Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/10/2024, 17:46

General

  • Target

    2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe

  • Size

    380KB

  • MD5

    5372648664cdd5e18ae5248351fc0ecc

  • SHA1

    581fecc7931bf7d9f7d389d14a386a0bf9a0a3a4

  • SHA256

    84022a542402ff42acfc624e88c77173e0262f64ac20ef74869b7488e3861e67

  • SHA512

    f598de50a5cc46cdef632bb978dd4aae969a174b7f4ebc24728ac3725fa84bcbfb031e24b55f0f9bc7f43dd08feb1a63435c40505d0bbc0b1a26c8d34297237f

  • SSDEEP

    3072:mEGh0ojlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGFl7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\{6DC96CB8-C114-4647-AE62-2D761488660F}.exe
      C:\Windows\{6DC96CB8-C114-4647-AE62-2D761488660F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe
        C:\Windows\{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:860
        • C:\Windows\{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe
          C:\Windows\{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Windows\{2A452072-33E2-43ca-9066-0198F1F1C002}.exe
            C:\Windows\{2A452072-33E2-43ca-9066-0198F1F1C002}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Windows\{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe
              C:\Windows\{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2632
              • C:\Windows\{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe
                C:\Windows\{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:856
                • C:\Windows\{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe
                  C:\Windows\{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2800
                  • C:\Windows\{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe
                    C:\Windows\{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1676
                    • C:\Windows\{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe
                      C:\Windows\{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2140
                      • C:\Windows\{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe
                        C:\Windows\{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:352
                        • C:\Windows\{FB46DABA-918D-4092-A519-3CEA76EDB908}.exe
                          C:\Windows\{FB46DABA-918D-4092-A519-3CEA76EDB908}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1352
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{40F10~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2252
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD1BE~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1140
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E72B7~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3052
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD25D~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1756
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D2454~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1752
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{DED29~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:300
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2A452~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3064
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{6DA9A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2672
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7D702~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DC96~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2688
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{2A452072-33E2-43ca-9066-0198F1F1C002}.exe

    Filesize

    380KB

    MD5

    4349b2fdfc695c9c5fa602aaa0d16a69

    SHA1

    8255a2949f4a73b67f52425209acfc992e587dce

    SHA256

    483a4111c2c35223713d6d6d2547f71e6d2de9f47c805f012a66577b36aafc2c

    SHA512

    cacacef8ab33785cba75fa70a24c43e9f581d37e868bdc8e066aee826225da22f53555456d361f3ffec80346fcf35fa3cfeb00d1d7eb5d3f86d1bc3f8e1acc92

  • C:\Windows\{40F10B10-CF59-41e7-B1F8-87AE43FC43A0}.exe

    Filesize

    380KB

    MD5

    910b09c5289b714002ede4c1830d281f

    SHA1

    0130149a2583ac377fae923f767d014047b4c308

    SHA256

    9728aae8463851847c1b7f6fb484dc2d6277d35aaf606905ecde632f88f6b96d

    SHA512

    da7d13fa6fcd9cc31816751c312d1bba3930d4b74427389c2847b93603c0ffa3a161defc8aed633f142fbc16336f5c2ae8b64f0d9f6b6222582edd9e86a90674

  • C:\Windows\{6DA9A890-83B1-4005-A3A3-E7F85E6B78BB}.exe

    Filesize

    380KB

    MD5

    cef1c350199b1803b020a9bbfc58914a

    SHA1

    602abfe104507520e57fc4dbf76e388b7265922c

    SHA256

    91b7e80aa889eaf976d069f0d3e87eafd6c07ac28ea3201bd96b878945dbda55

    SHA512

    674c2d5203c0524a17044fe991082a638be983e934185f7bf881f1d64b8c2c2a71066f41cd1a27866bf0e7431475bf7050d17c8748de601de859157ccd096b2b

  • C:\Windows\{6DC96CB8-C114-4647-AE62-2D761488660F}.exe

    Filesize

    380KB

    MD5

    7b7389249050b49a760f4bea0626a9a6

    SHA1

    c9c4691c0b3624110984e0b8be770c5d328c38cc

    SHA256

    e1979284938941d35c927aeb9c06f760737cf8121a6c4999715f041dc9baa9c0

    SHA512

    1afd20dda7115bd11ad47490146cb6ba54e9e6025b0401fd42b0aa028887c2a608da2d7ea13677e716cb7ac3ee4999e496b5d33811516bdb6b3eb5db53b1756f

  • C:\Windows\{7D702A37-6F07-4128-AE91-4FD1F7A127F5}.exe

    Filesize

    380KB

    MD5

    528e28633c74f5d56a07a30e892e86a2

    SHA1

    5ddba720713c3b5f1b43edbbd79b411bd01af391

    SHA256

    b963e07536ce3534628d0b8ffb67fdc56a88f69b9fc06c9f001f505c886094a0

    SHA512

    4e6b6518a259d506d1a9d3b1b98522c1b76f9bebfd9547bf026e91bae5cc37feb1c8a102676a990ac62fc5cd32351bff9cb5f16eb162feec7d3fd5dba95fd9a9

  • C:\Windows\{BD1BEF2F-EA3E-43f7-9FA9-4CD513670A18}.exe

    Filesize

    380KB

    MD5

    45df6ba42d33964a9744c0c15897ad92

    SHA1

    c085a9f8ea061a513c7199379d138a7d06fe2109

    SHA256

    4165c44619c677175b344a4b84b5232046901cb28d0a03cc66cab2f5ab054586

    SHA512

    ce9cf887206e84ccd2708f8c359ad2681d1b13d9a6902852bd5bcc7a59e8276ed4ea5817f7db095da8085240d9ac6b9b4c58b2e22305313e53cbd7522f5c71bb

  • C:\Windows\{BD25D8A5-6699-4038-BEB9-41FF04B35382}.exe

    Filesize

    380KB

    MD5

    1cf2dadc06fdb363f573ad2d14d1998a

    SHA1

    0961e9936c3561c5b680d49815f282e209660c2b

    SHA256

    f0324f57313d883812f58e7d28c2de20f2502446dae7d8f0085b5efe4d04f633

    SHA512

    851a847c2b9a09e0ec24f5c76675f53a2334dd022a9aed6a64ab94983e01e5378bdb0f28f5e45223bd8e8432d6969945d608675b1e35caef5363e01677d61146

  • C:\Windows\{D2454240-1AD4-4ce7-95AB-588EC2257150}.exe

    Filesize

    380KB

    MD5

    dce183077a8208be75a627bda12ac777

    SHA1

    4fc7076ed2dfb3108342df2b68ab7453d07f0df1

    SHA256

    ee83c737d1f6f74c8181cd4a3d6b80ef35630213b7165d3893e6747280729ae3

    SHA512

    d4486d24253092f3bdacd2d366b809079ec0049a077564fde0710f8b1a183146c34aee502baf30398ccb8563f029705f0dfde52a561c53f0a108ef96e45fd715

  • C:\Windows\{DED29942-7DE4-4572-A98B-8FB09E1BF3F3}.exe

    Filesize

    380KB

    MD5

    fb541d5b4379a59be1036d1bcb24087f

    SHA1

    cc84ca919e7c271d80f414b71f02187a9a35501e

    SHA256

    2416251cd1ec7c27c5ae81c5febc6f3fd6612d49f3fa22aec5469722479fda8a

    SHA512

    d6366da5d9bbebd3db3eac5d7196efd0348cfb28b60bccdd5ced4be9deb1648e2767dbd07984178b6c8aa99243e8a5fe9c2d220279807b4d3b70527b23b90572

  • C:\Windows\{E72B742D-44A3-4996-B945-E2C3A3D32DD0}.exe

    Filesize

    380KB

    MD5

    65c3a9b2e04ff258ab2ab12b79dbadf9

    SHA1

    ac8252fad52c551e0bd6dc20ef6d2e8fb5bd1b61

    SHA256

    6596b341af8b64d1c726c4c1e37152178821ab1ed58f2d77dc0d60319c65ce54

    SHA512

    108ad0ece7d3344cb205e9a2561462bdfc7fccc940a6ce93005e6428f2ca2eee55406fda507e007ae154b7c7d179dee14ca36c92bd2dc3630b265620befac9fc

  • C:\Windows\{FB46DABA-918D-4092-A519-3CEA76EDB908}.exe

    Filesize

    380KB

    MD5

    0f2e1b3f0c1114cc5926b777b5441409

    SHA1

    2abefe71e4e619fa3f20d7ffcc7120df3d30da65

    SHA256

    60574f748a963391698da208386017fb95c78cb56b724dcd79d8204305dc7106

    SHA512

    8ce4c77fb47c6e0ba553fae77b08ff8434c367354ea51a7a36096df370d4ed73f856dfcf5ec91ebff7ec88594581fbb4c3c8ce79325a797d42f1dce586a90770