Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/09/2024, 19:07

General

  • Target

    2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe

  • Size

    168KB

  • MD5

    899ceecd0f8172f1d1c54ba07b35b342

  • SHA1

    62f19ffa367b475361849be9d03829c6157f7932

  • SHA256

    16eae0ed1e47bfb71cdaff6a3a42be1297bcf2dfade2918f2aec3bfe3e7714df

  • SHA512

    85cd1e42ca98bd9e95cb27c476e7c4a04187b3334b65ce6542117138256adbef9ccc58e26a1d0baa3ed9ab6f015622e3eeadddc2713898438b251ec180395eb5

  • SSDEEP

    1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe
      C:\Windows\{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe
        C:\Windows\{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe
          C:\Windows\{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3468
          • C:\Windows\{A943ED39-E45A-406c-B33F-77F0966976F9}.exe
            C:\Windows\{A943ED39-E45A-406c-B33F-77F0966976F9}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3276
            • C:\Windows\{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe
              C:\Windows\{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1048
              • C:\Windows\{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe
                C:\Windows\{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1972
                • C:\Windows\{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe
                  C:\Windows\{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2484
                  • C:\Windows\{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe
                    C:\Windows\{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4924
                    • C:\Windows\{51BEC851-9483-4224-84AD-47A43368CA0B}.exe
                      C:\Windows\{51BEC851-9483-4224-84AD-47A43368CA0B}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2856
                      • C:\Windows\{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe
                        C:\Windows\{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2696
                        • C:\Windows\{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe
                          C:\Windows\{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2472
                          • C:\Windows\{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}.exe
                            C:\Windows\{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2420
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{29A04~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2584
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CD3B5~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3636
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{51BEC~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4392
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{52BF9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2500
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{86922~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:920
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3476E~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4200
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F6FF2~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2420
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{A943E~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1848
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B7107~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5116
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{63D09~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:436
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C725~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1624
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe

    Filesize

    168KB

    MD5

    24664f5302d0c0fbd65b286b23eb58d7

    SHA1

    d9bb31cbbe833050fcbfb7e3c2c4985e01839d4f

    SHA256

    7a6e404a2ff9086676ce87321a6df13e3c553c6de9de8ee0c70b2cbee7841025

    SHA512

    c8f639b38c334b9308ef05e26211428c0fff8e139f541bbd1c361daebe455b1db03fbc14856d3ba5b3b0ed57f67c0ba9ac27f0e913a42a4d24b46bc8195c73b1

  • C:\Windows\{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe

    Filesize

    168KB

    MD5

    59fc3d7045c16ad381dd5e9693be5700

    SHA1

    9d8a0187ea6196b1cf595a018df3bc30c02ae565

    SHA256

    a187a49d077efecb0b1b1f0e5c20f24b581136bf46daf3c93117e99ac679191d

    SHA512

    e873e08094a99cbeb066f538d23d9f79ec4e99d5c90dbcb23f05791349bebbca0da6765a5f89326a7b333f544b909691df2f0a3601ea85ec2a34798e01d3ca88

  • C:\Windows\{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe

    Filesize

    168KB

    MD5

    4f6ced35e46ece004369081795d66d19

    SHA1

    6af8b207d59723aa734f24e10822533cfbb9be97

    SHA256

    3481679f002731876eed87926a2a4a7f23b8e600ae9db7662af619836ff9a809

    SHA512

    4fed53951f24021d465d5cdac7404040da5f5f517aa697cef62acfa431fd294f07e0669fdab6cbb0caa260bb1039b5f30e09bfe3984b523747d8035e487123c5

  • C:\Windows\{51BEC851-9483-4224-84AD-47A43368CA0B}.exe

    Filesize

    168KB

    MD5

    921b24af1eadcc1691d54c154c0c1fa3

    SHA1

    50264f3973da37e4ab1c3f99ebcee481fa8fdafd

    SHA256

    2ee31cd8e2c127bcf5be7c45c4af77996d43418bd7b4dd6ea37240f8fdcf6fc3

    SHA512

    fbd2c6ba881c7fc47acb87d0b5518d15101d6a71a3a98c2ea7fda18d6a303cd003c9bd6bc03f2afd7aafdd50c0c5b6ace730cc2f67fa3a0de83168677b7cfe87

  • C:\Windows\{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe

    Filesize

    168KB

    MD5

    d053a8195a078eb3cdf66b0e745f1f39

    SHA1

    7548c4d25bba08940fb556c00effa1abafb81359

    SHA256

    84f52699e7fa803a58470c3220b348d0162ac5d3a7260182a40143a9ce4f205b

    SHA512

    58b77dcd15ced66f4762ae390b665d523a75099b792358b75cd5a80f019f2b1edc827684afd02e8bde7285903d962b4f6fb4093c21a0664c76989fc9a95ed970

  • C:\Windows\{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe

    Filesize

    168KB

    MD5

    503422280e8b90b485ffa81b4f1a730b

    SHA1

    ab46b9ed111d32a90acca660ad86e4767a17b3ff

    SHA256

    31fb7b955910807fed7ca5456536f935a1d6e872edb474ea6c6036f0b49b0dff

    SHA512

    e49bfc7f2f84636c0cf5f321b55905c518b16d915054544dc110a16fcdb9b307d29561d4c4b0533a863412a48072c014581b013f8a3d388db3e8ed538f09c767

  • C:\Windows\{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe

    Filesize

    168KB

    MD5

    51ae1e4b2cac6bec439afaa9594f0a62

    SHA1

    69e82c63a108b14d4bd3c65f0c9cb50c5d69c0ba

    SHA256

    26f7bccf121693ec8cb9aeb480e838fe1927827be08e0865c709df012fe10820

    SHA512

    7d22b6c94855c85cb77e7b88d2702fea7a43d3be9bdfad2e553bc74c57c4593a9968f779188bc71ffd25480be1aff4858686a2f6b8dac406529a62bea027c0d9

  • C:\Windows\{A943ED39-E45A-406c-B33F-77F0966976F9}.exe

    Filesize

    168KB

    MD5

    a9671289f50bc3b925c39fb4cbc8d25f

    SHA1

    f1637c36c5d38587afbd51774280ec727fb049c2

    SHA256

    0adc9e49adf9d2a0901ae9b4fbc7a31fdd50f5bcbb18b028220257c3573b8e36

    SHA512

    bfca1ca8889ed587198e85f7b18280a828c7cdad1d2e4b9bb4f308d538bc98e9ec605388b0a56028c9bd778c7b8e6e7a87d36600d02dc02c158ef51d423b1eae

  • C:\Windows\{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe

    Filesize

    168KB

    MD5

    47e93db6f56a4d8196a3171698cc229b

    SHA1

    0c759bacabfdb404d444ec0fd4738e73da2fb761

    SHA256

    3c07ecf5e9268886dc78e2f19036a691b957001407870cb9851fcc7c7d26f249

    SHA512

    d62031e138a4748f7dcead77c052dd51df0ca935b63cd800c7c0a760c29ec0650d6c7d4e614319c64f95de65cc551e6f9c00f9003c8c4c11eeed2cc1bac0656c

  • C:\Windows\{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe

    Filesize

    168KB

    MD5

    40db4319f630172ddb3ca1e0b74b1b70

    SHA1

    3bf44ea072fb2652100917f43b285be1f0880601

    SHA256

    d0d595ab65d7f4bc9e0bfcc9ea62484bc3c5d85db0a98b2d8f1bde8f19468543

    SHA512

    981ff3f99e231ee935d2fb89edd8045f4a15b60810c5ec00a5131c64e838f5437b8a78d7674aa687a9341d7594348faf2285a4bc4bdcd82dcdbe5791b0174a53

  • C:\Windows\{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}.exe

    Filesize

    168KB

    MD5

    2cadd530b467688cd5cf152bf333e86a

    SHA1

    f9361f0a3749351264329a7b4033bb8b902d1ecb

    SHA256

    91adeafdb324622a26ded50ac88029c846608196a492b2b260ff1ea91b3fb234

    SHA512

    2d2c177e0b5d142d283fe55ad58899e15257939f69e007d9def64c2707de2c9313cf91e816f4aeaf55cec48bbe21ed6bd6aaf801407cd897711a5aea4b92133c

  • C:\Windows\{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe

    Filesize

    168KB

    MD5

    bf6e6d0a96f26b072106d37d54b4db30

    SHA1

    e14540cf9604933a8dd28d2d2650f4239d97685d

    SHA256

    9673318179b047788cff30615dd473856cb92fd90a467bf05cbb275d42730929

    SHA512

    45e4eae1004fef667af786b26d1e3def572749811446a6f228b3098eb47cc4e2025413c3b4eb1c52e8ec0ba1970d8566aabae208be2993e98d730651e93d2cd0