Analysis

  • max time kernel
    149s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 04:29

General

  • Target

    2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe

  • Size

    372KB

  • MD5

    8fad08cbb212a40ae81dca1250153e82

  • SHA1

    de2cc9bed4e4452411138e6499c3d9709ae06f0a

  • SHA256

    a42378d761dc527aa9710f76bc406901e3777bc71e2bed9529f389a5cac81c73

  • SHA512

    ddb0099c9168c4fb45c670f856257f27f07bdaf49e968b50aeeef92e95cec7a00df3a73bbec8e9e72380248a5558d79f8d16037a1f08ac24ce2a0de4b6f940be

  • SSDEEP

    3072:CEGh0oxlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG/lkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fad08cbb212a40ae81dca1250153e82_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe
      C:\Windows\{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\{DA991F5D-FC20-44e2-A91F-817B96062125}.exe
        C:\Windows\{DA991F5D-FC20-44e2-A91F-817B96062125}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\Windows\{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe
          C:\Windows\{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4340
          • C:\Windows\{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe
            C:\Windows\{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1100
            • C:\Windows\{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe
              C:\Windows\{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:760
              • C:\Windows\{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe
                C:\Windows\{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1660
                • C:\Windows\{11974A9D-4E9E-483e-A299-7E372B215643}.exe
                  C:\Windows\{11974A9D-4E9E-483e-A299-7E372B215643}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1644
                  • C:\Windows\{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe
                    C:\Windows\{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1120
                    • C:\Windows\{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe
                      C:\Windows\{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2392
                      • C:\Windows\{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe
                        C:\Windows\{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1588
                        • C:\Windows\{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe
                          C:\Windows\{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2052
                          • C:\Windows\{94A3FBD4-53B8-45c1-850B-B2877E18C29E}.exe
                            C:\Windows\{94A3FBD4-53B8-45c1-850B-B2877E18C29E}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2460
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{463AC~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1716
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3B551~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1244
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DFC8~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3836
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EF3B9~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2140
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{11974~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:812
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{5970A~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2220
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{82AFB~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3784
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{8C74C~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2920
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{070EC~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3672
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{DA991~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3316
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AB96~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{070EC92B-85C4-4538-868E-F14C0EE8F21B}.exe

    Filesize

    372KB

    MD5

    445e943422f9d7b6eae4b4be7cd0c827

    SHA1

    1cc0914b6d6ce251ab9484d9e0304ef0daad05d1

    SHA256

    b9615a8dc08870d1e7a5ac13b47c93b6c376eb2ca71883bb3e33cda5cdf70505

    SHA512

    3a133e82aa5b8bf8c7d884adcbbb2105d0ba2ac68c5229ff46cd56649cf7c4e4644bf94abbc01e5c71b33b9793814786a594639329fb6f9b349288be03861a74

  • C:\Windows\{11974A9D-4E9E-483e-A299-7E372B215643}.exe

    Filesize

    372KB

    MD5

    6a378fa67ac0014cff70f2f603be31d4

    SHA1

    742ddb6a44ea85f323decbf2e5542fe56bc0c0ca

    SHA256

    2a0593a84a7c157844a01aae61c6d4515643ece254ce498c4c6da9a2fb8e42cc

    SHA512

    a921631ed5ccb51df11a61c0ae2385fc537f5a9e706731d2b0428202f0559b354e8e47b8d9f47213695e79d84b1f0ce8c6524012694312b9eaeb927ca33aa475

  • C:\Windows\{1AB96FEC-B8BF-434d-9E8A-F7CACA22C06A}.exe

    Filesize

    372KB

    MD5

    0d90a75d75383ba4533b2beb56269abc

    SHA1

    ebc05e6780272a18e0b9277bf3ba1c5a49e92a6f

    SHA256

    76e0ec8e78239386715d9431c4d852dd68fb0079a9ac47c661c242607abe662c

    SHA512

    7b90581e98effdf11eb7d14ed2e62a8faa0326e6065b84943f5952e70756db3ec10c018724449c93d9d1c103b0bf5e7a9f2d1e7f406ad9d6d0d5c67c46a35d35

  • C:\Windows\{3B5511CF-19BF-458d-A10A-18656205DE4C}.exe

    Filesize

    372KB

    MD5

    5f7ce71b6df6255d8e93b2da7dbb4366

    SHA1

    318124d3e1a152f3c81799bc1467b5b68ee0ec51

    SHA256

    82be995730e3a11b98c5be350686a44c159cfc715ab9da0328ee9f0c11c39988

    SHA512

    3f78916f6b6bdaba68a88e9a6873ec603dd2a12c81fe4d53c0216ca66df64f72457c353ccde528e11ce13cb1b09d902f415354537f118a039ceac79084d896e5

  • C:\Windows\{463ACF36-FF4C-4485-B330-BEF84BF0E662}.exe

    Filesize

    372KB

    MD5

    d5f3550dc0aa8a3acbe1ad2c5f0f0662

    SHA1

    a2c6404342dd6e7084b1f4071338960a01da0be6

    SHA256

    4b541602e9a3ab386d3f92cde1dd21d29004e12f56dada098a2c0cb7f5e4167b

    SHA512

    be18655eca4f963a9aa5e62ca2d447b4a8cea5b46433e78ad3ef7919377b79cac260310ae979dcc6993c851e614cbb5ad99b595a822bee5aa8681dca40ed3c28

  • C:\Windows\{5970A08D-E0BA-4679-A3D8-BD00F66E89E7}.exe

    Filesize

    372KB

    MD5

    556aa66dfff3ba3ae98a4970622e2bec

    SHA1

    e2d9aabf706227be41ed6d7562c4bc178cfad57d

    SHA256

    d52ca249fb3b59dd810c0c922cc8097a271f6eae09d92cae9772d4a1149b19bb

    SHA512

    c37ea85a951fdc5850cb69aba4fc1d02cce6fa406b4d5e957d028f9b92f2bcd3553d03e058668af71afcff7040110179320be772cbcc533b101dfabc53d22eb6

  • C:\Windows\{6DFC8590-A86F-43f5-B2A5-12FD59F5C6CE}.exe

    Filesize

    372KB

    MD5

    b0ef1e12de8968d8e15719225a471144

    SHA1

    4aea8d8e8c9879f1d6e8b76ce305cc91f86fda8c

    SHA256

    a925fb11fdbee1b79bc2add00286e256d558221af82ff2fb88b7bf9ee9f03fc2

    SHA512

    b9a408ab9a9a2faa46d569f63e5fc6388958be21829a941f7367dd6ea7d3d4ce633a15ffe3e36824ae3b51be5d00ded66812fcd630184986895045afbabf67d9

  • C:\Windows\{82AFB6EB-94CD-4035-B6E1-15DA7FF7E103}.exe

    Filesize

    372KB

    MD5

    dd0b3918afff643ce47002d7f4547f30

    SHA1

    88e2a81a079593245817c86dc5edd41dff6544c1

    SHA256

    fcd91ac6d33542a773be8838111694f35408cc80b12843458b317b75161d5c12

    SHA512

    62672c19e0ba57be67bfb4387c92fb3e88aaf635fc084349c3e5b96c6fa3012d3637c58b40f116067ea81a22b8fdf482e6bef20201468d8abaaaa50a0cb55788

  • C:\Windows\{8C74C255-46E0-4e9e-81EE-379B35B0A91F}.exe

    Filesize

    372KB

    MD5

    8979491b898398351827148c48fd19ed

    SHA1

    56102cec4d0885c69e68cf683192b9b99fd41174

    SHA256

    38f2526534d48e7fece8aac6345ec4229861a1c85aafe71556b779f17461f89a

    SHA512

    b7a8c047547511ae8edc9aa6e578f2dc8d2f4fc2a5e623dfe62a60f4364b64bcf4f4fe18d83710271577db5221d87cbaecdd3d150c184d928e9344ec70ddb3d7

  • C:\Windows\{94A3FBD4-53B8-45c1-850B-B2877E18C29E}.exe

    Filesize

    372KB

    MD5

    be6ee36ab2b42745783f5b938e12d495

    SHA1

    51f5df72dd497e995dae1afc1316daa8bfd6bd83

    SHA256

    ac0deab258d854f430c380e308b5e1396e2156a7868d7d080633d9326486bbc9

    SHA512

    048653890523a99806a5ac76b418a70a3cadf3b7c4b2e9091da4302c3e4890c55bf6a4b67f690a0a5c3248004e866d66a60b3272d50041883471e33d6359adfa

  • C:\Windows\{DA991F5D-FC20-44e2-A91F-817B96062125}.exe

    Filesize

    372KB

    MD5

    48ee74afdd2d578ac04a76d35c442cd3

    SHA1

    29291ff41066b8d31660cff3912102f78bfb2d2c

    SHA256

    129a8004325d2087272c71114cf28116a26f9c9534f987b1c9063c31c76e65b8

    SHA512

    9ff865af0467373249bff6bf4a2c54ade18ecea8ea04554447bc2a16215990656813fed1018071920c1753f4ccc547fdd85ae4b8e603e17ed37ebfe05f106f23

  • C:\Windows\{EF3B93C6-81FF-404c-A1B2-E6AB1AC93808}.exe

    Filesize

    372KB

    MD5

    a5378cdd30e9594f099238b9ae26063c

    SHA1

    fc232d726fc202840704e7cb732b1c29e2d4da1a

    SHA256

    e4d6d0b936c0f419c0a1d8f464f52b418375c1655907ccdae6d2661b7a77e49c

    SHA512

    ebaa9d54736c608958701db0c97133a4aad8996641483395fc73cb4c6b4e68eacf9a3514bfb6ff1cf7db83d05c0e8bc793977f39339e92f7f1488273efa00a00