Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 04:08

General

  • Target

    2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe

  • Size

    204KB

  • MD5

    d4afc190e704a99d43f851e26350a46c

  • SHA1

    a8e65951bdac9c4a5370f9f01a8c589d920bf9de

  • SHA256

    024f0fb8819514f1d7532a8e97a244e63af69a071d41455b5c1e712cf02f680f

  • SHA512

    c62a3a5b882a780bb7d4400dc02296870c9e4c90527970a3ee10065e81338581621ffbb47b12ca4f9f60f818703587d6645947851dcbf9486a39894a5fb90656

  • SSDEEP

    1536:1EGh0oWl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oWl1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe
      C:\Windows\{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe
        C:\Windows\{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Windows\{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe
          C:\Windows\{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Windows\{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe
            C:\Windows\{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\Windows\{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe
              C:\Windows\{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4712
              • C:\Windows\{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe
                C:\Windows\{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1020
                • C:\Windows\{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe
                  C:\Windows\{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:920
                  • C:\Windows\{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe
                    C:\Windows\{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3188
                    • C:\Windows\{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe
                      C:\Windows\{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2128
                      • C:\Windows\{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe
                        C:\Windows\{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:720
                        • C:\Windows\{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe
                          C:\Windows\{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:768
                          • C:\Windows\{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}.exe
                            C:\Windows\{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2028
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E57AE~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:5032
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C4D84~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1400
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F5F6~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1996
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{F2B04~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2112
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{60FC8~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3836
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{BAD71~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:224
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{07023~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:60
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9FEA7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4708
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{15E6A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0E7A7~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3036
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74013~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4744
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3364

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe

    Filesize

    204KB

    MD5

    f97666836f499ed4f32485c3fd465897

    SHA1

    16dbcbac26b00fbad5f2cb828b0c17f1ca5373f1

    SHA256

    d0e2d8db1209d5fc38ceba569ad21d0572f852a8b339960c2db093036d4ed66d

    SHA512

    1c106a47c9a563f325fcdca7e91ad70a5032a25fef5cb43760de556fc508c53d31ac36150f16188d2655a9cc35815121ab4fdc047b682792fdf66ab94dbf76bc

  • C:\Windows\{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe

    Filesize

    204KB

    MD5

    073adb3d7a796c3322ae83f7bc620b13

    SHA1

    369016e7408f13d17536e77519dd966d4f7bca19

    SHA256

    102668819e14c77280ef0266999d5c264bc83ef7be85a2d1cac7b1047e55b801

    SHA512

    0b700757bc9c98b67cc8b24d4b662de574dbb911d4d92d51c3b34380fc608b8015e16bc3e798405eca41949fda9cc0e74fb9fde4fcf579cc43bf0959d20620c1

  • C:\Windows\{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe

    Filesize

    204KB

    MD5

    5ffeb61256304534ade97776d665f4f6

    SHA1

    8b2221a612c80abda93ab3221608a1b0686f28bd

    SHA256

    351d13276ac701bdb5c8c978fa395c37a8bf7fb527ab343fef54e018a8b55603

    SHA512

    a2d9465bff21602f185b8a927d38b584a517c2daf302484aee0ef375b5115ba85b1028c8ef4385b46bd0b46c66c66a879b431c04e1b984bc57ae8c26efa703ee

  • C:\Windows\{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe

    Filesize

    204KB

    MD5

    9f1dcea78a325912c024bbde7783b6e4

    SHA1

    f626f9bbce23139062482fc3ba4e5ece12982fb5

    SHA256

    121c640328ccbe363cec064bd738e0df8de93899f40ce7f548ec8976a94e9ae8

    SHA512

    6afa8621000f8991a11e095cd57fd1113cfdfc90d12936952bb78df7774187e1f4330165d511f326ab581667c45492aa565f69918d8a91c9f2066a228d6e2fb2

  • C:\Windows\{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe

    Filesize

    204KB

    MD5

    65ce619013db3f7786d6a4b4051bba0d

    SHA1

    2c293e6eb19771955f9164089cf413bc739720c5

    SHA256

    f3c6fdd83d16b8278fafef89cd2e54f640d67c4cc52c42a289f7265321afb1fc

    SHA512

    b3b6776150c282fa2a369770a41767d51ff1744260dc342e22ddb605beea446ca7382d3ea25731017e14ab9ffa17750c82fda4737ca1c319c5fc4956f5164a96

  • C:\Windows\{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe

    Filesize

    204KB

    MD5

    74688fcaad20df2160a59f753a594431

    SHA1

    c68bd6f7eddbd50c87d33eefa8b412e0ef9aec08

    SHA256

    ed03449627e4bc5c5c9147594f5927d745fa06bf4d4ba0ea6d330ce05212f3c5

    SHA512

    0a09236314b86c9a86e72f39d5a405b569f73bce8fce4a2c0df1fbe09329ab1c425724bedb2e05d494a7d2f9e586966ae02a1a613ccf466d992ddb7e5f7e4c7f

  • C:\Windows\{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe

    Filesize

    204KB

    MD5

    1e26ecfd4d00f39456cb7614caccc50b

    SHA1

    daebf9692006f3b5ee703cb86718d36a23289c56

    SHA256

    f27d7a88d4af5ba70521f79b642ee9cdae24e765a5f23c9f67a3ab64ec260eba

    SHA512

    49172f6043354ff663a299cc35ee01a355e7d5dd8d64649f74f2e6eb0282fe60d3f55c3fae21a3350a0272c5a39af18e93737275411d0d87749ceb909c5c7927

  • C:\Windows\{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}.exe

    Filesize

    204KB

    MD5

    6ba2738164bb453bd5bbee0d3b0113d0

    SHA1

    9431b879fcc80373c00ccdbe45f3299a292e95eb

    SHA256

    79ac2ca75d1e50db2e2ac627b1d7b83b97312106154c733ed3001aaa9965e131

    SHA512

    6784694b0b417e2f60236736721c14c55e64b15229347c774e80a090559202196707cf2057fd0fd633893ce7093bfd5811cf2b4f7f61e3bd81bcc86a6bcae3b5

  • C:\Windows\{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe

    Filesize

    204KB

    MD5

    4a99dc5030d43099917b7fa2b1df17be

    SHA1

    ad354520a12b5e7e5254559ceb792664b32a9e1a

    SHA256

    320fe0f9ae9ee2ddd5d0b6e537c28f911cbe69380a560ef820a6814206c83917

    SHA512

    34c2f3d1801f9047719544d720cd0c346ea91462c2e6a1a3074932a09a987f91e604aae00a933547a82bc69b545d50f6b3f3104797161731f82dcbd9f16c623b

  • C:\Windows\{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe

    Filesize

    204KB

    MD5

    f3f925cde955bd2260131895a2a226f7

    SHA1

    3e20bcb836f692af14d1b1fa9b27b544d2a568c4

    SHA256

    a8fd62a1088644512ed49e23a51bb215cb3adeffdb6e86b043785e3af423e7f5

    SHA512

    6689533ac9fb3b60bb1c4edab258c2ef347e67daa8c8454ebfd42b3d93cf04814c9425fa0db6159b175074f0d5149d5142e80d7f7324378f130d71e9237d5faf

  • C:\Windows\{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe

    Filesize

    204KB

    MD5

    30b7845ea0764c0940f55586e2d9f815

    SHA1

    54856275578560363b980c9b4caa47168c448562

    SHA256

    e17b4b642d0abaaec29a0f83a35dcf022139f1e75ed024c2c05cd5f412905438

    SHA512

    91683900338f4661ca1347a9055ee79289fc730301a0dce44c9537a5b2d8f749784ddb91133d74e1c483bacf1f505d35bfe1f87fadea31cc2074cb38e82a17ba

  • C:\Windows\{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe

    Filesize

    204KB

    MD5

    b13c58d6c7215e48da03922efc5658af

    SHA1

    6fc2ffed880df900380d9b39f8b9582df2761c52

    SHA256

    51f3c8bc81d396f22fa95f0995699d30cf50afc1167dea24e9c985b5935023c5

    SHA512

    32458bf11b3f5e7c0fece419e73ad2b8bfefa10956dec4b29e699e78b44d3c6026df988541fab326133666d20a467ff1372b0b60f2032f9fa571a858e4c5163b