Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/10/2024, 05:42

General

  • Target

    2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe

  • Size

    216KB

  • MD5

    1214e16331e699f2f27c568dde9c3c80

  • SHA1

    78751462d4a0abd3b5711e5f7e5ce1d990d1d1f4

  • SHA256

    b264be4b8195c6118bf8e8ab002d2ed99eca502f7ddd03963b32c29ccb6ec4ea

  • SHA512

    955b544cbdaad767c565fc3995dd822df594ea36c48b817a68a156e30cd3fd744363150278e694d2a9b4c9438610980c22da2aaa68dc21f14bf4211d3a10abce

  • SSDEEP

    3072:jEGh0owl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
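
The Active Setup signature above is the one persistence mechanism in this report. Active Setup lives under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}, and the StubPath value of each component is run once per user at logon. The report confirms that the sample writes there but does not show the key name or the StubPath it sets, so the following triage script is an added example (not tria.ge's code and not the sample's own registry contents): it reads Installed Components from both registry views when run on Windows, and otherwise runs over a constructed sample list. The GUID-named-exe-in-C:\Windows pattern it looks for is taken from the dropped files listed further down; the user-writable-path heuristic is an assumption of mine.

```python
import re
import sys

ACTIVE_SETUP = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
# Drop pattern visible in this report: a GUID-named .exe directly under
# C:\Windows (not System32 or SysWOW64).
GUID_EXE_IN_WINDIR = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe\b")
# Heuristic (assumption): a StubPath under a profile or temp directory is
# worth a look regardless of its file name.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def read_active_setup():
    """Collect (component key, StubPath) pairs from the live registry.
    Returns [] when not on Windows. Both registry views are read because the
    sample is 32-bit (its cmd.exe ran from SysWOW64), so its writes may have
    landed in the Wow6432Node view."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVE_SETUP, 0,
                                  winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                name = winreg.EnumKey(root, i)
                try:
                    with winreg.OpenKey(root, name, 0, winreg.KEY_READ | view) as sub:
                        stub, _ = winreg.QueryValueEx(sub, "StubPath")
                except OSError:
                    continue  # component without a StubPath, or unreadable
                entries.append((name, stub))
    return entries


def classify(stub):
    """Return a reason string if a StubPath looks suspicious, else None."""
    s = stub.strip().lstrip('"').lower()
    s = s.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    if GUID_EXE_IN_WINDIR.match(s):
        return "GUID-named exe directly under C:\\Windows (drop pattern in this report)"
    if any(tok in s for tok in USER_WRITABLE):
        return "StubPath under a user-writable location"
    return None


def triage(entries):
    """Reduce (key, StubPath) pairs to the ones that deserve a closer look."""
    return [(name, stub, reason) for name, stub in entries
            if (reason := classify(stub))]


# Constructed sample input: one entry modelled on a stock Windows 7 Internet
# Explorer component, one in the shape this sample's stages would write
# (key name and StubPath are assumptions, the report only confirms the
# write), and one pointing into a user profile.
SAMPLE_ENTRIES = [
    ("{89820200-ECBD-11cf-8B85-00AA005B4383}",
     r"C:\Windows\System32\ie4uinit.exe -BaseSettings"),
    ("{4A143769-8968-49a3-AC7F-5A36D1B06461}",
     r"C:\Windows\{4A143769-8968-49a3-AC7F-5A36D1B06461}.exe"),
    ("{00000000-0000-0000-0000-000000000000}",
     r'"C:\Users\Admin\AppData\Roaming\updater.exe" /silent'),
]

if __name__ == "__main__":
    for name, stub, reason in triage(read_active_setup() or SAMPLE_ENTRIES):
        print(f"{name}\n    {stub}\n    -> {reason}")
```

Two caveats when reading the output. Every stage in this report deletes the previous stage's image, so a StubPath that points at a file which no longer exists is still a finding, not a false positive: the dangling entry is itself the indicator. And writing into C:\Windows requires administrative rights, which is consistent with the AdjustPrivilegeToken signature and with the sandbox running the sample as Admin; on a host where the sample ran unprivileged, expect the drop location to differ.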

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\{4A143769-8968-49a3-AC7F-5A36D1B06461}.exe
      C:\Windows\{4A143769-8968-49a3-AC7F-5A36D1B06461}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\{6E594BC9-A4E4-471b-A8B5-02587D831DF1}.exe
        C:\Windows\{6E594BC9-A4E4-471b-A8B5-02587D831DF1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\{F97876F6-7C48-4f6b-BC4A-FBD21333940F}.exe
          C:\Windows\{F97876F6-7C48-4f6b-BC4A-FBD21333940F}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Windows\{27BAFF92-BC84-41f5-ADC9-4B6F2AAD5C96}.exe
            C:\Windows\{27BAFF92-BC84-41f5-ADC9-4B6F2AAD5C96}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\{150520F5-0493-48c9-BA33-FDD924BAD0A4}.exe
              C:\Windows\{150520F5-0493-48c9-BA33-FDD924BAD0A4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1648
              • C:\Windows\{BCADF76B-5949-4f64-AC38-B90CD3D53124}.exe
                C:\Windows\{BCADF76B-5949-4f64-AC38-B90CD3D53124}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1612
                • C:\Windows\{E8E30D1A-9573-4665-BA43-26CF54307E2D}.exe
                  C:\Windows\{E8E30D1A-9573-4665-BA43-26CF54307E2D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2504
                  • C:\Windows\{F248ECFD-B787-4a94-BFC9-A0D8B070A6DB}.exe
                    C:\Windows\{F248ECFD-B787-4a94-BFC9-A0D8B070A6DB}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2796
                    • C:\Windows\{7C7A1C80-1225-4239-9324-1A9D6D0DD134}.exe
                      C:\Windows\{7C7A1C80-1225-4239-9324-1A9D6D0DD134}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2836
                      • C:\Windows\{055748FC-CC5B-4fea-B258-5F18B4D19061}.exe
                        C:\Windows\{055748FC-CC5B-4fea-B258-5F18B4D19061}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2688
                        • C:\Windows\{B108C57C-FFF0-4529-A3EB-A455230A2C2E}.exe
                          C:\Windows\{B108C57C-FFF0-4529-A3EB-A455230A2C2E}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:448
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{05574~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2784
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C7A1~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2632
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{F248E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:644
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E8E30~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2808
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{BCADF~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1540
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{15052~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1512
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{27BAF~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2644
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F9787~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{6E594~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1916
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A143~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2868
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2472
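
The tree above is a relay: every stage drops the next GUID-named executable into C:\Windows, starts it, and spawns a cmd.exe that deletes the stage's own image by its 8.3 short name (hence `{4A143~1.EXE` for `{4A143769-...}.exe`), so at any moment only the newest copy is on disk. The script below is an added example, not tria.ge's code: it flattens the tree into (pid, ppid, image, command line) records constructed from the PIDs, GUIDs and command lines shown above, then recovers the chain and pairs each `del` with the parent whose image it removes.

```python
import re
from collections import defaultdict

# Constructed input mirroring the process tree in the report: the root exe,
# then for each stage the dropped exe's PID and GUID, plus the PID of the
# cmd.exe that the same parent spawned and the 8.3 path it was told to delete.
ROOT_IMG = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\2024-10-10_1214e16331e699f2f27c568dde9c3c80_goldeneye.exe")
CMD_IMG = r"C:\Windows\SysWOW64\cmd.exe"
STAGES = [
    (1900, "4A143769-8968-49a3-AC7F-5A36D1B06461", 2472, r"C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE"),
    (2720, "6E594BC9-A4E4-471b-A8B5-02587D831DF1", 2868, r"C:\Windows\{4A143~1.EXE"),
    (2932, "F97876F6-7C48-4f6b-BC4A-FBD21333940F", 1916, r"C:\Windows\{6E594~1.EXE"),
    (2728, "27BAFF92-BC84-41f5-ADC9-4B6F2AAD5C96", 2648, r"C:\Windows\{F9787~1.EXE"),
    (1648, "150520F5-0493-48c9-BA33-FDD924BAD0A4", 2644, r"C:\Windows\{27BAF~1.EXE"),
    (1612, "BCADF76B-5949-4f64-AC38-B90CD3D53124", 1512, r"C:\Windows\{15052~1.EXE"),
    (2504, "E8E30D1A-9573-4665-BA43-26CF54307E2D", 1540, r"C:\Windows\{BCADF~1.EXE"),
    (2796, "F248ECFD-B787-4a94-BFC9-A0D8B070A6DB", 2808, r"C:\Windows\{E8E30~1.EXE"),
    (2836, "7C7A1C80-1225-4239-9324-1A9D6D0DD134", 644, r"C:\Windows\{F248E~1.EXE"),
    (2688, "055748FC-CC5B-4fea-B258-5F18B4D19061", 2632, r"C:\Windows\{7C7A1~1.EXE"),
    (448, "B108C57C-FFF0-4529-A3EB-A455230A2C2E", 2784, r"C:\Windows\{05574~1.EXE"),
]

GUID_EXE = re.compile(
    r"^c:\\windows\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
DEL_CMD = re.compile(r"\bcmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)


def build_records():
    """Expand STAGES into flat (pid, ppid, image, cmdline) records."""
    records = [(2536, 0, ROOT_IMG, '"' + ROOT_IMG + '"')]
    parent_pid = 2536
    for exe_pid, guid, cmd_pid, target in STAGES:
        image = "C:\\Windows\\{" + guid + "}.exe"
        records.append((exe_pid, parent_pid, image, image))
        records.append((cmd_pid, parent_pid, CMD_IMG,
                        "C:\\Windows\\system32\\cmd.exe /c del " + target + " > nul"))
        parent_pid = exe_pid
    return records


def basename(path):
    return path.rsplit("\\", 1)[-1]


def analyse(records):
    """Recover the drop chain and pair each 'del' with its parent's image."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in records}
    children = defaultdict(list)
    for pid, ppid, _, _ in records:
        children[ppid].append(pid)

    dropped = [pid for pid, (_, image, _) in by_pid.items() if GUID_EXE.match(image)]

    self_deletes, other_deletes = [], []
    for pid, (ppid, _, cmd) in by_pid.items():
        m = DEL_CMD.search(cmd)
        if not m:
            continue
        target = m.group("target")
        # An 8.3 short name keeps the first characters of the long name in
        # front of "~N"; compare that stem with the parent's own image name.
        stem = basename(target).split("~", 1)[0].lower()
        parent_image = by_pid[ppid][1] if ppid in by_pid else ""
        if stem and basename(parent_image).lower().startswith(stem):
            self_deletes.append((ppid, pid, target))
        else:
            other_deletes.append((ppid, pid, target))

    # Walk from the root (no parent inside the sandbox) along GUID-named exes.
    chain = []
    cursor = [pid for pid, (ppid, _, _) in by_pid.items() if ppid not in by_pid]
    while cursor:
        pid = cursor.pop(0)
        chain.append(by_pid[pid][1])
        cursor.extend(c for c in children[pid] if GUID_EXE.match(by_pid[c][1]))

    return {"chain_depth": len(chain), "dropped_guid_exes": len(dropped),
            "self_delete_cmds": len(self_deletes),
            "other_deletes": len(other_deletes), "chain": chain}


if __name__ == "__main__":
    summary = analyse(build_records())
    print({k: v for k, v in summary.items() if k != "chain"})
    for image in summary["chain"]:
        print("  ", image)
```

Matching the delete to the parent by short-name stem rather than by full file name is the part worth keeping: a rule that looks for `del C:\Windows\{4A143769-...}.exe` never fires, because the sample only ever uses the 8.3 form. Note also that 8.3 name generation can be disabled on a volume (NtfsDisable8dot3NameCreation); on such a host the `del` fails and the intermediate copies stay on disk, so file-system collection may find more than the one image this sandbox run leaves behind.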

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{055748FC-CC5B-4fea-B258-5F18B4D19061}.exe

    Filesize

    216KB

    MD5

    a853fc67983876f692f7f63f20f669ed

    SHA1

    62c14ab1a03e7f63a649ad28eb1b098bd269dea9

    SHA256

    6b98ceb63b1a67664dda551d4bd3be341c82d8506649f5a110dbb85255546620

    SHA512

    6165308812541d64868a5f6d0d6984881542e199f1846bc299d93fa3c5355a294b3f31a1c3592557861bd1abc656cd888d7b5db800281441e439391ceb7e2f98

  • C:\Windows\{150520F5-0493-48c9-BA33-FDD924BAD0A4}.exe

    Filesize

    216KB

    MD5

    949dc3b3d75ffacaced500757275bcd4

    SHA1

    b076b1372eed629724958a397f2f2be9cbb9bf44

    SHA256

    75444e095f677ddeaa61ff5dc5cc02c4ffd39ebf21734e9ef2bb05ae8f893963

    SHA512

    222a14e41a163ec828560660cb7bc3fcd85ac4b052abe8ed285174fc9f43065ec36b97ba5d4e011f6f249f0306a075397469623c0e47afe5bf04703b31311cd8

  • C:\Windows\{27BAFF92-BC84-41f5-ADC9-4B6F2AAD5C96}.exe

    Filesize

    216KB

    MD5

    481dce95280efacf827dcb2fe590f734

    SHA1

    e1d238481b7f091d7e86a98818ec1b2b08bec609

    SHA256

    482401679bd3b5c57740a3aefc2d16cce474f8e467e67d12b199c56e1bfa1d68

    SHA512

    26ea973296c705ba6b7eb51b890e98aa764b5e38186fe070793398682742aca50d60fcf72147b6eede34fece407a9d917eba8f2cd682f8e7a27b25a4319d4b48

  • C:\Windows\{4A143769-8968-49a3-AC7F-5A36D1B06461}.exe

    Filesize

    216KB

    MD5

    5f2781283515f3194eafdc49051fad68

    SHA1

    c4160ef5d4c948645d08b3d262de38d25d905e73

    SHA256

    1e00d0e64dc7b303e2ccfd0efabc80bd9649e3408256a014a4138aeb16e7a0e3

    SHA512

    efbb926d96e8f07e36e0aef1d26caa13399dac8114008937f734a5dff18bd700fd1d3ac2f74b6c1d99bd6dc14bac109a1f551e0426f61169a582be0bb9470bbc

  • C:\Windows\{6E594BC9-A4E4-471b-A8B5-02587D831DF1}.exe

    Filesize

    216KB

    MD5

    fc0bd52735dea5d2d760468af87cba0b

    SHA1

    f387f12a671c6d32919bf97b58f958e3d42ec71f

    SHA256

    36e817682a3c99f72f01982e784d66838ad2e0ed06a4ddf6b8ca46dc163009e9

    SHA512

    671ae464e79e955bf5a7a6017d96c248120a40c2c83813008538cac17be434407d20fe4528db3255defdb877cfb7b8a51a81f06da125eb746896346b11c426f5

  • C:\Windows\{7C7A1C80-1225-4239-9324-1A9D6D0DD134}.exe

    Filesize

    216KB

    MD5

    7b58829a6b6dfb5bda398b17127c8b1e

    SHA1

    c791293da111cfcf9c5567d590d54446487d0a04

    SHA256

    a6542469f380df1f58761310f840b058ad6b788e9d11171fd70632216d1407d7

    SHA512

    ff4b28b1c231fbde37a6d362c0a1bc62c754ff73841355539d30b0a59503be58103656e7b45ac16f17221e340449e0cf92fd4e50bc19147bfb5a7f70a6441210

  • C:\Windows\{B108C57C-FFF0-4529-A3EB-A455230A2C2E}.exe

    Filesize

    216KB

    MD5

    a8984dcbf3d1f724ae46df06fa5b0a48

    SHA1

    547a671df20a8d7efc5eff33316bcbf2923eac74

    SHA256

    a2a29d98ce6f2a99f757e5560ae3bb08810ca701bfe3e8bf045c6ef5e3e049cf

    SHA512

    46c4b0e9ee34ff943fb48333e0a16878ffcc955398e7c892a52550e22f62eaf8a9f26ae80bf978732f98396f971936f71f89e91e3c51fb668a9f8bef29ba329a

  • C:\Windows\{BCADF76B-5949-4f64-AC38-B90CD3D53124}.exe

    Filesize

    216KB

    MD5

    f5a2f88cdf4e7625d877c316735029a6

    SHA1

    2302c4af144c52149862e2ee5cee74dfea9e10f8

    SHA256

    e5e92693423f385cf72d293bc1a481d7fe72f2f3b80fc56fdc1fabfbc91a5cd8

    SHA512

    d508748676444e1705008a213e0dd5b6162d101278effde9713d5fcef3aff9bc182f67c5c3a8ef952fba07cac7b48f9a8f22c5d39bbea7cc9afb809404950075

  • C:\Windows\{E8E30D1A-9573-4665-BA43-26CF54307E2D}.exe

    Filesize

    216KB

    MD5

    c9b29ba68693acdbde26d4a724c6fcfe

    SHA1

    50343072a62cb8f66ae412a3d0dacbd475b3e127

    SHA256

    1ba7f4701b491f7b4623c9dc8954fdc0f871837118284bb5460058d279da53ac

    SHA512

    66107767e2604d83eef32f80c1afd952b082fddd1b3e682b18a0fc0035484ae39134e34486c85d276b5bf8e9f674c89e87ff02d6c2d66227fc568b01975b7d6b

  • C:\Windows\{F248ECFD-B787-4a94-BFC9-A0D8B070A6DB}.exe

    Filesize

    216KB

    MD5

    5d9a918b552feaca42d02b3fb53bb4f9

    SHA1

    36b5b0882adc477ad850f839c6e8393bcf6933ed

    SHA256

    864f79990c161d104fbb8f3ecbd467a7682b812fa3190eed54bc88fe390ad00d

    SHA512

    7b7caf80e648567069573f55d7da89926d583d54180612adf3342193bde2d8667f8936a9fd53b35122b92d23e1035dedaa508df0a59fa524951f7995a222efae

  • C:\Windows\{F97876F6-7C48-4f6b-BC4A-FBD21333940F}.exe

    Filesize

    216KB

    MD5

    1b9e4fe078168f51fe3a756738e68f17

    SHA1

    79f9bdc029e410d6970c2b5dc0d5014c6908d294

    SHA256

    9797cfb1772f884f885af3d6c80f8b6fac6dbd5b16f2db9afe74e4c2be0cbc5b

    SHA512

    4fd483be4983357680d4505c9af6a116d413d42a87522240212948f6edac97f5cf3a0abea68ea05402357d70b28743e3c1b247247f8565bfd0111dd4344c064e