Analysis

  • max time kernel
    149s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/09/2024, 15:44

General

  • Target

    2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe

  • Size

    344KB

  • MD5

    0ad4df4fc60c40557469a213b08ba0f4

  • SHA1

    96f810963d366e518c804f809ecebb63c0ea84e7

  • SHA256

    99c871a97771fc8fd32ef992daabf1196b32ff4cf858e3810cb5f8c7c03d9b68

  • SHA512

    1423ee3c224f998072265fed5afc21f893fe8df08710e4fd6dd92cf0f70bb520236f6279fbf1b5f300b4bc5eeca66219df1ccfd0f5b787e8971a77ea82adb348

  • SSDEEP

    3072:mEGh0oRqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEc:mEGXqlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Windows\{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe
      C:\Windows\{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe
        C:\Windows\{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\Windows\{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe
          C:\Windows\{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe
            C:\Windows\{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3204
            • C:\Windows\{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe
              C:\Windows\{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2132
              • C:\Windows\{361780B5-917F-4935-B713-AC2AA2BD7530}.exe
                C:\Windows\{361780B5-917F-4935-B713-AC2AA2BD7530}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4336
                • C:\Windows\{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe
                  C:\Windows\{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3756
                  • C:\Windows\{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe
                    C:\Windows\{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1052
                    • C:\Windows\{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe
                      C:\Windows\{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1800
                      • C:\Windows\{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe
                        C:\Windows\{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:232
                        • C:\Windows\{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe
                          C:\Windows\{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1896
                          • C:\Windows\{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}.exe
                            C:\Windows\{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4304
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B885A~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3036
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D6B9A~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3672
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC196~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2208
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8B76D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2764
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{CA7FE~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4292
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{36178~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2464
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F7B4B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4340
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2A972~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4776
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0A946~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{30D4E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4860
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{408D5~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2460
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe

    Filesize

    344KB

    MD5

    404b14d25276c5c09eb1cb63a20b37a7

    SHA1

    4b0600bcb470dbb394a51bd646a92e7ceb2b9aec

    SHA256

    ff400d0b61370cb5998d07150189d46e2a7807fa6214dc8d94d951cba0ae59ed

    SHA512

    e813bc61524cb66fa2d8516315b8a07355b9cb96b5972ba12d4eb5512321ea958693920813a2ccc95c558b97dd72febab73a969748992d6c5e8fea353ca33e30

  • C:\Windows\{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe

    Filesize

    344KB

    MD5

    45604f4aefcb0bcd873566460c065e86

    SHA1

    d85984e1bade9e7185d96f5bdb8e9693b5df0d35

    SHA256

    70f2d42caf23d38e9145743292d0e1ded2ecb534036d15aebab9e8864f2f8b2c

    SHA512

    a3779a58969248f317d4f3d5f4bc5959af89963988d51841ac7a1afcb5bee4c7c17bfa5225ae29ca864b3a06b0a060ad6a654139f5a1a62f476b4dc5d7d06365

  • C:\Windows\{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe

    Filesize

    344KB

    MD5

    3b37fd96a74ab02e48c727a09de5e051

    SHA1

    42e53efee6f1bfa33d225b729796fb0aa3aae38a

    SHA256

    c4c19a9c5e246f6784ba67853fb50f98ec543134be9cbfb50a462d5162344e8c

    SHA512

    17bbf099d8fab97ecf0836c3e7901d6cbc19997714227bbc2da805a73e7561460863363807c7619f1179fe92997968747042b22ed81f5c1e7463eb1860019f5a

  • C:\Windows\{361780B5-917F-4935-B713-AC2AA2BD7530}.exe

    Filesize

    344KB

    MD5

    e493dc72d7b9c6b6b800144b94e54fb9

    SHA1

    0fb103d0a53d50c6fedee15e5dccc0ef788fa7f5

    SHA256

    c58fb84aedda82033ec6b94a6e6058a8c7c29541f8b63d6afccd5c1cef626ef0

    SHA512

    0a27f8cf4ab38fe681c10bd6445aac0a1e5f5d1377feaa7df806726dedfdbcf5f873b8c21030635ff154579f95422954e06a2f148457d0c6b6ecd04bcb1a6062

  • C:\Windows\{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe

    Filesize

    344KB

    MD5

    21774ee544c7ec7fbf56f0f6bb6ceadd

    SHA1

    dcad7d1f1c5b3bded416777a80471ee94da79e2a

    SHA256

    149f130872ab82d915eaec530f9794d649e509ee7c8474d5482ca309f241e349

    SHA512

    ae6531ae46c15e75ea4e1c646cc5f58101210bdea2536bbfcc06f4ee1c355042e339c2e5d33bb4977713994d5c4631df33bdcb2e1cc49a6d658eb802980ce4ce

  • C:\Windows\{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe

    Filesize

    344KB

    MD5

    a43a896bef5e346c31711de82aa77c7c

    SHA1

    01029eb8e63b3d9fa5495141e35d651e8e54db37

    SHA256

    23ef48387f52c6287b4f079feb94969f8bd40c8de3ade12a962c101f2a0878d1

    SHA512

    75b40b031e8029469afde5dfad2467f602d141ba477e03edf141cdb00edd129dd2b893ab28e2c360d266a41f6fe6ee2b2b400c688bf640ebed971ac1887fd9b8

  • C:\Windows\{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe

    Filesize

    344KB

    MD5

    2fac068cf34d0220e45382c900809a0e

    SHA1

    f786cd7fd0c7945eba3bcf8a5b611f0289500839

    SHA256

    a266f350ccc3761e0eb522c9071c75ab4cf0d9aca1e5f89d75595c9a4b6c6465

    SHA512

    75f7e43b05b67c147af05dd466fed28a991a7f4f9d6371f3b5e3cff901b06d73c969d79f5736497b659932b75b1cb310d3e39efb4cc1fdcd332f9042f6f0fca3

  • C:\Windows\{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe

    Filesize

    344KB

    MD5

    6017aebabc2f21e586047e203d22b5bd

    SHA1

    4d6d711e32966cd31ccc1b101df5d75bb29b256b

    SHA256

    9d3d1d588770fc28ec72d3812536a2618ebac17352624bb8b96f3ca009fd76bf

    SHA512

    1a25557004c137c4321c95c03c985a508d0a1797d8d6e0e12d0c7965eb38f2a8a80a989f468bd08ad059fe78c2e77724dc50cde7b750abaf8911557cebbe7081

  • C:\Windows\{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe

    Filesize

    344KB

    MD5

    f4ef922e86b59107ea77c689e5cb5df7

    SHA1

    6efb67ee105639951c844df8b2f221494a2a7a55

    SHA256

    693640bc07023c4d71b381c6ee71997ccb2479e3bcbfaf88ea5272b91fa020dd

    SHA512

    4e3d85bf3eb5c0c66ef298628be53889440d0bebba6372d60bf78daaf9cd9a65331aaf604ecafd2271c1b197b5f4e82747f38e15e2be30289e9067850e7b844f

  • C:\Windows\{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe

    Filesize

    344KB

    MD5

    f93a7a55a9f8a3ba572d5b4080fc3c1a

    SHA1

    32999d5ed35b735cd046b268bea0974790b88170

    SHA256

    156ffd4a23bd108bfad675cc30180db91c9b0a5c47661ec4d7a0add28275a4fe

    SHA512

    d0b4bed7deb2720fc82f2046c6ffc33d22a704a7ca16e0b58d0a394bf4f47c8bc3c41fc852eb7dc1e05293d5006b2ba7a9f567e4d44e67e7f11c1822b5266ab3

  • C:\Windows\{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}.exe

    Filesize

    344KB

    MD5

    36f1dae4c1f835ac4aba12b44808eddf

    SHA1

    e78b17cd24f17cef3355d6fff4bc627175a5950e

    SHA256

    13c23e065377e729c4a0ee1edfcf97f54569d0f0eabbe5837955d4200013e919

    SHA512

    96d340f6c5954851dcaac4e3fe9b689dc4bd3a507b73ecb3caee1dcc99d85422149075982b1a3d2c86fb82b4ff9f25de03704a41ad7f19f5d159315d30de2a41

  • C:\Windows\{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe

    Filesize

    344KB

    MD5

    6d8eb3e2b619676572f88306831145d6

    SHA1

    410e975753e1ef3d81a8caf8a6cb23da2bea706b

    SHA256

    a74573d55d824aaf47042c157dd7c03eaafbbebfe2583b796a2b78e5cd07c1ab

    SHA512

    2cf549087eb7f2a5f55e5520a3b099af172cdd07796cbb2acc0c2c989d131d6f7419b8392ea0183e3f15e3a44581a392e03c4837f9810a6eb98ca3a76afe7a95