Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

2024-01-10...ye.exe

windows7-x64

8

2024-01-10...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    11/01/2024, 05:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-10_5bce3ed3ae3eb59da407504b5a36d3cf_goldeneye.exe

  • Size

    216KB

  • MD5

    5bce3ed3ae3eb59da407504b5a36d3cf

  • SHA1

    9ad63a4b29d418461570f9c6e1335e716aa71ea9

  • SHA256

    d7dd8fed90ca9b124c0f9a25c6bfc679bdf662603eaad22905e2e23ff63cfb34

  • SHA512

    e022db25419cf8fd03c329a51fcdf8dfee780df87ebe9637daa0a2ce735a98eb7d6077afdb649b7e33e79b5f3800540a3d8f733c19f1aa452cf8a938a3d0258f

  • SSDEEP

    3072:jEGh0oBl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGjlEeKcAEcGy

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-10_5bce3ed3ae3eb59da407504b5a36d3cf_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-10_5bce3ed3ae3eb59da407504b5a36d3cf_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\{C3E47F48-0272-42b7-82BA-F329BCA7A3B6}.exe
      C:\Windows\{C3E47F48-0272-42b7-82BA-F329BCA7A3B6}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\{48B79915-9DEB-4c90-B0CC-6B874ACD2B99}.exe
        C:\Windows\{48B79915-9DEB-4c90-B0CC-6B874ACD2B99}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\{9E9BC13D-DDDC-42af-AAE7-7777A0381653}.exe
          C:\Windows\{9E9BC13D-DDDC-42af-AAE7-7777A0381653}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\{3D661CF6-BF61-40ba-B83A-D037496A0D5C}.exe
            C:\Windows\{3D661CF6-BF61-40ba-B83A-D037496A0D5C}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\{314574F4-9779-49b9-A329-BBE3CFBC4E4C}.exe
              C:\Windows\{314574F4-9779-49b9-A329-BBE3CFBC4E4C}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:780
              • C:\Windows\{19449AB1-C644-4642-96AA-62B4336AE9E0}.exe
                C:\Windows\{19449AB1-C644-4642-96AA-62B4336AE9E0}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2764
                • C:\Windows\{1CABF369-9E5C-4ea6-8C08-F14886EC85AD}.exe
                  C:\Windows\{1CABF369-9E5C-4ea6-8C08-F14886EC85AD}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1912
                  • C:\Windows\{597C3C45-A19C-4b1a-A41D-281FEF661B04}.exe
                    C:\Windows\{597C3C45-A19C-4b1a-A41D-281FEF661B04}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2784
                    • C:\Windows\{7535804C-0C74-4c97-A977-33CD35EF83E9}.exe
                      C:\Windows\{7535804C-0C74-4c97-A977-33CD35EF83E9}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1300
                      • C:\Windows\{1142B2D8-E04A-4392-AC48-EF8EBDC1E66D}.exe
                        C:\Windows\{1142B2D8-E04A-4392-AC48-EF8EBDC1E66D}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2268
                        • C:\Windows\{76F3B5C9-A2AB-4574-9A56-7EC1FD5742F2}.exe
                          C:\Windows\{76F3B5C9-A2AB-4574-9A56-7EC1FD5742F2}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1900
                          • C:\Windows\{5890A840-E68C-4779-A3F0-8946FBE00361}.exe
                            C:\Windows\{5890A840-E68C-4779-A3F0-8946FBE00361}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2432
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{76F3B~1.EXE > nul
                            13⤵
                              PID:2428
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1142B~1.EXE > nul
                            12⤵
                              PID:588
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{75358~1.EXE > nul
                            11⤵
                              PID:2304
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{597C3~1.EXE > nul
                            10⤵
                              PID:2860
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1CABF~1.EXE > nul
                            9⤵
                              PID:1964
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{19449~1.EXE > nul
                            8⤵
                              PID:2080
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{31457~1.EXE > nul
                            7⤵
                              PID:2772
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3D661~1.EXE > nul
                            6⤵
                              PID:292
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{9E9BC~1.EXE > nul
                            5⤵
                              PID:2504
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{48B79~1.EXE > nul
                            4⤵
                              PID:2620
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E47~1.EXE > nul
                            3⤵
                              PID:2676
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                            • Deletes itself
                            PID:2172

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Windows\{1142B2D8-E04A-4392-AC48-EF8EBDC1E66D}.exe
                          Filesize

                          216KB

                          MD5

                          671221f89c4d55c5ec2669e3815be497

                          SHA1

                          fb75243dcf3cf07d6b78a20488b85ea191adbe64

                          SHA256

                          13fb6b7b66d5043201c7b1781e2bbb2766f045f61e47224f19864fd06ffc5929

                          SHA512

                          0adea620bd32a9dbab8c2171194016e0f81506028dddf3706c73e5f45cae59e262f7ecab333e0cf4c6c75c5f13fe5317f47be53fe3f21b8534c91c4e10c73f3b

                          Download Submit

                        • C:\Windows\{19449AB1-C644-4642-96AA-62B4336AE9E0}.exe
                          Filesize

                          216KB

                          MD5

                          88122672e937d166d555b19d4bf45fc0

                          SHA1

                          00463449379439b46da237d1b3705c42db53d777

                          SHA256

                          f0dc00f028ca9dfb311358c23dec6b07c1095882c89a2509b0ef1b898336d830

                          SHA512

                          761acd963ea350face81a64da2f5c0d769351f6fadf44e8320caec4d3a6683794766dd4c88f55ef243526d4182446b30299f3115f8c733be3ab94a30f10e396c

                          Download Submit

                        • C:\Windows\{1CABF369-9E5C-4ea6-8C08-F14886EC85AD}.exe
                          Filesize

                          216KB

                          MD5

                          0adca1547936e84ba30b71eca3e9a5e6

                          SHA1

                          fdbee17d36179e2b56c8114c1ab47b86004e1daa

                          SHA256

                          b2655ae094296fa36b7f0743704cd6a31ae064b07798a9cfe3e409ac4f7388fc

                          SHA512

                          210ab0316ecc13d622ef26bed113131df3bdea37fa7392007b56265ab83aaa3c17fa1a5630fd50260287d3f80624e4ac94322be2517cf86c4a33b766a6715cb4

                          Download Submit

                        • C:\Windows\{314574F4-9779-49b9-A329-BBE3CFBC4E4C}.exe
                          Filesize

                          216KB

                          MD5

                          006dd7ffc32e26d501357164449e9dca

                          SHA1

                          676eb0f28419b2c22563ca31cf0802ab325b2b94

                          SHA256

                          edb713642af7c012194afdbbf2517426c114ad7c2d65a833e1419e25c15ece07

                          SHA512

                          1fc219a267cce795b5748fd856ace810c09c52604ef5712b4abb654d0c15ca92cce03b997cde3bc5be8b06140a7ea1bfe57814c00e6ab62747471ca05230ab09

                          Download Submit

                        • C:\Windows\{3D661CF6-BF61-40ba-B83A-D037496A0D5C}.exe
                          Filesize

                          216KB

                          MD5

                          a9d46aa1b051c23ba9864de2f4b67cb9

                          SHA1

                          ee0159032f46352f537430307eed9bb19f6b17a7

                          SHA256

                          8854a93f8bba53cd9e93e29ac83e7df7e9b574f2960fd278ce66e5a6aaf9bb68

                          SHA512

                          3cb4646138d5fe0fc1c8825e49b0ac942375505bce911bbc3135fbb7e5c0d07be608ca3e11b16e4c9aa383679d9c0acf42d1dc03b27b93bc2b221b85ea98c17d

                          Download Submit

                        • C:\Windows\{48B79915-9DEB-4c90-B0CC-6B874ACD2B99}.exe
                          Filesize

                          216KB

                          MD5

                          5f5b83e9497c4b1be77d97c77fe60665

                          SHA1

                          141803edc58775f7343a0ddc1e55230f7341f2ce

                          SHA256

                          f1b14e4c9c863d3d4924982c6ee92e5c81f4f41d0c3e65738ff1abbb9469d7e9

                          SHA512

                          a8d6b501cab8f7e72f53476eead6e80f69776f556075e725f3e1819d567c470e2beb10785424a4889cabba963a1294495dc1a7134973b9741373499f60220ccf

                          Download Submit

                        • C:\Windows\{5890A840-E68C-4779-A3F0-8946FBE00361}.exe
                          Filesize

                          216KB

                          MD5

                          4ff65ac6477dc11d61fdc4c412aec944

                          SHA1

                          171521846a6bf0d8ccf8d906d6a35e41861904b8

                          SHA256

                          21cc5bbb45536b37d04c1c40385bed19224e2c497078154e5c9b7f09b8a2fca1

                          SHA512

                          9a0a816f79cca396748c6d68cf7322b1967d483eb18860f50f3729afbb9c8cc6d0b81eb56225ae24f52151f1c290c3505a1fb235bd28b55037d646c7e50e0cf1

                          Download Submit

                        • C:\Windows\{597C3C45-A19C-4b1a-A41D-281FEF661B04}.exe
                          Filesize

                          216KB

                          MD5

                          37c84a20a196fd08a7465171d70d224f

                          SHA1

                          20ec95ac7bef7354f0f5368838143d6a2700aa95

                          SHA256

                          b83f87cd0661b58fdcc7bf87ffbe7730985e2a94ade62981e928b7cc11809b3d

                          SHA512

                          3d7b0bc24bb943d88ac186de5e700bd140e806f58eb55256c594e76e88df17202c5a31c6346e78a40f33c1c2af38cb97cbd352b68ee6d844ddc6569c5fc4e33f

                          Download Submit

                        • C:\Windows\{7535804C-0C74-4c97-A977-33CD35EF83E9}.exe
                          Filesize

                          216KB

                          MD5

                          f826a3f6ca308c2f6bd48d7e508ad19a

                          SHA1

                          c249f9a4a6bce2491836aa1a9dc1ae27b897d531

                          SHA256

                          e6920b40ae2cf96cd463b715968a2df48ce415d294d038e104f9efdc7f00ea1d

                          SHA512

                          495514a3b9d6c940b035ec201ad948b620f303555c1739e7badcbacdc7053cec4ba2963ae2ed66a91afe257658586530b48beaf44da95b4ef59aac4f66352eea

                          Download Submit

                        • C:\Windows\{76F3B5C9-A2AB-4574-9A56-7EC1FD5742F2}.exe
                          Filesize

                          216KB

                          MD5

                          16a426dcbce23bd905c6ea573772b3d8

                          SHA1

                          b74aaf3b5226fe33fdc49272432d9886b9d683a8

                          SHA256

                          15a0a67f538604e7bab6c0ff8e9431dae432bf8f365e5671b5f7fb9e7e0ad1a1

                          SHA512

                          317c1ab528837e44afdec15f584e9b9b574e626ab9ea052970c902449d9a3bf51a29cd0954056332d27476f130de370e86e9b44b6068f47742f36e416fdf25b9

                          Download Submit

                        • C:\Windows\{9E9BC13D-DDDC-42af-AAE7-7777A0381653}.exe
                          Filesize

                          216KB

                          MD5

                          78a352a9dfe5021bb6ced83d4dde0cfa

                          SHA1

                          d89b6477b7b44184a18b747f3db57545c43120a5

                          SHA256

                          6438d7f24189b498bab3c2ff166a107215f2e16df46c855f821dfcfe26d0a427

                          SHA512

                          aefa25059c2f43e790cbaa3971104005b54480ea43ff7fbe6a8be7a8acaccbcb529d3fa9e96c04737d73af5681cfc39bb6ac063aa599eb1d15a22e1db6ca5d50

                          Download Submit

                        • C:\Windows\{C3E47F48-0272-42b7-82BA-F329BCA7A3B6}.exe
                          Filesize

                          216KB

                          MD5

                          1bbef53bec5aa3691c1ac712310d2364

                          SHA1

                          e0ab8006d84f6a52ccf94a4c82afdd2b7d0b53da

                          SHA256

                          71ab39d226ec143cef26039e69ad645c20e8482231412b86e481497b70c0e50c

                          SHA512

                          b401fbb43f2654ca1ac30ef54f7b03347cb9da4ec8a2875b4fa88e876fbff05d747a85d8f15a80a54760592fa7accf33694fdc1fe4374fb1786011c1a682a883

                          Download Submit