Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 10:01

General

  • Target

    2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe

  • Size

    408KB

  • MD5

    fb7a014ccb227a9f8fc425ea6808aa92

  • SHA1

    47c326bf0113753975bd64acd139574f51048943

  • SHA256

    3713d713584f6daff65e9cd220f01dd50d3e19b4013a7cb364bd9d4c03d6b4e4

  • SHA512

    49851bcd41c5ba81d790821a2bc02e0f45ed5d974b6f4f92146cc1c46d623d8095adddb8f450bbda3ea9154adea7fd3765ff32ce118ec935e5ff7922d7637608

  • SSDEEP

    3072:CEGh0oql3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGsldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-18_fb7a014ccb227a9f8fc425ea6808aa92_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\{971F777B-EFED-444f-8A7D-A7C0A361F767}.exe
      C:\Windows\{971F777B-EFED-444f-8A7D-A7C0A361F767}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\{63D86F77-F1FB-46f2-8935-E4114CD83EE1}.exe
        C:\Windows\{63D86F77-F1FB-46f2-8935-E4114CD83EE1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\{9C07C68F-2BAD-46bd-A912-0D7ED2A456B5}.exe
          C:\Windows\{9C07C68F-2BAD-46bd-A912-0D7ED2A456B5}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Windows\{D53811D4-A2AA-47fd-9AF9-3D597B9389D7}.exe
            C:\Windows\{D53811D4-A2AA-47fd-9AF9-3D597B9389D7}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\{9A6C581C-6F52-4217-A6ED-DE8438A959BE}.exe
              C:\Windows\{9A6C581C-6F52-4217-A6ED-DE8438A959BE}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3012
              • C:\Windows\{98549B94-1B08-4a67-A25A-A29873984BE7}.exe
                C:\Windows\{98549B94-1B08-4a67-A25A-A29873984BE7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:352
                • C:\Windows\{79FEB94F-8A05-4f13-A649-7F7D48089059}.exe
                  C:\Windows\{79FEB94F-8A05-4f13-A649-7F7D48089059}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1036
                  • C:\Windows\{C8E0CDA8-74FA-48d5-8E9D-7372D04C6706}.exe
                    C:\Windows\{C8E0CDA8-74FA-48d5-8E9D-7372D04C6706}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1760
                    • C:\Windows\{1CA54B43-A442-45c1-90C6-99EFD08641AD}.exe
                      C:\Windows\{1CA54B43-A442-45c1-90C6-99EFD08641AD}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2912
                      • C:\Windows\{C3EBEE91-6CFF-45f9-B873-40DF4C2078A1}.exe
                        C:\Windows\{C3EBEE91-6CFF-45f9-B873-40DF4C2078A1}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:448
                        • C:\Windows\{4E1BFF15-6965-40ef-BB4D-B7CD5A87270F}.exe
                          C:\Windows\{4E1BFF15-6965-40ef-BB4D-B7CD5A87270F}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2380
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C3EBE~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2652
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CA54~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:584
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C8E0C~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2424
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{79FEB~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2624
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{98549~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1396
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9A6C5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2528
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D5381~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2228
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9C07C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{63D86~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2152
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{971F7~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2796
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1CA54B43-A442-45c1-90C6-99EFD08641AD}.exe

    Filesize

    408KB

    MD5

    9240941ece61203f425bde50ba2ed04a

    SHA1

    02316309ec7025ceaf12cfe0197d6ef644b46ce5

    SHA256

    7356cc371e1133578d1694c6fff87637492c8ae5150e7f92010e4691384b8ecb

    SHA512

    72f695e6e097129a923530f067961bad4ba6ffda4215f054a2365b0c1fb55c519459b5f4a3f95dc50170366e24bf78a52149d8f1e11ef35489cbfa3f88e5c944

  • C:\Windows\{4E1BFF15-6965-40ef-BB4D-B7CD5A87270F}.exe

    Filesize

    408KB

    MD5

    5d3424e71cec8401cedaa08b816e14ac

    SHA1

    a78fb9b85df9c61321c867a42a49c8afd9d073b4

    SHA256

    1a3f1e5c2a9c4c2871551b211f95370a7d8174cd7c1cf18c6c57fd25feb68a76

    SHA512

    6254590b831cf6a0360d4666b91711f6eda949fbd4e49725a9185812df150e9786a9414d83e5f035d1e692279bccbb7fda35a95f660bbba5cd7698d2cec1b1af

  • C:\Windows\{63D86F77-F1FB-46f2-8935-E4114CD83EE1}.exe

    Filesize

    408KB

    MD5

    c3b4ea8e39d977425357e9bf7c3eb0f1

    SHA1

    1e08b071942d65aaffdad9667556442bf1f120c8

    SHA256

    f6662da758c17565f614a4762eaf9f31dc0cec816196c6db291ee7a77f5d6419

    SHA512

    e3b62a9d89d0605e3e0f4185508a4987875901ebf7d2351fe763e24b93b72af337c5be205808a8d528267b72830e5f29a245ba04fb42ef960268e317081bd95d

  • C:\Windows\{79FEB94F-8A05-4f13-A649-7F7D48089059}.exe

    Filesize

    408KB

    MD5

    fc220ad4b920c4f682938937654b5f60

    SHA1

    b5ff35f7da4d56aed488d97db4f8faa59b56fa04

    SHA256

    4993962b68b34558d2a04a6b9f99755cd017aa7e75a11ef9530f11a051e19336

    SHA512

    7f29eeaea70a13565ca1743442c29069bd5eaed4c60116374940747ef12f55c0a71527947db04fab42265e35c31b1a92338c14f7bdbaab8de4f007b7dfd9d232

  • C:\Windows\{971F777B-EFED-444f-8A7D-A7C0A361F767}.exe

    Filesize

    408KB

    MD5

    16d13275fd5f26433430202aa5b92b23

    SHA1

    6648297ef42f932566d3cf5b89464fbc3a70de3e

    SHA256

    da222bcd65d1bb60955f6bb9e810f7135b75ad0f069c4308eec8ce0f6f9a8ea3

    SHA512

    743bfe0222c704eda01c957e64cb7f3bed14bffd49a3abfe7c1c25cc43a165bb5f9830ad0370c6aa31c867755fed697b0c8462be66cb081a460ce727badd5ff8

  • C:\Windows\{98549B94-1B08-4a67-A25A-A29873984BE7}.exe

    Filesize

    408KB

    MD5

    7a81171c0099bb5a3909415b660f7a4a

    SHA1

    32da4e2cb65903d4561d7b80b82b65690bc8b220

    SHA256

    ae3b455278304ca46b1996285299b8561a5c88c8794206f670b0a226545a12f1

    SHA512

    b238af26d61d8f1b4ea2abe53907a04e269a289a1515b31e74b91a9b8ff8e19b622e2bd50d5fd3ee933b9869e375e2e4f4c6494edcc6f5adbf21affe7da14805

  • C:\Windows\{9A6C581C-6F52-4217-A6ED-DE8438A959BE}.exe

    Filesize

    408KB

    MD5

    0c88390bcc1140c059b12307c057cb9b

    SHA1

    27c2c49fb1d3de5f0ab0c331ed7ceefe7cdb012f

    SHA256

    f063c7974b05be21693f73565321ff8506964925ca0d06f371963c7f10052e83

    SHA512

    578a84c78a9f961b4e3171dfea3a29d6f6f54df55df4fa783133bdb6354b8ebf17064b112db53a1d7bcc5d9c65a97caeb2825c34c8b0c179f6e4cd2f6b77edc7

  • C:\Windows\{9C07C68F-2BAD-46bd-A912-0D7ED2A456B5}.exe

    Filesize

    408KB

    MD5

    0fcf382615c6260ff93f7a28e2bab29b

    SHA1

    337798e0fdbd1ffad9873b5900302ce77ab31298

    SHA256

    2671477f6b00e8ccca49d6b2b8f0595bd02ff22baf7b5ae401e3c09eefb494f3

    SHA512

    30d39f732c2603cf44837c211d6fe977f91b46fb6f55f7302350de8b4a96a581baa80f307f91833d73a29e79edb78c538cbd7fbcccab623c435f4c373b96e2f8

  • C:\Windows\{C3EBEE91-6CFF-45f9-B873-40DF4C2078A1}.exe

    Filesize

    408KB

    MD5

    af5e98b66c4feb30e1ddced35dad2b20

    SHA1

    d42ec7fdfdc05e6986884c0bb65415c34bf13169

    SHA256

    bfd70fa52d0872ae0e39a32766ed413a7112baaa9d8fad0c0374903181a501c9

    SHA512

    1c41d273aa3f4af01f0c918c5c0788b56144f63e559bd47548de01ca6f9da483f69c8bad7a86b483451df2f6e38bf20dff1dd8d6a695245f9a165ea57f6ca037

  • C:\Windows\{C8E0CDA8-74FA-48d5-8E9D-7372D04C6706}.exe

    Filesize

    408KB

    MD5

    355cc6a4cb809e06bd26b9a20fcafe94

    SHA1

    25dfe70ce8d1ec0582a94ec635ce3ff7fe7c2662

    SHA256

    03b4dbb65957ce06aabdbe96aa68a517d0896bd51df2cdab00f3160b2aee9673

    SHA512

    59ae0ecd397d1f3f6586be5fbb28dc232432c83fece1e7e892af38767c0aa4a1554a4109e6635db98248f32fe1ec64a81452d7d03a829dbd65dbb1275f956be1

  • C:\Windows\{D53811D4-A2AA-47fd-9AF9-3D597B9389D7}.exe

    Filesize

    408KB

    MD5

    3d78658d7f1a88910923cbc5f5cbb0ed

    SHA1

    386b6dca6fbcca671a192ddd396f75a36bb637a8

    SHA256

    b1b0cc3e2d760e666210ac5aa4803f1fe3e82717701e25e7d7d3acedac9f3d96

    SHA512

    b0d389640ac5eb026a225e94beff394cfe12f0f7d06d0b2676584fd28fb7b4ac8dad505335e89893d5549d1b2a551c810a475e4d1cbf3008803f011a7fc353f9