Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2024, 10:06

General

  • Target

    2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe

  • Size

    372KB

  • MD5

    29e33d1018a51c797dd2558a73257718

  • SHA1

    71e289a51a4c299fb0bfd318f2ff899dd04550cd

  • SHA256

    a4a7c3e8c12a14daccd364d993129287e42624d10be9e2d2a118a9b31d605ce0

  • SHA512

    adaa41d1111bd8009333f340b470a127da64bd24f8c23347c491adc8cbcb87fbbd09d8ab1306ab1df38a36292219cdf81e1ff51d8eb533f3d744900eac4e7bee

  • SSDEEP

    3072:CEGh0oBmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGal/Oe2MUVg3vTeKcAEciTBqr3

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe
      C:\Windows\{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe
        C:\Windows\{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3096
        • C:\Windows\{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe
          C:\Windows\{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1820
          • C:\Windows\{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe
            C:\Windows\{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4908
            • C:\Windows\{49697217-31F5-4509-B55B-E2EE271D084E}.exe
              C:\Windows\{49697217-31F5-4509-B55B-E2EE271D084E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1028
              • C:\Windows\{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe
                C:\Windows\{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5040
                • C:\Windows\{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe
                  C:\Windows\{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5084
                  • C:\Windows\{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe
                    C:\Windows\{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5080
                    • C:\Windows\{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe
                      C:\Windows\{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3908
                      • C:\Windows\{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe
                        C:\Windows\{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4244
                        • C:\Windows\{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe
                          C:\Windows\{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4748
                          • C:\Windows\{8C437104-4C83-4af6-AE0C-9439E8DC3132}.exe
                            C:\Windows\{8C437104-4C83-4af6-AE0C-9439E8DC3132}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:844
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{8FBBB~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:5020
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7E17A~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1688
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{60EC8~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3436
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8C564~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2456
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{8597F~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2288
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2BB93~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:632
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{49697~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:636
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{D84EC~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4368
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7F7F3~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4980
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8C2~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2368
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49D16~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3780
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:228

MITRE ATT&CK Enterprise v15

Downloads
