Analysis

  • max time kernel
    149s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/09/2024, 03:54

General

  • Target

    2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe

  • Size

    408KB

  • MD5

    508e14c07b710e9f09a714899e20c7d3

  • SHA1

    706e0084d5303186cffbc27faf4b7f343fa3b341

  • SHA256

    4204727d562c1e6a328c40c693dfacc47ee5d92ad1dd3fb8e59966658bd77fa6

  • SHA512

    0677a59f17afd90030bb09a1e95217f673c9775e21679b356643b3af70332e15cfa2c249998f63592b6a595adca6b1c9f64d881ec67771ad1ea2123fd5ea229b

  • SSDEEP

    3072:CEGh0oel3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGEldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
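
The Active Setup signature above is the one persistence mechanism this report flags, so here is the check a responder would run on a suspect host: parse a `reg export` of the `Installed Components` keys from both hives, work out which stubs will fire at the next logon (HKCU key missing or with a lower Version), and flag stubs whose image lives outside the usual directories. This is an added example, not tria.ge's own code; the registry export, the two component GUIDs, their StubPath values and versions are all constructed for illustration (the report lists the Active Setup IoCs only by count), and the trusted-directory list is a triage heuristic, not an authoritative allowlist.

```python
r"""Hunt for Active Setup persistence in a registry export.

Active Setup runs the StubPath of each
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} once per
user at logon, whenever the matching HKCU key is missing or carries a lower
Version. Parsing a `reg export` of both hives therefore shows which stubs
will fire at the next logon and which of them point at unusual binaries.
"""
import re

# Constructed .reg-style export for illustration (not data from the report).
# Both GUIDs, the paths and the versions are made up.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A0000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="10,0,19041,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B0000000-0000-0000-0000-000000000002}]
"StubPath"="C:\\Windows\\{B0000000-0000-0000-0000-000000000002}.exe"
"Version"="1,0,0,0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{A0000000-0000-0000-0000-000000000001}]
"Version"="10,0,19041,1"
'''

KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Active Setup"
    r"\\Installed Components\\(\{[0-9A-Fa-f-]+\})\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Directories a StubPath is normally expected to run from. Anything else is
# worth a look; this is a triage heuristic, not proof of malice.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_active_setup(reg_text):
    """Return {hive: {guid: {value_name: value}}} for the Active Setup keys only."""
    hives = {"HKEY_LOCAL_MACHINE": {}, "HKEY_CURRENT_USER": {}}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            hive, guid = m.group(1).upper(), m.group(2).upper()
            current = hives[hive].setdefault(guid, {})
            continue
        if line.startswith("["):
            current = None  # some unrelated key: ignore its values
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            # .reg files escape backslashes inside string values
            current[v.group(1)] = v.group(2).replace("\\\\", "\\")
    return hives


def _version_tuple(text):
    """'10,0,19041,1' -> (10, 0, 19041, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.strip().isdigit() else 0 for p in text.split(","))


def pending_at_logon(hives):
    """GUIDs whose HKLM StubPath will run at this user's next logon."""
    out = []
    for guid, values in hives["HKEY_LOCAL_MACHINE"].items():
        if "StubPath" not in values:
            continue
        user = hives["HKEY_CURRENT_USER"].get(guid)
        machine_ver = _version_tuple(values.get("Version", "0"))
        if user is None or _version_tuple(user.get("Version", "0")) < machine_ver:
            out.append(guid)
    return sorted(out)


def stub_executable(stub_path):
    """First token of a StubPath (the image), honouring a quoted path."""
    s = stub_path.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]


def suspicious_stubs(hives):
    """HKLM components whose stub image lives outside TRUSTED_DIRS."""
    out = []
    for guid, values in hives["HKEY_LOCAL_MACHINE"].items():
        stub = values.get("StubPath")
        if stub and not stub_executable(stub).lower().startswith(TRUSTED_DIRS):
            out.append((guid, stub))
    return sorted(out)


if __name__ == "__main__":
    parsed = parse_active_setup(SAMPLE_REG_EXPORT)
    print("will run at next logon:", pending_at_logon(parsed))
    print("suspicious stubs:", suspicious_stubs(parsed))
```

On a live host the input is `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" hklm.reg` plus the HKCU equivalent for the user of interest (save as ASCII or decode the UTF-16 file before parsing). Remember that Active Setup is evaluated per user: a stub that has already run for one account is still pending for every other account on the machine.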

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Windows\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe
      C:\Windows\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe
        C:\Windows\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3532
        • C:\Windows\{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe
          C:\Windows\{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Windows\{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe
            C:\Windows\{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1908
            • C:\Windows\{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe
              C:\Windows\{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3964
              • C:\Windows\{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe
                C:\Windows\{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3416
                • C:\Windows\{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe
                  C:\Windows\{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2448
                  • C:\Windows\{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe
                    C:\Windows\{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4312
                    • C:\Windows\{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe
                      C:\Windows\{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3868
                      • C:\Windows\{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe
                        C:\Windows\{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3812
                        • C:\Windows\{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe
                          C:\Windows\{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1656
                          • C:\Windows\{B818FD3B-D67C-44e5-B12E-06532BA69EFB}.exe
                            C:\Windows\{B818FD3B-D67C-44e5-B12E-06532BA69EFB}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4384
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{77221~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3556
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A8676~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2316
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E0A3~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1396
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B703A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:5096
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7DBB~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4892
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD8B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1476
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5BC2B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4444
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{627D8~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1664
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DD37F~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AB724~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2192
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC19~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4840
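
The tree above repeats one pattern thirteen times: each stage drops a GUID-named executable in the Windows root, runs it, and then a `cmd.exe /c del <8.3 short name> > nul` child removes the parent's own image. The detection logic below, an added example rather than anything from tria.ge or the sample, runs over a handful of process-creation records taken from this tree and does the one step most endpoint rules skip: it maps the `del` target's 8.3 short name back to the parent's long file name so a self-delete is distinguished from an ordinary `del`. The event list is constructed from the report (root process, the first two stages and their cleanup shells) plus one benign deletion that must not fire; the parent PID 1000 and the benign command line are assumptions. The 8.3 model keeps only the six-character prefix and ignores the collision counter after the tilde, which is all that is needed for matching.

```python
r"""Detection logic for the dropper chain shown in the process tree above.

Each stage writes a GUID-named PE into the Windows root, runs it, and then
removes its own image with `cmd.exe /c del <8.3 short name> > nul`. Linking
the `del` target back to the parent's long file name is worked out here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's tree plus one benign cmd.exe deletion.
# PID 1000 is an assumed parent that is not in the report.
SAMPLE_EVENTS = [
    ProcEvent(4244, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe"'),
    ProcEvent(2332, 4244, r"C:\Windows\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe",
              r"C:\Windows\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe"),
    ProcEvent(3532, 2332, r"C:\Windows\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe",
              r"C:\Windows\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe"),
    ProcEvent(4840, 4244, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    ProcEvent(3368, 2332, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC19~1.EXE > nul"),
    ProcEvent(5555, 1000, r"C:\Windows\System32\cmd.exe",  # benign, must not fire
              r"cmd.exe /c del C:\Temp\old.log > nul"),
]

# A {GUID}.exe directly in the Windows root, as every stage in the tree is.
GUID_EXE_IN_WINDOWS_ROOT = re.compile(
    r"^C:\\Windows\\\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}\.exe$",
    re.IGNORECASE,
)
# `cmd.exe /c del <target> > nul`; targets with spaces are not handled.
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul", re.IGNORECASE)


def short_stem_prefix(long_stem):
    """First six 8.3-legal characters of the stem, upper-cased, plus '~'.

    NTFS builds a short name as <6 chars>~<n>.<3-char ext>; n depends on
    collisions in that directory, so only the prefix is compared. Spaces and
    extra dots are dropped as 8.3 does; other illegal characters (which
    become '_') are not modelled.
    """
    return "".join(c for c in long_stem if c not in " .")[:6].upper() + "~"


def refers_to_same_file(short_path, long_path):
    """True if a (possibly 8.3) path plausibly names the same file as long_path."""
    sdir, _, sname = short_path.rpartition("\\")
    ldir, _, lname = long_path.rpartition("\\")
    if sdir.lower() != ldir.lower():
        return False
    if sname.lower() == lname.lower():
        return True
    sstem, _, sext = sname.rpartition(".")
    lstem, _, lext = lname.rpartition(".")
    return (sext.lower() == lext[:3].lower()
            and sstem.upper().startswith(short_stem_prefix(lstem)))


def analyze(events):
    """Return (pid, rule) pairs for the two behaviours that make up the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if GUID_EXE_IN_WINDOWS_ROOT.match(e.image):
            findings.append((e.pid, "guid_named_exe_in_windows_root"))
        m = CMD_DEL.search(e.cmdline)
        if m and e.image.lower().endswith("\\cmd.exe"):
            parent = by_pid.get(e.ppid)
            if parent is not None and refers_to_same_file(m.group(1), parent.image):
                findings.append((e.pid, "parent_self_delete_via_cmd"))
    return findings


def chain_depth(events):
    """Length of the longest parent chain made only of GUID-named stages."""
    by_pid = {e.pid: e for e in events}
    best = 0
    for e in events:
        if not GUID_EXE_IN_WINDOWS_ROOT.match(e.image):
            continue
        depth, cur = 1, e
        while cur.ppid in by_pid and GUID_EXE_IN_WINDOWS_ROOT.match(by_pid[cur.ppid].image):
            depth, cur = depth + 1, by_pid[cur.ppid]
        best = max(best, depth)
    return best


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
    print("stage depth:", chain_depth(SAMPLE_EVENTS))
```

Two of the rules are cheap to run continuously on Sysmon or EDR telemetry (the GUID-in-Windows-root image and a `cmd.exe` child whose `del` target resolves to its parent's image); the chain depth is a triage aid for the analyst looking at the tree, not an alert condition. The deepest stage in this report (PID 4384) has no cleanup shell under it because the sandbox's 149 s kernel budget ran out, so a live host would show the chain continuing.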

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe

    Filesize

    408KB

    MD5

    c2013a34c60fdb100b6486be389fb610

    SHA1

    732071033d7e9cad4451bb7eb81808487cb4de0a

    SHA256

    2795b3fe9ed3b60a676fe5e83fef03aac13f660bac1cbb81bd0b6a7813544edf

    SHA512

    08bc9eeec227620ed4245c1ea4444ea6a8eb27adecf63f7e27e926c88c95ab96c6dc01c41f714b8f57f2ca0ea0e84d774ab3dd0add7c3a36e8143665e432ebba

  • C:\Windows\{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe

    Filesize

    408KB

    MD5

    20d256ac52dd388ac023d3b0fae029c1

    SHA1

    ecca2230ad4cf67ee84ee08d733ac61f9475e91d

    SHA256

    e250568ae17f5837ef02873b8fee5be19faeea7007068531033e543c20051fc4

    SHA512

    542390987fc7f31b7e6c6d9bab3ce6c53b4563dc27ad51c10abf3abcc9fb2bbfcb03476baccd45d873d8f87dbfe6dbe50bff1c03bd83d23f5a8897dd67259ade

  • C:\Windows\{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe

    Filesize

    408KB

    MD5

    cf0b25b28539899c260a3cd95501d5d0

    SHA1

    ec61540cfec99fb5d3226a60a10a45cce32a169e

    SHA256

    9d956afcc12061d4b70ee518233c241ea7c56ef599012cb80cbc9f216e207d54

    SHA512

    7f790e579f14b5003ade91f16e2625c5d24da6ac4c25a54d137d46f6059b3e68700c5ec7857923992aadaa8636e7d8ee5b1c5ef3fc6df93ea357db8ad1bf10a5

  • C:\Windows\{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe

    Filesize

    408KB

    MD5

    1e1f1e53c68bb1c6e227a8d3f4316072

    SHA1

    49556c75a68b8121507eb829f976d1cf00ff4c40

    SHA256

    51e7dffa3f446dd3784c439fced35364509f18cc0ba17efcd6e2d93b00ac8107

    SHA512

    a09dbe73a65139ef871685a3e66013a5b0ec9009664d9e4af6b414147d77efaf4f257cbf0027ce148bdc1b6b4ebdb3012f19207ece9b7315c394f03f9c8a3dd5

  • C:\Windows\{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe

    Filesize

    408KB

    MD5

    5b639485190521e35d18bca40c59b63e

    SHA1

    4a412d27ee125bef4d96d99f27cf7adb52381fbf

    SHA256

    b2d3063ca656dbc1c1bb9ac82a3762283e6b123631faea49b0a76fbb26d9c9a7

    SHA512

    5466aed1135eca0bffea2171f539eddb3ee567936ea06a27eb7c63920f58e6a24360362a1a7666a1b24c663be31e8e86a07ffae340e5765ee8396edb52405c7f

  • C:\Windows\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe

    Filesize

    408KB

    MD5

    0c49bf2039da325d550174715165996e

    SHA1

    99357fb7470d45834b0e180615adfd515bd16228

    SHA256

    81257806b35349a95206f8e021bb6688362234bcbd95f9530579e10ca36540db

    SHA512

    4a9543ce499ffc59e0a7c42f21653ba588336ead7cb8cee98ab48636a48a7a3ba80cdc287f7077478be6f8c7c40f4579a839ab4c43214b6c9025e2896884c6ce

  • C:\Windows\{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe

    Filesize

    408KB

    MD5

    67037c7f458d96d0f6f7b4dd41f2e3f1

    SHA1

    a417fad0209fcf41b650072e60593d87ad866049

    SHA256

    d5250099fbdc269ad10cd4246fa45e812b4b90a38d707d4d8d31c540a26416d1

    SHA512

    92d5f073bcb705bc2c32ce4f7ec0923cc93f6e685040ea6edd08882d59241925022d9039e287bb1dc99f4e663aeef407935b2900c70054aaeee19f64c548d841

  • C:\Windows\{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe

    Filesize

    408KB

    MD5

    e57ba4c9c372d7fa7c8807d3e740a53a

    SHA1

    7e066ecf0713351ac8e660cadbb3ad77be452fe3

    SHA256

    7f6ef31baad403d63ffcb693ac226cdf2929b47b0eb9b838ca1fdac5f6edfed8

    SHA512

    580ec3386b62de2125f39e5b91243dfb8741ad902f2d7649617f28e5f490499fac48e4844a20993c9ef25e3808db5f5d7bee215ad5facee146957d1ed79180fe

  • C:\Windows\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe

    Filesize

    408KB

    MD5

    5fa3e5f1920ddb6d4aed4699143c6ff0

    SHA1

    1f4529b3057e509056ead7eed1e27e62fdcc810b

    SHA256

    a497c34720b41ac0f5a57f3a3000bcc81df780a3b6f431e1cfa1ccd743aa08c6

    SHA512

    c583d0752b40cdb556dbb3319c75e8782324b760f89b0d806c67253c0e782332d936e6270167fa613a6c808b0ae57da0138c56e5e15e12d5195eb8be61f73af5

  • C:\Windows\{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe

    Filesize

    408KB

    MD5

    605e8c5545127b7bcdfe2bf4b41295d3

    SHA1

    35aa9300646fb76410dce975c573470f61e1acf1

    SHA256

    3fd2ba25f889cf0e4774863d136238a556e21792bfa8c9c22c298ed99e3b24d4

    SHA512

    95341685d8b71077c1bf04f80f206f851892df48c6448bddac4f8d66ee556ba2bae2038132ce723bb3516cc32bd298a482f7c4fb64dbcdf9be41f7997f82e6ca

  • C:\Windows\{B818FD3B-D67C-44e5-B12E-06532BA69EFB}.exe

    Filesize

    408KB

    MD5

    fed968815d753738380d62ea0114f8c7

    SHA1

    4a46db3fe3e6316877748251b0e1d902cff9aa19

    SHA256

    40ba37419d466921e3203035b449df230f1e6b97df9a2b9b435f3ad6f1927383

    SHA512

    fb1f5fe10f0c1ab7639799e2aa13b6cf101b7a805f9b60cc452f96cac7a96a4bc6feeef3e3c19be5b285fdd98d357eab528bffe87d57010c5fa3ede6ee6f9c60

  • C:\Windows\{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe

    Filesize

    408KB

    MD5

    e643de57062e0a985630b66ecfe5df53

    SHA1

    dab4fdc4fd55d2b3a4df4109b0c2be7c01f08737

    SHA256

    4f7d895a74b2db60ca3dba3ebcab3dbb2b7e26a35e14ae5f7d3e788a650bfb60

    SHA512

    acefd1d2c4af542d8a091973df20580521a7cae25d77d286b7a5ca85a48dbda9f1103b860dd6615e9959f54c5a3c6e2a06d04f077d572284da53dc67d35105c8