Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2024, 08:27

General

  • Target

    2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe

  • Size

    192KB

  • MD5

    25861ea2893539cd23cb931ad9fbf92e

  • SHA1

    e573e98263a326f9bd4e558ae354c30a6a9c2c33

  • SHA256

    13c23094edd1c20bcfa7cfbf04b46598d15e4ceb62e075418f4077075f222d4f

  • SHA512

    dc723717327501e11b8aa3642cd2fbba444dcd82a9f5064df8c3ea25e7dd9df4cd1d359b6faad2ad613b5a44ba09d64be1adb05cba865247a7f717a2ed62cdab

  • SSDEEP

    1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o1l1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\{A002CF13-7790-4203-801B-CC32763045A8}.exe
      C:\Windows\{A002CF13-7790-4203-801B-CC32763045A8}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe
        C:\Windows\{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Windows\{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe
          C:\Windows\{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\{DA386CED-9583-477a-A293-7C7340B11749}.exe
            C:\Windows\{DA386CED-9583-477a-A293-7C7340B11749}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4340
            • C:\Windows\{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe
              C:\Windows\{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4956
              • C:\Windows\{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe
                C:\Windows\{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3320
                • C:\Windows\{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe
                  C:\Windows\{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1516
                  • C:\Windows\{BEDB5427-8130-4ca0-8143-964F390A5051}.exe
                    C:\Windows\{BEDB5427-8130-4ca0-8143-964F390A5051}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2160
                    • C:\Windows\{08A09470-D918-485d-9C1E-870F282E80D5}.exe
                      C:\Windows\{08A09470-D918-485d-9C1E-870F282E80D5}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4992
                      • C:\Windows\{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe
                        C:\Windows\{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4724
                        • C:\Windows\{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe
                          C:\Windows\{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1832
                          • C:\Windows\{A71BCE35-4697-4258-9967-99C4BFD74AC3}.exe
                            C:\Windows\{A71BCE35-4697-4258-9967-99C4BFD74AC3}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4312
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A3FB1~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4452
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B894B~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2844
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{08A09~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3020
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{BEDB5~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1420
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{10AEC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3200
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{94D68~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4776
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3F9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4664
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{DA386~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2904
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C2F94~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{63C12~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4692
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A002C~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4364
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{08A09470-D918-485d-9C1E-870F282E80D5}.exe

    Filesize

    192KB

    MD5

    3078edb9db2dd3fc14a9776de428ec6b

    SHA1

    7ae3a1cca630ed849f7514e4ce84df109510b889

    SHA256

    46cf291796cec590e66e4984e4b5b09bade3ed8c2685dcbcf9175bc20425d991

    SHA512

    3b30ae9c72c643742120542ba227535fce60e7b36db1330d01b12a705eb8d3d34a04b11c0d6f51ec681000712576ebaee1ec5440e5628f91531b4155f64a2480

  • C:\Windows\{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe

    Filesize

    192KB

    MD5

    cac7deeed5d9df79b042c6bf3bd634b4

    SHA1

    ecbf543d5bc28c558152a25e3799cff49c2c6dbe

    SHA256

    335a2e291b2a2d7f73f01d236f41e5eac4c206c7fa4e35d1dc3d77885b8a726f

    SHA512

    b0e17dfb552afdf08546d92209e4dfa151d35f0334cf8692cfd00c033909ab671a5403e624cee12ea4c1011e18c610b53242a90c81ef217f392de8ae15c7ea55

  • C:\Windows\{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe

    Filesize

    192KB

    MD5

    c6e4a374c1f0c8d953ed396e519ddc92

    SHA1

    7dec578c1edf8ec53fb444fe1b5b7e516020d47e

    SHA256

    335b30775650cbe889a5de45115d7b183008c325f426e56b985d367534652904

    SHA512

    11d96fd6d3fc29304d5a4bee25a9735b4d6478632d48eb3cca9a15244024f0b8a32c01eb78691a3ac1a7b10ecad5667350c1761e6956bd8871e91c01973b2533

  • C:\Windows\{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe

    Filesize

    192KB

    MD5

    6666618f6c7dae2ecead1edf029cd809

    SHA1

    6603454cb0957ae77fa5ae4e32ea4003aeff85e5

    SHA256

    db152aae912d9c3fb313dfe8c368e71562410901a4de7a47e2f8a90053e1b8ee

    SHA512

    df4dbab88c9d4d28f253bbb9e108c9687460040a3c7d0392e584287c15c704f41049b96bcd055e1cd9b5c147e123dc1e3bd43c34a0876f6d73243efc76d7fab6

  • C:\Windows\{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe

    Filesize

    192KB

    MD5

    904ea5b61a21888d97183ce7979e8049

    SHA1

    416d77f11275e3bbe28414f1252eee25831cc5d7

    SHA256

    00185694afeeac5b6125b8259e68d8b81438922898b78a7c8e6eae3c545f83ba

    SHA512

    c7866c707d0caecd67c17facc444ab061a1ecfebe999b4881259cb8abe53007f2e92b2d1c326bfcc64eaff6d054007ca80ee36ddb290e94e4f5e91bfd140ae1d

  • C:\Windows\{A002CF13-7790-4203-801B-CC32763045A8}.exe

    Filesize

    192KB

    MD5

    828b881701151a9c8e2d74387a4f6021

    SHA1

    1611f2e7ac1674d813535adaf62ad79a3b4f0332

    SHA256

    c6fc88353de88d6caf5c08253fbfa3a9e41cbe9ace5c6d5cddbcbc98722eb326

    SHA512

    6623247de97ab6cb54caaee04d9d971e3d2311c93b419abe1c034ef8e8b06fc212f54e5d167f114c05bc1c2e65063c41a6d14dc79aa5e9a7cd0c55f411dadef2

  • C:\Windows\{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe

    Filesize

    192KB

    MD5

    c48391ed656d7b715ceebc34513b4185

    SHA1

    a316582ea801378765cc52574d64fe8fcd17b55a

    SHA256

    3f06b65df20452ddf11e4324299333dbbbc38c51177f78a8347e95cf19f32812

    SHA512

    dfc1db09c4148c20dea9b465f8cd9c7c9743b1b907332ba76d02d1984ff30a85b7f3f18626b0fc768c377341e102455d782454838a6fb67160fd51a8795fc0d4

  • C:\Windows\{A71BCE35-4697-4258-9967-99C4BFD74AC3}.exe

    Filesize

    192KB

    MD5

    52f2f07e1423b27a336835c030a698a9

    SHA1

    d733f65473581165b5a9224b3e433de199129de9

    SHA256

    cc5751bcef2d47e48bd22c7f0dd776d71298d748abf0935a6fd3e472597b9a2a

    SHA512

    7f91b53ef57cb55a3ab2c72bdf483f350be6a4eb75dc71b4751de092c2a20883a6fffd09390ffff7a21beb0476f5cde84f5f5fc433665cdd8f881f5c58b8e575

  • C:\Windows\{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe

    Filesize

    192KB

    MD5

    c83cff975b2e21c167fd975ce23aaf7e

    SHA1

    89a800cca50b5a607dbb9413a81b0a2fc05bd4b8

    SHA256

    785c6e3cbca35401c4860249e4f2e92959dde86a751565d622cb7b94a32ce0aa

    SHA512

    c8a96b07f83f723f9f92956eff2485c09d71198c4b2fe69957378ec4fe0d01ed720fa7ba4f2a519695513a0af3b72410ce2bb52c2c848836350f67cfc662408e

  • C:\Windows\{BEDB5427-8130-4ca0-8143-964F390A5051}.exe

    Filesize

    192KB

    MD5

    1dc65aee0d13e377c7a5e6886c0d37c6

    SHA1

    fe831bed6c58e608cb9c0790b2ce129f02fb5c9a

    SHA256

    373a23dd43eb895ea2c63ccc225bcda4b314b7b8e2a2c0c9f3462e1fdb2d5241

    SHA512

    710542ba532d3a36734b167e74ebc4fda38adf2c17873193f46fd1bc7f407711e0162a5e0b370cccedd4db9bd6163a0929bf6b000b0f35d67c759ea7e2d22ce4

  • C:\Windows\{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe

    Filesize

    192KB

    MD5

    84421e0acafe4122cba9fe74ce797c65

    SHA1

    90a454248ed5ed54e16c7dcd008c03c7e19d5c4a

    SHA256

    4904c7cd2d7cf5d46a5907e3f11e337c3cd6b1e8c5b5ebc3135115e969199b38

    SHA512

    a1db0f49f54803203a67eb85d65b9d3cd0d5f3f0f6017b18ce66d865558d0b7901c2337753e92ba85ef941c5727cee38a0c8b7f207419857a48f10c19bc6dc36

  • C:\Windows\{DA386CED-9583-477a-A293-7C7340B11749}.exe

    Filesize

    192KB

    MD5

    b59c6a1fb55f3a249ca3089c53df5ee5

    SHA1

    f57b4638cf1a6728f4d98d1f7f683bfa2d08d328

    SHA256

    4fa76d7fac31b117b7f04ababf9a5a0d42eecd0c3a3d4557d0ecd4cdbb0deacc

    SHA512

    22af380e118bc2b043a8417b212d73e2f135b41327e71132ad07bda6c2c6463e4c37cadde3045553099ba6181e1c3e056c6f54c623effe8a607f452dd5d2b154