Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/10/2024, 16:47

General

  • Target

    2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe

  • Size

    380KB

  • MD5

    0ece39ba2e3f44647774f23bb76803b0

  • SHA1

    5b90ed455ca376c486f1ab1d480828f0c9b23efa

  • SHA256

    ff3ea2abc932cd69002f47eb7e92157f8a43fea2e3d1c5d6b529760dd6d6d004

  • SHA512

    351cd26de5649883d3e6b42066c59812933a16e2ab5da0e67848d94fff7c2a4fcc3a5278bbed6d52c37b49d1e4e7ba509b6c7cc53dc8ac530dc1e9a3e091ae17

  • SSDEEP

    3072:mEGh0oqlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGIl7Oe2MUVg3v2IneKcAEcARy

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe
      C:\Windows\{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe
        C:\Windows\{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\{E239A642-9007-4bc5-98D8-F29EA053B871}.exe
          C:\Windows\{E239A642-9007-4bc5-98D8-F29EA053B871}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:696
          • C:\Windows\{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe
            C:\Windows\{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2124
            • C:\Windows\{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe
              C:\Windows\{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3024
              • C:\Windows\{28BFA344-7658-4719-97F3-512AD227A565}.exe
                C:\Windows\{28BFA344-7658-4719-97F3-512AD227A565}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2940
                • C:\Windows\{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe
                  C:\Windows\{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2516
                  • C:\Windows\{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe
                    C:\Windows\{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1152
                    • C:\Windows\{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe
                      C:\Windows\{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2468
                      • C:\Windows\{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe
                        C:\Windows\{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:488
                        • C:\Windows\{38FD8722-BCF7-4dce-AF35-4E19DB635E32}.exe
                          C:\Windows\{38FD8722-BCF7-4dce-AF35-4E19DB635E32}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:3052
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2220C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2088
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1543~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1660
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{5FC3F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2232
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D0727~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2308
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{28BFA~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2504
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A9089~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2104
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B85FF~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3012
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E239A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2072
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EF5DC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{025A7~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2328

Downloads

  • C:\Windows\{025A7B37-93DB-4c1b-A419-EDF5BA8FA9A3}.exe

    Filesize

    380KB

    MD5

    127c0002616cc3a095c615af1fe724ce

    SHA1

    13c8ce3d1a48b8096aca074feaac86e10bf7adf1

    SHA256

    be4fc3a322e50d64f38192a8e753de169117792e48c20ba53c19b5902bc7853d

    SHA512

    df24b91301d31f039d188392600ab1bf1faada9cefb1355bd4b7145f5155e05dad3dce0fd766c5d358fe247b49283dd9ea77f2b6cac04c91129f5cebcdc617d0

  • C:\Windows\{2220C8D8-F507-4c35-9CD5-42A0A05BBBCE}.exe

    Filesize

    380KB

    MD5

    dbaf8b6fc51cf0a0f96a91a2ac75e7bf

    SHA1

    867365ce21726a7bcfc3ff31f5974139cee91783

    SHA256

    02b81e212a61d3f1f680bdbd4ad13d4bdc507c2c23470952eb838dcdc6afbf3c

    SHA512

    ea0c462c82c94dc944ee4ef90bb8ae7d1f8b557f0136fe0d333ad88db0ec12adda89603002b7ce7e60a2f4f6939e4063ce750bea24f60d18182bd14ab9a38d0a

  • C:\Windows\{28BFA344-7658-4719-97F3-512AD227A565}.exe

    Filesize

    380KB

    MD5

    37e15a6a65c22eee7ea3d20b0411fbb9

    SHA1

    91b4a4f9cd6a4f481c29f2747879e519c0c3367e

    SHA256

    4054da4fa8a316b61880dfdfe432fe5fe5eb1330bae9750f0373027cabda8e8a

    SHA512

    8d31fccef1eacb2aa65e607530f80b41ba2d13d55b023083f4fccea5c246ad7c5ab0a5dd0c0c9a31b3e9aa697aae7d04c7e19d305f97505a17d6c59698eac1ba

  • C:\Windows\{38FD8722-BCF7-4dce-AF35-4E19DB635E32}.exe

    Filesize

    380KB

    MD5

    9c15f9da464c2a655f1c0cc078902073

    SHA1

    adf23d27b1274907d55d3e513bd9ada80686899a

    SHA256

    126051dca560bf0241463c876f83949735d2f45dc49e53e0f51b4fba0dbe1492

    SHA512

    f0725119815c5112f1f4bb9ba8138dc7957eec27bf66b353d4ce4fa2eaff0c0489ec3fcc030d8d3ff860045ebea14c2f308f567f7a787820acc640cc0fd05cb7

  • C:\Windows\{5FC3FD46-3DAC-4feb-927F-8707BF26BC4A}.exe

    Filesize

    380KB

    MD5

    c7c207fbab4fdf0dc658244863f721ee

    SHA1

    acb80532cb0f9d2f50439739cc1c163700805a64

    SHA256

    f8475ab08dba505ff10217f27ceea306a0b7e83cffe4a6f105e1a0a0f328dda2

    SHA512

    2d916328092f928205ca62e64839c8289be1bf53f407673fc79ec4512662c9d0af944c3fefcee5876db89a782db7b8fade727ea22efd5ffd732966a03b2da2f0

  • C:\Windows\{A9089D49-D004-4f99-9751-1D4DA52C33A0}.exe

    Filesize

    380KB

    MD5

    aed09414f0de15decebf5fdb0cf3cfe2

    SHA1

    c132f86e219403ab48550ca37f67ec34397ed600

    SHA256

    ba4fe92df5cce4cf4dd5c6c0772a6d0fe2f49979a4f24bb881613c82a6847c81

    SHA512

    b7bdadb9520ef814b78c1ab635e8b9e9d63a2b10c2f699e3b8428695b184ce5f9909e5e426ba839faff132fb1dee64dcff1d75d73ab9330e786cc10878ec93ae

  • C:\Windows\{B85FF6F3-162C-4899-88D6-673EFEFDB7D1}.exe

    Filesize

    380KB

    MD5

    80ba99b592cf0cb1bda26584140a63e3

    SHA1

    0ebce4089f7865ead26c8ed09ee25cb3f9dc6e3d

    SHA256

    ec57e0ba736194bd17e1366953922603a31db14e9c6e25cf6d53dfcb35cf6825

    SHA512

    e6f218942b6c549c1030e5939fe1b9bf0e4d1a97059ff69f85cb090054059bf0dd8c6f09e8cce64d8e03fd95f5b0a1ad9c6a4ee13a8858db02660b4f03af4a99

  • C:\Windows\{D07274F3-92A9-476b-8D1F-762E8D3F5C5C}.exe

    Filesize

    380KB

    MD5

    db0bba997588b70dfad944b7bae53049

    SHA1

    3b9e3eea587f8189ae1f2faad4cf927e7489fb04

    SHA256

    c007cae7ccefac645b5927f56b97212e219e44945f14f6f4d9fbf9b1fc399e21

    SHA512

    08b6d8bb37fe46bf960882724d5b2361b76ecc961fb0c35ca4d44fa5580275379659c3fc52ca17d4b50e83a85aa2e11ee4e7342804fc1c5e970bbd028a991e76

  • C:\Windows\{E239A642-9007-4bc5-98D8-F29EA053B871}.exe

    Filesize

    380KB

    MD5

    8f0d5a4fc369d565cc3a92e777df5f6c

    SHA1

    12025f7e3e9e71fe361026017d2f5c23e6a6a101

    SHA256

    84aa3374781eb7658f514cc80dbf06d6f7c0a3c3b6d65c2f0e5c8bf48e16381d

    SHA512

    23ce960ccdfc014697b73839ac2a1db5619b4cbbda1865ad7b4d0f94a45ef7614b3549ce06af21ac5d11a2872fe772c5f9d569a4806bcacbd002cbd0e081d2dc

  • C:\Windows\{EF5DC303-0541-42e5-9C3D-2FE81B13EC5A}.exe

    Filesize

    380KB

    MD5

    af1d9dee040d3bc118e0905a0344bd99

    SHA1

    e86f46ea101f20354a3e9c5b14133b25f1a8ea64

    SHA256

    74218f17c5d5305f6f858c4d826b5f2f4bb2ad4edb91c29607db82ab33990f0d

    SHA512

    46f8e79ef4009eaa1ded74ed1bcaa700fda8bf2c629d194e143986036dd6d9c05e1ce00a9d0fc65f80f3bf63116f913aa2c7a91be540ce0bae9768a0fdf48495

  • C:\Windows\{F1543AD6-2AF2-40bb-ABC4-E8B67BA85ED4}.exe

    Filesize

    380KB

    MD5

    82dd5f1eaaecdca78a470a8836e113e7

    SHA1

    0bd4bcb9639efe9227e03f4287778b504ff31397

    SHA256

    16cffc22e1c5280445112945f5d749aa8d32b8d2ff33ca04ce5361fa97c5e7a2

    SHA512

    5e702df892e17d66c8aeabe5bf02fc5fb4b47ddb5be283e659ec53bc36b67078c75968e8168caf7462a7f2a247810ac804dd1621d5d99140382e40ac1ae351dd