Analysis

  • max time kernel
    149s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 16:46

General

  • Target

    2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe

  • Size

    344KB

  • MD5

    1b8e72116f8b31fd62aa3fdaf659dd2e

  • SHA1

    eb2cc04ba9b56124ac79ba2a2576b1445d76d622

  • SHA256

    fc89de18632cda35e8ba70a93a19ea3fb04fb734169bc704371e5dcc8c55d057

  • SHA512

    d5d80d887812d4f59ece1336bfe82d0d6817c514bb2b7ec55b11f7e0275980c9f74a92d2fe1ad6b221f3f838ab8cab3c2d2e9292de51e00cbdd741b31a0b921c

  • SSDEEP

    3072:mEGh0oDlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGZlqOe2MUVg3v2IneKcAEcA

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\{23758275-B929-467a-AA17-EFFE1670294E}.exe
      C:\Windows\{23758275-B929-467a-AA17-EFFE1670294E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe
        C:\Windows\{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Windows\{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe
          C:\Windows\{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2268
          • C:\Windows\{9051738F-026F-4c68-B308-0433E7E48478}.exe
            C:\Windows\{9051738F-026F-4c68-B308-0433E7E48478}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3192
            • C:\Windows\{92077B88-BD0A-4121-B47F-437E7E753A35}.exe
              C:\Windows\{92077B88-BD0A-4121-B47F-437E7E753A35}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3944
              • C:\Windows\{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe
                C:\Windows\{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4856
                • C:\Windows\{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe
                  C:\Windows\{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3144
                  • C:\Windows\{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe
                    C:\Windows\{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4120
                    • C:\Windows\{14C90249-76D1-4141-B915-87D7769FF9CD}.exe
                      C:\Windows\{14C90249-76D1-4141-B915-87D7769FF9CD}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1812
                      • C:\Windows\{81A83906-D198-4859-8E81-6073C8D1D386}.exe
                        C:\Windows\{81A83906-D198-4859-8E81-6073C8D1D386}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3064
                        • C:\Windows\{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe
                          C:\Windows\{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3288
                          • C:\Windows\{3A133D45-1179-41ac-B9A4-A9B420BBD51A}.exe
                            C:\Windows\{3A133D45-1179-41ac-B9A4-A9B420BBD51A}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4108
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C4EBD~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2456
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{81A83~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4068
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{14C90~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2676
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9027~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2936
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{797AE~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3404
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{052C0~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2960
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{92077~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{90517~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2780
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{FB38F~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2384
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{49DB4~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1160
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23758~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4432
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3020

Downloads

  • C:\Windows\{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe

    Filesize

    344KB

    MD5

    46d4ba440b676ff565cf1b5e2d83a56d

    SHA1

    8a6185a6d61d675993e5d41ea17c73f394d04347

    SHA256

    a17746d356b47f6b6fc71e08d663437299d3c60584a16bd5cd7897fef5c24776

    SHA512

    390210e0f0688c078947aca64edba377712606f57f4e3d19b43ea576a4b113a0a7211d9953e447041f506d66ec45d671e806b6ec81ddb81936c585fec7ebbf99

  • C:\Windows\{14C90249-76D1-4141-B915-87D7769FF9CD}.exe

    Filesize

    344KB

    MD5

    f3cbe638a5a9dffb57e7f1d6f4f0a0d7

    SHA1

    3e9898d23a366131b094a931c28145f2f4be4a4b

    SHA256

    33cf63d0f0c594f2659cb61ff0a98c8ffd21ef421bc6836baeb852b3246a7c3b

    SHA512

    b698445b020f7dc89d442d13d2905a0f658a969ddae6017851f7384b12615d94aec3b67e0cd5125618affd26fadc147027bd1edeac2734121087e00bcccc0247

  • C:\Windows\{23758275-B929-467a-AA17-EFFE1670294E}.exe

    Filesize

    344KB

    MD5

    8711d47869837a8bad45ae72ec24433e

    SHA1

    74cec228e48a466a202b4da7b64b0b56079f1327

    SHA256

    d1546a6995f58975cdbfdfd2d7b3a2c4c8da5633ce0ea9bb289cbca3601d43d6

    SHA512

    bff7134b3881070ad2e73d56a3660eb2332b00156f8ab6c4092eab18d071ef6fe8d02f1f88d41b5af5bc0a6d77568216968c28a3f6b2c057f4554f806bf7edd1

  • C:\Windows\{3A133D45-1179-41ac-B9A4-A9B420BBD51A}.exe

    Filesize

    344KB

    MD5

    f9e48cebb38e0dff942995e621030ea1

    SHA1

    e4e77a51db0384a3fcfbb99bc50319c99a4290c9

    SHA256

    9be2f61e3637cd7aabfcac354ba8e18ab71bd9a47d358819996d73b45a2bcb36

    SHA512

    b8dc710f749203605b0ef6be57a5a3cd1b8b6d643c597aa8eb6bcbc5fdda1c5b128ab10ca7239bfd035553d1d1e7692f9707919978f71c4a86f42d83f80c911d

  • C:\Windows\{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe

    Filesize

    344KB

    MD5

    101a24bcb50af09274e543e8d1676a47

    SHA1

    909e92aa7c57ed97fa254cbd35a1d1f3e075d70f

    SHA256

    5a2f10e0d2702ec412602134c4e5024acd04aee55c56fdff343ca6024e4f3f52

    SHA512

    e0483a13dd8639e8bee86df8c93414031193478c2c47e9023d4c8be373fb4f4e9278060631798a58476a8680e58cdc4e669d2e1a2508c99fe1cb0eb69f1fd114

  • C:\Windows\{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe

    Filesize

    344KB

    MD5

    df94e6e90207bc62d04f8dae1039218d

    SHA1

    6f0e1305ce7c5739c3e56e85df5ca4a35d6eeba2

    SHA256

    76c08a6fa3aa67d338f139d8b4058d169fc53e21bffe78771c89807b3833179e

    SHA512

    a82f889d030d75cfbb59a385808a0037803ba1a112ea005c01ae4d6f5e941fc6e5dfeb1048270c428a8f837f0413bc5a968d5973be60e794143b93bfc0c8c9e9

  • C:\Windows\{81A83906-D198-4859-8E81-6073C8D1D386}.exe

    Filesize

    344KB

    MD5

    91ecbcf5222c05980e8287ead3666fda

    SHA1

    1aa2c2b47f21cbb2f4ff893012ca675e0ddc5dbd

    SHA256

    6bc1d26c051846bff89802f66e040a30a838c1fe05f20b5f33bad12e0533d387

    SHA512

    e4fbb1723b0acd906d4a4abae07c3f3acff63b7ceff2ec3cb3c4363ffe936a161c8774bb824bbc6f3e155327f2dcf9c5b25b0a4c6c7ef7de014818513f5196c8

  • C:\Windows\{9051738F-026F-4c68-B308-0433E7E48478}.exe

    Filesize

    344KB

    MD5

    77ce5b42a31ab4a072d3029c77071b5e

    SHA1

    500ac3c11b462b4d2f41327c40014bda65b2fde1

    SHA256

    ac9db809ed7c31eae414d67db9ec3b5df384e49a544585fc7edf1f62b168fd12

    SHA512

    b28756e203f0b448fb9c48a96887bce04cc9b982acc9ecf6a07b66ef4fce8cda09ce6dbe18c55056d5215dd5bc08c6fb049d9efc53feeadf54d4d0ff7ec0d15b

  • C:\Windows\{92077B88-BD0A-4121-B47F-437E7E753A35}.exe

    Filesize

    344KB

    MD5

    61377d5ab0beac45d9dcea21c520fd41

    SHA1

    1fef8877d39b2a04ba5413e35a82d5024e35f0db

    SHA256

    e588059f590ab3bfd762cfb951e9b5dcb55b745b2dc114b34a3013f684a0b3d3

    SHA512

    c21af2c81e6aa24615ef13e880abaf8f1b95f70457318a45428e824ec616ca3521d89a22c01fde596f1f50b5376ea1797228af2c0b07f7aae1ec18815d426c7a

  • C:\Windows\{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe

    Filesize

    344KB

    MD5

    20310c1fcd0a286757485f2ceb7525ab

    SHA1

    ef5f03f6fc11191b93e9f9625f806bf37a94a123

    SHA256

    5a901839e1181dd05d7300cd5b1f5b93cbd16ff710ac76ae3892d1119d793595

    SHA512

    978537eba88d19fbb9f3ba0535764d05b8b66cd6bdaeb1924e1f36351e76e2ed340b88afae8e6805c09c1c677c7f2c50cdadf6ac6ca98fac3f90af1578c32a46

  • C:\Windows\{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe

    Filesize

    344KB

    MD5

    4c2f2a34bf98988405551c5adeb23c95

    SHA1

    6120e09577cda135adde387bb92a95410a7aa733

    SHA256

    70389410996913d291d84d86cfaa12ff0797e30251e18eb90e05f17d7c7d72c5

    SHA512

    e234ef2be97b52639e9bfa4338dfeb91bcfd538755d77cff235cfdfbba79cb58726c8336172359187e7e951e1d15f4e80fead5a50a4a2975b69656b9cbcaebc4

  • C:\Windows\{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe

    Filesize

    344KB

    MD5

    4baa2d259eb346e9467e9eec76c75a94

    SHA1

    e26d2ba92f1df9f65dc14c22d0f5396a642858e9

    SHA256

    56b3b75ab0e3d8bd4b911692b9048834effe9ca75ec65e1273cf7918aed02c43

    SHA512

    5f8196ddc92792a4af709abbb2d9a4d28d63fa4a07cd3e43435030f48f374067af9f36b3af8a8a27b3579a877d693e866f93849f3c141b47bc403ee0963cfcbe