Analysis

  • max time kernel
    144s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 08:44

General

  • Target

    2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe

  • Size

    192KB

  • MD5

    5f06f55a35c44b0ba1ec576d24f6b1a8

  • SHA1

    05931824bf747d5dd9b9e65c78dc0a70cd5e912b

  • SHA256

    33d746a47c9b11938bd230c292dc521db27e111b8ad0ffce4ed8e941b6915d8e

  • SHA512

    2a61ac1f5a4ac2bd5c643790a28639e86423ed1fbc11ddfd9d339e169b5da73ea7fff138cf8606472e4fbb5915400ea6f506eb85e57cca07680bac5292534ede

  • SSDEEP

    1536:1EGh0owl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0owl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_5f06f55a35c44b0ba1ec576d24f6b1a8_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe
      C:\Windows\{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\{34F97277-0C51-402e-AC90-F7637590621B}.exe
        C:\Windows\{34F97277-0C51-402e-AC90-F7637590621B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe
          C:\Windows\{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe
            C:\Windows\{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe
              C:\Windows\{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2652
              • C:\Windows\{D0206425-6026-4393-B18E-7BBE43F855BC}.exe
                C:\Windows\{D0206425-6026-4393-B18E-7BBE43F855BC}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3024
                • C:\Windows\{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe
                  C:\Windows\{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1604
                  • C:\Windows\{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe
                    C:\Windows\{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1648
                    • C:\Windows\{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe
                      C:\Windows\{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2788
                      • C:\Windows\{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe
                        C:\Windows\{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2784
                        • C:\Windows\{64F66460-9E76-4c43-A6A5-7C76CFB2230C}.exe
                          C:\Windows\{64F66460-9E76-4c43-A6A5-7C76CFB2230C}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2384
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6ECE2~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2944
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{26AF1~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2588
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8949E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:756
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{891DD~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1948
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D0206~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1696
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C7A1A~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2976
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{F424F~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1576
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C12ED~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{34F97~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2740
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{050E6~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{050E6BA9-FCF1-45cc-B5B8-4A6F53333E7B}.exe

    Filesize

    192KB

    MD5

    24b3887c98f53ccb83e63d5f5535952d

    SHA1

    d276b4436ca37d8ac77570668bae981cb0c8b7df

    SHA256

    1dfa4f7c6638a702aaa9d7585f4e3db45dc0c101ace469ee27603685f5a51584

    SHA512

    56186180c0c9f09039c410ded9b0ea4fad65fed113418f022921eac2bc4ea167977a39eb3240d785eaeb62cb63f090aa30f3ca9c2ff5b7ea71fa9b43ca5a0e8d

  • C:\Windows\{26AF1FE1-4DBF-47ef-A1DD-CB497124D6B3}.exe

    Filesize

    192KB

    MD5

    d86acddcb866dc627f7e688a87ee0671

    SHA1

    7cb9b62d53cc04d87bb403470f5659f60a7387ca

    SHA256

    f1cfab440f00d0b034ab0c0a76ab63b4bcfe6358a713ddfad755f5f9dc0930f8

    SHA512

    78cfe6b8b3613a9b0deead6db96807dfb3bdcd2c2bccba32aee6bfb992fb06dc360e87570d99df2ca0fb2df7dbb3545608eebe642b1d75d15b0938ec4f6b1d57

  • C:\Windows\{34F97277-0C51-402e-AC90-F7637590621B}.exe

    Filesize

    192KB

    MD5

    728f709e1c4ce22872ef535430c0ecb3

    SHA1

    034e125b0af4f1accd82974d75415f4e074afeb8

    SHA256

    450215a07c2ed7d49335a068c458472682bb200a5c93f9660f894a772aafa62e

    SHA512

    80f73b1d4effcbca3d4e4f19430cab09bd9b0bdaa8b52a79c57c0de45368eb74869f0ceb174e155f6331c47f20a7d2328ecd7eebb2169fe2d552b3fdf0aae4d2

  • C:\Windows\{64F66460-9E76-4c43-A6A5-7C76CFB2230C}.exe

    Filesize

    192KB

    MD5

    276b209458d7efd2c128477c46d995e3

    SHA1

    01e3e4b8d9b09be647d574477fc4ecb040bc1fbf

    SHA256

    6da172ca1488d76d004ad83787cc45c63a12de869da705e3de88e48119dcfd68

    SHA512

    82c3445a6e12b6080e663b09d0396d7503eac81f6478fb06fa3a32fcae8f173162639066f4c584dc6e0899ead015efa77848096fb7187216b8852226fafe56e0

  • C:\Windows\{6ECE237C-BAC6-4855-AC8D-F491AB916532}.exe

    Filesize

    192KB

    MD5

    8eb43d6127154436868518c46e3b6e6d

    SHA1

    8316c0c074a484738bff601e4c25a3cee08c2385

    SHA256

    7aa8aa960967fea989f57197e8f07514ed73e4b26e4a514f8d2594ca62b9516f

    SHA512

    01a12821bf5c740011741d2105d893dfe2c2cae4dd2404b5cdf88d0dab4283ec3db25d765e67809b11f2f410607043078669a4f29990c842d3badd4c30ee6b01

  • C:\Windows\{891DD161-D9AB-4aa2-9744-0E3C2C571AFD}.exe

    Filesize

    192KB

    MD5

    95e7f3d6f36afa523d9f468f8cdf456c

    SHA1

    fbbb42d2d876c73849c0972593c4e5da76aa293d

    SHA256

    2d9a90800e09e57dbc40115fed6453e4f26bbb5feb1fc8e2e6df433cf34d8bac

    SHA512

    03cdec1297b46d9ed59800e4e380b00a05d862664a063aba094643b7633249d8efe0ab5f6a64a182a895348a96f449a13b5f7ae3e8aad8a48fd24b914b13c3e4

  • C:\Windows\{8949ECBF-3A2F-4e50-AE49-F97706C9737D}.exe

    Filesize

    192KB

    MD5

    ba16fbe6801dd438e719502ea4e6b30a

    SHA1

    2b48be7c3eb728c76db4411f4f2179a902d27220

    SHA256

    d4bce763a3a10ae672e8e0f38250a99bd29e51cba4420eaa707d05d5dae3379c

    SHA512

    d15245b643473e90c77448f2c80dabda4b648fe2c0177cd6761baac1ca7667567d1c10cad1ba50fc709ab254b385b43ea923167c28a0dbef91f99c48d73949b7

  • C:\Windows\{C12EDE40-3B01-4443-A97B-531EA02F1054}.exe

    Filesize

    192KB

    MD5

    71df9429be3af50b36d8faaadc861a9e

    SHA1

    8372edef3da41c1af07d45e0921514226d45850a

    SHA256

    3316a8d56abe1c66a6ebfbe2abbcf486106d63b34e249f01c7950d6550a5bef2

    SHA512

    2736bb65e1af9070320807b10764f845af93b0b2277df51fb090e0c7fd58605f6024b3bc5ec63b194ff6ce65d019ff1c0db2aae9dcc550aa9f9dddb0be3479e3

  • C:\Windows\{C7A1AC6E-FDA2-4a91-9DD6-1912048F1F66}.exe

    Filesize

    192KB

    MD5

    5655c4e90fbe8dfad955b3cd515053e2

    SHA1

    925cc1396b50deee5bb53cdc1e65d09a62354cf3

    SHA256

    250c6a46f13bc3379e42e62868c6eccb7c85225406e2f523f948c66fa571c11e

    SHA512

    dcdfe8838c0f01ac023d45f9fce42389d4ea95a22d3df8ce424e0f0666794a4d2c27ae8ef73f496ae10df30bc52d65fcae824299bbf2a5e5931fb60d87cbd99d

  • C:\Windows\{D0206425-6026-4393-B18E-7BBE43F855BC}.exe

    Filesize

    192KB

    MD5

    54ff7dc7e91e368e115cd360c451d197

    SHA1

    6caccc123fe67010f18e51e4528b5464664a5df9

    SHA256

    ba380abade1e55014ee39fe05d67812f692dc05c14faf57f94c372e1b999e5e0

    SHA512

    5214bc7975de7e0be62e94803170e3a3bba904e7950a7c5e56ba14b97a26e7f4db2d46f57ac5b2321bd820e0492904e1c768821e40cc30f234b6dee3cff505a0

  • C:\Windows\{F424F712-CA9C-4628-9AC4-69E44230C15E}.exe

    Filesize

    192KB

    MD5

    03341908699d233674ea7aa479bbee67

    SHA1

    08b745bb04e814c792145ed0a18e04fb47d5c2cc

    SHA256

    dc9748f2f93ddb96f8b7039a7e960d0f894847613a79bc7404da3bf78ee64466

    SHA512

    bdb3304135c3788dfb6bd1ec93fabdb65ebf43311f8a7881d02c0b7f6d01ab0fe38ab691b0a673fbae40b84fa00212b34be34906ae3cbf0ab8402d82b46e3f61