Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/09/2024, 06:52

General

  • Target

    2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe

  • Size

    204KB

  • MD5

    91418c6b9ad4bad03cf42bb6051fcce4

  • SHA1

    580d721bfceae66170eb0ee77d979e1e9b02fdac

  • SHA256

    2f4a1c577c116c13831e447e8fffe55952268af411c90e8bbfc3120c142eb534

  • SHA512

    f95eed6ecdb2e04347cabd0b3597af203f2b023854bb4fc19f23d03a53711ae92fa7031ff26922300a21d51f03e1e856329deca26460a4c5293613721caafb86

  • SSDEEP

    1536:1EGh0opEl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe
      C:\Windows\{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\{64799445-15ED-4eef-A403-9DB6C4C10223}.exe
        C:\Windows\{64799445-15ED-4eef-A403-9DB6C4C10223}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe
          C:\Windows\{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3044
          • C:\Windows\{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe
            C:\Windows\{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2936
            • C:\Windows\{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe
              C:\Windows\{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2628
              • C:\Windows\{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe
                C:\Windows\{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2784
                • C:\Windows\{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe
                  C:\Windows\{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:588
                  • C:\Windows\{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe
                    C:\Windows\{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2008
                    • C:\Windows\{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe
                      C:\Windows\{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2500
                      • C:\Windows\{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe
                        C:\Windows\{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3016
                        • C:\Windows\{C909F091-FE04-4f08-AA37-9F47E3F26A8C}.exe
                          C:\Windows\{C909F091-FE04-4f08-AA37-9F47E3F26A8C}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:872
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{750E9~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1600
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBFB6~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1244
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{583EF~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:404
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{24BC0~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1264
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D0974~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:692
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0E0CF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1864
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{EA868~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2792
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F4176~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{64799~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDE6A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0E0CF8AA-D20D-4919-99E6-615AD9781BAA}.exe

    Filesize

    204KB

    MD5

    af9ca5d302360d4dd6a65a7f89e4e07f

    SHA1

    5b7d3166b3e7eb1c3d5e37e3fb4dfed03c9b89dc

    SHA256

    dd376c90e40a8160b34d24633e4307988beafa3ba1ba8317b88ae4f957de6deb

    SHA512

    700b767a04f35fa4a08e42ea5eacabf958b55aa8ca4d251785bd598f60a01b57d88f8d46bec230636a570b59ae087214ccbeb4323b506892b85c646e818ce510

  • C:\Windows\{24BC031C-A7BB-4c13-B0BD-7A0B3D4FB188}.exe

    Filesize

    204KB

    MD5

    c20f795eb8ec72bc6e838f8406438930

    SHA1

    c54c8d4c255391fd53b1e486f85ea7f914424d1e

    SHA256

    efb1d093465bdb6c482ce424d9b7a4a9add23fa0b1d207b90b809c9ae05d469a

    SHA512

    793921e5958757a154ceba3431e787dd7abc62cd2334a01379394a195f0b249a30d1bd644142a70795cf639b4c9d4cb13cb646370da358797d5dc65efae9dab0

  • C:\Windows\{583EF1AD-D1CC-4e6d-92C5-A9261EAA47DB}.exe

    Filesize

    204KB

    MD5

    ae606f99b165084dece750019380952b

    SHA1

    5a4dd7d8c736ef5d9f766199facc8c4537194f94

    SHA256

    097988bebe75067c4b42fa184439075836b9d18e78bd5e34830e9aed12b44993

    SHA512

    0a073485c44b89066d8282912e9516aa55eb4a626834c3cf3fd23bfd5508dd8e1231086fb02102b730284686767504bb619edd43ce1f3d4cb925ac7d6ef57446

  • C:\Windows\{64799445-15ED-4eef-A403-9DB6C4C10223}.exe

    Filesize

    204KB

    MD5

    869ce33ff717c619dfc339846f8d366e

    SHA1

    2fd904fd44e3f256c0a19d5ff69ccb23c341edb1

    SHA256

    1b252ce001f9b6720f19e622fa74d6aa5d29fff28ce94fbfb494e1c1643a05c4

    SHA512

    4e59d1a06ec117f182eb834b6b743811a37a506a2cb957c332005530a7fd6edcd69a3e026b06083604827987b5a68c35c4d422561cfaba554ee361ed0839c46d

  • C:\Windows\{750E9E00-AAD9-47d4-8A24-FF1615F56EF0}.exe

    Filesize

    204KB

    MD5

    6a81b73bd0f5171e81d1c3e5d3f63523

    SHA1

    52c7552d45dcb70760ac988e5fe9d8bd5771842f

    SHA256

    0ec86cb641645bdb610fcf9779d066d0691a456521f273824711a910a0727c7d

    SHA512

    9c9244667c64fae509085690d0ac5b7e171de94e7482cd33357207c7cffff9c66fb89faa79dff7c607ee74c9e714c0040fcf6ef3750bbaf9a420f0e33d734e5e

  • C:\Windows\{C909F091-FE04-4f08-AA37-9F47E3F26A8C}.exe

    Filesize

    204KB

    MD5

    14e2b63eced63cf12eb103bcd47e63d1

    SHA1

    0b4dbd7c0b1cc196d5acbb50da74706634d31a5f

    SHA256

    79a8c872709d8f2212196a7c842a6e3cc688acaeca4bb6a3c1b4afeec895a685

    SHA512

    df30fdd446f7e711cdced7a5288027d1b248e173490e9cfa14ecb0965defea5e44bbf6a1079661e5e4778fb4f1f3274934fccea21111d0013a88b7f0d4af1560

  • C:\Windows\{D0974F54-5934-4100-8636-E7C46ABA52F7}.exe

    Filesize

    204KB

    MD5

    9ed19eb73b1ec687bce4484443267eed

    SHA1

    6e5229c02744d6f04569bd2d43c025b90d4b2ca9

    SHA256

    32439f80f840defa19770e8fa5e14ab9bb51a453e62d8daddbd290be18ed62cd

    SHA512

    fe6b8dd941455e35e239d2cbdf4eab8f8f664485ce2131c68413f4f3e4961d22bef325f37838fb35e292ef18434577f6ae720cfa72e4410b5275a1a37dacbcc6

  • C:\Windows\{DDE6ADFC-D695-4e46-987B-2913387AC9B9}.exe

    Filesize

    204KB

    MD5

    50eb43976ef97decdcdb45701914b284

    SHA1

    48c187525c4a46ac4b46f35511bd331cddae5908

    SHA256

    206afa47f42c428d63c4cf2162eedd4e83f51ebc9d93b9cd0e5e81009f4e7883

    SHA512

    889033e0e36aa2931c1f0829132ef9e909db16587b0d8caa44711bf8f18c5ab33ac824098dd9ce04530a419c5389e2759e8cb2ef221cf15119f67e8b0edec6d0

  • C:\Windows\{EA868D46-06EB-46b8-A33D-AEC3939D3FE1}.exe

    Filesize

    204KB

    MD5

    25a119b3dbfd67487da94a8ad5d3de05

    SHA1

    1d409a1224afeb8274e2ae045caaeb260051f8f9

    SHA256

    9699827ffeb31f5eb0b1ecd02fa081466d8cf459f53ab7d9bdfc49e8d37539a5

    SHA512

    1b2618e32ee6ca2226a151585918855373a3a08e6b161a0079966b6875976c2978daeaf7959b6e7cc9ca8b26e9080896c71c13709233a7a5c270f4b5529bd3ae

  • C:\Windows\{F4176CFF-2CBC-43c5-B215-D9171B9C8EC3}.exe

    Filesize

    204KB

    MD5

    2cc392738dc9d37031f146716cf464cb

    SHA1

    8488603b80cdd4212db4896964987c2d17a3bdd2

    SHA256

    c3efa4ced73394cc7d1d57dcb918e60b76cae93ef01c976f5e116be429d26fe7

    SHA512

    cfcfd85f57c548a5604b375e2995457643e9302e54a78e16d9e2f4aeb2f866f09f08cf620ba94e0bc1ad461c4519714fd08bc7d7b8646526fd3b1b187cbad044

  • C:\Windows\{FBFB6A3C-EAF1-42ff-8BA4-FE63DB4ADD70}.exe

    Filesize

    204KB

    MD5

    40ef900290845c65296ee4f6e1ed7588

    SHA1

    431561af02cc383a30f8f6dc8b5e14f8b583cde0

    SHA256

    7b4b2bfb2a09670807cbcc3cc5d6611428c9a11478ac1df2a3ced14560766f0f

    SHA512

    cbb7f5de46e11cffaa1128f3d700b4c526d8a72ad8841c8bec0dc73578528ba81711f73f50e8d09ad467f9d9b57186dfc6cb55775eb61c0c426b018fa275f983