Analysis

  • max time kernel: 149s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07/09/2024, 06:50

General

  • Target: 2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe
  • Size: 197KB
  • MD5: 6659b4d686860a19e97f64334cfdc947
  • SHA1: 8a4dd78e983f60d4b191501af52ff39c9e6c0912
  • SHA256: 36715e9daea422ea0480c84d66839cdd2f98195e37e6f5d074ab921526354958
  • SHA512: 3dfadcfdab409cd1440d2cb8282ea28b064d197b9c3825e12b253867850580719e8aad3d26975f2807badf6fafccfa008562bba7c53f057437ad721597f21014
  • SSDEEP: 3072:jEGh0oKl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG0lEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-07_6659b4d686860a19e97f64334cfdc947_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Windows\{6EBD3EE0-22B4-46bd-A90A-D7CF8C4581CE}.exe
      C:\Windows\{6EBD3EE0-22B4-46bd-A90A-D7CF8C4581CE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4184
      • C:\Windows\{00BEC174-8E90-48d3-9C03-B60EE4546A09}.exe
        C:\Windows\{00BEC174-8E90-48d3-9C03-B60EE4546A09}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3168
        • C:\Windows\{0DE1F290-4852-4bf6-9E9D-B369B87EA8F3}.exe
          C:\Windows\{0DE1F290-4852-4bf6-9E9D-B369B87EA8F3}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1796
          • C:\Windows\{BDA503FE-DE46-48e7-8F50-F77A66E218E5}.exe
            C:\Windows\{BDA503FE-DE46-48e7-8F50-F77A66E218E5}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1532
            • C:\Windows\{A17E4094-B342-4d13-BFE7-D1BD711FE71A}.exe
              C:\Windows\{A17E4094-B342-4d13-BFE7-D1BD711FE71A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3212
              • C:\Windows\{4D78FD5E-E38A-4c37-B22E-A50E5873F309}.exe
                C:\Windows\{4D78FD5E-E38A-4c37-B22E-A50E5873F309}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1612
                • C:\Windows\{4A9DC782-9200-48da-BC87-8E7FAFCD0A79}.exe
                  C:\Windows\{4A9DC782-9200-48da-BC87-8E7FAFCD0A79}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3912
                  • C:\Windows\{4993A578-BFA9-4cd8-8353-4AB2F37B1C14}.exe
                    C:\Windows\{4993A578-BFA9-4cd8-8353-4AB2F37B1C14}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1108
                    • C:\Windows\{1862D74D-0051-4254-8B8E-62CF7BB43C86}.exe
                      C:\Windows\{1862D74D-0051-4254-8B8E-62CF7BB43C86}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3248
                      • C:\Windows\{C3E39815-3E00-4d6a-AF09-6D9492488AA8}.exe
                        C:\Windows\{C3E39815-3E00-4d6a-AF09-6D9492488AA8}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:392
                        • C:\Windows\{138AF4C4-A3C5-4c00-9CF2-590171FECC3B}.exe
                          C:\Windows\{138AF4C4-A3C5-4c00-9CF2-590171FECC3B}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4408
                          • C:\Windows\{FF637B9B-0248-4d97-9D8D-536AF3EA8058}.exe
                            C:\Windows\{FF637B9B-0248-4d97-9D8D-536AF3EA8058}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2260
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{138AF~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4392
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E39~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1132
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{1862D~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:228
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4993A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:208
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4A9DC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1052
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{4D78F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:740
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A17E4~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:728
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BDA50~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1932
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0DE1F~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4348
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{00BEC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2424
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EBD3~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5084
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{00BEC174-8E90-48d3-9C03-B60EE4546A09}.exe
    Filesize: 197KB
    MD5: 465d59643274baab78c3ac2c816c2b15
    SHA1: c34734b024c4b43502f277f555b839807e27d78e
    SHA256: 0ef6bd35395a8e87e707884458df29ae039e8433f115c35fb988b7f00596c7cc
    SHA512: f74e950d6e26289c5c50b1fea26d5896df4eb10b02290815a7706d8dd7ba7f9307a7f88409616bdee48f95e8fe8e4e45d97e4766b17a1a414bdb5482303b3b19

  • C:\Windows\{0DE1F290-4852-4bf6-9E9D-B369B87EA8F3}.exe
    Filesize: 197KB
    MD5: 598383d5f1e5560889dc484925ab5ce8
    SHA1: a88927a6385b3b92923380f0aa8966b82be854fd
    SHA256: ff4eee5679cc6b983c5fc58d0fb3cc76133f1c4a779e07bddd36b2bccb6bb9a2
    SHA512: 0b4fa5a1a3fa0be5f7c892fb0276e419a5c9a420e8f970614e13b02e1d3f901012c03d62044e6a5230f25958e62bdb68136e663221f0b4632b658de6d3b60569

  • C:\Windows\{138AF4C4-A3C5-4c00-9CF2-590171FECC3B}.exe
    Filesize: 197KB
    MD5: edf75837acf8897443e7908811710b02
    SHA1: 0556ec5a34bd84e1ce60796251f346216e39cf06
    SHA256: b59746ba278713d7e53415bb1bfb334477c3b5624a693a9c967f066fb048a842
    SHA512: 6e3e706fe66490bd11ff36e76be62f1aade894742c1c0fbdbf19735dd5f5ae807525ba6900f98ccd2d692eb765979f4205e4697a0f8f765cd38566502ad74861

  • C:\Windows\{1862D74D-0051-4254-8B8E-62CF7BB43C86}.exe
    Filesize: 197KB
    MD5: 12bd6e3eb8621d72f536b6ad7aef9e4b
    SHA1: 6b29bca0dd6cc3321b4da7bb478082fd72590810
    SHA256: a1e9df088cfb7a83f348f73a189f77227e7615305c5402b58bf077ab79598593
    SHA512: 750883b9cf2a12b42014f6c697a8a9e4e83cf4bb8a8a4686ba116556d4ad91d9ee98785502c61e29d0d5681d2b9630c8c55e9c669e2f88a594dc774a6614dac8

  • C:\Windows\{4993A578-BFA9-4cd8-8353-4AB2F37B1C14}.exe
    Filesize: 197KB
    MD5: 458ce0a53306e51a7e39272be0d380d8
    SHA1: 1073e29da04fe2fb7bc891cc074976b4a3e88874
    SHA256: 8238f359c167febfd07c347e0ae183e8b73112c5d25ec5f05c45f7a32b448e27
    SHA512: e891dd033a5c9ad277d0cd8f33d8ecba8338632edd74664bd0b3392befec7540ee7b5aa1f68d42f06844e37fc9fdae9665c63db1292d1c6fa1e849f30e9db613

  • C:\Windows\{4A9DC782-9200-48da-BC87-8E7FAFCD0A79}.exe
    Filesize: 197KB
    MD5: 67bd320fd3d5eff41e4f56a614cc9e26
    SHA1: da28ed8b0da25cbf2436e91ba12b0991c47ea683
    SHA256: 22d339c3feae435ce05411f4f2390b4ebcd60ddfc3c96f8f7424e65b44cdcc71
    SHA512: 571593fa34e417f540576a84bb5ecee2834067cd4c77311fbabd0bda14bfeb66922f92a0674d0fc4c35fe05bb95487426d6d855418ba712b1a4f04697cc058e5

  • C:\Windows\{4D78FD5E-E38A-4c37-B22E-A50E5873F309}.exe
    Filesize: 197KB
    MD5: aa682ae91bf7cef9b776af3b31dbade6
    SHA1: 0c73cb0b4c1f9f6b897f26e09baa4e70c072b49d
    SHA256: 4ab9e576cfc1740f818297e54aad57abdd305ef16a55ba5965fc20972be5b075
    SHA512: 2e9e22ec9a5d6868dff5fa955e456dd2ee21f4b8425b1e876c449d0a511343ffe6e6361faa8e7793cf0ae223f451a252d97064497f223c791b312110e6117285

  • C:\Windows\{6EBD3EE0-22B4-46bd-A90A-D7CF8C4581CE}.exe
    Filesize: 197KB
    MD5: 6737816cb6f90a787d0d1e0946f65550
    SHA1: 5e317e94af29220168838e83113ed271e8950573
    SHA256: 535c7eb48903f46ac66970eb502ce379aa0bfcf76eb1537276f6fe58bf8f10a1
    SHA512: 6c6b15a653f62a7b7b5833737370b9edc4915fd29761be3bfe26b9804648cffdea9ee3027c5e69460433f10e46761de304e5324fe06e1bfb2ee7c805bf82bb03

  • C:\Windows\{A17E4094-B342-4d13-BFE7-D1BD711FE71A}.exe
    Filesize: 197KB
    MD5: f0958b1895fa4cfd2ee86f49f8c0d67c
    SHA1: 823d0ad53ad3336207eeb296faa6df80cbd8e64c
    SHA256: 5ad9c60febfd7b28eba239be66e986db2fa5d9cd9a982e122ad1263b24a1d407
    SHA512: fa4781cf5e09587baab8a79561741962e12187141f439dc14d61463c00305ea95220788c604281eed9a5a5a3e3d173c426b62beb1b5b089fed206ddeaf63fda3

  • C:\Windows\{BDA503FE-DE46-48e7-8F50-F77A66E218E5}.exe
    Filesize: 197KB
    MD5: e6703624d18c2eba70a0fa6cf0f281af
    SHA1: 48bcd0e4befcc9b940095d1ae659aab47d2af6f5
    SHA256: ff32bdad14fb757327e295ac7e5cbe17c52404f3d66cee4de21341edcab1c460
    SHA512: 2db372e67de42bab1b14ccd8ee93199ba610ebc03438dfa85a1c973967ef8db185ead66cec4f54be6626be8cdbc2c2ea643030427a1200f992e69190d2bc6c5f

  • C:\Windows\{C3E39815-3E00-4d6a-AF09-6D9492488AA8}.exe
    Filesize: 197KB
    MD5: 7c9cd562c7708f26f28587b615a3208e
    SHA1: 14ab68f482f69c5da869eaea0cc9824431779e05
    SHA256: deaa231fd38f69506329a6b8edc1e39eaa5d109129565487641a12bb3b8cdd77
    SHA512: 140b4532417344c98d48b5030569963630f2f58d37921cd3280d9ae34828ae65ebf9131cab15e5cf9bec334f0eac9a03918fc358653a58d23973a1293cccb13a

  • C:\Windows\{FF637B9B-0248-4d97-9D8D-536AF3EA8058}.exe
    Filesize: 197KB
    MD5: 1fa530f1dac86c5af684f7f96ba866a0
    SHA1: 40f784ed8dfd61dcbb4f696b2f61b5655bb21352
    SHA256: 23a4dafed79f62b1a47d8863867f4474c369793c731ee388b0c55e467973aecc
    SHA512: 0e9231bc23aea81ef5f440be9aa246d1af47e0065af94fbd9632c234f2b49c4309ea850d666697f141de424e0dabaa748118267e106ea95a94f20982346dabc2