Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 08:52

General

  • Target

    2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe

  • Size

    168KB

  • MD5

    76a54df5d37821938d15f40306de56ab

  • SHA1

    19ad559a2a12ec1e21abc9d2529d42d18312f277

  • SHA256

    685cfcd1f3ac9cf56c8e3b0e4d895c6d68313d9e7ed3f86c5c0a054f33173b2c

  • SHA512

    a41fe8779936c789e1849ce0fb47868a26fdf37fc7b9cfc638a969a4361cd22b6e3d6f9a72c76ef32c5385bfe446eaf264af3567ffa646991a6eb2301d2ff1d8

  • SSDEEP

    1536:1EGh0oTlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oTlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
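
The Active Setup signature above refers to the HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components location (ATT&CK T1547.014): Windows runs each subkey's StubPath once per user at logon while IsInstalled is 1 (or absent) and HKCU has no copy of the key with an equal or higher Version. The report gives the hit count but not the keys the sample wrote. The following is an added example, not code from tria.ge or from the sample, that triages Active Setup entries by where their StubPath points; SAMPLE_ENTRIES is constructed to mirror the GUID-named executables this sample drops into C:\Windows, and its key names are assumptions. load_from_registry() reads a live Windows host and is not exercised here.

```python
"""Hunt for Active Setup persistence (ATT&CK T1547.014).

Added example, not part of the tria.ge report. SAMPLE_ENTRIES is constructed
to mirror the sample's dropped GUID-named executables; the key names are
placeholders, since the report does not list the keys actually written.
"""
import re

ACTIVE_SETUP_SUBKEY = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
# StubPath pointing at a GUID-named executable directly in C:\Windows,
# the layout this sample uses for every stage it drops.
GUID_EXE_IN_WINROOT = re.compile(r"^[a-z]:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.I)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


def stub_executable(stub_path: str) -> str:
    """The program a StubPath launches: its first token, quoted or bare."""
    s = stub_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def classify(entry: dict) -> str:
    """'disabled', 'guid-exe-in-windows-root', 'user-writable-dir', 'ok' or 'review'."""
    if entry.get("IsInstalled", 1) == 0:
        return "disabled"            # StubPath is ignored when IsInstalled is 0
    exe = stub_executable(entry.get("StubPath", "")).lower()
    if not exe:
        return "disabled"            # no StubPath, nothing to run
    if GUID_EXE_IN_WINROOT.match(exe):
        return "guid-exe-in-windows-root"
    if any(d in exe for d in USER_WRITABLE):
        return "user-writable-dir"
    if "\\" not in exe or exe.startswith(TRUSTED_DIRS):
        return "ok"                  # bare name resolved from the system PATH, or a trusted directory
    return "review"                  # anything else deserves a look


def find_suspicious(entries: list) -> list:
    """(key, verdict, StubPath) for every entry that is neither ok nor disabled."""
    out = []
    for e in entries:
        verdict = classify(e)
        if verdict not in ("ok", "disabled"):
            out.append((e["Key"], verdict, e.get("StubPath", "")))
    return out


def load_from_registry() -> list:
    """Read the live HKLM entries from the 64-bit and the Wow6432Node view (Windows only)."""
    import winreg  # standard library on Windows; raises ImportError elsewhere
    entries = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVE_SETUP_SUBKEY, 0,
                                  winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                name = winreg.EnumKey(root, i)
                entry = {"Key": name}
                with winreg.OpenKey(root, name, 0, winreg.KEY_READ | view) as sub:
                    for value in ("StubPath", "IsInstalled", "Version"):
                        try:
                            entry[value] = winreg.QueryValueEx(sub, value)[0]
                        except OSError:
                            pass
                entries.append(entry)
    return entries


SAMPLE_ENTRIES = [  # constructed; key names are placeholders, not values from the report
    {"Key": "{00000000-0000-0000-0000-0000000000A1}", "IsInstalled": 1,
     "StubPath": "C:\\Windows\\System32\\ie4uinit.exe -UserConfig"},
    {"Key": "{00000000-0000-0000-0000-0000000000A2}", "IsInstalled": 1,
     "StubPath": "regsvr32.exe /s /n /i:U shell32.dll"},
    {"Key": "{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}", "IsInstalled": 1,
     "StubPath": "C:\\Windows\\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe"},
    {"Key": "{00000000-0000-0000-0000-0000000000A3}", "IsInstalled": 1,
     "StubPath": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\updater.exe\" /quiet"},
    {"Key": "{00000000-0000-0000-0000-0000000000A4}", "IsInstalled": 0,
     "StubPath": "C:\\Windows\\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe"},
]

if __name__ == "__main__":
    for key, verdict, stub in find_suspicious(SAMPLE_ENTRIES):
        print(f"{verdict:26} {key}  ->  {stub}")
```

On a live host, replace SAMPLE_ENTRIES with load_from_registry(); checking both registry views matters because a 32-bit installer, like this x86 sample, lands its keys under Wow6432Node. Verdicts of "review" are for hand inspection, not for alerting on their own.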

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe
      C:\Windows\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Windows\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe
        C:\Windows\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3080
        • C:\Windows\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe
          C:\Windows\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2268
          • C:\Windows\{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe
            C:\Windows\{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1684
            • C:\Windows\{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe
              C:\Windows\{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:964
              • C:\Windows\{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe
                C:\Windows\{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1504
                • C:\Windows\{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe
                  C:\Windows\{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3592
                  • C:\Windows\{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe
                    C:\Windows\{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2340
                    • C:\Windows\{47631D40-AAF1-4da1-93B0-8F108840383A}.exe
                      C:\Windows\{47631D40-AAF1-4da1-93B0-8F108840383A}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:760
                      • C:\Windows\{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe
                        C:\Windows\{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:612
                        • C:\Windows\{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe
                          C:\Windows\{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:832
                          • C:\Windows\{716792A5-A0F9-44a5-A854-004553FCE0B6}.exe
                            C:\Windows\{716792A5-A0F9-44a5-A854-004553FCE0B6}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2352
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{82099~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2476
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FA315~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3888
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{47631~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3372
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{BA70A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:916
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C63F9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4380
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3B50F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4868
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{97D41~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2328
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1A0BB~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3500
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{68C91~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4932
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{1E4A3~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:932
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D7FD~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4760
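
Two things in the tree above are worth encoding as detection logic. First, every stage drops the next GUID-named executable into C:\Windows and runs it, twelve hops deep within the 149-second window, and every stage then spawns cmd.exe /c del against its own parent's image using the parent's 8.3 short name ({82099~1.EXE for {82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe). Second, each dropped stage is 168KB like the original but hashes differently (see Downloads), so file hashes do not carry across stages while the behaviour does. The cmd.exe image path reads SysWOW64 although the command line names system32: the sample is 32-bit (arch:x86 tag) and WoW64 file-system redirection maps the call. The following is an added example, not code from tria.ge or the sample, that finds the relay chain and the parent self-deletion in a process list; EVENTS is constructed from the first three hops of the report's tree, the Proc field names are an assumption rather than a tria.ge export format, and the root's parent PID, which the report does not give, is set to 0.

```python
"""Detect the drop-relay-and-self-delete pattern from the process tree above.

Added example, not part of the tria.ge report. EVENTS is constructed from the
PIDs, image paths and command lines in the Processes section (first three hops
only); the Proc field names are an assumption, and the root's parent PID is 0
because the report does not give it.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# A GUID-named executable sitting directly in the Windows directory.
GUID_IMAGE_RE = re.compile(r"^[a-z]:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.I)
# cmd.exe /c del <path> [> nul]
DEL_RE = re.compile(r'''/c\s+del\s+"?([^">]+?)"?\s*(?:>\s*nul)?\s*$''', re.I)
CMD = r"C:\Windows\SysWOW64\cmd.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [  # constructed from the report's process tree
    Proc(4092, 0, r"C:\Users\Admin\AppData\Local\Temp\2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe"'),
    Proc(4072, 4092, r"C:\Windows\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe",
         r"C:\Windows\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe"),
    Proc(3080, 4072, r"C:\Windows\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe",
         r"C:\Windows\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe"),
    Proc(2268, 3080, r"C:\Windows\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe",
         r"C:\Windows\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe"),
    Proc(932, 3080, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1E4A3~1.EXE > nul"),
    Proc(3972, 4072, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{7D7FD~1.EXE > nul"),
    Proc(4760, 4092, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def short_name_matches(candidate: str, long_name: str) -> bool:
    """True if candidate is long_name or its 8.3 alias, e.g. {82099~1.EXE for
    {82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe. Windows builds the alias from
    the first six characters of the stem (spaces and dots dropped), ~N, and a
    three-character extension."""
    cand, full = candidate.lower(), long_name.lower()
    if cand == full:
        return True
    if "~" not in cand:
        return False
    prefix, _, tail = cand.partition("~")
    cand_ext = tail.partition(".")[2]
    stem, _, ext = full.rpartition(".")
    stem = stem.replace(" ", "").replace(".", "")
    return bool(prefix) and stem.startswith(prefix) and ext[:3] == cand_ext[:3]


def self_delete_events(procs: list[Proc]) -> list[tuple[int, int, str]]:
    """(cmd pid, parent pid, parent image) for each cmd.exe that deletes its parent's image."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if basename(p.image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and short_name_matches(basename(m.group(1).strip()), basename(parent.image)):
            hits.append((p.pid, parent.pid, parent.image))
    return hits


def relay_chain(procs: list[Proc], root_pid: int) -> list[int]:
    """Follow the chain of GUID-named executables that each stage spawns, starting at root_pid."""
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    chain, cur, seen = [], root_pid, {root_pid}
    while True:
        nxt = [c for c in children[cur] if GUID_IMAGE_RE.match(c.image) and c.pid not in seen]
        if not nxt:
            return chain
        cur = nxt[0].pid
        seen.add(cur)
        chain.append(cur)


def summarize(procs: list[Proc], root_pid: int) -> dict:
    chain = relay_chain(procs, root_pid)
    deletes = self_delete_events(procs)
    return {
        "relay_hops": len(chain),
        "self_deletes": len(deletes),
        # two or more hops plus stages erasing their parents is the pattern worth alerting on
        "suspicious": len(chain) >= 2 and len(deletes) >= 2,
    }


if __name__ == "__main__":
    print(summarize(EVENTS, 4092))
```

Fed the full tree from the report, the chain would run twelve hops and the self-delete count would be twelve; on endpoint telemetry (Sysmon event ID 1 or equivalent) the same two functions apply once the records are mapped onto Proc. The short-name comparison is what makes the self-delete check robust: matching the del argument against the parent's full path fails on every line of this tree.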

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe

    Filesize

    168KB

    MD5

    0862bc8a0af012122002434940dbd794

    SHA1

    dba02ff7d2777cb23c66baac53a99ae973b3f298

    SHA256

    ddb0cce5fa03119eb27aebba1b67e963ca588d1027b0e5c068d7693053c9fb65

    SHA512

    aa1b51becd8f9db1560352baf692bf924b16f5ee0d36a586b3b45f56e90fbb192b40408cc50074a71baae1ca336e5510b4336c90366ab60fb01f9c5c9465fb32

  • C:\Windows\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe

    Filesize

    168KB

    MD5

    d005e83170469cc3d7433a39bcb737a9

    SHA1

    d56c8f9ca312534096e466ca846b624cab807ea1

    SHA256

    0d6a08ff8383c69f3c36c433829e191651b249c37284c2d744d39df9a0a7eabb

    SHA512

    8c5bc6b9c0693b79473a246e86d5d5e1113189a218d4987bf0891f2bd6ee7ce6c0db77ad3c5183a401b5146e84407d5f12ddb13f3b5cffaafd2ed1606b728fda

  • C:\Windows\{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe

    Filesize

    168KB

    MD5

    a58a4b4fe2fa9fbec0a336e2348dd4b0

    SHA1

    a40b80900b1c9d40f0fdbb2e6cd62c1bb2697c8a

    SHA256

    32049d8bf25abf3b42eea9cd6f4aec2d0586d9dea6e35a26b2eccd07f54ce1e6

    SHA512

    2d1cf475faab9b36c182b8c313bf3e51e84114e1ea86796daa3c33d2d4d7af7e235bf9ef419a5a25dbd0cf9c14dbe1df6c5e2c93cc2e43dc0e95a8af3241088d

  • C:\Windows\{47631D40-AAF1-4da1-93B0-8F108840383A}.exe

    Filesize

    168KB

    MD5

    2c9017469ac3f7b977f36a2c51d96c48

    SHA1

    3fd95d9b30c423ec0cf43d67dfe88bb2ac6abb5e

    SHA256

    41edf7c4d0e4e525a2ab3ed025b4972f02e5236493c066ced0fde8e2da1abcb1

    SHA512

    b67893b78bca56afc6942eb4c8b74ba9e5023209ed95dd121505fc47a61adc2126ebe6229f70fa51de405552461797e6608b87435dc6b4e0bff95fbaeeff82f0

  • C:\Windows\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe

    Filesize

    168KB

    MD5

    89a7ca1681c50ffa36b61f745dc559e4

    SHA1

    7c463eb5b7e76bd126a8970d064ff03759e84f87

    SHA256

    f76d3e756b0922b40dab4cb7be422d7b3715f98f8a4b603fdc53919a7974666c

    SHA512

    bfe30842e94f8ec99d31e58ff7442ff36631db13ecfc28ac949f116a29d0a05f057a1d99c72cbec6a016aa1611ed11307790c7578ac3b78b983242203a26fd31

  • C:\Windows\{716792A5-A0F9-44a5-A854-004553FCE0B6}.exe

    Filesize

    168KB

    MD5

    8a177541b36d01bb0ee18c2f5af7e541

    SHA1

    1d3f5b2a26f96c8dcb278120d5b36dd810f81490

    SHA256

    99b1c1a066b1412dfde824a05608324cc9cc2381e045cfccbe0d33f575a26d9b

    SHA512

    17daf684ed676d5791886058a605fea3d060aba9a2b3a8ba3336fd1af318c322fb061dab5f6f7f1a9649fb581f758ab5aac081efb55fe4ec6a5e587e2d10f381

  • C:\Windows\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe

    Filesize

    168KB

    MD5

    03ea24fe26140b630c015bc71d05cdd1

    SHA1

    a316a67a35bf20665973e0bb6a3361fec3599578

    SHA256

    db932fcd86501584a7decad624afd7d86471e5948baa89ff88ed18eb848fd44c

    SHA512

    9330ee7990598589b4105b9df57a1104ab3c331a0ba49ac0bccbcbb39ba8f5d8aecef551b4c5caba39cb6791193ecd3e29ce60d782822cca49afa451cfc84f84

  • C:\Windows\{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe

    Filesize

    168KB

    MD5

    bd39d085902b5d6a67dfd67fd637948e

    SHA1

    8a09051a8d63fbadf4be4b77ac240d6eebdb7273

    SHA256

    2cb354b084301e3d99d065a5817c7ad372f6e5d444c1e7af9e3a3221a294d097

    SHA512

    85b34725599776358848cfa30a6d67cb7307b70e58af2a128e34d2d1663a6277bfaee6fc1184b0082428a492efbc9ebfa72c636ebe9cad3e360d3a492f66f8c1

  • C:\Windows\{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe

    Filesize

    168KB

    MD5

    aa22d8e7034e438eef481d8da26732d6

    SHA1

    f3cd91c92644bbfebf38e20b648067e8d614e11c

    SHA256

    e59d1ef9f6a3bfd88773646eb04626b12fa3fe560cfc3dfbed36f94e4024e21f

    SHA512

    901facb83aa9eb1eec6a2695f53d2fcb3438274e7d174338f83dc25ea90df07664acc8d142a9969245bb4735793fad9e004bf51ccd2a70e9847236e9764cf3d0

  • C:\Windows\{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe

    Filesize

    168KB

    MD5

    cd82777601ca0cec65ac1efff5ba4f4c

    SHA1

    e796eef9fd285ff9f6020384356d31779d44d1d6

    SHA256

    65ff4bb73807b6254252e6e10df12581126550ddcf4317f100e2eed11328ede7

    SHA512

    0e43456615e63a5e222b3f7e479aec62b4ff5fd93a9c6d80b7a09726d622737017e64e177ac3883c579322a89a1dddc08a72a7c24f20692e33166c3a297f24ff

  • C:\Windows\{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe

    Filesize

    168KB

    MD5

    c741d3b5bbb5eadcc83d8290f8da81a9

    SHA1

    2d6a13b8ae1e55ba08f1013d49f58c89d682b831

    SHA256

    30e69e278f3d32c6fe6412764d2b99fb4da9e4cd8797a7304a5a944a9d1bad16

    SHA512

    92f55f7293c09e00da0262a278e2d7f18fb39d7e19c13d107733a79d610459a717b76d64f501cab666025fa340701716a6d49b6574ec70b0faf11725165b69a4

  • C:\Windows\{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe

    Filesize

    168KB

    MD5

    5d7a3e67e90a9f2e5efd7b37ce2f61d0

    SHA1

    4dfb2668d68caeb6aa59ad85e461ac096d8c7c7d

    SHA256

    846144dd75097d874f76108e259d8d21258351ba34348a5d87a9af4c3e67aae1

    SHA512

    90cc8ac7a4b48bc702a9e4c1751da53babb1469cc9fa3586934bbff84bf4dd3bf4ad52371cb8a4d7d4c99ecbb18ec096e5ca972f2a2fa74569fdae0348d1bad3