
Analysis

  • max time kernel: 149s
  • max time network: 141s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/10/2024, 09:53

General

  • Target: 2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
  • Size: 204KB
  • MD5: b096666ffff0403239dfe0fa0e7dd251
  • SHA1: 29c84f549b5fad661920ac0486209269d08c2870
  • SHA256: 91a2c4e0d74584e844b7c902becb983c7ad5e4436d1673a14de7703a17a4c32d
  • SHA512: 1bfc8d1e548f4227c3361aa016a10b138f152238a46112bf31445f9f6f0c140fcf86a0ee7968fc3219070d095dba11dca102634f81a2622adf004f8b57e09f54
  • SSDEEP: 1536:1EGh0okl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0okl1OPOe2MUVg3Ve+rXfMUy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Windows\{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
      C:\Windows\{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
        C:\Windows\{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4464
        • C:\Windows\{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
          C:\Windows\{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3808
          • C:\Windows\{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
            C:\Windows\{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3152
            • C:\Windows\{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
              C:\Windows\{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4848
              • C:\Windows\{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
                C:\Windows\{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3356
                • C:\Windows\{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe
                  C:\Windows\{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2136
                  • C:\Windows\{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe
                    C:\Windows\{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4312
                    • C:\Windows\{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe
                      C:\Windows\{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:216
                      • C:\Windows\{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
                        C:\Windows\{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4372
                        • C:\Windows\{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe
                          C:\Windows\{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3940
                          • C:\Windows\{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}.exe
                            C:\Windows\{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1948
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F7C3B~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:5060
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1344C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4472
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA317~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1928
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{DA31E~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4544
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{4A1E4~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3656
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{64E4C~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1612
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CBB4E~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2168
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2C6E7~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2248
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{27A9A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2448
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E7CF0~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{546A9~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3848
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3564

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
    Filesize: 204KB
    MD5: 22e729fff1474a31e8aa284e2be4c742
    SHA1: 499d9f75519405e6712d4755d1440c1d32caa4a7
    SHA256: c89a2df36bb542f91c4a1ec50d865e0ddd975518c70d7f517cb234e2be45bafc
    SHA512: 3934bc951bc3aaaf3ef792e85f718fb2a9ab09b9fef6f4d8e50dec88fac6718d7ee38c81aad21dd4d3f73254cee70142d92e5832341cc839a66d68ff5c0aebc8

  • C:\Windows\{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
    Filesize: 204KB
    MD5: 6ff60c81a55814e0ed27fec72d139cec
    SHA1: 4b5e897f6429c863b21968d918bc5486ce3f38fb
    SHA256: 08d703861df384fa8547924fb9538a19cb8067a415f3233bb8b1f010639fcd23
    SHA512: f36b5a59d3d7ed4f339afd8160f617955d846900c04ee7bbeca846b343f88f73370f3485e608b9ad85bc73ff442ae1796429cf5db722e0d82039a3f30b6777a1

  • C:\Windows\{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
    Filesize: 204KB
    MD5: f4cc1db65a500c985cffc9bcf4b3dfff
    SHA1: 255cf3b6daf0750c79729ac2613e93edb1017c5f
    SHA256: acbae5fb9f488fe0604cd56ac0140c92d9fbfb690b914be8bd277bff8574b65e
    SHA512: 133596ada96c225b0e1df99dda76aca74a63eebff50443900033c1fbe118f90d50eb48def093da0cf44578dac3e479dd6fd3de8722d383d6cf80ce9ffb82f58a

  • C:\Windows\{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}.exe
    Filesize: 204KB
    MD5: 20eb5729240d81cac078a46ef5ab46e2
    SHA1: 1cbed6a30a7904003e7ffb0b1839891a2cc0e14d
    SHA256: 8f799ce01381633ceca6332d00eae686a82eea87bbad68019b85202e367e054d
    SHA512: b4439ab4dbf013225a553aa0af0fc3f40e6d1b33f73decb4095f8e59e27a2bfd53dd547ec0187d69cff8529c2b9fcafb36d318cef304aec04301afaf55c4bd5f

  • C:\Windows\{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe
    Filesize: 204KB
    MD5: 3f0f2d4520127e1a43fdb604a5372dad
    SHA1: 879f60c4ae50822214d7b6dfb6501f82c5946c7b
    SHA256: 431789ac854e80bcd49454bdb77db4a31e21ba6df95120fe4e740bb0856f439b
    SHA512: 775e76e8a50daea8cfebdf65238e69cb9c47b6dd1851586c65d2c01994ccbc5e3e1e596e1dab7fd871f2b475a7a5e9ec099d8e36fbe74e01dc3a089a5ea2ffdb

  • C:\Windows\{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
    Filesize: 204KB
    MD5: 68db882af7ecc7d13482954be1b65500
    SHA1: 269ba75c95654b834f9954aacd3392acfcd20ffe
    SHA256: 5e82b45d65a7c9c9a4f3b84c61bc89376a781dbb495287bc2574aadf13d21dca
    SHA512: 2cf45a648d912a0097fe581d9ff16ded3e79d7c1e0706bd511fbdb1ccbc003e79075cb778135da00e0524f04a35b5e7fdcd6ae5d35181c5f4318dda801bf826e

  • C:\Windows\{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
    Filesize: 204KB
    MD5: c9d4a3bdcce306d6d2b9dc3867ded1d4
    SHA1: 140a9dac2ac4fc2a310c678957550a6127fd0922
    SHA256: 8fe1e0210eca4d1232ad85278e129d62e8e035c8863f7617c5fbff6c69bbc41b
    SHA512: 45d1535f3d2e4e9a7b06af1832ca6217f429a608d387c21d6c8e94af9123523a6393d6f4135083a24a041c2a9938fe3175256565135962c088cfe2de8223b5a2

  • C:\Windows\{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe
    Filesize: 204KB
    MD5: 16538d16caf01461b452226ee45b3244
    SHA1: 9a805a2bda1b06fa4a7ef0315f6acf2732eed524
    SHA256: 7f9c49890bce94c97ba0471d2d4c06d76c2bc72a49c68cfa91c270a0df0b5d2e
    SHA512: fdd43b8a1576a0b93820c0457833eff37346a703dac7104320eff30ba59f0b556cc6b57290c41d4e8b85b618c0ad06927466e22bad8abe4516395f989f15bdd1

  • C:\Windows\{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
    Filesize: 204KB
    MD5: 07d259dd6dad74c57bc52eb46cce7cec
    SHA1: 7556e44f1776cd93b0ef98f82530af087ec26af0
    SHA256: 9efc6f4ff5db3381dd3b9526cd4fe263eaa2fad413b89eb6e892bab368034d99
    SHA512: 8f946cde280faebc9b8abaa797ed0322d8a8860b1982c818f33a80db8048763f444a04fd48e4f2e158d3d04d1b811c2bdfcd5db255e6e79f6043fc44c6b6205d

  • C:\Windows\{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe
    Filesize: 204KB
    MD5: 7417529ba3e2d4d8655ef5012387dcdf
    SHA1: 5578ec7d9ce61bf4213f7f656c9d5ebf41f282d7
    SHA256: ffc2761603654844e4df04b4f7ef9428a9bfca841c876e851e0ff36168d17930
    SHA512: b59a4356ad9c50f89607494914d2c35ccbec6450801ced9e6bf8fd9f705878005d1ba92dba9fac3d041db381493df9e22c82abac2a5ff5b076dbc5adf143d56e

  • C:\Windows\{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
    Filesize: 204KB
    MD5: 6c0ec7b294b286eac40b44a789e56e30
    SHA1: 67c107bfefecca640ca8a2db3f2d347c2a8e2f84
    SHA256: 95ea0c6ab1a3b3db31eae37309df10e6d4aeb1002da43ec0d349c79fcb014dee
    SHA512: 84c04dd341bba45761bc261585b06cd7b257f4d910fed1c5f508e9627ec685332197239299445b11209c5e08f6f6a53935a5c704908d1999f8d6edb4144863a6

  • C:\Windows\{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe
    Filesize: 204KB
    MD5: 99ee5794b7885737d4802f16ce53f0cb
    SHA1: a76f2482ad73937c906f3cc86c6e025b2e69cf9f
    SHA256: 223184b17ae39d8c70a86b937a6064629c00cb8ce8ea92412c6f6f0b374c62b7
    SHA512: 971b31f30c3eb1188cccfca3c1f171654589c2c8f743e407c739e09f83d91b529a95a64c00c1f809a208253ea3264755f7d3da92c7d26d47ad9b183c512ef9f1