Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/10/2024, 00:49

General

  • Target
    2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe
  • Size
    180KB
  • MD5
    2413457564c4054ca86b0f97858ad5ef
  • SHA1
    df380522c1149359096571917ad5348c4a445b5c
  • SHA256
    054432a5ff2cbda08c8a2114588c1e06087998399aa8a2b8aee8ab9814bbbf76
  • SHA512
    e371d392c917749b2673d37590616070fc05db41966ce0d18d71ee4e7ee50d9b108d5042498385d7b79df6539547d0bef5d871be7f181494c035d9f0ffa6a183
  • SSDEEP
    3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGOl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\{98872965-5E4B-4e0a-83D4-ACCC16A38796}.exe
      C:\Windows\{98872965-5E4B-4e0a-83D4-ACCC16A38796}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\{F3F1628B-06E6-449a-B4AB-E61AA0ACE0D4}.exe
        C:\Windows\{F3F1628B-06E6-449a-B4AB-E61AA0ACE0D4}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\{CA96EE66-DEA2-48b0-B7F0-4C40F8C659DF}.exe
          C:\Windows\{CA96EE66-DEA2-48b0-B7F0-4C40F8C659DF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1220
          • C:\Windows\{444A9431-4BCC-44a1-9C19-89B82B7CA576}.exe
            C:\Windows\{444A9431-4BCC-44a1-9C19-89B82B7CA576}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2220
            • C:\Windows\{F4FAE26F-D0FB-403e-AD00-E1D71D048132}.exe
              C:\Windows\{F4FAE26F-D0FB-403e-AD00-E1D71D048132}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1172
              • C:\Windows\{E2C3F0B9-C7B9-483a-BF12-C3CEC41F78EE}.exe
                C:\Windows\{E2C3F0B9-C7B9-483a-BF12-C3CEC41F78EE}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2676
                • C:\Windows\{248D618C-E2E6-4d0f-857B-C0A208E734DF}.exe
                  C:\Windows\{248D618C-E2E6-4d0f-857B-C0A208E734DF}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2920
                  • C:\Windows\{76187E03-85CF-4b53-A360-719D74FFF9FD}.exe
                    C:\Windows\{76187E03-85CF-4b53-A360-719D74FFF9FD}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1732
                    • C:\Windows\{95E5D1FC-F1CA-4478-96C3-D6807B70499F}.exe
                      C:\Windows\{95E5D1FC-F1CA-4478-96C3-D6807B70499F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2148
                      • C:\Windows\{904F509A-2515-416e-B15E-9D57718DCFA4}.exe
                        C:\Windows\{904F509A-2515-416e-B15E-9D57718DCFA4}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2516
                        • C:\Windows\{099D3DB1-4551-4db4-8B08-16FDB049106B}.exe
                          C:\Windows\{099D3DB1-4551-4db4-8B08-16FDB049106B}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:844
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{904F5~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1744
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{95E5D~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1972
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{76187~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2548
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{248D6~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1756
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C3F~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:636
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F4FAE~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1224
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{444A9~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2232
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CA96E~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2068
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{F3F16~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98872~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1712

Network

MITRE ATT&CK Enterprise v15

Downloads
