Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2024, 08:34

General

  • Target

    2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe

  • Size

    344KB

  • MD5

    4a4b63035071f312fd7a8fd6a0db86bf

  • SHA1

    38bfe00d6861e48ab945bb170b2a7fc1ace3439b

  • SHA256

    201ded16869efd77c17f64b7a97a75250b8bbb25639174cd2ee449424702f5d0

  • SHA512

    5f7a986bc291aa36df39f1ae2797743c721d28b191af8e22e5e92c0bfea0f794d80fafba845dc577e8ac1261e083901eea979d8ce50650dd12a74be841998b66

  • SSDEEP

    3072:mEGh0oalVOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlVOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe
      C:\Windows\{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\{8F220589-E02F-4976-807E-25BD0D16146B}.exe
        C:\Windows\{8F220589-E02F-4976-807E-25BD0D16146B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3128
        • C:\Windows\{F320F7C5-FC63-495e-83C1-127B676F2646}.exe
          C:\Windows\{F320F7C5-FC63-495e-83C1-127B676F2646}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4896
          • C:\Windows\{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe
            C:\Windows\{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1644
            • C:\Windows\{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe
              C:\Windows\{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4576
              • C:\Windows\{34C4E7C2-2417-4020-9801-938813213E3D}.exe
                C:\Windows\{34C4E7C2-2417-4020-9801-938813213E3D}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3956
                • C:\Windows\{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe
                  C:\Windows\{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4288
                  • C:\Windows\{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe
                    C:\Windows\{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4384
                    • C:\Windows\{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe
                      C:\Windows\{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3316
                      • C:\Windows\{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe
                        C:\Windows\{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4988
                        • C:\Windows\{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe
                          C:\Windows\{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1608
                          • C:\Windows\{3EFC7898-5A62-4625-8E9B-3D946478D993}.exe
                            C:\Windows\{3EFC7898-5A62-4625-8E9B-3D946478D993}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4772
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{63A2A~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2848
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{57254~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:5064
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3D57~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1700
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C16~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3272
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{05FDD~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2804
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{34C4E~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1092
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D2DDF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4520
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{631A2~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4552
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F320F~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2148
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8F220~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4188
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC782~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:620
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe

    Filesize

    344KB

    MD5

    3f33ae226531012f0c26954516f95009

    SHA1

    76b5c7f2f69eb9a0060e7bb01e9f8888d3814157

    SHA256

    6cdc7fecdec4ac6814fb2e7c9e368917752d5893156e8a0abf1b6311c58e54f5

    SHA512

    0c7242fc722e06c1aad7cc97b979bd8b8ea10de90b5953a4d3d2b5d3ca9b8b01dd73d8d11ded163292d13966ad352253f79feca3cc5bf159f81fa980f994e60c

  • C:\Windows\{34C4E7C2-2417-4020-9801-938813213E3D}.exe

    Filesize

    344KB

    MD5

    c10fd2adbed9765d8cdf22d794ac4add

    SHA1

    b11d8b5e9f5e6c61904483dabad5d7fc748f1f4b

    SHA256

    ea312434537c9fdf2e3876acde5e048e80987c462c4f5f4359f73f75307d72de

    SHA512

    6c6b52bdf194d0f41514906d5a01911a1ca10b83cdf355bfd4e24f89552b8e564374ed8be1ae61f369ff247688d9f5c943011a926911f01d83d8d62dcf205741

  • C:\Windows\{3EFC7898-5A62-4625-8E9B-3D946478D993}.exe

    Filesize

    344KB

    MD5

    e500d16b8d13128d7d93b6cf7b6cf809

    SHA1

    b0725673a782c9722c2b2249e88a3c38a69a71ea

    SHA256

    2bccfc28bfcd6d3e240bd5a95c960e050b4ca92ba1dcf224c43940a462d6b568

    SHA512

    0d5aee63562f658bcf8190e102e6d1d7b7aeddda0e8005595dd35cc8ab77140e32af23073a9a52a0e113f2422dbd47c2570f65b3a2437ebe72cd5937cd862b75

  • C:\Windows\{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe

    Filesize

    344KB

    MD5

    62889d763f988e183fea6ef38953135a

    SHA1

    198db8f38c0dcff99e450c3cef3f45ff7dd33b20

    SHA256

    5189683bf387c60f5c6d77f122004c520847177b9c99fd10a8ecca87c5c6e1f7

    SHA512

    19b0cc751ab3e842c1425a47c7bcc3a7001c79ac15f18350f1d1bacdd0460c130f17a4ce9e5ca952b096d4fde82a55b2accec9e4bcfc863edc2bb96262802d92

  • C:\Windows\{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe

    Filesize

    344KB

    MD5

    ad66c50f823b35c8987d86a6fba4e4d1

    SHA1

    1402e0b4ee9559dbc5028a7b9e5c1ee0cb757ebf

    SHA256

    982a27f271a201be5cf6af0b2151f987879adeced75b1c07e1da62376d198997

    SHA512

    eb4ac2af6405113d2f71a8eaa1125ec84217e9e57470a24b477235613cd070d76059282add08f673f18b9dc29a0c19e189c8caa40a40ff581f2a9278ed8b4b84

  • C:\Windows\{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe

    Filesize

    344KB

    MD5

    e457317229c3cd86f84ad79f3f63cb8d

    SHA1

    a8cbf2453a3bae06687231f166658ec8f0660399

    SHA256

    e1a80b6a8dc3086b6296210d1d344d58255b8a259e61b0a27fb63f0cda820ba9

    SHA512

    86ac2de5942d67413c8106119a34e3bba4446ca11a344eca9c5ceec674d21ed1d97d220f03ea1fac170c5559ce79d162b7d0af3eb45d6b2eaaa46ef8640f215e

  • C:\Windows\{8F220589-E02F-4976-807E-25BD0D16146B}.exe

    Filesize

    344KB

    MD5

    466f0bf53e63f97a49aa13a26206dff6

    SHA1

    96e169b0a79b5ce7df5303064935b4cbf28840cf

    SHA256

    3dcd53af44114410c3df2ad524304f86ff4b195827fc396591c395717c9cfbb8

    SHA512

    01c216dd6498b927c0fcdd94a5a15ad371bdf57caaf7b8bdd0daf4e530a3e8775bb94417b6f3bde3a8b8279387bf61e4c25e2633c4b34345606cbaf94bf93257

  • C:\Windows\{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe

    Filesize

    344KB

    MD5

    d997e26e8252fbdf27d2eabb3ad3b524

    SHA1

    6a841a9377df856f38628ebf7498cc012d52b17b

    SHA256

    11b4bdc1f35f77f4f136c994e93f957dac0e0a8dd94a9af51c1d9a03d6fa70e7

    SHA512

    8ba21cce63457e7a805d7ed58b56e4098eda5738c86a90f5e770b39a5b128f2ad8348b47bdac433ddc834645831ae02f3f4525172f21dca2a51563189ec7a1dc

  • C:\Windows\{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe

    Filesize

    344KB

    MD5

    5163e66734ca34b231e505d125ef89c4

    SHA1

    ed948e97cdc93f262b87db1e5266d158b98fd6a6

    SHA256

    37b9cfb85033eb5ef3b0505af61e838235160dd6495914b6f2ceb41ec7794f27

    SHA512

    d07aa35eec203fed36075ab6533a462357eaac7c0a4dfc7c6c050e911729d91914c21ab395316fbaa8ed39ca8a315ff47a0f338a29eb1471d4caf7c8f3d6d6e0

  • C:\Windows\{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe

    Filesize

    344KB

    MD5

    11cdf0cb75d2794eed2e9aabfc236df8

    SHA1

    e9e902542d80f8c26f0c259d5f4c14c036a4a269

    SHA256

    13f29d20f8045ba7b75b341ffe17beeb995c6eac72426e85c3294722f8529fd0

    SHA512

    ac305a63ce5e206f6e693b33767a770fbbe113b9d63880131f0f20d8a48602df432075ef5c675bbce4c41c70e5a9c0fbc43a2c7fc1d45af1e7bfc59284daf18c

  • C:\Windows\{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe

    Filesize

    344KB

    MD5

    05778866a6de73ebc86000329a2ea50b

    SHA1

    1c0ac1a138130011b347dc9180c399b8b12933b5

    SHA256

    e71974c6ccf5eafe1b18e2bbb3e2a68f344e784ad1f77f38db7598fcb738f5dd

    SHA512

    f852bf86048ce31a5d486a2b9d2c3a5ea20bcf3ae1d3a5be7ab47436df18c55885332237a609643cc28e8d0966bb9272ace5903f5252faf1f238b25d19e6eafb

  • C:\Windows\{F320F7C5-FC63-495e-83C1-127B676F2646}.exe

    Filesize

    344KB

    MD5

    723c52ac3fbdf7c699a95db11b2f91e3

    SHA1

    5126ddf5a04311bcac631d41545d2270ff58250f

    SHA256

    9db214088d71327d0cab1b3b238bf6a05bb69df303e832355bd126f673c3d139

    SHA512

    4efa7d204ace60c3a9b6e7e6b877c8d9e3a29450ac8e88bd366775287cc6951c514a6875dca24bc4be4d7f7999df0af18c509c7123056bb41ad9b746121e6b5b