Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/10/2024, 09:53

General

  • Target

    2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe

  • Size

    204KB

  • MD5

    b096666ffff0403239dfe0fa0e7dd251

  • SHA1

    29c84f549b5fad661920ac0486209269d08c2870

  • SHA256

    91a2c4e0d74584e844b7c902becb983c7ad5e4436d1673a14de7703a17a4c32d

  • SHA512

    1bfc8d1e548f4227c3361aa016a10b138f152238a46112bf31445f9f6f0c140fcf86a0ee7968fc3219070d095dba11dca102634f81a2622adf004f8b57e09f54

  • SSDEEP

    1536:1EGh0okl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0okl1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe
      C:\Windows\{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe
        C:\Windows\{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:108
        • C:\Windows\{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe
          C:\Windows\{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe
            C:\Windows\{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2628
            • C:\Windows\{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe
              C:\Windows\{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1768
              • C:\Windows\{9FACCF52-B42B-45cc-A308-04D307A29360}.exe
                C:\Windows\{9FACCF52-B42B-45cc-A308-04D307A29360}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2660
                • C:\Windows\{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe
                  C:\Windows\{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2024
                  • C:\Windows\{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe
                    C:\Windows\{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2188
                    • C:\Windows\{08445414-F8D4-464c-A443-1594C963CAAD}.exe
                      C:\Windows\{08445414-F8D4-464c-A443-1594C963CAAD}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2420
                      • C:\Windows\{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe
                        C:\Windows\{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1820
                        • C:\Windows\{60AB34C5-4D31-417a-94E1-ECFF67BDC457}.exe
                          C:\Windows\{60AB34C5-4D31-417a-94E1-ECFF67BDC457}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2360
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{985CA~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:916
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{08445~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2000
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0D899~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1680
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B47~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1100
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{9FACC~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:484
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A1460~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2760
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4C463~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:908
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{33D8C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2248
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D7CA6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:304
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75760~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{08445414-F8D4-464c-A443-1594C963CAAD}.exe

    Filesize

    204KB

    MD5

    4daf3e8a60c7340293557243f72f36f5

    SHA1

    e6525fcdd573f570b6ad809198b645c32748a7a3

    SHA256

    ca6ce1da36aa5cd9c9841ecc8f12843dad22aee30d6726e006f0d8279272d9ef

    SHA512

    d748d3a922ef4da3719b1d6ae7a574aff4b76c855669be478e39d32f418f4d5462986da57a11f6fe6490bfbe5ddf5bc9ed5799c0cf794b16a77ab5d7eb5d48b6

  • C:\Windows\{0D899E63-E021-4004-BED5-59EA8DDCFCA4}.exe

    Filesize

    204KB

    MD5

    8fbb2e10beefdcbe887faebd22d02a2a

    SHA1

    57412ab4f2241d333c68fd3afd1a5983fac51f53

    SHA256

    de25d78f7462f7c877b6a7459942d40cc5ab7470ca95fc5250835eab0527d105

    SHA512

    95714d8a468ea46995559cbd44ebe4d5fa2f4cf0012876b745085f4403faababdf4381fc7fd98ebbb1668f1c7e0dbef62fd706c330ca4360d2f241363c98dab8

  • C:\Windows\{33D8C558-500D-49d5-A8DE-8DC2447B7D04}.exe

    Filesize

    204KB

    MD5

    b54666a1f751297e21b6d10232147f19

    SHA1

    e955266dc5e1749c43ed253019facfcc0958eb9b

    SHA256

    12eb68ed7ed295ff84c3feba0a11d6790816141068d960660749dcb5b844533d

    SHA512

    02366a952a9154ffd6bcdbcd520fcb86922eee70665fac4031df98fa64715111f8e1a36092f6802ab8c420730d61637c28ec95c7c7a475be563dafec69d3fb09

  • C:\Windows\{4C463680-7724-4a75-A4FC-1FE0B23FC533}.exe

    Filesize

    204KB

    MD5

    1724804b7f90afe8df6d72e8ecf6419e

    SHA1

    859f89229dcf84963319a7829a7164c6b57c7f29

    SHA256

    09beaaf7529dfd3ea66875f4b26b88e7690ced976ee6d5063a75ffe9a118cd0e

    SHA512

    f12fa726e645d40bad973e80e9329d472c9848c5402a56500b9da61e2765e990efdd6ff2c9ca14224caa07764c89516f65484abe131da671fb7010cdedaff0d0

  • C:\Windows\{60AB34C5-4D31-417a-94E1-ECFF67BDC457}.exe

    Filesize

    204KB

    MD5

    80ef772c2d431ab61c21232fd8e5a129

    SHA1

    3c52aad168bbfa634cb23b0bc51f2c4f94f93acb

    SHA256

    dffed137163b2b6cdc3d24313bb84ed7196a59252a42aebb9554ce7793c56006

    SHA512

    bb02c9c8820ca6a24430955312ae6b9e5931e7c0b26294953d3f7bdfd4fb17033c7d3262ccb723a919affae495425c16623b8b7bd9d4e47ce2a6d35a76496fa7

  • C:\Windows\{7576084B-6D67-4b7b-9BB4-5F3A03729CCE}.exe

    Filesize

    204KB

    MD5

    146ffefba08925158d59aec4b602a5e9

    SHA1

    65f5e26b3eab6cf01dc918df851f08d1e3658ff5

    SHA256

    616d2adc1a4ed77b1984b416376c6b94681e533193da2e20772c3297b7f30a23

    SHA512

    f5a8122db8bdbbbcb9b72c7141ef6bf2d2f4448dab285f549ad52a905a4ecb9650a7925914e8c5692b44809e9a536195c8705bdf800d114e2915750e9cae4e96

  • C:\Windows\{985CABC4-6E4C-49e0-83D0-D3BBED94AACA}.exe

    Filesize

    204KB

    MD5

    2d66f984530df34b716156fec1fd308c

    SHA1

    592971a398832200dec26f1978497f06a146da63

    SHA256

    1a629368e84711ed6c69698fed57e767514a64079ac55c50a58f78ab89693fde

    SHA512

    dd234733451824e1529f14de52be2fa525b8ebb59d6c8c3ffbb1e84d7827112699048f5809d0f63aee54050f77223d2677cc7533bc1ae4065a54c4df1a259447

  • C:\Windows\{9FACCF52-B42B-45cc-A308-04D307A29360}.exe

    Filesize

    204KB

    MD5

    55c8fdb8cbf44d9650ad00d5a7ebe8e7

    SHA1

    aeef0be0b1b383a0c59ecb9f8f88505e010e84ce

    SHA256

    37d82bb2ef286db9388aa180421f44cee51359373bd622362ade6d02a41ccfa7

    SHA512

    644222b0761875c7295e4be441e16f8a0e7a1dc3367a6415d3bff6357ad943085e9cf48afdf9a4d55919b48e3f801e2494d920feaa5a73ac61ba59f7fedc75e1

  • C:\Windows\{A1460A68-ADC8-4e49-AA87-C2C9DD3A77F2}.exe

    Filesize

    204KB

    MD5

    185261185068aae7467271cd71c1636e

    SHA1

    5b554297c19db9849bfb89d70b19e99e1f6b5ea6

    SHA256

    00616c45a311913c3e3c642caa1b4bb2e8ff7ebeeb7940a9966783d3da179624

    SHA512

    bcc768cf5ac0e161c5194ff396cf661197c35f1ffa00dbb09642839a9faa1015d2e636dd4961d2657675f5bc95cb1be8a84910e3f8689ab1fbf397a2ca32f280

  • C:\Windows\{D3B472D9-A00F-4b05-8EB5-A78DEC082C7D}.exe

    Filesize

    204KB

    MD5

    582cee078ca1e78190abb0e8777cb996

    SHA1

    917b8bbc118fea5a0f9a33a66672d864e7a0357d

    SHA256

    5489719a76fc01aa64bb24f2003625776b1d5c2a116b9c47a4ef7a576eb9b945

    SHA512

    5feec07d07ba046daa573e778820a12a31e9bf86b1885a83997995ad64ffbc8dea13606b00cf3da4082c5fce8c0d27fa8dc7171ea161cc6bb72128f81bacfbe9

  • C:\Windows\{D7CA6005-2556-4de2-B9AC-63E1D5290526}.exe

    Filesize

    204KB

    MD5

    211bcb3bc611746bb992be6245b1eea8

    SHA1

    405015f6541121c8128356c994183a9e48718b91

    SHA256

    7f2ffac8d17d96aaa8d1b1a1ccc980f8def0e71861cdb44a4697937f6ace2ea0

    SHA512

    ed8b4a095f8930a796c0e3f8f48edd1790dc741299abf433ce0cf693075e0d3d30e5eb5869317fffede48fc5a5b07b3f2fa84a30c394f79faa9c48a9a32f3b9a