Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/09/2024, 09:24

General

  • Target

    2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe

  • Size

    197KB

  • MD5

    e14a2135f733866986d32067555d385d

  • SHA1

    bb6adda52ba3824dd5a94fc4e58327c5a10cc187

  • SHA256

    cb58ad2c3ea77e4cc76aa026c0f9ef2b4999d445b5f07ddf722dde04e3db8c3e

  • SHA512

    f5cb106b2a654e9b1815cb58736f3dd9f7568b6c4c0c3f630d5f2228e6d434df4df24b52eb708fef51d65353cdabb40b5a7fbefd67203ec641a27a85dd4b89f6

  • SSDEEP

    3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGPlEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Windows\{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe
      C:\Windows\{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe
        C:\Windows\{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Windows\{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe
          C:\Windows\{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Windows\{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe
            C:\Windows\{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4432
            • C:\Windows\{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe
              C:\Windows\{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2812
              • C:\Windows\{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe
                C:\Windows\{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1336
                • C:\Windows\{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe
                  C:\Windows\{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:436
                  • C:\Windows\{80CED549-F805-46e5-B673-F2B006BA26D9}.exe
                    C:\Windows\{80CED549-F805-46e5-B673-F2B006BA26D9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2648
                    • C:\Windows\{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe
                      C:\Windows\{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3012
                      • C:\Windows\{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe
                        C:\Windows\{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4532
                        • C:\Windows\{607E8203-0749-4c10-B833-69068B7E5D99}.exe
                          C:\Windows\{607E8203-0749-4c10-B833-69068B7E5D99}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3976
                          • C:\Windows\{877B6295-372A-4057-A15A-9BFECF8E928B}.exe
                            C:\Windows\{877B6295-372A-4057-A15A-9BFECF8E928B}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1928
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{607E8~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3800
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{74305~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3272
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9FCB~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3808
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{80CED~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4100
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{26802~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2976
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{BE9BE~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1760
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D79C5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2628
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8271A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3600
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F02~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C4A13~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{716A0~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe

    Filesize

    197KB

    MD5

    87f725f698d0bfad2c8ca78f63d26e29

    SHA1

    b55bb688a8ef51b0050ce457f809a98920e0d805

    SHA256

    dd0d5284bc40566e56b8d767ec8b5fdf8da24466b610c77e12721a6aad40519d

    SHA512

    4a6d6f019744f680fb36ef48e8bf6d14d6e7da513181b7443f6b42e1827dc717f8ea7be94f32d01d2b4740f4bef07afe4273b1da2ead18bb745d161363ac1142

  • C:\Windows\{607E8203-0749-4c10-B833-69068B7E5D99}.exe

    Filesize

    197KB

    MD5

    e4f3cade7d17a3d5982906085e3d9fe5

    SHA1

    84a3b7b5dde1cc721b5961ca1d14abd84f25fe26

    SHA256

    f394ec2bd44bb25229ea5687725b89d108064a30e8a8f499ca62903ce05b67ce

    SHA512

    f860b27c01260460d56985c28ce293a2e67ad498d78d853c4c713ab42469b203f369cb3e9594965d6816b7c3809717308c736d82c4f8c1fc5ee88bdea08b6fd9

  • C:\Windows\{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe

    Filesize

    197KB

    MD5

    63a4869e95ceef05f045d58887534539

    SHA1

    e847a25e28a865fadc778ab0834eb782ab8f6c6b

    SHA256

    5b4dad873f29a694599bc415d0b2f7c679068d4373bf9795ddc14a388687ab22

    SHA512

    ce290b9289200b534a30ea9191b859fe5549f65e178431bd8a767720fed96ef5b2a0c2e00722ea02b958cf7f0447967b187ea7016f26314b980018df52141ae3

  • C:\Windows\{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe

    Filesize

    197KB

    MD5

    c7b3c35900dc39d313e20477950820a2

    SHA1

    908cc8fed966cda511dd750fe8543a1a00f78796

    SHA256

    66417a1635dbd5a0832d9aba333c036b692f89514c789aa798acea5d1bc0df90

    SHA512

    991844a8f7f3a8982bb789a626a000496b6d0beffba10d8ab9f3f370806681c16c16b32caf2f1ea0825c8c906331fcc02c3ff71dd09d5f3a9e012077e979b010

  • C:\Windows\{80CED549-F805-46e5-B673-F2B006BA26D9}.exe

    Filesize

    197KB

    MD5

    80c8a51648b2007d62dc001562c8a3f6

    SHA1

    377ae13c10462314635d3d7d645a5621ae17c79b

    SHA256

    7d4f1fc55758c234ad3ba5cf1361f17390d0da5de4114a0ea4a314e80924a65d

    SHA512

    ff3171eb69492c797539a946dff0fc42daf89dd2edc0614ab5e12576980e211f4910ebd77e94e6fc0fdfdd2e876e5642f18924ad64ff5efccafb1df13de02f94

  • C:\Windows\{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe

    Filesize

    197KB

    MD5

    54311e396b8e891de8d787fce9c3048a

    SHA1

    c0594222464eb5e05bcd6522bed6dbefb311b012

    SHA256

    0ae6d59dc87bbfc1db81e0d936b2bfcfc7c08422b707ed06a2053ec41fec46cd

    SHA512

    1422da8e8f2d72de2623bf21a6b6e5ccbbd609af850bcb4cc5555a37c7ddccbd89c4bb2264c47dba0b4bb994eea2aa09c6a348a836b0e6c148b3b6585ee0fad2

  • C:\Windows\{877B6295-372A-4057-A15A-9BFECF8E928B}.exe

    Filesize

    197KB

    MD5

    a9a5989ba47d369c53058a36e1056ccb

    SHA1

    07b2b770040b0e7d8dee981086069fdb19923246

    SHA256

    29de3cfe7057f119b012d8310f6051e5b1f5c7825623b5142beebe33e70da7c7

    SHA512

    3c6a9eee59256a678df5ca6a600bc30b260d478e64c811cad04186073318ca9ced2c2b94604b22201bc4fe2de27ea7074db43f839cabf1f30bfd472abef43a99

  • C:\Windows\{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe

    Filesize

    197KB

    MD5

    c002c50979bb1c95ff6e874a1e4ecad5

    SHA1

    9c60203dc1262a8daef0eb84f0072d86263694dd

    SHA256

    293c3f782a43960668bdde727ef20228eec8da65f6c6ffbf059f882c812738c6

    SHA512

    e9eff7b2f77ee86bb29fd4d24f456a219bdfeb166eab2456c87877eadf33fe44e7e570ee442881dd3e429864016a2d7844690847ab6a3aa5ae46277dea2f2ff0

  • C:\Windows\{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe

    Filesize

    197KB

    MD5

    36191e24a8d498376fb40db8b790b3f7

    SHA1

    d5071b9f5cf057e6b9876adcbd9c4edd88e7b5cc

    SHA256

    68285091d9b14c4e4b86a2a0831e4d99d6cc9db082214332d48607abf325ef94

    SHA512

    be6f39defa864f132d9a9bb7826a0cffec669ae35717c335a39a79fe7c3446ba73bc36a37fb4118f62f2233f631817c2714ce0cd8ef853dd2743b35098aa9dd1

  • C:\Windows\{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe

    Filesize

    197KB

    MD5

    0bc989a0588c51fe354722c2a729d37d

    SHA1

    69c9af30590f5f53c2cd440ba997484f8dbbdc54

    SHA256

    3f635096c8c60cf786e030c5d20ca16ff2c32ed5235ddbefc40678bf6f0ee68f

    SHA512

    0d0bb8b2f2f45a80f3382f003a9f7f0d73aba4ad34e465eea6ecdbe370fd16f00d8cc989f7426886eb9896288aeb282120a2f0a1bba25f572d66f2fbe63a0051

  • C:\Windows\{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe

    Filesize

    197KB

    MD5

    4e1a1c74fb99d10e8270bf6d998c3ab7

    SHA1

    bb1087c17bde83c2e78f636feef36d1d09116ded

    SHA256

    0d1bd36c85f8c11bf87a25a8a98e67e166ab0ca085d18b18588b004c182bf124

    SHA512

    7eca9075adcc7b2d038edf493d7bfffcb1842acc0cc0fdbae232cea6d0c444536e7edb93702d80ff7710ced9b7a9897e0365d3b80698cb1a2150ed1cb3693329

  • C:\Windows\{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe

    Filesize

    197KB

    MD5

    ef0e231b2a0abd7012e474bb9ef7c94b

    SHA1

    f9fb901ff7ee6faab871f96edf9d0ea61ab3254a

    SHA256

    94ca65b23601b3dfd9c4ea2dc08c19ee00978e42c055cb8722118dc6a37fcc5a

    SHA512

    97f0b712129a92cf8fcdf49f5fd89396076a9f90a194a5ee4bd2d9c61c8de7d67b15f7b23d41f055856b5576f9ea892fb19274beadca8046f9d97cdfbbd8708b