Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/09/2024, 09:55

General

  • Target

    2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe

  • Size

    344KB

  • MD5

    2c297e2d7380a850d177c72b49309376

  • SHA1

    3eb7ac98d2474f055081113ad2a1b25de40d70cc

  • SHA256

    214846b3d01e9b6452c1a815e41a9e2ac857cd5cdbc157279b228392e37bf9ab

  • SHA512

    767b9800f4a6800bdb9aa1c458ac16b1755f6cdf1cb673e448df10e0b4e94a338e4ac4eee77de2cf4a40822962efe332567e131e0b57c20df5b97e9109f482ee

  • SSDEEP

    3072:mEGh0oilEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe
      C:\Windows\{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe
        C:\Windows\{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\{2AD50289-E766-4706-B7AB-D904C36905D2}.exe
          C:\Windows\{2AD50289-E766-4706-B7AB-D904C36905D2}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe
            C:\Windows\{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:316
            • C:\Windows\{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe
              C:\Windows\{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2732
              • C:\Windows\{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe
                C:\Windows\{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2940
                • C:\Windows\{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe
                  C:\Windows\{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1136
                  • C:\Windows\{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe
                    C:\Windows\{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2076
                    • C:\Windows\{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe
                      C:\Windows\{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2156
                      • C:\Windows\{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe
                        C:\Windows\{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1936
                        • C:\Windows\{2140742D-40DE-4c74-8F23-D0DE4D9017E3}.exe
                          C:\Windows\{2140742D-40DE-4c74-8F23-D0DE4D9017E3}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1064
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A040C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2236
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F879D~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2208
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1F5D0~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2180
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{3D2A9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1908
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{6CB50~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:704
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{32290~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2892
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{00B92~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2200
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{2AD50~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1664F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEEEC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2064

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{00B920BD-5398-47b6-8469-EC5A6AC7D37D}.exe

    Filesize

    344KB

    MD5

    1776b617b15051849c6e1b2357c68f6f

    SHA1

    85a1fc639d71ddf7f48f04d56b8d98325d7d0925

    SHA256

    4d02c46db3380fa063c4e2826dc78c8bcdba1c2250e2adc02214f3ed30af908f

    SHA512

    276e528436886fb3847d97f38ef6a5713da00ccf1389546018bfe3df1d376028dbb8da945366c313b22ed4468558a4669ed7ac3a503af2b75895deaec96d83d4

  • C:\Windows\{1664F377-E597-4b80-BC96-87DAC589B7A4}.exe

    Filesize

    344KB

    MD5

    0a989f940fbd0fa285e3af42067cc940

    SHA1

    c83ba62f2cf19408ac5e6259b03bdd19c7408e21

    SHA256

    8c5e48a6b2760da97e33bceccce3b05b33a06beda8666a9d517a025afd3ca07f

    SHA512

    212906d18574c53ea55abfef9f28a1ca0a9ce5ead6d55d17b321b99d2df7c5f3c92ca2e8a1094e12dbef484e420a892324010d911fe543e163fa30a9833b239b

  • C:\Windows\{1F5D0998-6F9A-4381-90D9-1AE4136FF391}.exe

    Filesize

    344KB

    MD5

    1ed97d8ced89260145b5c1380df5d22b

    SHA1

    1cfd955b9bc1f5292e3dd1c4a59b0bb906c946e7

    SHA256

    9fd75b11f62a72824e026fb45e4558a239d648ee04bb935fa9fbadbc8387e4cf

    SHA512

    6e49fb5b42d63157caea975f28f2cb0d49ddea681c4dd1e6f0b75da7ed4f97a124db8a29c5ebcdb7b0eef85b1e4d41f8505711f6000de88395273dca4bb56e78

  • C:\Windows\{2140742D-40DE-4c74-8F23-D0DE4D9017E3}.exe

    Filesize

    344KB

    MD5

    3fcc83222082c79e1953223706200f98

    SHA1

    1877a01bf3c2f8c9bf26eb666ec976b379dc293d

    SHA256

    8a76460c4b84f66955b1656037b34591a5387cfe91b2fafb217e867770300f17

    SHA512

    456a5fff56f50789e36a9b639ac149936e23fb2584972fcc10ca364ddc9bebed7ab82ac8979dd51974aacdfffddc15fbc3ab09bf0b7ad3c7d8bfde9bab17155d

  • C:\Windows\{2AD50289-E766-4706-B7AB-D904C36905D2}.exe

    Filesize

    344KB

    MD5

    50367c5c0e9e936970ca7652df46afe2

    SHA1

    bd296ae4cc76e0c897d81e1ab4daf54e4f693d87

    SHA256

    a6118bf802debd42552a4eff7a65bb23f4c3a653d56d9b960fdbdb35b0f5f2d5

    SHA512

    4983019c866144ce8e8f3ff3b7d98e90a0ac1553f931abd58e888094e2b0ecbb3e15b3878cc780620d717fbb41e31a9edcd25deed5f8896ff1cdc6232da49225

  • C:\Windows\{32290A86-ABBF-487e-A39B-6CAD5C0B5CB4}.exe

    Filesize

    344KB

    MD5

    41b480b2c2419b0ac343241f730f6e22

    SHA1

    8510d8096ae1e5afbe51d733bfdb64dd11d7c33e

    SHA256

    df8866fe38e6f413cbc265177ca747108eb9ae676e67c852b09c3b845654f8ea

    SHA512

    980f663cdec0a4fc59d25168f3700a07c89dd6e14d7612b69f93bc664894991ff56c9117a666a4c7c8f38f04477d7066b013dc4445f0ebec56aca399840aae57

  • C:\Windows\{3D2A98DC-D15B-4e96-8515-AEAA88393B37}.exe

    Filesize

    344KB

    MD5

    6eeab3915dacf17f5f5b109b04a769a2

    SHA1

    e759992397309d6b6d778cd9429e1f56bb8a3d40

    SHA256

    c6512a0e76cf068a9f84c64508d32ee96acaa7cde405453bf6cdd30ffffd948a

    SHA512

    d38d587d617420bd94039b50f99550b46e8ec3d15ea9a2d5212eae1df2849d1d0b8ecd1b22529afad6a68a655392849a1b999fa4a3e422107f36ee9095d29548

  • C:\Windows\{6CB502F0-362C-4aec-8685-24868ECB1A24}.exe

    Filesize

    344KB

    MD5

    08ddce5404363637470fcd8eed36aad3

    SHA1

    ef99e83512a8c7891d398f7f1da437383e5be26e

    SHA256

    59c217f0a372f4cb17f9122bdbf7c81abb63c6d8126f56bb0eb5172b399ca93f

    SHA512

    5c1dd5fd1973df81c32fe08a12b455cd61b3a3b3861afb58e5daff4ab39b59e85cb9b87d297d727757fd0ff0698215d34ae498ecb73711928fee3897a1af8983

  • C:\Windows\{A040CC94-11ED-4a0e-9BE6-919A0857210A}.exe

    Filesize

    344KB

    MD5

    3893f3fb67ee5f76c647d63e640dd92a

    SHA1

    522aab293bf3c442df22154167ff554fd9a8dc17

    SHA256

    95e6f438da82d4359b88262d357c3ddc96814f20967ebe0515a752acd1de85b0

    SHA512

    4f61b9813b1ea92e8cc1e03c4265ee7e82b9d789c5a756a11904842a1716117379c74455b75c006db86dc6ac64e19e441d14a564e14824157922e6a27c4e6c7b

  • C:\Windows\{BEEECA5D-0490-4daa-A07E-71799998A4F6}.exe

    Filesize

    344KB

    MD5

    5cd361ce4054037b2eb3ecaf36aea003

    SHA1

    244ecb3abe0bb7e9bc2bc4f1ac4645c218e1aeaa

    SHA256

    324af09e77c9c6110feb75d794ee2292fd3a614d677f680fd79f57ef87948077

    SHA512

    c5c8dee5d6a58cff46c1d9cb9dc83a840c14d01d33e8d1e8afbfa2f11328abb2ddbe97e08c50895afa4cd55f89fbc6cee4eb0196a73c9abcae2b3e901a6d587e

  • C:\Windows\{F879DAD6-BD54-41c9-A111-BA99F40559F0}.exe

    Filesize

    344KB

    MD5

    a6299f01c0dd3d7df2f07ee74867f4dc

    SHA1

    d37c18f7429b0df4d321c8d41c2113f860121960

    SHA256

    1eb15273d43b92a3f9e1f2d6f96d6b96eeb281b59a3e85727fcb15f64976cb35

    SHA512

    3b52631951d481396c78a58021d94566c49826c556a76db5b0dc8b84b5b253ceccad91a8706e8522aaef267281f0941eaf88a9f0258d78980cb7b4f277fb864e