Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/09/2024, 09:55

General

  • Target
    2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe
  • Size
    344KB
  • MD5
    2c297e2d7380a850d177c72b49309376
  • SHA1
    3eb7ac98d2474f055081113ad2a1b25de40d70cc
  • SHA256
    214846b3d01e9b6452c1a815e41a9e2ac857cd5cdbc157279b228392e37bf9ab
  • SHA512
    767b9800f4a6800bdb9aa1c458ac16b1755f6cdf1cb673e448df10e0b4e94a338e4ac4eee77de2cf4a40822962efe332567e131e0b57c20df5b97e9109f482ee
  • SSDEEP
    3072:mEGh0oilEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-08_2c297e2d7380a850d177c72b49309376_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\{693FC4C6-12DF-43f6-929C-34A654FBD717}.exe
      C:\Windows\{693FC4C6-12DF-43f6-929C-34A654FBD717}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\{70A6AF7F-49ED-4485-BD51-CF0C7EB00D74}.exe
        C:\Windows\{70A6AF7F-49ED-4485-BD51-CF0C7EB00D74}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3348
        • C:\Windows\{9B3041AA-5A60-40c9-9943-5F6DD8CF3C12}.exe
          C:\Windows\{9B3041AA-5A60-40c9-9943-5F6DD8CF3C12}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3188
          • C:\Windows\{4608AECA-F055-4db0-9022-ABEC2D035489}.exe
            C:\Windows\{4608AECA-F055-4db0-9022-ABEC2D035489}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3172
            • C:\Windows\{A1C31546-7F1B-4d6d-A1CE-CD11B6FFF128}.exe
              C:\Windows\{A1C31546-7F1B-4d6d-A1CE-CD11B6FFF128}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4140
              • C:\Windows\{9D36C854-8BCD-4500-8EB6-6D71D6D2B0E1}.exe
                C:\Windows\{9D36C854-8BCD-4500-8EB6-6D71D6D2B0E1}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4440
                • C:\Windows\{3F788548-1BE0-4c3f-A914-0D71DA8307CE}.exe
                  C:\Windows\{3F788548-1BE0-4c3f-A914-0D71DA8307CE}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4340
                  • C:\Windows\{1B2FBA28-2498-478c-9B68-68CA26438CC1}.exe
                    C:\Windows\{1B2FBA28-2498-478c-9B68-68CA26438CC1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1648
                    • C:\Windows\{967FB916-887C-4364-B574-F37360F0839B}.exe
                      C:\Windows\{967FB916-887C-4364-B574-F37360F0839B}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4080
                      • C:\Windows\{3D526E35-CA62-4a3c-9B06-496B2EB769FD}.exe
                        C:\Windows\{3D526E35-CA62-4a3c-9B06-496B2EB769FD}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2172
                        • C:\Windows\{FE64CEC4-BBC8-41b4-BA8A-716D9FAB2F0E}.exe
                          C:\Windows\{FE64CEC4-BBC8-41b4-BA8A-716D9FAB2F0E}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:880
                          • C:\Windows\{FC5EAF79-6A0F-4fb7-BEE6-95A3515DA40B}.exe
                            C:\Windows\{FC5EAF79-6A0F-4fb7-BEE6-95A3515DA40B}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3792
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{FE64C~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2192
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3D526~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1628
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{967FB~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1948
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1B2FB~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4152
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{3F788~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:956
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{9D36C~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4328
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C31~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3416
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4608A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3004
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9B304~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{70A6A~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{693FC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5040
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4988

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1B2FBA28-2498-478c-9B68-68CA26438CC1}.exe

    Filesize

    344KB

  • C:\Windows\{3D526E35-CA62-4a3c-9B06-496B2EB769FD}.exe

    Filesize

    344KB

  • C:\Windows\{3F788548-1BE0-4c3f-A914-0D71DA8307CE}.exe

    Filesize

    344KB

  • C:\Windows\{4608AECA-F055-4db0-9022-ABEC2D035489}.exe

    Filesize

    344KB

  • C:\Windows\{693FC4C6-12DF-43f6-929C-34A654FBD717}.exe

    Filesize

    344KB

  • C:\Windows\{70A6AF7F-49ED-4485-BD51-CF0C7EB00D74}.exe

    Filesize

    344KB

  • C:\Windows\{967FB916-887C-4364-B574-F37360F0839B}.exe

    Filesize

    344KB

  • C:\Windows\{9B3041AA-5A60-40c9-9943-5F6DD8CF3C12}.exe

    Filesize

    344KB

  • C:\Windows\{9D36C854-8BCD-4500-8EB6-6D71D6D2B0E1}.exe

    Filesize

    344KB

  • C:\Windows\{A1C31546-7F1B-4d6d-A1CE-CD11B6FFF128}.exe

    Filesize

    344KB

  • C:\Windows\{FC5EAF79-6A0F-4fb7-BEE6-95A3515DA40B}.exe

    Filesize

    344KB

  • C:\Windows\{FE64CEC4-BBC8-41b4-BA8A-716D9FAB2F0E}.exe

    Filesize

    344KB
