Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/09/2024, 11:35

General

  • Target

    2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe

  • Size

    372KB

  • MD5

    a85a60579d91f34dbe932702e61d16e6

  • SHA1

    31b36ba209a3412f00564f81840e6498ec14e5a1

  • SHA256

    79452ea75069f14b89efd4440facca77d54b7f284207b36c2149afa6f2d4fe6b

  • SHA512

    f0359115024c1a8ac31c47906791916b244402f43ec80f09b9aab41bd39498a1c02e668957f4eb9e7849d84517407d89760d77f6b5ae7b1266d649cc3a8c0788

  • SSDEEP

    3072:CEGh0oclMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGKlkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe
      C:\Windows\{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\{63DCB176-5076-46fb-99A5-7901A73345AA}.exe
        C:\Windows\{63DCB176-5076-46fb-99A5-7901A73345AA}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4520
        • C:\Windows\{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe
          C:\Windows\{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4092
          • C:\Windows\{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe
            C:\Windows\{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:552
            • C:\Windows\{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe
              C:\Windows\{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1472
              • C:\Windows\{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe
                C:\Windows\{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1824
                • C:\Windows\{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe
                  C:\Windows\{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2956
                  • C:\Windows\{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe
                    C:\Windows\{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1304
                    • C:\Windows\{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe
                      C:\Windows\{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3596
                      • C:\Windows\{8089918A-B036-4929-997D-3F79876F8ECB}.exe
                        C:\Windows\{8089918A-B036-4929-997D-3F79876F8ECB}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2992
                        • C:\Windows\{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe
                          C:\Windows\{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4568
                          • C:\Windows\{6BF36D90-FF24-4e0c-9348-5BDF36708828}.exe
                            C:\Windows\{6BF36D90-FF24-4e0c-9348-5BDF36708828}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1064
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2D9A6~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4108
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{80899~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:912
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D5A6~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4440
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AFF59~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3932
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{9E487~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1244
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A4992~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4344
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C9A0E~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2288
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BAB7D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2780
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9AADB~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3880
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{63DCB~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CE15~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3052
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe

    Filesize

    372KB

    MD5

    8d6da331dc21ab67d208d6266ccf0875

    SHA1

    2fe8584f01c8feba4b96725e26be64694fe28862

    SHA256

    d53c5526be1731de0c52c49f32867f6e0d8bf7b689cd2d1f4bcc29fa390ddb70

    SHA512

    0ab5782a44ba194b2b49591343b24c56a92cb03e785427c04f9345de227277c5b37d2fd5e476894cf84d481dab80acfc135e541d8a7e5f7f11e5168711e8b00b

  • C:\Windows\{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe

    Filesize

    372KB

    MD5

    23255874223ac1a4e30a366d09f22c3d

    SHA1

    b9441cb56d9bb85cb748aa5332d8480861d114b0

    SHA256

    a00599fcb749745f04b0ce264f9328d04117728ba53d98e6fe03077d083d5406

    SHA512

    4f036733c516cf70b791bd1087bd7605b53d73c9bfc22d00fac678ea1151f3ad36ce58fd63a530caa9fcde49d4720b59211ce6b23affc6b7edffbdd54a948b29

  • C:\Windows\{63DCB176-5076-46fb-99A5-7901A73345AA}.exe

    Filesize

    372KB

    MD5

    c5d4a3df1227fc5e1828c65fe585d07a

    SHA1

    9253591d03604a2e426c2522b846c4f0ee3783e7

    SHA256

    f9fbcf677c0cb8705e3fdabb5755aa33e88f24598b17a0b5fe92fbdc1a1e2cfc

    SHA512

    a28bec7edda961955338a70d97b0e4bd7ff0d8cffc06b9340ec634498f4d7777664b7d29ff5025c33b27377f50247c8f5f6aedd7f7808b11bbcca8a26e2591ca

  • C:\Windows\{6BF36D90-FF24-4e0c-9348-5BDF36708828}.exe

    Filesize

    372KB

    MD5

    3495981cb512db3a404feba37f60d08b

    SHA1

    826cc1c64023fe2556e02cc01d99e6974bbdbbde

    SHA256

    769b6f3d0a9d6cb0893afd6a8b5afc1f24552fac8d6633a6113d15d6c452ee00

    SHA512

    f5700028c03e349be1046bf6feab6de33244a9bff8433f35677f51e4e23f484d16faba50d0781d182584e36f938d5b2e80b010b3cf2468e4df8512f3886c7bd4

  • C:\Windows\{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe

    Filesize

    372KB

    MD5

    b6c3d24fb9cf127124c47784433545b2

    SHA1

    106b5d4ccf33d6c3f64ebdddd4695fbbd3e2bf0d

    SHA256

    325a543998d56f0b141046da1a313cf5dfad66eedbaf63806492ea34c2f3f3c1

    SHA512

    e7c9b8954bd4d254f515bab61eb5ef33520a30e2beec27979c8c9b7bf00bcc8a5b5949bd6358d975f0b7f1a2a4654a2baf3108701935aac98943dbfc6dd85cc6

  • C:\Windows\{8089918A-B036-4929-997D-3F79876F8ECB}.exe

    Filesize

    372KB

    MD5

    c5ca794bfa4ffb6c28c912e6ba95e01e

    SHA1

    7c2aa944acec2c5b577c81ca45f045ad798965f2

    SHA256

    4f70ffb84cd62539385cb3b6f375014e65e7fecef91878a760fc5016e0032c20

    SHA512

    c88a81bc3b2c6795eb76970e8e06d25d102e4cd71153049ac90e45ade94aef938c5167e167fc14121a709c5b6fe6ab617a2d66024b7ef97589dc73a0014b1130

  • C:\Windows\{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe

    Filesize

    372KB

    MD5

    58287208e02b9b2559709ad7ba005f18

    SHA1

    05a29242b2337d9dc8faadaf398a52f6ef9a10e5

    SHA256

    26a5974322bb7f2dff40ad143dd10652a2ae8c6926443d653021458f56831e51

    SHA512

    162183b636ac234e72aa29d8808d5fdbbef432d8602e36c44ba74f891ac1e8c8cbfbac225c9fb4f909b80d13c61a414aff7478be2790fd90bc1d4f55c181fe21

  • C:\Windows\{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe

    Filesize

    372KB

    MD5

    081d0296e486573fe60dde36f311717d

    SHA1

    399c4120b6e001f1e137f30625a9c5d2af0faacd

    SHA256

    b00a9b7284ac23328710c9a350bcb4399bf652004466717f49cf38a0286e2bb5

    SHA512

    50b5f01c8e952dc4f61b6776a54a011c0d1b75ed6df21a5d47e366f4a59783aa9ba696910dc024cf5785d911bdc9ab6dcc21ed894c50d82390ca28117d9b2d0d

  • C:\Windows\{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe

    Filesize

    372KB

    MD5

    f4315b67b97adb67be4c47adee610a81

    SHA1

    c423254974253a4c9d8f82674a86ba914bb67cf0

    SHA256

    958cdd955abf79c6ec4d850d11dd3b4b56ea7bf00d3dc2c4d01e033a490e1559

    SHA512

    cac94334fbc2780a01d3baaa28fbab7f4e909bde050c447a2d57cc86598a3a4511b4f74869aa40bcfde2c84fedddce6712e69ebb9dd00547419d3b4e7a763c11

  • C:\Windows\{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe

    Filesize

    372KB

    MD5

    c7881b2700da012de7a5744366665795

    SHA1

    41d9506d0c586644501d8dc3737db136d3c4c84d

    SHA256

    89c32c8e6f9051441addc1a3126099fba71fe57df9e9a8b8791aa0a524fad5c6

    SHA512

    ffb7490f66bdaedc5c3b9ab3cc3d4ac4fa94f37b678ddc723d2347535523d8b72c74c070f7174109a0fb1bd70da757ecd7a19e327c4cd87a8f29c97ff3de808b

  • C:\Windows\{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe

    Filesize

    372KB

    MD5

    c065e153fa324c42576b7a3b9f377e2e

    SHA1

    f8de6af1ad3cf2c40cae68ef392152cd97d8b4ed

    SHA256

    d9f313ae9672538b5bd6b25c099d1bbd096027256504ad10e4410edfe5fd9352

    SHA512

    066878d9487f3fbf383d66e5b13b8111d15eaaad18a2822863c9c1027675a01ebea1795c6f1501222b34c19769fe497761afd911d585b857b100317800f887ee

  • C:\Windows\{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe

    Filesize

    372KB

    MD5

    98ee42ccac0bed374b98e156db8c9a8a

    SHA1

    8665ef37e1d0ea9c517c4427f9b8ea02558911f1

    SHA256

    755216230e178cdafafb4a087a6fc9f4c45f9966460e9ca2b9bd0eccc5542cd2

    SHA512

    5829e7c8045f5361b216f5c996109826a30c631eced884a333c68ab60888c9e54a927c66a3645b0ba208ab9b277c80e792ba6e4eef2ae6bc85374e262921597a