
Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 16:54

General

  • Target

    2024-10-12_320379e8fb99f2ef23f743fb7b2c1ddb_goldeneye.exe

  • Size

    168KB

  • MD5

    320379e8fb99f2ef23f743fb7b2c1ddb

  • SHA1

    bff07e68b763f630991bca5c04dc616495f6d762

  • SHA256

    83a1359792eeecfd91789a475aa3bb05d6087649d1e7c2ab43f7e381cd1e21ad

  • SHA512

    53168b9da73ddb898f6b95582747c0b829fd4ca0baa45e10027f34eb490b3bef2f6395b0d19d1887ac7e1c5f53a257da130fb6fc8d269a8b1eb962d21b81bd7c

  • SSDEEP

    1536:1EGh0omlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0omlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_320379e8fb99f2ef23f743fb7b2c1ddb_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_320379e8fb99f2ef23f743fb7b2c1ddb_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Windows\{0EC5E60B-5F42-4fb1-A92D-B9791787019B}.exe
      C:\Windows\{0EC5E60B-5F42-4fb1-A92D-B9791787019B}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Windows\{8C610F0A-E405-4da7-9C64-A0649AEF4B22}.exe
        C:\Windows\{8C610F0A-E405-4da7-9C64-A0649AEF4B22}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4168
        • C:\Windows\{F8C11FC8-5055-4bd0-BE8E-01B5670330B1}.exe
          C:\Windows\{F8C11FC8-5055-4bd0-BE8E-01B5670330B1}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Windows\{09BD434B-D255-4e75-B1AB-0863B6E7AE2F}.exe
            C:\Windows\{09BD434B-D255-4e75-B1AB-0863B6E7AE2F}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4544
            • C:\Windows\{948FF9F1-214A-4a8c-A2CE-FC0EBEDFE269}.exe
              C:\Windows\{948FF9F1-214A-4a8c-A2CE-FC0EBEDFE269}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2184
              • C:\Windows\{0C997B7C-2F9C-4341-B0DD-02E7A1B71C72}.exe
                C:\Windows\{0C997B7C-2F9C-4341-B0DD-02E7A1B71C72}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1260
                • C:\Windows\{50F311CA-062E-48e2-8144-A5CFBB11D8BA}.exe
                  C:\Windows\{50F311CA-062E-48e2-8144-A5CFBB11D8BA}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1108
                  • C:\Windows\{9BCF8406-D844-4b6f-AFA2-FC4C6A48B1F2}.exe
                    C:\Windows\{9BCF8406-D844-4b6f-AFA2-FC4C6A48B1F2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1540
                    • C:\Windows\{92400FD8-F0B9-46a0-A746-6116771E5995}.exe
                      C:\Windows\{92400FD8-F0B9-46a0-A746-6116771E5995}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:224
                      • C:\Windows\{81E7C45C-D425-4720-970A-EECA1933BD22}.exe
                        C:\Windows\{81E7C45C-D425-4720-970A-EECA1933BD22}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:4228
                        • C:\Windows\{F828FC7C-2655-492f-8E8D-EFC3BF3B7241}.exe
                          C:\Windows\{F828FC7C-2655-492f-8E8D-EFC3BF3B7241}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4948
                          • C:\Windows\{AF9BE979-A2BB-4168-A03D-B5186E7994F8}.exe
                            C:\Windows\{AF9BE979-A2BB-4168-A03D-B5186E7994F8}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2496
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F828F~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4936
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{81E7C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4196
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{92400~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4452
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{9BCF8~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2844
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{50F31~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3036
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{0C997~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3664
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{948FF~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4416
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{09BD4~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2200
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F8C11~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8C610~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EC5E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:668
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3840

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{09BD434B-D255-4e75-B1AB-0863B6E7AE2F}.exe

    Filesize

    168KB

    MD5

    1fd79f6ec986f03b3c1f135ca49a9030

    SHA1

    eda8652f489b590a616b7c0e4d2f2e85000546bc

    SHA256

    1cf3a80a7d29d8a58e9fcaf2bba61f51ec8aa41d27ad5033a65a7b05711c6f59

    SHA512

    8cffde544f1f02790b273f58771524241d071ec59098a4396ed9d1aeebcda174ec76c0f572802bd5770e17cb58d776245f2899dbe1b852a29d4d811833f05520

  • C:\Windows\{0C997B7C-2F9C-4341-B0DD-02E7A1B71C72}.exe

    Filesize

    168KB

    MD5

    e66e13be88e7891282e7b839a74c92e7

    SHA1

    c06f8fc7d553462ab6f148e1828c6da193888f62

    SHA256

    a1d282cf41145209a8653175f4dd989571be7b0fb4abe87bab32d630dfc15723

    SHA512

    27cdc6615022962d00f12450be05ec934ae2b45c60c0f51d7ef7c4a544b0de26fd9bef156623db269de60566b612667632af3121fdca479e654acec622986e8e

  • C:\Windows\{0EC5E60B-5F42-4fb1-A92D-B9791787019B}.exe

    Filesize

    168KB

    MD5

    f775dad990b1af53094fbe222030551f

    SHA1

    f8612bc7ced622a47d4b0f65f51338420fac7ec2

    SHA256

    b7c335861f51126d132def2790377f21908abb785340c71bc6d71644ecebbfb7

    SHA512

    ee9980f4d107d0af50ae57cace5f85711dce83dc32fd43c93888555d3a5925fca19da38b8ea47a94397c64ff12886a54ab75cbcb75e1130ff5a5aee177b8a31d

  • C:\Windows\{50F311CA-062E-48e2-8144-A5CFBB11D8BA}.exe

    Filesize

    168KB

    MD5

    e37e1fef78bb73f086b4b7d65f5b2635

    SHA1

    3509a324057fa679077fe783023d382da67d6136

    SHA256

    c134b37780e63993803f113fe4e3dd942f75a8afadcac9254bc313967c9d2c26

    SHA512

    56ab6383d371b067fde021980f425c74f813f0b6563e6dab2f7373680960901d1f53966657a72d66364aefd9e80e3b358ce7e35c87fdad02f62eced4a2980164

  • C:\Windows\{81E7C45C-D425-4720-970A-EECA1933BD22}.exe

    Filesize

    168KB

    MD5

    4b0f0164700d4421bae064c8cf998be9

    SHA1

    b4aa12236921ba87034dc1a5746d764b8815816a

    SHA256

    6b83a8199c1a70ce423ecb701f45da17ec5524ea7efd8dc6010e363466c58fe3

    SHA512

    9f9f3516a3c53a6c6b69499eb446183274a52c58aba7d84f0a1b2320a5eaf6407374f7797e3bbbc30be7fd6eecd0a382d010346b43bce4b0a2588c2fbb2a46c8

  • C:\Windows\{8C610F0A-E405-4da7-9C64-A0649AEF4B22}.exe

    Filesize

    168KB

    MD5

    c8da56e67c7b4e22822ba8e3ab6135ca

    SHA1

    00b17e5fdad1ecd45f857076a97e51c54598d387

    SHA256

    a77939f979160658bcfeeb2a76cfeb4a016b27856b9a62620285dfbc1b1cffcf

    SHA512

    136ee2f7acf38a5e1036336324ea387720590d6ed01bc160aca5efdd625526391f523dc400edae94d9866aaa63a25f65b2b9f1332229688319282a07617248bc

  • C:\Windows\{92400FD8-F0B9-46a0-A746-6116771E5995}.exe

    Filesize

    168KB

    MD5

    44374b59cbfd82684bdaec1c532d9749

    SHA1

    6b8328e35fcd8597c1ed78d7d9020b686718cbd8

    SHA256

    a8cf6525f2eaaa584297141c460bbff40e4394756dcb6a64961324a06dc2e91c

    SHA512

    3600d393cb9fc39e66ca771a2b41a087e21d591889089ce6d5b7c6e3ee761ca3919985fa0d0821cb4e353c9c4c54f0f5eface398a01a3db0bfddec1755673442

  • C:\Windows\{948FF9F1-214A-4a8c-A2CE-FC0EBEDFE269}.exe

    Filesize

    168KB

    MD5

    78807edb8fe2dfba2b0ef95a3ff40140

    SHA1

    742a438aba0a97a435c7196d960c93f22c8f3d66

    SHA256

    bd4071f8b657c920ebb92baa03480f013627be9649422592544c4916062820ed

    SHA512

    3f78423795c5c20c20f73e1dd33d075d3cadd24162500a3271e6cacecd85f61d9ce207ca1e112919ce05430c82cd791d0be039db0dfbc0b9612cd59f764d8e55

  • C:\Windows\{9BCF8406-D844-4b6f-AFA2-FC4C6A48B1F2}.exe

    Filesize

    168KB

    MD5

    65e119247292e08099430607e2c87bbb

    SHA1

    3d0db44d58887f8ec688b01abe523596ad1563ce

    SHA256

    122a6aab56469981477e87b09de2bb852fd0fdcf8ea60c5c05163eba72174684

    SHA512

    de9b6488f4377fbbb484985230975e9a5d525ecede2eeee40bdee0cbb1c42331b9138cfc78332959475aa412fdc428b5f138b1dc4df99310009bad0b465f5985

  • C:\Windows\{AF9BE979-A2BB-4168-A03D-B5186E7994F8}.exe

    Filesize

    168KB

    MD5

    3864a54e61fb68832f47fc499dee749b

    SHA1

    8cffe2e496654667c64edcb8dad0a54dde87c054

    SHA256

    1aa5de95026034060a12fd2b285397fa0a1802afb100294b01b593aec230e9d6

    SHA512

    19cdeeb0a59e4165caf4c2dc4bb7cdacf29011d5f897bd2649ed9fc23b44eaa452308c73ab7ad1c36ed9ccf07df1276cec8fec2792c038cae53e419bbfb8332e

  • C:\Windows\{F8C11FC8-5055-4bd0-BE8E-01B5670330B1}.exe

    Filesize

    168KB

    MD5

    39745eaf179ffdcc4cb0238b600b1497

    SHA1

    9b8d2e25813044575981334db2e85358e5699b9b

    SHA256

    42224d52e680bd3042f00db39af35fbd4cebb06638441a6f38745340525fef3f

    SHA512

    cb0da633aea95802409b7d3e9aed65f5faf8722939b4077823a6b7c5c4b3f896093fa34153c0ce202a5bac5815bce8aa4f99db6f2cabb0909fbe96778aa46d47