Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/09/2024, 19:07

General

  • Target

    2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe

  • Size

    168KB

  • MD5

    899ceecd0f8172f1d1c54ba07b35b342

  • SHA1

    62f19ffa367b475361849be9d03829c6157f7932

  • SHA256

    16eae0ed1e47bfb71cdaff6a3a42be1297bcf2dfade2918f2aec3bfe3e7714df

  • SHA512

    85cd1e42ca98bd9e95cb27c476e7c4a04187b3334b65ce6542117138256adbef9ccc58e26a1d0baa3ed9ab6f015622e3eeadddc2713898438b251ec180395eb5

  • SSDEEP

    1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
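The Active Setup signature above names the technique, but the report gives only counts (22 IoCs), not the registry values that were written. The Python below is an added example, not tria.ge output: it hunts for that technique in registry value-set telemetry. The log lines are constructed in the shape of Sysmon Event ID 13 (pipe-delimited here for brevity, not Sysmon's XML); the second line is an assumption that reuses two dropped-file names from the process tree on this page to show what a stage registering the next stage would look like, and the GUIDs in the other lines are placeholders. It picks out writes to HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}\StubPath in both the native and the Wow6432Node view, then flags StubPaths that point at a GUID-named file, a file sitting directly in C:\Windows, or a user-writable path, and writes made by a process in one of those locations.

```python
"""Active Setup persistence hunt over registry value-set telemetry.

Added example for the 'Boot or Logon Autostart Execution: Active Setup' signature;
not tria.ge code. SAMPLE_LOG is constructed (Sysmon-13-like, pipe-delimited), not
exported from the sandbox run: the report counts 22 Active Setup IoCs but does not
list them, so the second line is an assumption built from names in the process tree.
"""
import re

# Active Setup runs each component's StubPath at interactive logon for every user
# whose HKCU\Software\Microsoft\Active Setup\Installed Components\{GUID} is absent
# or has a lower Version, so one HKLM write (needs admin) re-executes per account.
# A 32-bit process on x64 (this sample spawns SysWOW64\cmd.exe, so it is 32-bit)
# lands in the Wow6432Node view through registry redirection: check both views.
ACTIVE_SETUP_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Active Setup\\Installed Components\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\StubPath$", re.IGNORECASE)
GUID_EXE_RE = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.IGNORECASE)
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)

FIELDS = ("EventType", "ProcessId", "Image", "TargetObject", "Details")
SAMPLE_LOG = [  # constructed: EventType|ProcessId|Image|TargetObject|Details
    # shape of a legitimate installer registering a per-user first-run component
    'SetValue|812|C:\\Windows\\System32\\msiexec.exe|'
    'HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\'
    '{11111111-2222-3333-4444-555555555555}\\StubPath|'
    '"C:\\Program Files\\ExampleSuite\\firstrun.exe" /quiet',
    # what a stage of the tree on this page would log if it registered the next
    # stage (assumed; the report does not list the 22 Active Setup IoCs)
    'SetValue|2384|C:\\Windows\\{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe|'
    'HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\'
    '{54769854-DE6B-4b58-B3F8-18FA3E9233C9}\\StubPath|'
    'C:\\Windows\\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe',
    # generic user-profile persistence, unrelated to this sample
    'SetValue|1200|C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe|'
    'HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\'
    '{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\\StubPath|'
    'C:\\Users\\Admin\\AppData\\Roaming\\svc\\update.exe',
    # Run-key write: persistence, but not Active Setup, so out of scope here
    'SetValue|1200|C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe|'
    'HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc|'
    'C:\\Users\\Admin\\AppData\\Roaming\\svc\\update.exe',
    # key creation precedes the value write; only SetValue carries the StubPath
    'CreateKey|1200|C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe|'
    'HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\'
    '{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}|',
]


def parse_event(line):
    """Split one pipe-delimited line into a dict; None unless it is a SetValue."""
    parts = line.split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    ev = dict(zip(FIELDS, parts))
    return ev if ev["EventType"] == "SetValue" else None


def stub_executable(stubpath):
    """Program path from a StubPath command line, quoted or bare (a bare path
    containing spaces is cut at the first space, as CreateProcess may do)."""
    s = stubpath.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]


def assess(ev):
    """(guid, stub exe, reasons) for an Active Setup StubPath write, else None.
    The reasons are heuristics about where the code lives, not proof."""
    m = ACTIVE_SETUP_RE.match(ev["TargetObject"])
    if not m:
        return None
    exe = stub_executable(ev["Details"])
    reasons = []
    if GUID_EXE_RE.search(exe):
        reasons.append("GUID-named StubPath executable")
    if WINDIR_ROOT_RE.match(exe):
        reasons.append("StubPath executable sits directly in the Windows directory")
    if USER_WRITABLE_RE.match(exe):
        reasons.append("StubPath executable in a user-writable location")
    writer = ev["Image"]
    if GUID_EXE_RE.search(writer) or WINDIR_ROOT_RE.match(writer) or USER_WRITABLE_RE.match(writer):
        reasons.append("written by " + writer + ", not an installer location")
    return m.group(1), exe, reasons


def triage(lines):
    """Every Active Setup StubPath write that trips at least one heuristic."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        result = assess(ev)
        if result and result[2]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for guid, exe, reasons in triage(SAMPLE_LOG):
        print(guid, exe, "; ".join(reasons))
```

A hit on an unfamiliar component GUID is worth confirming against a clean build of the same Windows image (same GUID, same StubPath, same file hash and signature); stock entries launch from System32 or Program Files, not from the root of C:\Windows or from a profile directory.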

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe
      C:\Windows\{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe
        C:\Windows\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe
          C:\Windows\{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe
            C:\Windows\{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2496
            • C:\Windows\{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe
              C:\Windows\{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2432
              • C:\Windows\{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe
                C:\Windows\{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1744
                • C:\Windows\{5023565A-5999-468c-8845-1E8F873239CF}.exe
                  C:\Windows\{5023565A-5999-468c-8845-1E8F873239CF}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2948
                  • C:\Windows\{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe
                    C:\Windows\{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2252
                    • C:\Windows\{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe
                      C:\Windows\{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2012
                      • C:\Windows\{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe
                        C:\Windows\{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1404
                        • C:\Windows\{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe
                          C:\Windows\{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2452
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FACA4~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3044
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{4293E~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1932
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{598E9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:320
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{50235~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1508
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{077A4~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1844
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{62D72~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2356
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2516F~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2648
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8CAD2~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2616
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{54769~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4959~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1264
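Two things in the tree above are worth making mechanical. First, every cmd.exe /c del ... > nul targets the image of its own parent, written as an 8.3 short name ({FACA4~1.EXE for {FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe, 2024-0~1.EXE for the submitted sample), so a naive string match between the deleted path and the dropped path fails. Second, each stage is a new file with a new hash (the Downloads section lists eleven 168KB files with eleven distinct digests), so blocking the stages by hash achieves nothing; the shape of the chain is the durable signal. The Python below is an added example, not tria.ge code: it transcribes the PIDs, images and command lines from the tree, reconstructs the chain of GUID-named executables in C:\Windows, generates the ~1 short-name candidate, and correlates each del with its parent. Note also that the cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line says system32: the sample is 32-bit and WOW64 file-system redirection rewrote the path.

```python
"""Dropper-chain and self-deletion analysis for the process tree above.

Added example, not tria.ge code. PIDs, images and command lines are transcribed
from the tree on this page; nothing else about the sample is assumed.
"""
import re
from collections import defaultdict

W = "C:\\Windows\\"
ORIG = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
        "2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe")

# Each stage is a GUID-named copy dropped in C:\Windows and run by the previous
# stage: (pid, file name) in spawn order, from the tree above.
STAGES = [
    (2384, "{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe"),
    (2872, "{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe"),
    (2716, "{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe"),
    (2496, "{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe"),
    (2432, "{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe"),
    (1744, "{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe"),
    (2948, "{5023565A-5999-468c-8845-1E8F873239CF}.exe"),
    (2252, "{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe"),
    (2012, "{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe"),
    (1404, "{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe"),
    (2452, "{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe"),
]
# cmd.exe children: (pid, parent pid, 'del' target exactly as the tree shows it).
DELS = [
    (1264, 1044, "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~1.EXE"),
    (2912, 2384, W + "{D4959~1.EXE"), (2988, 2872, W + "{54769~1.EXE"),
    (2616, 2716, W + "{8CAD2~1.EXE"), (2648, 2496, W + "{2516F~1.EXE"),
    (2356, 2432, W + "{62D72~1.EXE"), (1844, 1744, W + "{077A4~1.EXE"),
    (1508, 2948, W + "{50235~1.EXE"), (320, 2252, W + "{598E9~1.EXE"),
    (1932, 2012, W + "{4293E~1.EXE"), (3044, 1404, W + "{FACA4~1.EXE"),
]


def build_procs():
    """Flatten the tree into (pid, ppid, image, command line) records."""
    procs = [(1044, 0, ORIG, f'"{ORIG}"')]
    parent = 1044
    for pid, name in STAGES:
        procs.append((pid, parent, W + name, W + name))
        parent = pid
    for pid, ppid, target in DELS:
        # image is SysWOW64\cmd.exe although the command line names system32:
        # the sample is 32-bit, so WOW64 file-system redirection rewrote the path
        procs.append((pid, ppid, W + "SysWOW64\\cmd.exe",
                      f"C:\\Windows\\system32\\cmd.exe /c del {target} > nul"))
    return procs


GUID_EXE_RE = re.compile(r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$")
DEL_RE = re.compile(r"\bdel\s+(?:/\S+\s+)*(\S+)", re.IGNORECASE)
NOT_83_RE = re.compile(r"[+,;=\[\]]")


def short_name_83(path):
    """First-candidate 8.3 alias of the file name in `path`, the form seen in the
    'del' lines above: upper-case, characters illegal in 8.3 names replaced by
    '_', spaces and extra dots dropped, first six characters plus '~1', and a
    three-character extension. NTFS moves to ~2, ~3, ... on collision, so this is
    a match candidate, not an oracle."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = NOT_83_RE.sub("_", stem).replace(" ", "").replace(".", "")
    ext = NOT_83_RE.sub("_", ext).replace(" ", "")[:3]
    return stem[:6] + "~1" + (f".{ext}" if ext else "")


def del_target(cmdline):
    """Path handed to 'del' in a cmd.exe command line, or None."""
    m = DEL_RE.search(cmdline)
    return m.group(1) if m else None


def dropper_chain(procs):
    """GUID-named executables under C:\\Windows reachable from the submitted
    sample through parent->child links, in spawn order."""
    pids = {p[0] for p in procs}
    children = defaultdict(list)
    for pid, ppid, image, _ in procs:
        children[ppid].append((pid, image))
    frontier = [p[0] for p in procs if p[1] not in pids]  # roots of the tree
    chain = []
    while frontier:
        pid = frontier.pop()
        for cpid, cimage in children[pid]:
            if GUID_EXE_RE.match(cimage):
                chain.append(cimage)
                frontier.append(cpid)
    return chain


def find_self_deletions(procs):
    """(cmd pid, parent pid) pairs where a cmd.exe child deletes its parent's own
    image, matched on the long name or the 8.3 alias in the same directory."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmdline in procs:
        if not image.lower().endswith("\\cmd.exe") or ppid not in by_pid:
            continue
        target = del_target(cmdline)
        if target is None:
            continue
        parent_image = by_pid[ppid][2]
        tdir, _, tname = target.upper().rpartition("\\")
        pdir, _, pname = parent_image.upper().rpartition("\\")
        if tdir == pdir and tname in (pname, short_name_83(parent_image)):
            hits.append((pid, ppid))
    return hits


if __name__ == "__main__":
    procs = build_procs()
    for image in dropper_chain(procs):
        print("stage:", image, "->", short_name_83(image))
    print("self-deletions:", find_self_deletions(procs))
```

tria.ge credits "Deletes itself" to the submitted sample only; the same spawn-next-then-delete-me pattern repeats for every dropped stage, which is what find_self_deletions reports. The last stage ({58B23959-...}.exe, PID 2452) has no children in the tree, so the chain ends there within the 144s the sandbox allowed.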

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{077A4BDB-5770-4879-A470-6FE2CD271DE4}.exe

    Filesize

    168KB

    MD5

    c4ac175020430d4b9b419d3444c32a80

    SHA1

    11dd524d94292c868c3299069c12eb89a3f22c84

    SHA256

    b9b852712bba73f30bc0ed9f8d085dff273164465d41d72ffa6c7d1e991ed57b

    SHA512

    907c617ef4a9f5b0c4ac3be21c146ec5679f20cfcdaafd97a131d74e0c2108cc0717d3dfa275f18bcdb952a0f74a9d5d05a1a6011a934ed83ec0da044a8c9cf4

  • C:\Windows\{2516F5C3-DC46-472b-893F-2012F1305C8C}.exe

    Filesize

    168KB

    MD5

    fd853198ecaeb176694cd8c71fcd0754

    SHA1

    f527a8902bee9072f523574e546e912e176f8f7b

    SHA256

    b98fa9d8f5b6467ecf39ebcae92ce68685c7e36914d8acb5fb178206ae1aba3f

    SHA512

    88e9e6e542adc663eb9f440752774e162211a867f059866478faeeccf5befd07229c6c2c41cc8e2787638f08e94611abb490352741d8ed2458a7e706421d1395

  • C:\Windows\{4293E0AB-F039-4907-BFBE-ACC4B2892DC4}.exe

    Filesize

    168KB

    MD5

    42b2229654dce2a62ba8b4412f04caee

    SHA1

    0f66376f5d1a2ea3605f94e2d4c8a1da59d7f2e9

    SHA256

    46adcb15596cbc7b4ce7fbb05151f13d72554af3432da0bb6e750dc85cd3f2b4

    SHA512

    2e2d10198180b63160531384626c5e22636ebbd9fb97735ea8f0f8534476e6131b09249493d564dae9e3ba831cca159ab5ab3e4a4112eee951d065a6da034a17

  • C:\Windows\{5023565A-5999-468c-8845-1E8F873239CF}.exe

    Filesize

    168KB

    MD5

    7eef1f95911abfac4d8fc08f8b638ad9

    SHA1

    5b67cf6addf6ffa4f03de5a2090da1b69aa6aa46

    SHA256

    06ffc47ce0ae412fa2fe54c125426f5006a1643a314e74d6d03903cbedfc945b

    SHA512

    9d3fbe776bed0b2ed7405f00b85099e24e8d7ae30506128f3e7289aa6d89709761f7d11fb421c3ad7d28e8382d9dd8d5aa268c20ddc1c7668ec7687a3a03ddfa

  • C:\Windows\{54769854-DE6B-4b58-B3F8-18FA3E9233C9}.exe

    Filesize

    168KB

    MD5

    027ba30976f22d10a98f8fc076c62cab

    SHA1

    ca86d0029df48c49191ef8ec67348c88304e72b9

    SHA256

    ba54b8830568e5a1c48c2896da4a5e0789af953aa8407bd8046ed876cca2e73d

    SHA512

    a23cbc3e8fc668d251791efccfdb567ec9d0a5df21d9972e0f215fe6f3048237ea57ff4aa8081e7ec3721c9ba8056a0f2afebe9ca16c12c2433c200cf532174c

  • C:\Windows\{58B23959-EF71-4e78-8C2A-3A5B684B074E}.exe

    Filesize

    168KB

    MD5

    49186f22090641d422ea39911b66cf89

    SHA1

    fb93d856fbd04e0e2bb3580ae8e47a8c1d4fe29f

    SHA256

    7d7153f6f98e49df252c42f83c0f67725cb632073689fa76e97db6d772a76cca

    SHA512

    4848d05b67d09c9da372b0673befbeaa80df308287d162dd3b95603a97d7d048a3d0765ce00d2637de0aab3f72c3a98bd20701cdf46fed0014b3ca3f15dbb360

  • C:\Windows\{598E96EC-7127-4398-8279-1353F6D0DB4B}.exe

    Filesize

    168KB

    MD5

    ae1a846f2e735342cc22a3e5fd9eb66d

    SHA1

    ad7593591f45b9b753018483b5ca5270f4dfe96f

    SHA256

    c4511d73c4ac3d2c7bc78d39d1c2ba27450c44c2a7ec7bd120011e42cc0e8279

    SHA512

    35fc96a5aa2ee0bf8ce8c7061191ad184c0b88eca5bdea5ec4e462a18a1a916a6c85cddfdf510db8f33b187bca7a82263362ff1d0886b38a1e1863c203e999b2

  • C:\Windows\{62D729E1-8FEC-4bdd-9975-77EB311A40BB}.exe

    Filesize

    168KB

    MD5

    b046d886b609f73c09ca0478f8531b4c

    SHA1

    d8b607791dc90e72cdf07ae9dc3bdac002b5ce27

    SHA256

    d9ea0ca7d9a275216b793e874cbff2c916a46ef10035743716c9a3594c6b6e07

    SHA512

    f9cc83803be6fc09073c3e8b170da3fb2684a897029ef81e6a8ce1df5b8ee72fb7179d1346e7a43aa4d310a596d7ef83d41a15f39c597a1c9a4ec4391b870704

  • C:\Windows\{8CAD25E4-1905-4069-BD85-E48DED52BD54}.exe

    Filesize

    168KB

    MD5

    acb36dda0e75a260e3b4b9b4b1ec70ca

    SHA1

    4532771f192faf1b89a68e2715fcafce2baeeed6

    SHA256

    e68cd3c148d71e390e52951d2eb79e4b445dc0f4c5e61526238876aefec6160b

    SHA512

    cc8e47616c0095bc1e95415d9fe8b35b9632c34ff2ab4135bb93c391400adf45ae31dfa2e6a16bb4ba630a35b753198427bcf445e18eae65fc6336deb369af2c

  • C:\Windows\{D4959236-EBAE-4274-BCE8-8B39D75C8861}.exe

    Filesize

    168KB

    MD5

    563d1ad9bbf5dd8461736379bc27bc99

    SHA1

    b35522a9fb50f163be44dd6f332a81180ea9b5b1

    SHA256

    0ec913b7e109bd7b12367780062fe3743869b6603ac12d90f29cdeb02ee0f8ab

    SHA512

    da309001bcf57dc3d90b6a00ce42c3244440febaf1f02334289e14c216bb33895de06c66276c7105485fe88530ace55d155a3d489b174f61f4fcd8eeefee3b2e

  • C:\Windows\{FACA4AF0-A9AC-40f2-88EE-70EC9CDD003F}.exe

    Filesize

    168KB

    MD5

    5bbd6871a9a732bf83b399fabe452d26

    SHA1

    b448a5a70e976128838e85403bc01f9c6e493dcd

    SHA256

    6c9e0df79c082ce48b550089afa8da81d652f6a67c93a000eceb12259b8ea1f9

    SHA512

    cda5236ab5e8ae53b45a8a0ce5354d59313ce59d60bea308093fa7195dd78acb61e819a020fc61dd4a4b7e3ac87c5961a34582b19016e4ed814d68ac97ac6d3c