Analysis

  • max time kernel: 144s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 05/10/2024, 10:10

General

  • Target: 2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe
  • Size: 168KB
  • MD5: dab6d8f1ef18fbf3b0e954085c0c51da
  • SHA1: 53821e3046a8d61dfd565949a18b1cf93f91c3b9
  • SHA256: 0fb6d5d629bc87c4f0e67626a71eddce44508909b4fa8c32c84df39d7627dfef
  • SHA512: b0a6acac2863b1bda9808959bf2429a84c1a19fef26839e8afbdaad15e474871dd9496bfd8dedd3c21441b028a1f07b2e376ceac760c1563034c8f70a95762c8
  • SSDEEP: 1536:1EGh0osqlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0osqlqOPOe2MUVg3Ve+rX

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-05_dab6d8f1ef18fbf3b0e954085c0c51da_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
      C:\Windows\{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
        C:\Windows\{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
          C:\Windows\{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe
            C:\Windows\{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1652
            • C:\Windows\{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
              C:\Windows\{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2632
              • C:\Windows\{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
                C:\Windows\{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2036
                • C:\Windows\{4E4E4B07-1A46-4039-8173-24377138F015}.exe
                  C:\Windows\{4E4E4B07-1A46-4039-8173-24377138F015}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1780
                  • C:\Windows\{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
                    C:\Windows\{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2860
                    • C:\Windows\{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
                      C:\Windows\{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2312
                      • C:\Windows\{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe
                        C:\Windows\{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2004
                        • C:\Windows\{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}.exe
                          C:\Windows\{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:856
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D9EC7~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1296
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{82950~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1408
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A71D~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2404
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4E4E4~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1528
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{DEB10~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2284
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EA3C7~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2776
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{69CF6~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3044
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{72A3E~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E99~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60010~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2920

Downloads

  • C:\Windows\{4E4E4B07-1A46-4039-8173-24377138F015}.exe
    Filesize: 168KB
    MD5: 64e783c753d2c5d801f77a750a058f7d
    SHA1: 4e37718cf9946c1d89205e1c07c8a2bc8d002c2c
    SHA256: 3487e5ea606371822dcd5bd52310235d1d6bda51e25a0a7743c756a536de12e6
    SHA512: c1fa3e25a3ea044bdfbd168c1fd1a4fbd9899a1406087423a7539b71b29dddd5662ce86c2441c9ab0381ef8fbecefcc7d2805fa9f385e840ae58f0b1dec84f6d

  • C:\Windows\{60010EA5-FFBF-4adb-A3B7-5BCBF5286E7F}.exe
    Filesize: 168KB
    MD5: c68608a3b281d15b76f8173734752fbe
    SHA1: 772c0b026a0520801e62ff1b4a4f6fbe45f6076d
    SHA256: d2fc0682e8dd958459dab4ba61f6bf1c6deaf772e0db7efc23cdc578fccf1cac
    SHA512: 93c62c57845b428f289e8d2f68cfea054979e191e128a02319c932c814e8cf391fed17745bf2af67afc5af161d9f2ffdf6d7a5fafac73a89d3cc3b6d8180c8d4

  • C:\Windows\{69CF6442-4EFD-464b-AF46-897E1F3FF17B}.exe
    Filesize: 168KB
    MD5: 0a664ba3ecc8f0dad814a698d248146f
    SHA1: 34ee0f785a1878b94c942efafd8a9f761fefec83
    SHA256: 48bb4e875b1dbd0d0f75497f7bdda1f08d21a05b2e29847c82e1b1a54d637f5d
    SHA512: f05f6889cc7ae50012c04d8505fe443ce5e9421066222f44cc2405ce5fb691ebc804b008d3eeb3277129fce4bddf1bd258636eb76da3c2a39e84e5ab7b4a0a2a

  • C:\Windows\{72A3EC94-CE24-408c-8F7C-3DB4D48E903B}.exe
    Filesize: 168KB
    MD5: dac3340693cad2c80539449adb429d25
    SHA1: 213329ea867938c01804c8da625a7e03f48a5685
    SHA256: 30fe08460703bbedff1f54a5a3c756908d705d7da7519b68bf39621df75defc2
    SHA512: 3db68ee3d16af4a4a5461a3885ea3966316ef7eaaf12c708c34dda99f47d037fa8b9cf386e0444fef86d484ad8c1664b022b64a0229b966f540355e3d990b0bb

  • C:\Windows\{82950F95-82E7-458c-96D6-2AB314FD5050}.exe
    Filesize: 168KB
    MD5: 1b591d075557391fabbac01e526dd918
    SHA1: a50e3d6ca8b4afca6c39582807106fef10246832
    SHA256: 4ee4cb622afcb74b6f549c4f826432ec5dc9f7049d50489084f26e857d316483
    SHA512: d8851aea4b2413db6494feac7ddc6b446a4ff50ec8d3bb9aa75f1010a37539acc4cb3093714ffb244838c87255a233d83618d93e5f8140f4a446711c011e4697

  • C:\Windows\{8737FFE7-7C8B-4a8c-9277-D65AC15B3C10}.exe
    Filesize: 168KB
    MD5: fa34762f33872f747e490ddf802781e7
    SHA1: 982f2bb9799c8af9e3a792a0936eb57c3396cc48
    SHA256: 918008bb7c9aacb7722e5bf9f10480a72d63ae20081a4cd9ee870224dcf9ef40
    SHA512: 0f7e1a59f8510d04e34ff14c31bcd0671af1df7ed493413118423bcb18ca8323bf258bd2f9b41855c3bcde959f207fc56ffd4fd51caa461c13efbf9ad9b50400

  • C:\Windows\{8A71D7E6-94F3-4dc8-A6AF-8AEA9119C203}.exe
    Filesize: 168KB
    MD5: 2ba39de9c6a2bf27ea37808b9e3b3718
    SHA1: 45083b35f3d91a9768fc32439d1a152d9f328b6b
    SHA256: 00e109386761537dff6e1fcb9255f3688852e98fabb588c54caf77e2b7760649
    SHA512: 56f2413ca035a8941d8a402c75e6834de85ad69aa22debaad7130c8e23c6b30ba916b909f3edf26efe509d1f9ac15adae1ddf109fd0cc69a318c8b97f5487d33

  • C:\Windows\{B2E990F1-ED70-4622-A99F-F497F71997A0}.exe
    Filesize: 168KB
    MD5: 63c50bc050fb04d1a254f39a9a72bcea
    SHA1: 552b9b232eebf07578a287cebbf2926764e3f1d9
    SHA256: 6bb678c1d0e05358bc6636202b2b33b8b0887afbed55a2ba53d355cf6963caf8
    SHA512: 39c6a018e6bb2f5e577763a8b82062724c8734dff9ccf48f3528a1937e816a530d4be3d2775db06e999e4a7cccf2732b6510ef2e075c01cf4df98a47e5a501fc

  • C:\Windows\{D9EC76E6-5DB7-4380-85A6-BE5454629C08}.exe
    Filesize: 168KB
    MD5: 70dcd9965b11eea4917bd733be78deba
    SHA1: 8aaa25dbc47271ca5c030e072b29981e372fe117
    SHA256: b2ccdef9c003b478f4a0ed69892f997f0ff84054efffa89abf88353e1bd8952a
    SHA512: 9abaa9cfca90f1559d96646bf64b6c5d2131acb0fa26befa91ca7528276c0d3ed636494bff3a0b575101c9f6133e9aa2fb30a005d68c428c83db8b6925722a0b

  • C:\Windows\{DEB1063A-B1EE-4fac-A9EC-3F94992C00DE}.exe
    Filesize: 168KB
    MD5: e64f03f4b19eb6ed1a2eb41bea5137b9
    SHA1: 004a4e4a6075222e58719ab107c7e91695d76c3c
    SHA256: 39d1403edb4c64a8ece9050bac52cd8273677aa037fe17feb33a752b3c6d7050
    SHA512: 747328040ca8f34d67d574ab83e1631c5175c0936b78bee1ed0cebe0a14866068bdef0735aec26515f284ca711b87f1c27e263d10e96abbecce0c270e23e051e

  • C:\Windows\{EA3C79F6-C315-4dc4-A81F-5EB170E722BD}.exe
    Filesize: 168KB
    MD5: 5f4d6381fbe32cde943f3cf78bffc072
    SHA1: b032e94b13fa1b8b837fed9101253c7e53c42bd0
    SHA256: 951b812a83dc5c4a5ac3d9bd35c09c2e1f3839ec44c0e247d89a4654ffaaa64d
    SHA512: fe11284551941b3324333722a9115d6c40d25936a59ee1240d17ed6bde6401019466a35a74ceee0fc5a8a777b9c1717e84d9ebaccbca9b5da53c3e8681125aa4