Analysis

  • max time kernel
    63s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/01/2024, 05:50

General

  • Target

    2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe

  • Size

    380KB

  • MD5

    1c3b0cac6ef7f77f5568e703e435e1ca

  • SHA1

    72223b32312e2f879e834df12cdd5601fb03fca8

  • SHA256

    0b085ae04be55c927ca560265dca477b7c246664e77a6ba7907e2487b802e215

  • SHA512

    8d05c1deb2c92806ad0146c0a0409d829b22f5ac88f7642b0ae3551f53d42e8708372330986412f065857895fc141bd76fc10c039818e5961de4005c762e8009

  • SSDEEP

    3072:mEGh0oZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGvl7Oe2MUVg3v2IneKcAEcARy

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 10 IoCs
  • Executes dropped EXE 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      PID:3940
    • C:\Windows\{EFDE7566-10A7-43de-A423-DF69255F19E4}.exe
      C:\Windows\{EFDE7566-10A7-43de-A423-DF69255F19E4}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFDE7~1.EXE > nul
        3⤵
        PID:3332
      • C:\Windows\{4C5E372B-4BFA-4941-A7D2-B87C703750A8}.exe
        C:\Windows\{4C5E372B-4BFA-4941-A7D2-B87C703750A8}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\{20DBD983-A3F0-434e-BA35-8FBC151957F9}.exe
          C:\Windows\{20DBD983-A3F0-434e-BA35-8FBC151957F9}.exe
          4⤵
          PID:4064
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{20DBD~1.EXE > nul
            5⤵
            PID:3968
          • C:\Windows\{B524DD8F-FFEC-480f-88CD-7525E0817ABE}.exe
            C:\Windows\{B524DD8F-FFEC-480f-88CD-7525E0817ABE}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2536
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B524D~1.EXE > nul
              6⤵
              PID:4324
            • C:\Windows\{713624C7-7F8D-49ae-896E-95978E350BDE}.exe
              C:\Windows\{713624C7-7F8D-49ae-896E-95978E350BDE}.exe
              6⤵
              • Executes dropped EXE
              PID:5096
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{71362~1.EXE > nul
                7⤵
                PID:4352
              • C:\Windows\{8DE54C0E-39F1-469d-9B8B-673D023BB7FD}.exe
                C:\Windows\{8DE54C0E-39F1-469d-9B8B-673D023BB7FD}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4064
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8DE54~1.EXE > nul
                  8⤵
                  PID:1412
                • C:\Windows\{40D46849-B07F-42a5-9E85-8579C9832AC1}.exe
                  C:\Windows\{40D46849-B07F-42a5-9E85-8579C9832AC1}.exe
                  8⤵
                  PID:3704
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{40D46~1.EXE > nul
                    9⤵
                    PID:3976
                  • C:\Windows\{4AC5C55E-7563-46e9-8552-63E4D0AC99BF}.exe
                    C:\Windows\{4AC5C55E-7563-46e9-8552-63E4D0AC99BF}.exe
                    9⤵
                    PID:2508
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC5C~1.EXE > nul
                      10⤵
                      PID:3240
                    • C:\Windows\{E17F1837-F587-4b32-BB30-C053ED562918}.exe
                      C:\Windows\{E17F1837-F587-4b32-BB30-C053ED562918}.exe
                      10⤵
                      PID:2356
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E17F1~1.EXE > nul
                        11⤵
                        PID:4840
                      • C:\Windows\{089E106D-133A-48be-974B-53D14542EBCB}.exe
                        C:\Windows\{089E106D-133A-48be-974B-53D14542EBCB}.exe
                        11⤵
                        PID:376
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{089E1~1.EXE > nul
                          12⤵
                          PID:4700
                        • C:\Windows\{B8146729-8E3F-49d1-A7F1-1DAD8D1BF1DD}.exe
                          C:\Windows\{B8146729-8E3F-49d1-A7F1-1DAD8D1BF1DD}.exe
                          12⤵
                          PID:4368
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4C5E3~1.EXE > nul
          4⤵
          PID:4504

Network

MITRE ATT&CK Enterprise v15