Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/10/2024, 04:29

General

  • Target

    2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe

  • Size

    372KB

  • MD5

    8fad08cbb212a40ae81dca1250153e82

  • SHA1

    de2cc9bed4e4452411138e6499c3d9709ae06f0a

  • SHA256

    a42378d761dc527aa9710f76bc406901e3777bc71e2bed9529f389a5cac81c73

  • SHA512

    ddb0099c9168c4fb45c670f856257f27f07bdaf49e968b50aeeef92e95cec7a00df3a73bbec8e9e72380248a5558d79f8d16037a1f08ac24ce2a0de4b6f940be

  • SSDEEP

    3072:CEGh0oxlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG/lkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe
      C:\Windows\{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe
        C:\Windows\{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe
          C:\Windows\{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Windows\{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe
            C:\Windows\{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Windows\{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe
              C:\Windows\{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2628
              • C:\Windows\{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe
                C:\Windows\{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2464
                • C:\Windows\{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe
                  C:\Windows\{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2664
                  • C:\Windows\{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe
                    C:\Windows\{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2476
                    • C:\Windows\{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe
                      C:\Windows\{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3064
                      • C:\Windows\{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe
                        C:\Windows\{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2204
                        • C:\Windows\{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}.exe
                          C:\Windows\{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2136
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9CE30~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1496
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CFD9~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1536
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{7C2E0~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2236
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{6BB14~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1288
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{4D3DF~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2920
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACBF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2996
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{725F3~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2716
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{FBB94~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9718E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88C95~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2824
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{3ACBF6FB-D95A-4eef-A8B4-760A79C233E8}.exe

    Filesize

    372KB

  • C:\Windows\{3CFD984C-1174-442c-93C3-B3785B5022D0}.exe

    Filesize

    372KB

  • C:\Windows\{4D3DFECE-683F-48ef-B46C-E46447551B46}.exe

    Filesize

    372KB

  • C:\Windows\{52E4FFAA-98A7-48d4-9C5D-C59D5738E137}.exe

    Filesize

    372KB

  • C:\Windows\{6BB14C2A-F563-42dc-AC3F-449BB9693894}.exe

    Filesize

    372KB

  • C:\Windows\{725F3F04-61F2-4348-9C9F-59EDA2B13E4E}.exe

    Filesize

    372KB

  • C:\Windows\{7C2E0727-35BF-4158-A3E5-BD7FA8A1C9DA}.exe

    Filesize

    372KB

  • C:\Windows\{88C9525B-7E45-4d5a-8FDF-E65B8B30627F}.exe

    Filesize

    372KB

  • C:\Windows\{9718E07A-CEE2-4cfa-9C2E-EFF4885C3027}.exe

    Filesize

    372KB

  • C:\Windows\{9CE30C84-966B-490c-9A9B-15D0E59C45BA}.exe

    Filesize

    372KB

  • C:\Windows\{FBB948DC-4341-421b-BCB0-ADC3D3EAF8FC}.exe

    Filesize

    372KB
