Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/10/2024, 12:19

General

  • Target

    2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe

  • Size

    180KB

  • MD5

    b9a05f4b65bc36c319367b726f012c8e

  • SHA1

    75a1e3e877c5f03873ce504aa326d0d90cd5dce3

  • SHA256

    a1a98a70923dfb2a7ca3a214231913d684a716866ffa8c2651401e960fcac586

  • SHA512

    8021774a4e0e480c7b35018752f7928b6c54199f31cd559df20a24241c69e1d4743a14839abfe4fd4f4e268de66c4fcdc914948e4a555fd4100db44f84d17062

  • SSDEEP

    3072:jEGh0o7lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe
      C:\Windows\{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe
        C:\Windows\{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe
          C:\Windows\{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe
            C:\Windows\{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1536
            • C:\Windows\{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe
              C:\Windows\{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2548
              • C:\Windows\{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe
                C:\Windows\{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2700
                • C:\Windows\{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe
                  C:\Windows\{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1736
                  • C:\Windows\{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe
                    C:\Windows\{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:316
                    • C:\Windows\{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe
                      C:\Windows\{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2044
                      • C:\Windows\{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe
                        C:\Windows\{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2728
                        • C:\Windows\{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}.exe
                          C:\Windows\{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:768
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{037EF~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2168
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{58733~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2424
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{586CA~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1996
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1C66~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2352
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{DB1D1~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1544
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3C539~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2884
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0049D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2432
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{FA127~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2680
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{675B4~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93E33~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2160
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2200

Downloads

  • C:\Windows\{0049DF99-BB36-486f-90B2-0D507CC14DAC}.exe

    Filesize

    180KB

  • C:\Windows\{037EFA9A-2040-4ebb-B825-F3B470BB3838}.exe

    Filesize

    180KB

  • C:\Windows\{3C539A14-1725-431e-9B4D-D9AE40599CFC}.exe

    Filesize

    180KB

  • C:\Windows\{586CA6A3-F573-4382-B784-D56AB3E8B991}.exe

    Filesize

    180KB

  • C:\Windows\{58733F37-5885-4cf4-9707-A280EA94EA6A}.exe

    Filesize

    180KB

  • C:\Windows\{675B4E74-9F62-4286-ADD2-90A64F947E9A}.exe

    Filesize

    180KB

  • C:\Windows\{93E33FC2-831A-4a79-96C7-872AED67A01E}.exe

    Filesize

    180KB

  • C:\Windows\{D1C6674C-919A-45e7-BDBF-AC399CE12FDC}.exe

    Filesize

    180KB

  • C:\Windows\{DB1D11FC-63C3-4d8d-B165-BC00F7ABDEB0}.exe

    Filesize

    180KB

  • C:\Windows\{E3B1E9C0-5616-4ecf-B9F6-86C4D1C0CF17}.exe

    Filesize

    180KB

  • C:\Windows\{FA127A2D-B43B-4b2f-B1D0-6B40A68FF164}.exe

    Filesize

    180KB
