Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 10:02

General

  • Target

    2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe

  • Size

    372KB

  • MD5

    f2de1dcc1aa5d57624473e92a6bbcab7

  • SHA1

    05277f83e4f261c7df9e7860d873c4df64b18584

  • SHA256

    bc40de42f21116925de31b5be765772fd934bd7d23ff0079db5a5280bdf0afeb

  • SHA512

    cd02c43830105e68a6931ea094ee81774cd827eecd793f4c93fb9887e394ba5409cb5973a163b6134c1d371dcdd9cfe3e36e903877c327dda963ff24ec1e29e7

  • SSDEEP

    3072:CEGh0o/mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGMl/Oe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\{6A270A22-1235-46d3-B295-79174ADDD63E}.exe
      C:\Windows\{6A270A22-1235-46d3-B295-79174ADDD63E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Windows\{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe
        C:\Windows\{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Windows\{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe
          C:\Windows\{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3560
          • C:\Windows\{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe
            C:\Windows\{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe
              C:\Windows\{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3848
              • C:\Windows\{2D52A866-826E-48ad-AF37-13F49613114A}.exe
                C:\Windows\{2D52A866-826E-48ad-AF37-13F49613114A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3088
                • C:\Windows\{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe
                  C:\Windows\{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1568
                  • C:\Windows\{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe
                    C:\Windows\{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4168
                    • C:\Windows\{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe
                      C:\Windows\{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2144
                      • C:\Windows\{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe
                        C:\Windows\{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1140
                        • C:\Windows\{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe
                          C:\Windows\{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1824
                          • C:\Windows\{C347CEAF-F6DB-49d0-B283-579487BD957D}.exe
                            C:\Windows\{C347CEAF-F6DB-49d0-B283-579487BD957D}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1400
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F34BA~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:112
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{37066~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:5048
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{287F1~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1328
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{39F3B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2984
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4869E~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4064
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2D52A~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3580
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9197C~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1216
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B447D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4712
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6541B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D91E5~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3260
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A270~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3228
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1400

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe

    Filesize

    372KB

    MD5

    759f141cd70eccc4c473ac005676ec9c

    SHA1

    313138a32cd1855c48a1a2defc4f79ec1b171dbf

    SHA256

    683dcaa2d3f6396bb3abc1aba95e52f2ff503fcd788795230089f93c37fd36c2

    SHA512

    e5b76d2e163619d1fbdf1249d44581741a61830a926cadc6f4730e50b10d2bead7479a5c6fa5e2f9a5ac8c0db7f201dc2652195e0d557ab053ae1f62b488db6c

  • C:\Windows\{2D52A866-826E-48ad-AF37-13F49613114A}.exe

    Filesize

    372KB

    MD5

    7307b43ab61226958a3389e074d81417

    SHA1

    6c5aa9d51aebdc88d68332a1e360d7360d8cb868

    SHA256

    4f86ccd462e321553f25c11bcec2be376449c59774eea3193f038b96bebc1833

    SHA512

    a5140caebb0f376d6dcd4dbda905f68c1be3394362353fd0590f4d97ff126d62a1558492f24b1df0897e592c370f9d3de77a0c7056e979d96656c4b9fbdeac2c

  • C:\Windows\{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe

    Filesize

    372KB

    MD5

    83c04406f0f25f420bb6a1a662a84729

    SHA1

    b44ba3e6b062c8965e1f974bf0d4b0f266f8db66

    SHA256

    3ae3088e9da53c22e1b5f9574c0c8c7e06c9024d8a92dc8ebb0b896352568b46

    SHA512

    08919d58a637aa8b7d8674f843cccd2b19fd15d25fe8d9850cc6dbfe787aae00972dc27a0e9a9de8b3a255d033c0045fd8b2cc97fcb32575271902744733e35e

  • C:\Windows\{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe

    Filesize

    372KB

    MD5

    388a821824a9376ca40fad76c2fd29a0

    SHA1

    0e7074c08b9363ac989c100f60eddf736005e3b8

    SHA256

    6be0ddbe1162fd12774c6291c3425679ce07cc7ef279850095077b9cfa3d1d7a

    SHA512

    b1a7a991d80d27d0c5bb8487e531604fb854dd5fc0c22ac7250e5dd4e3d245883edcf09e9053b77d9c90decf43d5ad690292f5b947a54e08f343b9fa0fc96cef

  • C:\Windows\{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe

    Filesize

    372KB

    MD5

    0808bbbe5e66c389a9d69c8a486c1db6

    SHA1

    f31eabb7d4f296c1b857354245bdaaec2ef9eb4c

    SHA256

    87c904dbcf25929721cd39b72c197a7500b03f16374304b779948b99ef8dc733

    SHA512

    2f2d92fb24bfa34ad3eb0864d94340810b9128a68ba5441922c40f71c02a43a2f5172e908ac15eb022b0128c073112739fc4fe445fa99e91a5fa5517c46205ee

  • C:\Windows\{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe

    Filesize

    372KB

    MD5

    b483a7009ffa6f767370b6be39f1d353

    SHA1

    f4f0b72378dd069c76abd814e2887af205c477bf

    SHA256

    02f8fb4bee5c0e57518e39970f79e24a6e106f8b2733c2bfe739583d6e24309c

    SHA512

    03620696c534f85e47faeac54c168f1e53d8e49e4c23fe3567183878c321b80240a87bfdf99e33cd6722ac41587a5885efde9949b96c4077d6d803c89cac21e4

  • C:\Windows\{6A270A22-1235-46d3-B295-79174ADDD63E}.exe

    Filesize

    372KB

    MD5

    26c97afaa51a010dd75932b772236280

    SHA1

    1396315b988bebecede803380502242f0bfb27f3

    SHA256

    dd3772aea7d022d1a45f1e894c031fb73530ac28b20cb210a321739364887332

    SHA512

    a13f36927607d3a0929cd00af337bc25ece0b2ccda3e8c3a9648a1f5675ca3a2e6b7f0beb04feb96465e9e41ba708913414cf6c8ff2c086423f0d9953837f086

  • C:\Windows\{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe

    Filesize

    372KB

    MD5

    3c0c87d8ef5ac244d4d43dcdd4394426

    SHA1

    91487e4c169a311580cbc3a32bcfbe6c7efd809b

    SHA256

    58bf85870e56529ea4bd3a167d604ec69ba3d575eacb5a7bbb67742791ae4455

    SHA512

    d76f71fef3d86d42bce4b9a1edb9ac9f20693c8cd6cd5ad2904afe856812a3b106fb0dcd2172b6c592b38711f81d9c0079bee8b5cda692838234baac4cfe550b

  • C:\Windows\{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe

    Filesize

    372KB

    MD5

    2527dfbabf42b07cecc866f0a0976bc4

    SHA1

    eb3e0188dccb872ca3d6e8bb4aa860de79561d92

    SHA256

    b1aa5d3dac610e77ecb8d772d117c4c46f699449cfc3b749bdfb5f649115474a

    SHA512

    d8ac125329f810f6fab6dd9efeed236ba8d3f61ff778be07073fda82be92d7e32de591344cdc97a53c399913531080fed537f4e63c8fbcc851a40d13b02aa24b

  • C:\Windows\{C347CEAF-F6DB-49d0-B283-579487BD957D}.exe

    Filesize

    372KB

    MD5

    2277eb4a313b502e28570e0cd1b27054

    SHA1

    ed7df26185acb0c35b60e54df9173244504ff627

    SHA256

    544ce81fc10878568272d3f139fe3eea7563a933a01318bcf689171b38b0af86

    SHA512

    af995c496fa3ba74342facf2d966be87ec738b7a9b3d23df4b5616c90c43aa3cfb48f3e04356c8190513aad2059b20b25e12bce9e7e028987e2444f4cae6ad4d

  • C:\Windows\{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe

    Filesize

    372KB

    MD5

    b8476b7234392ae6e66d68c5aed8a357

    SHA1

    37ad16ceec6109ef8c6fdb2672866678d6ddee04

    SHA256

    0a37e6721952f53455d43b4e5a533f21d33054d7145da440174f6257839a897e

    SHA512

    a814108319f1a608a77e128006d1301726ff98ce9bf078f649d2b8a0155deddf947eab638cb1802b7829fbea5661040e5d4c6ae0509b835967f352302599782b

  • C:\Windows\{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe

    Filesize

    372KB

    MD5

    768c58a8772ecb8e24b1d316de8a7501

    SHA1

    eead42dea362314c6efc36d6289bb80af97bf1a4

    SHA256

    8586f3b954366b861423e61230d0f09cdb873307555f3a7f236cda77ee5fbf65

    SHA512

    1d5e37399ad00825f55954d799c12ed6b373d9416832c7825d3661218bee6e9077c697c6dd42b003650fc0cd26109c0a70e332aa8eb4f058e3b6916d2451faa4