9b8a214b9c73f35cb406e

  • C:\Windows\{404F839C-1092-4c23-8465-D73F5D722AEA}.exe

    Filesize

    380KB

    MD5

    6fef675977306d8e0f9c4c5fcde2a5d0

    SHA1

    572c5e9d9e4c1fde2a25da57ecc75471d2d31f93

    SHA256

    f174feecf73590ed40ead87d2633bbbae0e8f9cfadf3e4950d73e3c271382c4b

    SHA512

    907f2b13dc105e86a919c06d40d2f0be503e9381b51c4aa67bcdbdac485cb9a1f65ac1bfbb36b429344907e006d65a49dd78d7844714f0cc1d09d627ddf092ee

  • C:\Windows\{5AC607E5-3593-441d-85A5-0527E536F93E}.exe

    Filesize

    380KB

    MD5

    0588e7875558923f2a91c43a221f94d0

    SHA1

    1aaea9fb2616d5c4dbe3c19108071795533412d1

    SHA256

    b2b22386b0b8e6ac947aab379ae399860e33787758ea8bb28d1dd12bb998bb19

    SHA512

    c659b2728caee12cb51f575d9facb9d70c36fffbacf58f130b1140f9e0eaee206a026e758c04dc1d00ca650058208febf3530bd29d89e7b2967df6c33b9af84d

  • C:\Windows\{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe

    Filesize

    380KB

    MD5

    6563d7539d7eea3925ab7d9b55e0550f

    SHA1

    54a465ee97eed786c2e6af3bd0823d2faa8a4810

    SHA256

    f1393a296fc715165bc97028dc4cac734e144494179338823e27f3c0045a6e58

    SHA512

    aafc6f98e1b80e756cb473abfdd9b100755393fe42411571fb0a540c6b96f3d37d2a3350e7ea2eec44fb635b969d0f3c2acde57c2b73110635d8a2d360ae6115

  • C:\Windows\{667F8F8A-903A-4417-B1B3-07442D0EE1A1}.exe

    Filesize

    380KB

    MD5

    8b78106a4f80842a7b84bbefb1ad066c

    SHA1

    d8eec38b6f663116ad9f18a46b6a923fdc175ac4

    SHA256

    f1554fbd08afe98c2b130043c08e56a84fe81a05513f86354efd8828d41efa2a

    SHA512

    a660247fb08ff592e114828502ad39df49cddca4bfde72a97ff776de0c47d78d4dc0a03d74f2645c37077176bd4e7e0523e3209c924a1e1495770928486a6f8c

  • C:\Windows\{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe

    Filesize

    380KB

    MD5

    9671cfa6eff503c9188956c051d0bc34

    SHA1

    9d42b39d846a8b8c1403cf54e90ba6d3a8fcf29d

    SHA256

    a099054d1f446eaf3c7c947f8e973f3da8a0253235be1ccead3586eb9b7e662a

    SHA512

    9b585d0fb68306d51d5e0c8ae1bffa81bfc70ecf9eb8430e36d1ee954c13c16cdebd31d9b2e456ac2f56896dbc1ef25074c539308f95b9207af173c48f1cedcb

  • C:\Windows\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe

    Filesize

    380KB

    MD5

    4007c731e535aeefb0658cb375af5cf8

    SHA1

    2393fb434aa5aa40ef9cbde9577cc3b4aa1cdfe0

    SHA256

    a1b15c507abedc1f04c967b06c49862ea6abd00435f44991847ff115d741a709

    SHA512

    3f13589ef7279a68c4bf28695e0e711f176b85f0778894f48cba4768ce7fce0216379eeae6ed783ae5ec52504d9558bc9b200dc2c8ba02b2d074d474dbe753f8

  • C:\Windows\{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe

    Filesize

    380KB

    MD5

    d975394e30a5266c2ff2b3c558493dc5

    SHA1

    2ba297d874e21698ca00a75299c11f251955e345

    SHA256

    ee350f6650b62262ba7315f575b5701f4061814af422608795cb1488d26e87aa

    SHA512

    cf666f674764969685e6c3aba232212ae0fce32cd508a3a2f0e1101332a0cf703038c14c847691dd10ecf9620d4b487bbfd005f41799962ad2a0e00ff7c53c4e

  • C:\Windows\{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe

    Filesize

    380KB

    MD5

    d9cbd746e5ac2779ab79956aaa4078ee

    SHA1

    e4a1f98536ce1ee1a270309d5aff114d567fb1c7

    SHA256

    919b3c7a393b8937d533c19f98de9d5329486c79f523926dada35592ad50f455

    SHA512

    813261ddac0e97b7979014ace5e56d0f475f0064b95730fed5be0f9c728d918f300a84442fbd526f0ccc15b793523d00688e355fa6bf00ce0e6b164ea0d0e23b

  • C:\Windows\{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe

    Filesize

    380KB

    MD5

    6592fdf4316845bf853ce6c11290241c

    SHA1

    15d8cbbf9b1f394fd3acf9c33e3954f1feafe746

    SHA256

    06ae07086b4edc2fafe0d24300d697832f4b3a2c8c37f4d752bee02e5aa16027

    SHA512

    ff21413943337830d00f29c114e3b68bda3dfb398247563219f668df78691c5cfe743da189cabeacd418829546760a9c6ab55034500079bfe5d50fe8f6f85ad9