Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    2024-10-12, 16:54

General

  • Target

    2024-10-12_320379e8fb99f2ef23f743fb7b2c1ddb_goldeneye.exe

  • Size

    168KB

  • MD5

    320379e8fb99f2ef23f743fb7b2c1ddb

  • SHA1

    bff07e68b763f630991bca5c04dc616495f6d762

  • SHA256

    83a1359792eeecfd91789a475aa3bb05d6087649d1e7c2ab43f7e381cd1e21ad

  • SHA512

    53168b9da73ddb898f6b95582747c0b829fd4ca0baa45e10027f34eb490b3bef2f6395b0d19d1887ac7e1c5f53a257da130fb6fc8d269a8b1eb962d21b81bd7c

  • SSDEEP

    1536:1EGh0omlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0omlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_320379e8fb99f2ef23f743fb7b2c1ddb_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_320379e8fb99f2ef23f743fb7b2c1ddb_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\{60CB12A0-EBD0-426b-8192-D56D91F47CEB}.exe
      C:\Windows\{60CB12A0-EBD0-426b-8192-D56D91F47CEB}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\{7E454353-6D2B-49fb-9D2A-E94F02EEB58A}.exe
        C:\Windows\{7E454353-6D2B-49fb-9D2A-E94F02EEB58A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\{3A904DC4-3537-49fb-A0B5-AA49ADFB6F2D}.exe
          C:\Windows\{3A904DC4-3537-49fb-A0B5-AA49ADFB6F2D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2884
          • C:\Windows\{46844CE1-33B2-42c4-8957-BCC2247A180F}.exe
            C:\Windows\{46844CE1-33B2-42c4-8957-BCC2247A180F}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2760
            • C:\Windows\{8B0A6E8C-2DE4-4258-8180-09AB28580DFC}.exe
              C:\Windows\{8B0A6E8C-2DE4-4258-8180-09AB28580DFC}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2332
              • C:\Windows\{2D58E271-8591-475c-9A73-A126B7213A53}.exe
                C:\Windows\{2D58E271-8591-475c-9A73-A126B7213A53}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1952
                • C:\Windows\{F3699A8A-23A2-4a98-87AE-E7957BD7837E}.exe
                  C:\Windows\{F3699A8A-23A2-4a98-87AE-E7957BD7837E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2528
                  • C:\Windows\{C6D18217-D9FA-4115-A45C-3C3A6918E0D2}.exe
                    C:\Windows\{C6D18217-D9FA-4115-A45C-3C3A6918E0D2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1488
                    • C:\Windows\{FAA0C6D9-3C7C-4296-BE7D-D72E90553C08}.exe
                      C:\Windows\{FAA0C6D9-3C7C-4296-BE7D-D72E90553C08}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2684
                      • C:\Windows\{AF1F3C59-ED09-419b-8CE7-8906B8039FFE}.exe
                        C:\Windows\{AF1F3C59-ED09-419b-8CE7-8906B8039FFE}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:816
                        • C:\Windows\{D3584CDD-1885-4d52-B416-92DFEBDE64AA}.exe
                          C:\Windows\{D3584CDD-1885-4d52-B416-92DFEBDE64AA}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2784
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AF1F3~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1512
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAA0C~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1728
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C6D18~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2436
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3699~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1692
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2D58E~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1672
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{8B0A6~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1712
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{46844~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2868
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3A904~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2708
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7E454~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60CB1~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2920
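The signatures above and the process tree they summarise describe three detectable behaviours: GUID-named executables dropped to the root of C:\Windows and run in a twelve-deep parent/child chain, each stage removed by a child `cmd.exe /c del <8.3 short name> > nul` (the "Deletes itself" hit is the first of these, against the original sample), and Active Setup persistence. The following detection logic is an added example, not Triage's own code. The process events are constructed from the PIDs, image paths and command lines in the tree above (the first four levels and their cleanup commands); the parent PID of the initial process and the Sysmon-like field names are assumptions. The Active Setup entries are likewise constructed: the report confirms the technique but does not list the registry values written, so the key name under `Installed Components` and the benign entry are assumed. One caveat worth keeping in mind when writing such rules: the tree shows the `system32` path in the command line while the image is `C:\Windows\SysWOW64\cmd.exe`, which is WOW64 file-system redirection for a 32-bit parent on this x64 guest, so match on the command line rather than the image path.

```python
"""Detection logic for the behaviours this report records: GUID-named
executables run from the root of C:\\Windows, each spawning the next and
each removed by a child `cmd.exe /c del <8.3 name> > nul`, plus a check for
Active Setup StubPath values that point at such a dropper.

Added example, not Triage's code. Events are built from the report's tree;
PPID 1000 for the first process, the field names and the Active Setup
entries are assumptions (see the lead-in above).
"""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# {8-4-4-4-12}.exe directly under the Windows directory (not System32).
GUID_EXE_RE = re.compile(
    r"^[A-Z]:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# "cmd.exe /c del <path> > nul", matched on the command line, not the image.
DEL_CMD_RE = re.compile(
    r'^"?(?:[A-Z]:\\Windows\\System32\\)?cmd\.exe"?\s+/c\s+del\s+(?P<path>.+?)\s*>\s*nul\s*$',
    re.I)


def short_name_matches(short_path, long_path):
    """Heuristic 8.3 match: NAME~N.EXT keeps the first six characters of the
    long stem (Windows also drops spaces and some punctuation, none of which
    occur in this sample's names) and the first three of the extension."""
    sdir, _, sname = short_path.upper().rpartition("\\")
    ldir, _, lname = long_path.upper().rpartition("\\")
    if sdir != ldir:
        return False
    m = re.match(r"^(.{1,6})~\d+\.([^.]{1,3})$", sname)
    if not m:
        return sname == lname          # no tilde form: plain compare
    stem, ext = m.groups()
    lstem, _, lext = lname.rpartition(".")
    return lstem.startswith(stem) and lext[:3] == ext


def chain_depth(event, by_pid):
    """Count GUID-named C:\\Windows executables in the ancestry, including
    the event itself; the full chain in this report reaches 12."""
    depth, seen = 0, set()
    while event is not None and event.pid not in seen:
        seen.add(event.pid)
        if GUID_EXE_RE.match(event.image):
            depth += 1
        event = by_pid.get(event.ppid)
    return depth


def stub_executable(stub_path):
    """First token of an Active Setup StubPath value (quoted or bare)."""
    stub_path = stub_path.strip()
    if stub_path.startswith('"'):
        return stub_path[1:].split('"', 1)[0]
    return stub_path.split(" ", 1)[0]


def analyse(events, active_setup):
    """Return (finding, pid_or_key, detail) tuples for the three behaviours."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if GUID_EXE_RE.match(e.image):
            findings.append(("guid_exe_in_windows_root", e.pid, chain_depth(e, by_pid)))
        m = DEL_CMD_RE.match(e.cmdline)
        if m:
            parent = by_pid.get(e.ppid)
            # Only flag when the deleted file is the parent's own image.
            if parent and short_name_matches(m["path"], parent.image):
                findings.append(("self_delete_via_cmd", e.pid, parent.pid))
    for key, stub in active_setup:
        if GUID_EXE_RE.match(stub_executable(stub)):
            findings.append(("active_setup_stub_is_guid_exe", key, stub))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ORIG = TEMP + r"\2024-10-12_320379e8fb99f2ef23f743fb7b2c1ddb_goldeneye.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the report's process tree; PPID 1000 is assumed.
EVENTS = [
    ProcEvent(2104, 1000, ORIG, '"%s"' % ORIG),
    ProcEvent(3036, 2104, r"C:\Windows\{60CB12A0-EBD0-426b-8192-D56D91F47CEB}.exe",
              r"C:\Windows\{60CB12A0-EBD0-426b-8192-D56D91F47CEB}.exe"),
    ProcEvent(2736, 3036, r"C:\Windows\{7E454353-6D2B-49fb-9D2A-E94F02EEB58A}.exe",
              r"C:\Windows\{7E454353-6D2B-49fb-9D2A-E94F02EEB58A}.exe"),
    ProcEvent(2920, 2104, CMD, r"C:\Windows\system32\cmd.exe /c del " + TEMP + r"\2024-1~1.EXE > nul"),
    ProcEvent(2804, 3036, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{60CB1~1.EXE > nul"),
    # Constructed benign event: same parent, but it deletes a temp file,
    # not the parent's own image, so it must not be flagged.
    ProcEvent(4100, 2104, CMD, r"C:\Windows\system32\cmd.exe /c del " + TEMP + r"\stage.tmp > nul"),
]

ASK = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
ACTIVE_SETUP = [  # constructed (key, StubPath) pairs; the report lists no registry values
    (ASK + r"\{60CB12A0-EBD0-426b-8192-D56D91F47CEB}",
     r"C:\Windows\{60CB12A0-EBD0-426b-8192-D56D91F47CEB}.exe"),
    (ASK + r"\{00000000-0000-0000-0000-000000000001}",   # dummy stock-style entry
     r'"C:\Windows\System32\ie4uinit.exe" -UserConfig'),
]

if __name__ == "__main__":
    for finding in analyse(EVENTS, ACTIVE_SETUP):
        print(*finding)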

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2D58E271-8591-475c-9A73-A126B7213A53}.exe

    Filesize

    168KB

    MD5

    c19d145279b07ada283c6a56c41e8733

    SHA1

    0d514bddf23e84b3e0fc324600a10b59962a6f17

    SHA256

    56ecafbd3794686d59492208f6e2af0755295ec3bf64c789542dee91d8d1a674

    SHA512

    f6fb597b88f3d1e7744b401850a62bf74e36f20d865da43997477a0aa7338ee3212b48099e6b3a7d4498ef5615da3b06698761c00c08dc2fa842530cba20c842

  • C:\Windows\{3A904DC4-3537-49fb-A0B5-AA49ADFB6F2D}.exe

    Filesize

    168KB

    MD5

    7289884f55ce5a13428b6fcb6c72bb3e

    SHA1

    6190d8688ea6eff582ad4e5ec5aef7b89ad14bb9

    SHA256

    b075b33756c9eb07d548d32215e7d4955868cf6a2018251623f2eb30e4e1e076

    SHA512

    a4bf383102004a4564e26703e21b3cfead749f65d9194958e951a8e88c0ca6cb4553001ed0569483481582133a808a7e40ec2d693f01b0c69a0072fda0340393

  • C:\Windows\{46844CE1-33B2-42c4-8957-BCC2247A180F}.exe

    Filesize

    168KB

    MD5

    ab47e0a05731b7d6dbb534708b846b15

    SHA1

    5da64ce70ce502ab8f7558278ea44a8d7627c7a8

    SHA256

    cf47097fd2fbfe468d902bc768cc1a82b895c7cfe9718fddc45e7d863631a8ac

    SHA512

    6a53035f698272787b4282cd67eb9f81690439177290048cbd4fb55ff9263859aa7c336e00b1cc46090dd23ad5259a764a23612fdc65e538350128e232f9daa5

  • C:\Windows\{60CB12A0-EBD0-426b-8192-D56D91F47CEB}.exe

    Filesize

    168KB

    MD5

    4fe7ce1e89de505eca98378eeb55d2ab

    SHA1

    26833eb35ed3e6f26a7acfec53d8d75486ae9538

    SHA256

    ffff23a2554456540473e0249b77f0334812316cca2315e3c9be83e7ffbacf5d

    SHA512

    69a8fbc018f60d55fa10052c29a31d923654ac50eb41a8dced609268e10318437ba44d4b22a00925e6d8bbf3ad00c0c803193223ffa0b8c6f27b542de7974127

  • C:\Windows\{7E454353-6D2B-49fb-9D2A-E94F02EEB58A}.exe

    Filesize

    168KB

    MD5

    94a537346de7795aca38f86105291122

    SHA1

    042429f261e0424ea201b9fc4937cff1ed121ce0

    SHA256

    82e0099b5a73c216dd89c9f2ea66ca77390ef6679f2eb65168ccb6a04b0a1f38

    SHA512

    7ebe2263cdc5e5503feeabaf21e65c18252840c09b569ebbb04a849cc2171a2d3b73f682b07447aeeafcc1a13697d4c49f0bcab8af8a1050268b908182586b90

  • C:\Windows\{8B0A6E8C-2DE4-4258-8180-09AB28580DFC}.exe

    Filesize

    168KB

    MD5

    d1350151b93996c0449e75c582225b93

    SHA1

    9b837a7eeb4f6682160cd809d2186fa88801dc25

    SHA256

    a9222e7f015cf64296f4a878f0e5d184bf8698965c3db687eb405449d88f6de2

    SHA512

    75081bc9942aefe4d510f0a49b04696f0a666f5553a93ce6437fad4bd33ee3524db7bb1645988219fad24f2eba23b0fd2a4e342cdd38039c14584c77c088a521

  • C:\Windows\{AF1F3C59-ED09-419b-8CE7-8906B8039FFE}.exe

    Filesize

    168KB

    MD5

    b01de7faf715b57c696bd0cb6589d0bd

    SHA1

    b0efa182df3074f1875d4757a809126ecdf7f4dc

    SHA256

    c37c4ddeda3c0bdea33dd1f03115400f52c122b4f85879a0db7547451fb2a2bb

    SHA512

    3e98ea4750eff319f9b8eb36944418907c808607ab8e718d27e57d63e50fa42df41220008b01ceba49ffec510413625c30bb3f98c9834f7804762b5b4cf55b2e

  • C:\Windows\{C6D18217-D9FA-4115-A45C-3C3A6918E0D2}.exe

    Filesize

    168KB

    MD5

    8255d506bb1c873384bbda84c033b253

    SHA1

    951cc75c567dfcf5fb2dfa6e19e880aedb8f4208

    SHA256

    d216aa86779de9f024b9413134de63b83b24c45f58b9d479317804644d793a18

    SHA512

    ad7940e39bbf92c6b30ef1b870b42a0f983b4c8a6d66b2935de09e70d7d8830046dc92ab5cf72ff09b42cee0b4b734ce55dab3ed4b148a6f18131e7cae79c1e7

  • C:\Windows\{D3584CDD-1885-4d52-B416-92DFEBDE64AA}.exe

    Filesize

    168KB

    MD5

    f4ca5c0ac8d3b1879490a954aef5ab3b

    SHA1

    096abf60ce29df7192f36855e75bf168560f12a2

    SHA256

    48c646520883ae53970b74498b418022a14c5edfb7517916e5bbe08f09feabaa

    SHA512

    1a721dfb4a36e6f01dc45bfa5876014223a71abf33ff24f7fc6775832a22e4e0e7bbb9c0fde4e896064ffa25112ef147e72b92f0619ff54830f55bcb58865acc

  • C:\Windows\{F3699A8A-23A2-4a98-87AE-E7957BD7837E}.exe

    Filesize

    168KB

    MD5

    ec74bf06d2ffe7c6882ae78edd76b9e3

    SHA1

    7f7ecd4fc9ffc7817960081c12e92bfe15bd8949

    SHA256

    e3703934f40086953a6285bffc0948e4398a74bb098d2d570f10737fee19b439

    SHA512

    7b8286942ebc3a00640b1b1c09dea15134a929b10567f86cd905e5d690abac4b46c9bbdd17ad9a82a4c493a21974005537875ef0a3f8040b14c0bc41c16530f8

  • C:\Windows\{FAA0C6D9-3C7C-4296-BE7D-D72E90553C08}.exe

    Filesize

    168KB

    MD5

    ad842327ef25d34d944a4e9bd41bd416

    SHA1

    4b54aa89347cccc85b901c9d4f7d04421ee94a95

    SHA256

    6c4251c45bbfd007ee18889cab2e33b821be46ea062f39cb2760f5f5842a677e

    SHA512

    c19a56bb13b1115acb4af8f2f7c3dc72dca3bd882c4813779ddeb9c1af42f506f1475bc7805812896bed74691e5fd3bfea9743f6934cac05f2a9bbf7d4737208