Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024 (2 October 2024, matching the date prefix of the target file name), 08:34

General

  • Target

    2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe

  • Size

    344KB

  • MD5

    4a4b63035071f312fd7a8fd6a0db86bf

  • SHA1

    38bfe00d6861e48ab945bb170b2a7fc1ace3439b

  • SHA256

    201ded16869efd77c17f64b7a97a75250b8bbb25639174cd2ee449424702f5d0

  • SHA512

    5f7a986bc291aa36df39f1ae2797743c721d28b191af8e22e5e92c0bfea0f794d80fafba845dc577e8ac1261e083901eea979d8ce50650dd12a74be841998b66

  • SSDEEP

    3072:mEGh0oalVOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlVOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
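Added example, not part of the Triage report: a small Python audit of the Active Setup mechanism the first signature refers to. The report counts 22 Active Setup IoCs but does not print the registry values, so the input below is constructed text in the shape of `reg query ... /s` output; the subkey GUIDs and the benign first entry are illustrative, and the malicious StubPath reuses one of the dropped-file paths listed in the process tree as an assumption about what such an entry would look like. The `%SystemRoot%` expansion to `C:\Windows` is also assumed.

```python
r"""
Audit Active Setup 'Installed Components' for StubPath entries that point at
unexpected executables (ATT&CK T1547.014).

How the mechanism works: at interactive logon Windows walks
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (and the
Wow6432Node mirror for 32-bit components on x64) and, for every subkey that is
absent under HKCU or whose HKLM 'Version' is newer, runs that subkey's
StubPath command once for the logging-on user, then records the subkey under
HKCU. One writable HKLM entry therefore executes for each user who logs on
next, which is why it is a persistence location worth auditing.

SAMPLE_REG_QUERY is CONSTRUCTED `reg query ... /s`-style text; the GUIDs and
the benign component are illustrative, and the StubPath of the second entry
reuses a dropped-file path from the report as an assumption.
"""
import re

SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000001}
    (Default)    REG_SZ    Example Component
    StubPath    REG_EXPAND_SZ    %SystemRoot%\system32\regsvr32.exe /s /n /i:U shell32.dll
    Version    REG_SZ    6,1,7600,16385

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}
    StubPath    REG_SZ    C:\Windows\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Installed Components\\(\{[^}]+\})\s*$", re.I)
STUB_RE = re.compile(r"^\s*StubPath\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$", re.I)
GUID_EXE = re.compile(r"^\{[0-9a-f-]{36}\}\.exe$", re.I)
WIN_ROOT = "c:\\windows\\"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_installed_components(text):
    """Yield (subkey, stubpath) pairs from reg query output."""
    current, stub = None, None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            if current and stub:
                yield current, stub
            current, stub = k.group(1), None
            continue
        s = STUB_RE.match(line)
        if s and current:
            stub = s.group(1)
    if current and stub:
        yield current, stub


def stub_executable(stub):
    """First token of the StubPath command line, quotes stripped and
    %SystemRoot%/%windir% expanded to C:\\Windows (assumed)."""
    stub = stub.replace("%SystemRoot%", "C:\\Windows").replace("%windir%", "C:\\Windows")
    if stub.startswith('"'):
        return stub[1:stub.find('"', 1)]
    return stub.split()[0]


def audit_active_setup(text):
    """Return findings for stubs that look like dropped payloads rather than
    stock components: GUID-named executables, files sitting directly in
    C:\\Windows (the report's 'Drops file in Windows directory'), or files in
    user-writable locations."""
    findings = []
    for subkey, stub in parse_installed_components(text):
        exe = stub_executable(stub)
        low = exe.lower()
        reasons = []
        if GUID_EXE.match(low.rsplit("\\", 1)[-1]):
            reasons.append("guid-named executable")
        if low.startswith(WIN_ROOT) and "\\" not in low[len(WIN_ROOT):]:
            reasons.append("executable directly in C:\\Windows")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("executable in user-writable location")
        if reasons:
            findings.append({"key": subkey, "stubpath": stub, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_REG_QUERY if sys.stdin.isatty() else sys.stdin.read()
    for f in audit_active_setup(text):
        print(f["key"], "->", f["exe"], ";", ", ".join(f["reasons"]))
```

On a live host, pipe in the output of `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` and the same query under `HKLM\SOFTWARE\Wow6432Node\...`; because this sample runs under WOW64 (its cmd.exe children load from SysWOW64), the Wow6432Node view is the one to check first. Two caveats when cleaning up: writing to HKLM and to the root of C:\Windows both need administrative rights, which the sandbox's Admin user has, so the same sample on a standard-user account may fail to persist this way; and removing the HKLM subkey only stops future logons, while the HKCU copies that Windows writes after running the stub tell you which users have already executed it.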

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
      C:\Windows\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe
        C:\Windows\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe
          C:\Windows\{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3056
          • C:\Windows\{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe
            C:\Windows\{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:864
            • C:\Windows\{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe
              C:\Windows\{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1800
              • C:\Windows\{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe
                C:\Windows\{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:992
                • C:\Windows\{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe
                  C:\Windows\{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1996
                  • C:\Windows\{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe
                    C:\Windows\{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3004
                    • C:\Windows\{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe
                      C:\Windows\{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1880
                      • C:\Windows\{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe
                        C:\Windows\{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2388
                        • C:\Windows\{592F5C9B-B80A-4769-B873-75D145A571A1}.exe
                          C:\Windows\{592F5C9B-B80A-4769-B873-75D145A571A1}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2520
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{82D2F~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:908
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{23261~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1356
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B56BB~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2164
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{53358~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2960
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A8B01~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2176
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3E3D3~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:444
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE59~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2628
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B05BC~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2896
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{26E1D~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2220
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D011~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2732
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2564
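Added example, not part of the Triage report: the process tree above is a chain in which each stage writes a fresh `{GUID}.exe` into `C:\Windows`, launches it, and then has `cmd.exe /c del ... > nul` delete its own image. Because `del` receives the 8.3 short name (`{8D011~1.EXE` rather than the full GUID name), a detection that compares the deleted path with the parent's long image name never matches. The Python below reconstructs the chain and links each deletion back to its parent by deriving the short-name prefix. `EVENTS` is a constructed subset of the tree in the shape of Sysmon event ID 1 fields (pid, ppid, image, command line); the ppid `1000` stands in for the unseen launcher, and the final unrelated deletion is added for contrast.

```python
r"""
Reconstruct the drop -> execute -> self-delete chain from process events.

EVENTS is a CONSTRUCTED subset of the report's process tree as
(pid, ppid, image, command line) tuples, the fields a Sysmon event ID 1 feed
provides. ppid 1000 is an assumed placeholder for the unseen launcher.
"""
import re
from collections import defaultdict

CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe"


def _exe(pid, ppid, img):
    return (pid, ppid, img, img)


def _del(pid, ppid, target):
    return (pid, ppid, CMD, r"C:\Windows\system32\cmd.exe /c del " + target + " > nul")


EVENTS = [
    _exe(2664, 1000, DROPPER),
    _exe(2824, 2664, r"C:\Windows\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe"),
    _exe(2600, 2824, r"C:\Windows\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe"),
    _del(2564, 2664, r"C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE"),
    _del(2732, 2824, r"C:\Windows\{8D011~1.EXE"),
    _del(2220, 2600, r"C:\Windows\{26E1D~1.EXE"),
    _del(3100, 1000, r"C:\Temp\build.log"),  # constructed, unrelated: must not fire
]

GUID_EXE = re.compile(r"^C:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.IGNORECASE)
DEL_CMD = re.compile(r"\bdel\s+(\S+)", re.IGNORECASE)
SHORT_RE = re.compile(r"^(?P<dir>.*\\)?(?P<stem>[^\\~.]{1,6})~\d+(?:\.(?P<ext>[^.\\]{1,3}))?$")
ILLEGAL_83 = " +,;=[]"


def short_stem(long_path):
    """8.3 stem and extension Windows derives for a long name: the first six
    legal characters of the stem and first three of the extension, upper-cased.
    Only the common ~N form is modelled; NTFS switches to a hashed prefix after
    repeated collisions, which this heuristic will miss."""
    base = long_path.rsplit("\\", 1)[-1]
    stem, ext = base.rsplit(".", 1) if "." in base else (base, "")
    stem = "".join(c for c in stem if c not in ILLEGAL_83 and c != ".")
    return stem[:6].upper(), ext[:3].upper()


def short_name_matches(short_path, long_path):
    """True if short_path is the 8.3 form of long_path in the same directory."""
    m = SHORT_RE.match(short_path)
    if not m:
        return False
    short_dir = (m.group("dir") or "").rstrip("\\").lower()
    long_dir = long_path.rsplit("\\", 1)[0].lower()
    stem, ext = short_stem(long_path)
    return (short_dir == long_dir and m.group("stem").upper() == stem
            and (m.group("ext") or "").upper() == ext)


def find_self_deletes(events):
    """cmd.exe deletions whose target is the parent process's own image."""
    image_of = {pid: image for pid, _, image, _ in events}
    hits = []
    for pid, ppid, image, cmd in events:
        if not image.lower().endswith("\\cmd.exe") or ppid not in image_of:
            continue
        m = DEL_CMD.search(cmd)
        if m and short_name_matches(m.group(1), image_of[ppid]):
            hits.append((ppid, image_of[ppid], pid))
    return hits


def find_drop_chain(events):
    """Longest parent-to-child path through GUID-named executables in the
    Windows directory, starting from a process whose parent is not in the feed."""
    image_of = {pid: image for pid, _, image, _ in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    best = []

    def walk(pid, path):
        nonlocal best
        nxt = [c for c in children[pid] if GUID_EXE.match(image_of[c])]
        if not nxt and len(path) > len(best):
            best = path
        for c in nxt:
            walk(c, path + [image_of[c]])

    for pid, ppid, image, _ in events:
        if ppid not in image_of:
            walk(pid, [image])
    return best


def summarize(events):
    return {"stages": len(find_drop_chain(events)),
            "self_deletes": len(find_self_deletes(events))}


if __name__ == "__main__":
    for ppid, image, pid in find_self_deletes(EVENTS):
        print(f"pid {ppid} deleted its own image {image} via cmd pid {pid}")
    print(summarize(EVENTS))
```

Two practical points follow from the tree. The deletion runs in a child of the stage being deleted, so a hunt query that joins `cmd.exe /c del` events back to the parent's image, rather than only looking at the deleting process, is what surfaces the `Deletes itself` behaviour; and all twelve images are the same 344 KB with different hashes, so file-hash blocking alone will not stop the next stage, while the `C:\Windows\{GUID}.exe` naming and the 8.3-form deletion are stable across every generation shown here.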

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{23261B56-45F9-4f70-9041-8AD1AAF658C1}.exe

    Filesize

    344KB

    MD5

    f0cd2021d7f2cc4edc54fa6d3cf76f02

    SHA1

    2a73955c2ad769873b4cf051963ec3f0745ac47e

    SHA256

    e9e4287369cd4b1a7da7bf9763f82bb2eafc4a0d1b21f2d6f53d3677146c03c3

    SHA512

    09557ba3a370a26b7eb5a4a1e054068f6c0ecb7712687556b331fae761bf5f68f21698f98df4aa60588be8999424a4a836c393d7f67c28a57c88e76498f56a57

  • C:\Windows\{26E1DCE1-1FFB-4063-8B93-E9F30A930404}.exe

    Filesize

    344KB

    MD5

    5b593ef44f72083b059e943a73a5a23d

    SHA1

    5f1803ea9a5c3eb29754eddf7ada50f6692ec5de

    SHA256

    815604b8567c5c8fe7dcbe8afba514e7b0c8f7368cc164054a2ab8178fb21e00

    SHA512

    5336e9803f4e5e089829bd0032a62aee000c0f73965eeaea4cd0bc2e6b24f6ff2f9025b0290a0b6b89da0a13eff9d0059b3f208fabdd16f90ad1a303cc084bda

  • C:\Windows\{3E3D327D-9E2F-4c5a-9499-9F3A182CBF32}.exe

    Filesize

    344KB

    MD5

    9ae309ad3cd9119e3575faec76210c5d

    SHA1

    bc8f28ceefdcdbc9dcd409ca91d70a0b51b77d78

    SHA256

    2ea0c14533caa3714c113ac9123e85c1779215e5e9bdc7291221cdcbec8fd7e2

    SHA512

    7f3fbc61a425a03958713cef0493487fd2cedbddfe42436aaae5b29a7184ca1bd773afe0dfc041a34477a1f0534560a2e106862ef767587c9cefb09f9dd8dd98

  • C:\Windows\{4AE59DAC-FFBB-4498-B82E-31428E546E80}.exe

    Filesize

    344KB

    MD5

    ec7138bdb1bd3d1d1722827bfe4ac0d1

    SHA1

    cfb948bcf0158fd69f7b5ec9b6f1461cf63abf7a

    SHA256

    19b358b95bfb17c4bfd1fa5a76e060d605269b38994612c869ea51425b0516e7

    SHA512

    07afba75763db1f3048208c354f49ac56f4b5268c02e02beff6aa77125211cbf6cfdb49328a6598670bbc9128da0c02a02a292117a45104c6be74efbd73d9906

  • C:\Windows\{5335894F-5E23-45b8-9ACC-903D7EFCEF65}.exe

    Filesize

    344KB

    MD5

    32f959ce26185aa433f8056ddc0265ec

    SHA1

    b02e1a5b9acfd4e347713dc40969d99a09128b01

    SHA256

    d64ff4cec6c1ba9e59c597d5ab0a1bcbeccf7551be7b462704609cae8f04c1ed

    SHA512

    2bdb2119c21f879b3bccdef032985e9b6cd58fcef84af9a686b43c0342b488521480f8975a1448d3bfe4c34dd4bb34b7155a5928943060e8970b67903acce8a4

  • C:\Windows\{592F5C9B-B80A-4769-B873-75D145A571A1}.exe

    Filesize

    344KB

    MD5

    dd3a0c21b1438ebe48b2b79b5693a3a0

    SHA1

    6b91ed2cf80bcbc1d98b879ff2e2fd9540e6fc56

    SHA256

    5ea998ba77313acca0d5811dbb641d9898e8c182111e2f40adbefad59b220ac6

    SHA512

    7677423684f8510fde20d486333ee68d6835025c6b746adcf6b418e5137713c921a70e25297e56a20b74536b6adce125e0973d03b179dbc9291decfbc439b74d

  • C:\Windows\{82D2F990-A839-4bb9-9365-6BDCC9985DDA}.exe

    Filesize

    344KB

    MD5

    8f17cafe42eab782c8af49eddd532b39

    SHA1

    330f3bb1725317126baed1ce8f0501d219e40a5e

    SHA256

    f384cde783e62e7204f013a05a631838764b97473a16ad05b5c3a9a4a04a8406

    SHA512

    1c6c84c9aad28e184385a43bfdc0c866ce7fe397c6f052b63095690251f53bea3e566e6ce29a5e676cd94f3acb43b506e149b81e5629dc75ef733ffaa9ae9c7c

  • C:\Windows\{8D011FB9-27F7-4d01-BA48-611D747BC3B3}.exe

    Filesize

    344KB

    MD5

    2d08798bc8d043064a96745ba44080d1

    SHA1

    10b97413d98448e0e388e7e93f79be867109de5c

    SHA256

    8c32e13441a12745a7bae6ee84ebf7947c5dc1c6885047a532bbf73cd19b0d11

    SHA512

    427654608d56b466f7c71ce9014da00dee5ea620555b6e9d2fcee3639a5227044d032f6b1b68ac44b41755f46ca538263e9f6472db9f0c76f7607ab6ece79cfd

  • C:\Windows\{A8B01F49-0A88-453b-8A4C-775772AA85C6}.exe

    Filesize

    344KB

    MD5

    c3f6fe3250e4863aa5ddaed94ab85845

    SHA1

    c0addc0132108595483787bd80ee2bbe047a07eb

    SHA256

    1ea381f8716ee283443e98c7617740eddb8df4cd13fc90ac09946ed36bd8e3db

    SHA512

    6084a89924f1d4af559cb16911c86ec56eb7c59085ec51315222846ad04a949652ac17f6c25739b35ddcb749fa8ee8df18743975194db759bbfae5de3532c0d9

  • C:\Windows\{B05BC9BC-A0E1-4703-9942-62BF0DC77B08}.exe

    Filesize

    344KB

    MD5

    e44eea7d87b98b2e70ead03db63df8ac

    SHA1

    5162633652973d43f15d86c550feee95b7277856

    SHA256

    f94f97f5e47c1a0647a1966eb34bf3717ecd18a23847284186020bdb6753d512

    SHA512

    a415ae0540f679be124ca577ea3c20f040c446d8e333ab38beeed83d2ec795c6059c356c19e3e8708744a38032330a77bca10f71938922894d375b84f0456645

  • C:\Windows\{B56BB060-993D-460b-888A-D212DC8FEFC3}.exe

    Filesize

    344KB

    MD5

    01a8bf41c22eda70d7066a5f0142b835

    SHA1

    bc7b55c5d45ca5cc595447041d3079fe023ab419

    SHA256

    3ab6a60320785d7d2a4b063a291912b124a644f47758cd9840909ca63072e2df

    SHA512

    329a326592202e2535bcc0b9376d5a4b293b6287df62629776d8a1580cc92b03923af93daa279047c32695deeea41326b7277c4c81bf9ab9c518f1384e00cb49