Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/09/2024, 19:06

General

  • Target

    2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe

  • Size

    204KB

  • MD5

    1022046ed5dff4ed2f15b0f13804f63d

  • SHA1

    b3504a96d458b8f57ec12f6893fbaf3f33b73f8f

  • SHA256

    2f136092964b38e946501e0bceae2afd914939119aac3df83a7d5e0dafc4cc15

  • SHA512

    edd70644759952aa604981a1e6a2949f53a7016499ada6a979079454810ea8d11015f35429d3a210ce33c5eead7b3edcf5fb44163c073d5824653b94df6dbb1d

  • SSDEEP

    1536:1EGh0oPvl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oPvl1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key under Active Setup on the local machine (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}); the key's StubPath value is executed at the next user logon.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
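
The Active Setup signature above is the one behaviour in this report that survives a reboot, so it is the first thing to check on a host that ran this sample. The following script is an added example, not part of the Triage report or of the sample: it enumerates both the native and the WOW6432Node `Installed Components` keys (the sample is 32-bit, as the SysWOW64 cmd.exe in the process tree shows) and flags any StubPath that launches a bare `{GUID}.exe` from the Windows directory, the naming every stage in this report uses. The report does not show the registry value the sample wrote, so the suspicious entry in the constructed sample data is an assumption modelled on the dropped file names; the other entries are constructed to look like stock Windows ones. The function names (`read_active_setup`, `classify`, `triage`) are my own.

```python
import re

try:
    import winreg  # Windows only; absent on a non-Windows host running the offline demo
except ImportError:
    winreg = None

# Both registry views: a 32-bit dropper on 64-bit Windows writes under WOW6432Node.
# Run from a 64-bit Python so the first path is not silently redirected.
ACTIVE_SETUP_SUBKEYS = (
    r"SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
)

# A bare {GUID}.exe directly under the Windows directory, as used by every stage of this sample.
GUID_EXE_IN_WINDOWS = re.compile(
    r'^"?(?:%SystemRoot%|[a-z]:\\windows)\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe"?(?:\s|$)',
    re.IGNORECASE,
)

# Directories a legitimate StubPath is normally launched from (lower-case, for prefix matching).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "%systemroot%\\system32\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


def read_active_setup():
    """Read live Active Setup entries as dicts (key, StubPath, Version). Empty list off Windows."""
    entries = []
    if winreg is None:
        return entries
    for sub in ACTIVE_SETUP_SUBKEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:  # no more subkeys
                    break
                index += 1
                entry = {"key": "HKLM\\" + sub + "\\" + name, "StubPath": "", "Version": ""}
                with winreg.OpenKey(root, name) as k:
                    for value in ("StubPath", "Version"):
                        try:
                            entry[value], _ = winreg.QueryValueEx(k, value)
                        except OSError:  # value not present on this component
                            pass
                entries.append(entry)
    return entries


def launched_exe(stub):
    """First token of a StubPath: the quoted path, or everything up to the first space."""
    if stub.startswith('"'):
        return stub[1:].split('"', 1)[0]
    return stub.split(" ", 1)[0]


def classify(entry):
    """'match' for the dropper pattern, 'review' for a StubPath outside trusted dirs, else 'ok'."""
    stub = (entry.get("StubPath") or "").strip()
    if not stub:
        return "ok"  # a component without StubPath launches nothing at logon
    if GUID_EXE_IN_WINDOWS.match(stub):
        return "match"
    if launched_exe(stub).lower().startswith(TRUSTED_PREFIXES):
        return "ok"
    return "review"


def triage(entries):
    """Entries worth a look as (verdict, key, StubPath), most suspicious first."""
    order = {"match": 0, "review": 1}
    flagged = [(classify(e), e["key"], e.get("StubPath", "")) for e in entries]
    return sorted((f for f in flagged if f[0] != "ok"), key=lambda f: order[f[0]])


# Constructed sample data for the offline run (not taken from the report).
BASE = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
SAMPLE_ENTRIES = [
    {"key": BASE + r"\{89820200-ECBD-11cf-8B85-00AA005B4383}",
     "StubPath": r"C:\Windows\system32\unregmp2.exe /FirstLogon", "Version": "12,0,19041,1"},
    {"key": BASE + r"\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}",
     "StubPath": r"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll",
     "Version": ""},
    # Assumed: the sample's first dropped stage registered as its own StubPath.
    {"key": BASE + r"\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}",
     "StubPath": r"C:\Windows\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe", "Version": "1"},
    {"key": BASE + r"\{0A1B2C3D-0000-4000-8000-000000000001}",
     "StubPath": r"C:\Users\Admin\AppData\Roaming\update.exe", "Version": ""},
    {"key": BASE + r"\{0A1B2C3D-0000-4000-8000-000000000002}", "StubPath": "", "Version": "1,0"},
]

if __name__ == "__main__":
    live = read_active_setup()
    for verdict, key, stub in triage(live or SAMPLE_ENTRIES):
        print(f"{verdict:6} {key}  ->  {stub}")
```

On a real host the script reads the live keys; off Windows it falls back to the constructed entries so the logic can be exercised anywhere. Remember that Active Setup also keeps a per-user copy under HKCU with a Version value: a StubPath runs for a user only when that copy is missing or older, so an entry can be present in HKLM and already have fired for the logged-on account.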

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4196
    • C:\Windows\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe
      C:\Windows\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\{109B4078-FD47-4874-B55B-379111FA341F}.exe
        C:\Windows\{109B4078-FD47-4874-B55B-379111FA341F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4232
        • C:\Windows\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe
          C:\Windows\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Windows\{E039AE76-754D-45c9-B253-878788A93467}.exe
            C:\Windows\{E039AE76-754D-45c9-B253-878788A93467}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4712
            • C:\Windows\{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe
              C:\Windows\{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:764
              • C:\Windows\{A43407AB-F05C-4855-B09C-B3948A10E809}.exe
                C:\Windows\{A43407AB-F05C-4855-B09C-B3948A10E809}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:448
                • C:\Windows\{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe
                  C:\Windows\{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:956
                  • C:\Windows\{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe
                    C:\Windows\{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:452
                    • C:\Windows\{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe
                      C:\Windows\{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2352
                      • C:\Windows\{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe
                        C:\Windows\{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3760
                        • C:\Windows\{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe
                          C:\Windows\{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4984
                          • C:\Windows\{24FFBD16-329D-44f2-9143-29CBE7073394}.exe
                            C:\Windows\{24FFBD16-329D-44f2-9143-29CBE7073394}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:684
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D46D0~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4012
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DFD33~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4460
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{53686~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3820
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9756~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4456
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{BE29B~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3360
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A4340~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:708
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB3D~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3584
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{E039A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3780
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{AE8A3~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3140
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{109B4~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:368
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8277F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1180
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2872
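
The tree above has a fixed shape: each stage drops the next `{GUID}.exe` into C:\Windows, starts it, then spawns `cmd.exe /c del <own image> > nul` to remove itself, and it names its own image by its 8.3 short name (`{D46D0~1.EXE`, `2024-0~1.EXE`), so a detection that compares the deleted path against the parent's long image name string will never match. The script below is an added example, not part of the Triage report: it takes process-creation events, reconstructs the chain of GUID-named stages from the root PID, and flags a cmd.exe `del` as a self-delete when the parent's image can be the long name behind the 8.3 name in the command line. PIDs, images and command lines are copied from the first three stages of the tree; the parent PIDs are reconstructed from its nesting, and the explorer.exe/notes.txt pair is a constructed benign control. Function names (`short_name_matches`, `find_self_deletes`, `dropper_chain`) are my own.

```python
import re
from collections import defaultdict

# (pid, parent pid, image, command line). Stages 0-3 from the report; parent PIDs
# reconstructed from the tree nesting; the last two events are a constructed control.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
STAGE0 = TEMP + r"\2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe"
STAGE1 = r"C:\Windows\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe"
STAGE2 = r"C:\Windows\{109B4078-FD47-4874-B55B-379111FA341F}.exe"
STAGE3 = r"C:\Windows\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    (4196, 0,    STAGE0, '"' + STAGE0 + '"'),
    (2212, 4196, STAGE1, STAGE1),
    (2872, 4196, CMD, r"C:\Windows\system32\cmd.exe /c del " + TEMP + r"\2024-0~1.EXE > nul"),
    (4232, 2212, STAGE2, STAGE2),
    (1180, 2212, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8277F~1.EXE > nul"),
    (1916, 4232, STAGE3, STAGE3),
    (368,  4232, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{109B4~1.EXE > nul"),
    (1234, 0,    r"C:\Windows\explorer.exe", "explorer.exe"),
    (5000, 1234, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\Desktop\notes.txt > nul"),
]

DEL_RE = re.compile(r'/c\s+del\s+"?([^"\s>]+)"?', re.IGNORECASE)
# 8.3 form: up to six characters, a tilde and a counter, optional three-character extension.
SHORT_RE = re.compile(r'^(?P<stem>[^~.]{1,6})~\d+(?:\.(?P<ext>[^.]{0,3}))?$')
GUID_EXE_RE = re.compile(
    r'^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def short_name_matches(short, long):
    """True if 8.3 name `short` (e.g. {D46D0~1.EXE) can refer to long file name `long`.

    Windows builds the short stem from the long stem with spaces and dots removed,
    truncated to six characters, plus ~N; N depends on collisions, so only the
    prefix and the extension are compared. A plain long name is matched exactly.
    """
    if short.lower() == long.lower():
        return True
    m = SHORT_RE.match(short)
    if not m:
        return False
    stem, _, ext = long.rpartition(".")
    if not stem:  # no dot in the long name: rpartition put it all in ext
        stem, ext = ext, ""
    stem83 = stem.replace(" ", "").replace(".", "").upper()
    return (stem83.startswith(m["stem"].upper())
            and ext.upper()[:3] == (m["ext"] or "").upper())


def find_self_deletes(events):
    """(cmd pid, parent pid, parent image) for every cmd.exe del that targets its parent's image."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if basename(image).lower() != "cmd.exe" or ppid not in by_pid:
            continue
        m = DEL_RE.search(cmdline)
        if not m:
            continue
        target, parent_image = m.group(1), by_pid[ppid][2]
        if (dirname(target).lower() == dirname(parent_image).lower()
                and short_name_matches(basename(target), basename(parent_image))):
            hits.append((pid, ppid, parent_image))
    return hits


def dropper_chain(events, root_pid):
    """Follow the GUID-named stages started from root_pid, one per generation."""
    children = defaultdict(list)
    for pid, ppid, image, _ in events:
        children[ppid].append((pid, image))
    chain, pid = [], root_pid
    while True:
        nxt = [(c, img) for c, img in children[pid] if GUID_EXE_RE.match(img)]
        if not nxt:
            return chain
        pid, image = nxt[0]
        chain.append(image)


if __name__ == "__main__":
    for image in dropper_chain(EVENTS, 4196):
        print("stage:", image)
    for pid, ppid, parent in find_self_deletes(EVENTS):
        print(f"self-delete: cmd pid {pid} removed image of pid {ppid}: {parent}")
```

Matching on the 8.3 prefix is what makes the rule robust: the counter after the tilde is not predictable, and the same trick defeats any allow-list or IOC that only knows the long path. In this run all 13 stages produce exactly this pair of child events, so the rule fires once per generation.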

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe

    Filesize

    204KB

    MD5

    5fde44bbb2c6986c3b3bedaa090c7f12

    SHA1

    f670ee75bf8ed03232d5daaad440ab7a3201cd26

    SHA256

    d7010e12371189ec9aba7ed03092b3f478557303f930377d092eda9ef9330b25

    SHA512

    4528580ffd763e486deb7e7307d4e7526ca5af88d1da973b34031067f40713e60b7548a792ce0fc71b5bbf84e22278add2e9d1a32bc2f3c2c3552a88d949644f

  • C:\Windows\{109B4078-FD47-4874-B55B-379111FA341F}.exe

    Filesize

    204KB

    MD5

    9b18efafed140c0b89e3b8b356d27007

    SHA1

    65a55316a54410bd766ae3c6403017613c21a9f4

    SHA256

    058629a128daffd624fb550fcd104c5c921b0da6f3280903c73ee6b669b80963

    SHA512

    18e0ac12227e3cdbc71993a6ab1f9e22da3eb8bb18ff748ec9209d9bd6faeb5220108820c7b769ce423544aaaeef18ae552486098504971453ce9a47e3f5cffc

  • C:\Windows\{24FFBD16-329D-44f2-9143-29CBE7073394}.exe

    Filesize

    204KB

    MD5

    e51317c7d482d66eb9b00efae46a215b

    SHA1

    43d545a61216328440cce0aa1da56a8c2b05c958

    SHA256

    ba74fa92dbe4da6cfda9767796044ebfe43befd442cdd8fcee0b72fb0e69d443

    SHA512

    954bda8c69f7e821be3d834d6b2adb20476bed59bb2c6efecb1d5546484a1ff1b71ebde3eefec20d8ee651374d115a32f4f97a558fcf96d24e1423f1ea0c96d5

  • C:\Windows\{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe

    Filesize

    204KB

    MD5

    aeb10929730a4da502bba1f4c74dd47d

    SHA1

    4635f812529b17fe21032c6a3a689e4b9290e6b2

    SHA256

    f5750c7e777f9cc2c572d66926854acea8b237d704650fda03b32bb4cb77885f

    SHA512

    2f03a5bdb176d73c1153f30238c2a88291dd4bcd6e39e7a428d9aa3ad6d44070c1bef46f7e7fa20d3d81148b78ff6da3f417a167adf3102a7ffd653485b27087

  • C:\Windows\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe

    Filesize

    204KB

    MD5

    3a3b7590b6e64de0bf0dae5937d96317

    SHA1

    837139fb76a2b8c28dac9c6242d110da6096c826

    SHA256

    09810bb20c076685cec7f4e746d750b82a425d44746d774a50352502e4771b8d

    SHA512

    c050a385f2dc879f558df2750f94da2844ecf3010033cdf15fd15b5c78b4135e5a80af76bfd89de454d31e01a86aa731c766a8af36db96bacdf4a390df8f5508

  • C:\Windows\{A43407AB-F05C-4855-B09C-B3948A10E809}.exe

    Filesize

    204KB

    MD5

    692d44538e5953f3b6af428a86a2c3f0

    SHA1

    6069abf7fc1b90469dcf66ca364850c400e0b3ae

    SHA256

    6d0501478816946af5c69af1377d0ad0bb60c947bed730df91a9f3f96186025f

    SHA512

    fc7c63e11f524d277da31461261fcc26a3e3c1326356db8f3c0583176f844cc68ff88b808ece071d972ce2a71fb7787eb36551f2686cf33d1edc2bf0e43c3d0f

  • C:\Windows\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe

    Filesize

    204KB

    MD5

    e0c3efca6c579e626fc3628c1f9a6bc7

    SHA1

    99159175eadbfef0fc72794605782ea501972dcc

    SHA256

    5bd9233f25edc6d64a19441b4517021cfa8569c2f2fd397affa77a6c824cb180

    SHA512

    ade4c032543daf2e976dade8ae78fb52009ffeaf65454831b86661986930cc9513155b06dec7b4a94d30357c806dd3f64a32afd0d6e7cdffbe1ecc2c4649f60c

  • C:\Windows\{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe

    Filesize

    204KB

    MD5

    261a40ad4e1da331bec503cb98a85ccd

    SHA1

    7de1bc6ecdbb953cf15631b0ba46ff9ea97cca8a

    SHA256

    49ea44fcc2d8e53561822cdfb321ec8fe53876b2463db01fead75f4f20387288

    SHA512

    0366c8cb364692353b6be1f2387048b9b32a030b103f6b049c4aadb4e6a28d2965d94d928c5cfe024b953fdb5c1cc433a1f56d5abe9e3d02cc9c3e5e87b0ddde

  • C:\Windows\{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe

    Filesize

    204KB

    MD5

    be20b74ee5f16b175fc168acdf890be4

    SHA1

    baced5faa0d5a5c61d7cba4cb2169391ceeaa32e

    SHA256

    ab4cf04d5fae1a0d8304a31ad10eb30cb772f5a14bdcf38f9f375e06daf42d69

    SHA512

    7a47c266fd62dc8e0d2fe82c11e963e9f73da3d4a70973e256422e14e73aa08233be2af785f626a89a68299c274e4ebe06dc19412717edd393d32fe6d2a2f3ec

  • C:\Windows\{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe

    Filesize

    204KB

    MD5

    fa6b470270abda937796f6b5ee2d301e

    SHA1

    127f184417ba3c84b47a98d61a153131a15072c4

    SHA256

    5c39f5999ba6cfee7d73a9c9389eae7b058dad576abd0a0f9ac2f35fc4e99b0d

    SHA512

    d76442256d5207f3df49f11ac87c67e237f1e585aa0fa5198223062202642784006c5683164eb51a634a03f3c5cb883aaa50867dae6a0d7afd07d76e38b7a3d7

  • C:\Windows\{E039AE76-754D-45c9-B253-878788A93467}.exe

    Filesize

    204KB

    MD5

    d0c615a049eee42b156062e164e46747

    SHA1

    2533df07ae6fab5c68ed7eb346a577fa3f563d75

    SHA256

    fdb500781966aea646a1d51d5952150f0db78ecee76e9ba3f33bb8343e96d817

    SHA512

    28f1969e9f6992a8c91ec778d110e44462c8b1ecc2c89ac532273cbd0ac579bdb00067af96673c47c0af2cb2fe14966a1a27c73ed8e1c70ac0269e2acc865403

  • C:\Windows\{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe

    Filesize

    204KB

    MD5

    a6fd3f0ed9e9849a936534fbd828296e

    SHA1

    218a397606b6802a0a6cc765e3fdcf8781c5639d

    SHA256

    aec0039212dcec2b9867ec394fda54029b456cd2049fa0361c5fcbdbdb46f3fe

    SHA512

    efbbb52509325a183de2a9a65fb041394ea2f5bba179f91c22b820490382169740cdf5b7907ba573d6120b5e820ca4bae0c4e0baf1d98a106ee6af912887c4bc