Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 06:06

General

  • Target

    2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe

  • Size

    204KB

  • MD5

    e35965126b7ed6a8723a41c4598ea358

  • SHA1

    73397af636e0bd9d37144deb7ec14674539001e8

  • SHA256

    591018a3d12bc7bbe98ff48623d2b4a6c23e72fa1cbd610d1814ce581c80b41b

  • SHA512

    c7db4a5414272a58c6b84a0eae34c0b1b9f1f37c7ac7fc445194d6256b06fe8a03f20eb2b69c19e58e858e488886ea13bdfd89efdb6f384590612381b28af4db

  • SSDEEP

    1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o9l1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
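
The Active Setup signature above fires on every one of the eleven GUID-named stages in the process tree, but the report does not show the StubPath values that were written. Active Setup is evaluated by explorer at each interactive logon: for every component GUID under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (and the Wow6432Node copy, which is where a 32-bit writer such as this sample, whose cmd children run from SysWOW64, lands), the StubPath is executed for the logging-on user if HKCU has no copy of that GUID or its Version value is lower than the HKLM one, unless IsInstalled is 0. The following is an added example, not tria.ge's code or anything from the sample, of triaging such entries from a registry snapshot with that logic. The snapshot is constructed: the first entry assumes the dropped stage registers its own C:\Windows\{GUID}.exe as the stub, which the page implies but does not display; the other GUIDs and paths are fictional.

```python
import re

# Both HKLM locations explorer evaluates at logon; a 32-bit writer (this sample's
# children run from SysWOW64) lands in the Wow6432Node copy.
ACTIVE_SETUP_HKLM = (
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components",
)
ACTIVE_SETUP_HKCU = r"HKCU\Software\Microsoft\Active Setup\Installed Components"

GUID_EXE_IN_WINDOWS_ROOT = re.compile(r"^C:\\Windows\\\{[0-9A-F-]{36}\}\.exe\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\\(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe\b", re.IGNORECASE)


def parse_version(v):
    """Active Setup versions are comma-separated ('9,0,0,0'); missing parts count as 0."""
    parts = []
    for piece in (v or "").replace(".", ",").split(","):
        piece = piece.strip()
        parts.append(int(piece) if piece.isdigit() else 0)
    return tuple((parts + [0, 0, 0, 0])[:4])


def runs_at_next_logon(hklm, hkcu):
    """hklm: values of one HKLM component key; hkcu: the same user's copy, or None.
    The stub runs when the user copy is absent or carries a lower Version."""
    if not hklm.get("StubPath"):
        return False
    if hklm.get("IsInstalled", 1) == 0:
        return False
    if hkcu is None:
        return True
    return parse_version(hklm.get("Version")) > parse_version(hkcu.get("Version"))


def stub_reasons(stub):
    """Why a StubPath deserves a look; empty list means nothing stood out."""
    reasons = []
    if GUID_EXE_IN_WINDOWS_ROOT.match(stub):
        reasons.append("GUID-named exe directly under C:\\Windows")
    if USER_WRITABLE.search(stub):
        reasons.append("stub lives in a user-writable path")
    if SCRIPT_HOST.search(stub):
        reasons.append("stub invokes a shell or script host")
    return reasons


def triage_active_setup(hklm_components, hkcu_components):
    """One finding per HKLM component whose StubPath looks wrong, with whether
    it is still pending for the user whose HKCU snapshot was supplied."""
    findings = []
    for guid, vals in hklm_components.items():
        stub = vals.get("StubPath", "")
        reasons = stub_reasons(stub)
        if reasons:
            findings.append({"guid": guid, "stub": stub, "reasons": reasons,
                             "runs_at_next_logon": runs_at_next_logon(vals, hkcu_components.get(guid))})
    return findings


# Constructed snapshot. The first entry is what the report's Active Setup signature
# implies (the StubPath value is not shown on the page and is assumed here);
# the other two GUIDs and their paths are fictional.
HKLM_SNAPSHOT = {
    "{A64485FC-38C0-4700-925E-29A269D2D94A}": {
        "StubPath": r"C:\Windows\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe",
        "Version": "1,0,0,0", "IsInstalled": 1},
    "{0F0F0F0F-0000-4000-8000-000000000001}": {      # benign OS component, already applied
        "StubPath": r"C:\Windows\System32\example_component.exe /FirstLogon",
        "Version": "9,0,0,0", "IsInstalled": 1},
    "{0F0F0F0F-0000-4000-8000-000000000002}": {      # odd location, but disabled
        "StubPath": r"C:\Users\Admin\AppData\Roaming\updater.exe",
        "Version": "2,0,0,0", "IsInstalled": 0},
}
HKCU_SNAPSHOT = {
    "{0F0F0F0F-0000-4000-8000-000000000001}": {"Version": "9,0,0,0"},
}

if __name__ == "__main__":
    for finding in triage_active_setup(HKLM_SNAPSHOT, HKCU_SNAPSHOT):
        print(finding)
```

On a live host the two dicts are built by enumerating the key paths in ACTIVE_SETUP_HKLM and ACTIVE_SETUP_HKCU with winreg (one HKCU snapshot per user hive); a sandbox registry diff can be fed in the same shape. A finding with runs_at_next_logon set to True is the one to act on: the user-specific HKCU marker is only written after the stub has run, so removing the HKLM key before the next logon is what prevents the re-launch.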

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe
      C:\Windows\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe
        C:\Windows\{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe
          C:\Windows\{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2092
          • C:\Windows\{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe
            C:\Windows\{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Windows\{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe
              C:\Windows\{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2344
              • C:\Windows\{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe
                C:\Windows\{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2856
                • C:\Windows\{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe
                  C:\Windows\{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2864
                  • C:\Windows\{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe
                    C:\Windows\{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:484
                    • C:\Windows\{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe
                      C:\Windows\{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2340
                      • C:\Windows\{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe
                        C:\Windows\{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:528
                        • C:\Windows\{364AB8EE-924F-406b-A6C5-8C8F4A416964}.exe
                          C:\Windows\{364AB8EE-924F-406b-A6C5-8C8F4A416964}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:924
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3E028~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2500
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A362D~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2216
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{FBDF3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2980
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D5CB4~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:860
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A55EB~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:608
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EE0D0~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2832
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{64ACD~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2020
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{0185F~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2604
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{FFC8D~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6448~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2544
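
The tree above is twelve stages deep and follows one fixed pattern: each GUID-named executable in C:\Windows starts the next copy and, separately, a cmd.exe that deletes the stage's own file by its 8.3 short name (`{3E028~1.EXE` is `{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe`, `2024-0~1.EXE` is the original sample). The Downloads section shows why a file-hash indicator is weak for this family: every stage is 204KB but carries a different MD5/SHA, so the indicator that survives is the behaviour. The following is an added example, not tria.ge's code or anything from the sample's author, that encodes that behaviour as detection logic over process records shaped like the tree. The records are constructed from the first three stages' PIDs and command lines above (the root's parent PID is assumed), with a benign installer added as a control; the 8.3 rule used (first six characters of the stem, then ~1) is an assumption that holds for every short name in this report.

```python
import re
from dataclasses import dataclass

# A GUID-named executable sitting directly in C:\Windows, as every stage here does.
GUID_EXE_IN_WINDOWS = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE,
)
# The "cmd.exe /c del <target> > nul" form each stage spawns.
CMD_DEL = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _dir_and_name(path):
    d, _, name = path.rpartition("\\")
    return d.lower(), name


def short_prefix(path):
    """Assumed 8.3 rule: first six characters of the stem, upper-cased. Holds for
    stems without spaces or dots and without ~2/~3 collisions, which covers every
    'xxxxxx~1.EXE' in this report."""
    _, name = _dir_and_name(path)
    return name.rsplit(".", 1)[0][:6].upper()


def deletes_own_parent(cmd, parent):
    """True when the del target of a cmd.exe child resolves to its parent's image."""
    m = CMD_DEL.search(cmd.cmdline)
    if not m:
        return False
    tdir, tname = _dir_and_name(m.group("target"))
    pdir, pname = _dir_and_name(parent.image)
    if tdir != pdir:
        return False
    if "~" in tname:  # 8.3 short name: compare the part before the tilde
        return tname.split("~", 1)[0].upper() == short_prefix(parent.image)
    return tname.lower() == pname.lower()


def self_deletions(procs):
    """(parent_pid, parent_image, cmd_pid) for each stage that removes its own file."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(p.ppid)
        if parent is not None and deletes_own_parent(p, parent):
            hits.append((parent.pid, parent.image, p.pid))
    return hits


def guid_chain_depth(procs):
    """Longest parent->child run of GUID-named C:\\Windows executables under any root."""
    by_pid = {p.pid: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)

    def depth(p):
        return max((1 + depth(c) for c in children.get(p.pid, [])
                    if GUID_EXE_IN_WINDOWS.match(c.image)), default=0)

    return max((depth(p) for p in procs if p.ppid not in by_pid), default=0)


def triage(procs, min_depth=2, min_deletions=2):
    """Flag a tree that both re-drops itself under GUID names and cleans up each stage."""
    dels = self_deletions(procs)
    d = guid_chain_depth(procs)
    return {"guid_chain_depth": d, "self_deletions": len(dels),
            "flagged": d >= min_depth and len(dels) >= min_deletions}


# Constructed from the first three stages of the tree above (root ppid is assumed),
# plus a benign control: an installer deleting a temp file that is not its own image.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE = [
    Proc(2548, 1, r"C:\Users\Admin\AppData\Local\Temp\2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe"'),
    Proc(2404, 2548, r"C:\Windows\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe",
         r"C:\Windows\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe"),
    Proc(2544, 2548, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    Proc(2752, 2404, r"C:\Windows\{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe",
         r"C:\Windows\{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe"),
    Proc(2808, 2404, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{A6448~1.EXE > nul"),
    Proc(2092, 2752, r"C:\Windows\{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe",
         r"C:\Windows\{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe"),
    Proc(2764, 2752, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FFC8D~1.EXE > nul"),
    Proc(3001, 1, r"C:\Program Files\Setup\setup.exe", r"C:\Program Files\Setup\setup.exe"),
    Proc(3002, 3001, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\log.txt > nul"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))   # {'guid_chain_depth': 3, 'self_deletions': 3, 'flagged': True}
```

The two signals are deliberately tested together: a single cmd /c del of a parent's own image is also how legitimate self-updating installers clean up, and a lone GUID-named executable in C:\Windows is unusual but not unheard of, whereas a chain of both is the specific shape this report shows. Sysmon event ID 1 or any EDR process-creation feed provides the pid, ppid, image and command line the records need.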

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0185F884-7909-40be-9DEA-37B8713FE8A4}.exe

    Filesize

    204KB

    MD5

    5908fd295432d06a475854d419a58237

    SHA1

    353ed324acdc02239872e16d94da764b6659646a

    SHA256

    24f38be0aae69c6eb6eb995ceca4a1f52f7d743dffc52bf86f192641cf55ea7c

    SHA512

    aba8645a0de63dc506f277b600ad23dd622ddd36be8469b8158b4ca32eda688c08abd5fc22ce644bfd0c32e0eaf06a2bb4001acd9bfc901e3444969886df9b9e

  • C:\Windows\{364AB8EE-924F-406b-A6C5-8C8F4A416964}.exe

    Filesize

    204KB

    MD5

    9f4a0d816064006084cd7cb8fcb552b3

    SHA1

    8e1b230d6288add4999bc180b3e388c731b3a732

    SHA256

    e90b76e8e08d88736d0941d7d308bf83fcf821d8d5d869def7d510d0981d8a93

    SHA512

    d162c20d3f5cb5b503ec071a06000ad6aff18de94663442d13304627a490b30111503006790e687aea40406e7ca6d0a603a84d277352a3301b6f76ab2a5d01a6

  • C:\Windows\{3E028337-B574-40c5-978B-EB7ECA3411C6}.exe

    Filesize

    204KB

    MD5

    eb3a91df83278b5713e1d29c14899452

    SHA1

    e2c7cb972d376467bc48d1ea2901956c51a85748

    SHA256

    2efe46aa0b39113fa5affff3c7eb749bb25e9abdad830e49bf1be8cd5386163f

    SHA512

    3d0f6175c6a2d04bccd2d5e5d6d44805b7275e2848663e6e8f43093afb84af7d510ae9af7416ee5ec891eb5041a096cf6c10a761001eb4612b2878cbee514721

  • C:\Windows\{64ACDF50-FBAD-41d3-B3D4-9499321EFC22}.exe

    Filesize

    204KB

    MD5

    f6912421a9a25897fbaac1d7a431b510

    SHA1

    76466ef138a934bbccabd7b83e3ae750552cc9e5

    SHA256

    46f2aa4ae22cf52c75110ebcd5fb3cdac6819548621421eadf3da773e60cdf39

    SHA512

    7d092086ee7b3a1eb2b9bcd17a50fe67bf8ecad393cb0d7e66f445bbca252d666b2fc9b775a731f8f6897d72f03277b2624aa0f599f16ae6e61458aabd92fc6f

  • C:\Windows\{A362D8C2-7E90-4b90-B3A8-33F0482F73B7}.exe

    Filesize

    204KB

    MD5

    ee03f97b0a323e7ba8f7e2c4aca92d10

    SHA1

    e2ac12a211536e2c20fe7a7236aa18e27d53c9cc

    SHA256

    5acd15240de49f70d0dc0007f75e65c747d0902bb1b0a4bf2ef499059435aa18

    SHA512

    18741fd98d069aeec324fd7718bcb73bbbeb406526a9338d3f347a46ab35d30fe8be00f1a12a64cdf07b62d1c38344ffbd7d20e6aec105f946a9a81d6df924c0

  • C:\Windows\{A55EB6CA-434F-480c-A25F-E0AF89376CEB}.exe

    Filesize

    204KB

    MD5

    387e205111e85af57596a487755abf8c

    SHA1

    a4940078d785d1e4bd864687f4e8a13be7f458b7

    SHA256

    77da8fd7a17dbdde60f0783bf6572c28b4992bfd760113aed021087cca18d189

    SHA512

    ddce7d54c437ad54b6492d6d0c3f8e1a96873b537c6fe9572cfc2f457c2a91af26f5d520a60f49e91d183e9307374d48b7f14ff3cd3c1ae9ee7b3ef678a30636

  • C:\Windows\{A64485FC-38C0-4700-925E-29A269D2D94A}.exe

    Filesize

    204KB

    MD5

    b50a6dcacae419f690fd8bd29d895776

    SHA1

    92b20b215e9a7f89a267ccc07c4b108af242a06d

    SHA256

    f74dd82f0d32f0b7991d52f1031e70d9df06bfbad2b5fca1eaf2f511083df868

    SHA512

    6a3984ff39693832caa15f111b3788b39f99664dfd6bb6942efb07b4b20c9ef2e7e889992a35be6406c71795f6d40c3f62df2dc026f427476e6eb9ca08d7dccc

  • C:\Windows\{D5CB4498-6C4D-4d02-ADBC-3792A242241D}.exe

    Filesize

    204KB

    MD5

    6e275d5540a936af71813b156c29868c

    SHA1

    bdd647b4bc185c750cfc84d25d83e87046b7009f

    SHA256

    8fd3df7f1250aaa05192dbf96c0f8e09b69a2548936154107b5ff340d381c542

    SHA512

    6e41f91c33c4d78f210f6ec5e62136c680bd149680de26855cbba9e0f6e0532f72a6c23be23e6d0c7c483d1c72b3a33c539dd3da02cc11a4f6bd0119b0d94fa1

  • C:\Windows\{EE0D0268-18C1-470f-B2A7-757AD48C1464}.exe

    Filesize

    204KB

    MD5

    dd4d389544d29cead92ae94a9587aada

    SHA1

    394baaa92cbe22a19f6a7d887f3295f2bdd4f9f1

    SHA256

    5375b7e324ea7dc4fc1e63104868ab52f12c0550d0a953f91754135781a14b7e

    SHA512

    f5da3850f0b2b5e28165650f77b9ce41f853bb4d0d661a396e9cd4f3111c1f1ce4fdf6cf1366505696f146b666bacaf9762fa3a9fa78b3bc480a6330eb748348

  • C:\Windows\{FBDF3579-27CC-47eb-BE29-85BD825FEDA9}.exe

    Filesize

    204KB

    MD5

    f14999fdb859371f5c246847629ea6e1

    SHA1

    f1bb5973d9f95efc37abfece19aa6276de08eee2

    SHA256

    64949eba478556ca070f5f7c16055b2e36ce0af712c89a3cc2738286fb214cc4

    SHA512

    8deec321f858940a507078f168b44f67fbaccf0d76c3b1fede4c251ad3783062d330d3db0b951d41d0d347a0e6590be761c581b864341406f0a0b181222e0612

  • C:\Windows\{FFC8D010-4524-4130-A5D9-5ED64181D11F}.exe

    Filesize

    204KB

    MD5

    a56941765c3cdb685bbd32190bd8b5bb

    SHA1

    287cf976dbbaa6f93f6fff71ff3934491e529233

    SHA256

    9f38ab4a1c67578e24dce55cd910e72945da09ac41ba0ed2aa7b87fdb402de9d

    SHA512

    e75ba95a254be9867035a4995d17e2f0c4cdd34e434353f29f906c592150c84f42d3745f0b671d589e53d0ad2259933b09d924c576786fa3751f6535d4790ade