Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/09/2024, 15:44

General

  • Target

    2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe

  • Size

    344KB

  • MD5

    0ad4df4fc60c40557469a213b08ba0f4

  • SHA1

    96f810963d366e518c804f809ecebb63c0ea84e7

  • SHA256

    99c871a97771fc8fd32ef992daabf1196b32ff4cf858e3810cb5f8c7c03d9b68

  • SHA512

    1423ee3c224f998072265fed5afc21f893fe8df08710e4fd6dd92cf0f70bb520236f6279fbf1b5f300b4bc5eeca66219df1ccfd0f5b787e8971a77ea82adb348

  • SSDEEP

    3072:mEGh0oRqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEc:mEGXqlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\{D060CA7E-ABE7-4efc-BEC0-9A354B8893B9}.exe
      C:\Windows\{D060CA7E-ABE7-4efc-BEC0-9A354B8893B9}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\{9C5CF57E-D4E1-4ddb-B5BA-34E96A586336}.exe
        C:\Windows\{9C5CF57E-D4E1-4ddb-B5BA-34E96A586336}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\{3C388867-9AC6-4f0c-8D66-BF5FA835CFF7}.exe
          C:\Windows\{3C388867-9AC6-4f0c-8D66-BF5FA835CFF7}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2988
          • C:\Windows\{270A0BFF-94C2-4168-9F42-225E6F5CE5CA}.exe
            C:\Windows\{270A0BFF-94C2-4168-9F42-225E6F5CE5CA}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:572
            • C:\Windows\{E2140B58-10F5-41af-BB51-1C21D116EF23}.exe
              C:\Windows\{E2140B58-10F5-41af-BB51-1C21D116EF23}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2792
              • C:\Windows\{272145B7-B844-4050-9EAD-2E0D2EF6F5B9}.exe
                C:\Windows\{272145B7-B844-4050-9EAD-2E0D2EF6F5B9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2012
                • C:\Windows\{0A1379A1-DF92-49a1-9121-995B643AAD17}.exe
                  C:\Windows\{0A1379A1-DF92-49a1-9121-995B643AAD17}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1928
                  • C:\Windows\{021A6AD2-FC6D-4382-9ECD-90C83605498F}.exe
                    C:\Windows\{021A6AD2-FC6D-4382-9ECD-90C83605498F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2688
                    • C:\Windows\{412C12BA-2717-4b35-B39E-FB9620033482}.exe
                      C:\Windows\{412C12BA-2717-4b35-B39E-FB9620033482}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1876
                      • C:\Windows\{0063268F-2024-4895-8A2D-2AC68D219BA9}.exe
                        C:\Windows\{0063268F-2024-4895-8A2D-2AC68D219BA9}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1588
                        • C:\Windows\{85331537-E4C7-49b1-802C-0119664783EE}.exe
                          C:\Windows\{85331537-E4C7-49b1-802C-0119664783EE}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2112
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{00632~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1108
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{412C1~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:904
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{021A6~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:344
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A137~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1748
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{27214~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1916
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E2140~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1704
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{270A0~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2796
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3C388~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1408
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9C5CF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2996
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D060C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0063268F-2024-4895-8A2D-2AC68D219BA9}.exe

    Filesize

    344KB

    MD5

    8f1a3fb48b4d0ab20855c0a451baf1b8

    SHA1

    142375388013a4d9316c6fc74fd7c5c370182bc3

    SHA256

    ebbf172e7e223750ab2b8a63f03a554990c83bbf65816b7d1d8cde3a91028659

    SHA512

    8e5429072c5fc5657ed9b3f16f68b539313c81bdd7d7eed73246070decc330129070d2207b88bc368f0322225e7054f8ee85bcd4ac7223eec97cf55502b64f5f

  • C:\Windows\{021A6AD2-FC6D-4382-9ECD-90C83605498F}.exe

    Filesize

    344KB

    MD5

    d329dbd1d411e08328f453b365ce79b4

    SHA1

    6f2529e6b5342a960efd66869f78807fcb499467

    SHA256

    0087c0648109e38ce2f381ca7ffaadd429ec78118da5583c41bd1367b7c44ebb

    SHA512

    d786246c58eedd8784706b356104abfd09625fa41293fba36584c6d2cebe0fbe7dbdbcee5933b7859868d57ea86f83439667292f556e2c4cc8e14f728d2d7a85

  • C:\Windows\{0A1379A1-DF92-49a1-9121-995B643AAD17}.exe

    Filesize

    344KB

    MD5

    05f42160f32c09f901d133a123595223

    SHA1

    6f7ab61a6d7af4a0276c1cef4931e89587bdcc30

    SHA256

    dce6a7746c8be501eb2fe4182070065e80a0f70f145600158e1e38ef88cd1fdf

    SHA512

    1efdf2347b965b8e07ef2c1a88f2b2f9dd7758981d81a864615b3c7b36dc617f3d3552f1db4e554df066ac1efe7d378ee387c5d08cebdf9d58010f8004a8fb08

  • C:\Windows\{270A0BFF-94C2-4168-9F42-225E6F5CE5CA}.exe

    Filesize

    344KB

    MD5

    29646f948022999686d668f42741dcff

    SHA1

    7c59f9d52d4f063c12f40f30939c157a386dd429

    SHA256

    b09d35b000cd75b1f389974b49b612e6fe07c7332f7f2ffca08c712fe0c19249

    SHA512

    384669a56cbf57bb6ac060ee26c46787c15b8fbdbbedc97930911a36352b7620e56742e6f44f1c10e272c3583de159103e80b1a92eae7079c3d17e0879483fbb

  • C:\Windows\{272145B7-B844-4050-9EAD-2E0D2EF6F5B9}.exe

    Filesize

    344KB

    MD5

    14f02a30da0864549ad667ef009396c7

    SHA1

    c28036246020671ebeb3a7c5d09cf74e6c94294c

    SHA256

    e2c28c363023fd0d6b431b8c0c955543c7c84885624e44893d035646bc03d94c

    SHA512

    e23c96ca786b3d1a055a1bec17105f9de3fd1f1dd6299ff1ca92da2e06964d25b9ce16942459e174a63b5a227c1869288cb380f45895196fb5d93dea3bd5eb6b

  • C:\Windows\{3C388867-9AC6-4f0c-8D66-BF5FA835CFF7}.exe

    Filesize

    344KB

    MD5

    c7b59ddad1b6189506e7b86db8686aa7

    SHA1

    716f88133e1e1733df9633aa04ae2c588ada453b

    SHA256

    41a8302dc2718147333b38c0ff7d729f1de76ab0590d7d28cd1bd126e8e19947

    SHA512

    3f462cdbe4a282ed19fd3e6810d81cb4bee2c8ef345bf796d0671d79ee1e58937a9fda84c843862d060a52604d54004546cf4e03011eb6ab555e15a83b1f9541

  • C:\Windows\{412C12BA-2717-4b35-B39E-FB9620033482}.exe

    Filesize

    344KB

    MD5

    e371d4d25ec0bfe4139751b7fcf7577c

    SHA1

    f8e2b928f2b6f2351342d3f422ec54f735459a2f

    SHA256

    fba1fcbca20c4f54f39e183b89cfc4b8b24ba77df48996c78bece42d8ea893c6

    SHA512

    5a16583bd96f24815f0597293b246ee637bc7789114d58d3028af5ccad192e8e326b9cb00b3a6f400f5b38eb3f9c609f4ff64818bb4bba3bfac22cd2de863737

  • C:\Windows\{85331537-E4C7-49b1-802C-0119664783EE}.exe

    Filesize

    344KB

    MD5

    bc2b8c58815421755a9d81473498d45c

    SHA1

    ca1805140fff1a3f998b3ca1adc36caae5b03d19

    SHA256

    12d744e357e3361c815388c5cded424041d797e2025f63f49dd7d78231980667

    SHA512

    7e1038a648a649e835745db2d1628c6e72aac8c1ba52cc24af2e8007e05d63e210200362ec6c16acdb74e1c1d435646dd7d855e7387364e048df7f74cfe3d331

  • C:\Windows\{9C5CF57E-D4E1-4ddb-B5BA-34E96A586336}.exe

    Filesize

    344KB

    MD5

    f29a21bb3e8b7c31b3f08e6fc5138e38

    SHA1

    071c368c46a0afd72e29c153a84dfc5c6a8abd88

    SHA256

    c6c883d9c33f4e2c1ef727a377175070bc63a2834b5aa4b5ff7db48b2680cfdb

    SHA512

    c88f40b7af057e154a4c5fa6affcf55d31080cb6a3eb71c9970bccfab621190c8404d1811ae5fc0acf9d4a556e40e1ec7edcab3b6b7fc1bfa7a012d5a01c4a02

  • C:\Windows\{D060CA7E-ABE7-4efc-BEC0-9A354B8893B9}.exe

    Filesize

    344KB

    MD5

    e8e0f261b67b408e3697f10ad3d93a13

    SHA1

    8d76f18e49e96791a996c37984634e01c6ab8268

    SHA256

    11d6bf62b7df5d9b4f03ce0217cd27548830a25dc6d1d2e3d6d665c52d07b5b8

    SHA512

    9ae10dde9ae57146264ab302020a1f5feb6c0b8b4885192f0609e941534ecce1e78382175bc33b805d8d27b9102b641cad2c4bfbf3ad652198f04d4b83cace79

  • C:\Windows\{E2140B58-10F5-41af-BB51-1C21D116EF23}.exe

    Filesize

    344KB

    MD5

    482dddfe89c7bf68aa9b1630a30ee025

    SHA1

    8a81e02e6de266c275bd293a73cf03c98c8addcc

    SHA256

    9b4e864ad7227c43ec5bed05ea10f114b2c33b0204597e79582c9c4143b4efe8

    SHA512

    31f87916830cecd699d6f712a7d67f17999c206dc910bf8c5c217402872bd412598fb60f1b5c11209c109a10304f5be88afe05cfac73c0c20dd8358e5ae1e9e6