Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 06:06

General

  • Target

    2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe

  • Size

    204KB

  • MD5

    e35965126b7ed6a8723a41c4598ea358

  • SHA1

    73397af636e0bd9d37144deb7ec14674539001e8

  • SHA256

    591018a3d12bc7bbe98ff48623d2b4a6c23e72fa1cbd610d1814ce581c80b41b

  • SHA512

    c7db4a5414272a58c6b84a0eae34c0b1b9f1f37c7ac7fc445194d6256b06fe8a03f20eb2b69c19e58e858e488886ea13bdfd89efdb6f384590612381b28af4db

  • SSDEEP

    1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o9l1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe
      C:\Windows\{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:184
      • C:\Windows\{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe
        C:\Windows\{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe
          C:\Windows\{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3140
          • C:\Windows\{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe
            C:\Windows\{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4228
            • C:\Windows\{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe
              C:\Windows\{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:404
              • C:\Windows\{73590DDA-E985-4020-885C-B10D4D567ECE}.exe
                C:\Windows\{73590DDA-E985-4020-885C-B10D4D567ECE}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2980
                • C:\Windows\{C7463451-429B-4093-A65C-B6EC5B620446}.exe
                  C:\Windows\{C7463451-429B-4093-A65C-B6EC5B620446}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:660
                  • C:\Windows\{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe
                    C:\Windows\{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3500
                    • C:\Windows\{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe
                      C:\Windows\{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3488
                      • C:\Windows\{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe
                        C:\Windows\{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:536
                        • C:\Windows\{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe
                          C:\Windows\{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2932
                          • C:\Windows\{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}.exe
                            C:\Windows\{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2724
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D90E0~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3808
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{478BA~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2784
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8449~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:796
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7D57C~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4840
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7463~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:5044
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{73590~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1216
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{500DE~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4000
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{AFB8B~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4544
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8F0E9~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1516
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{FA008~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3E35~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3792
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe

    Filesize

    204KB

    MD5

    f1d415bc67f863156148547296adb6ae

    SHA1

    106e315158848f7a664f2abc95895bfd4a12a081

    SHA256

    65d94c323360564478d46d6b084e5f68c39174bddb1df7988d01473d777dfb02

    SHA512

    4c44eb27311767a5e00a8bdfd2d4c69aafd7801108633b311099d4800a0e9e003353e2f26156a40fa763fd36f484e12199bf69e6e2f8f44ec6c4c15697e4cf05

  • C:\Windows\{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe

    Filesize

    204KB

    MD5

    eaebc0b4deb94bf8b01a3474f6071381

    SHA1

    ce2c02d0c0221a9ad3e9cc88bd6ba58c232f6969

    SHA256

    299c2e93c06eb6b4c25012965d77c2f883f92e9462a02ecdfab25954b7eb0abf

    SHA512

    456007ef6f8093fc844015252c48e487d93ddcb25f1cebad15661d826023ded412407612915fe00004d4e7b317f18a0198963f1b9457c3ffdbe34000fa4e6f33

  • C:\Windows\{73590DDA-E985-4020-885C-B10D4D567ECE}.exe

    Filesize

    204KB

    MD5

    34ed627d6bd2cf8742f2bb777a5e0797

    SHA1

    dd2155cd5002173f57013b646950fb19aa1c58db

    SHA256

    667e4a44da41975312704c609accdad78e8a346ba6864fb03cb0512fab978782

    SHA512

    c6a14baf351ff26649a98817222ff66e19f11556d71bba29f2d39a705d30d5cfec1fd51279d78cf1af8c8cd4357dc2d23eb7b07d7acb01a4fbc4af7c07ce66d9

  • C:\Windows\{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe

    Filesize

    204KB

    MD5

    9b5d8958c5ae768730226c41e0686b4c

    SHA1

    92baf30ec23020fd8f89f13b1370161645a873ff

    SHA256

    3b48d3143f52de58b4238d6890bcf7df453dd543ec463cac74c718be37abf8fe

    SHA512

    85a68774e4f3903d39be9abf621940633e8dc6f51b73856d9e0cfaf18613dca66cedbbe85ef1cf749f94875b04aba337832342ba84e2fa064f993f7e61876885

  • C:\Windows\{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe

    Filesize

    204KB

    MD5

    11e55f9d7245bc1a3c85b4d52e3aa41b

    SHA1

    eb06e58f3bae45a2fe55eb42864cde1447ae77f4

    SHA256

    a1cb27c0ab0306ddc8a77d3a8eae20846eb19664055853547ef6c7d3d2838539

    SHA512

    841fafbdbbe41c23db7accf23dbf5f208af9afcf9388b3734c15d49936aa6ae1a9ecbe2d1eca7a752f08ba1dcfd9dab45c82b310f85e3596728be134bf772160

  • C:\Windows\{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}.exe

    Filesize

    204KB

    MD5

    90968da675dfdcb52bbc17c5a9581f4e

    SHA1

    98b4c9b53f7d721c306b0ff2ba72cb95d4b0f727

    SHA256

    ec1ed8b22cacbecf7345b7fee4b563da7c56891e75226e4b9fad72380b964e91

    SHA512

    6301a093e7c72c5ac3a34326acc1d1de0566fbffdddfbfa6d9b6726ec076db613535559fcc6025f6de75193d29390163fc06a43b45f267a6cff5fcc3f5321680

  • C:\Windows\{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe

    Filesize

    204KB

    MD5

    8fffc6c681501f1ceba34e620f455995

    SHA1

    d186af0a93ffb59ec39d49ce95e1737368159917

    SHA256

    843f806ab76d6ec739281d5693fd952a6d0e48038e190d0b1b57c8d3f939c32b

    SHA512

    d0eccbc4d296a246e2afa6e06aef867f67d91e48bf82af7d15d575e5f809ad875ff77daf24f08f60778bedbb7c17671504f6dc825d2b612c21d24759781b4d3b

  • C:\Windows\{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe

    Filesize

    204KB

    MD5

    437456a9e7ae3707db140a0c80e4378a

    SHA1

    e52cb584eead2ebe1770f4c5fd533689a920770c

    SHA256

    42173d1fadcf23072606c8a25cf8e5d59e269c362f070a80204dea453a88cf0f

    SHA512

    9ee967c2b0bd441642fce8a36eba194b77dd78fbd772fc96a854206730d5744bad132194075b695eab0b44bf93a900f99d499938e32759937c03877fbd99d450

  • C:\Windows\{C7463451-429B-4093-A65C-B6EC5B620446}.exe

    Filesize

    204KB

    MD5

    6d056932dabd32d0aa35892e7e2c2d2f

    SHA1

    c44200866f32e05457be303d6d635fa0a58cebc6

    SHA256

    b20916f633c33d0af5378e350768a58120d0beb6d49b6b684f74ad40901e0e26

    SHA512

    94ed8190597ac586ba24c3b12e648db384485899416a11899688a2eabbd20dbb476902de0069224e4224cc02f8144f6819dbda61fd7c4d166e87388fb3c88e21

  • C:\Windows\{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe

    Filesize

    204KB

    MD5

    2793da2e452137ba5a0e5b351b0fa7ef

    SHA1

    8934dc096fd311e29d5f5c7b368d2c5e21ff17a2

    SHA256

    fd082d113a61b1d87c257f58a69740263a0d632c41d69275027202c0a8473ec9

    SHA512

    7942176e4257752a0c810b01ccfd7f60ae5e1f64682bdd6ba60805e1596f6839eb627df05ae2e414ddf7acb659243901ed9bb2ba5f3247037138ac1b46f5a5c5

  • C:\Windows\{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe

    Filesize

    204KB

    MD5

    3b9fcac7475b47d921267581efe1ba84

    SHA1

    444aed7439e5eec8943b35f39dbfea4f1d5923c9

    SHA256

    409b4113a53ce1c4f3b006fbb53a0d499c355f2860a221c9ac6bc347eb7ba704

    SHA512

    0b66b9425a9e47b35bc670d2a3eeb3a23453b88b85ce7edb88f6c0ce09d8db4193c9c8d74dc91177556a99092bb4dd26b113c4514ffd8017cb809aed37ffcfe1

  • C:\Windows\{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe

    Filesize

    204KB

    MD5

    0c59fee8c2cfb92d94038b1695dca6a7

    SHA1

    bc440ab92d736f9d4b762140ac35fa580f856655

    SHA256

    9c3b85a0c8b9a7bd52ab499d172f360d9a490b41d9bc7b4fa5dc2418efc38b01

    SHA512

    93bc0ba0791f39b67238b31764a4d413c27e413305d011ae331a09cce8e9ee024f55b375d566ab6bfffec6d59fb5bf8c5c23471b41233fbfc9bd1b8cb610e182