Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/01/2024, 20:28

General

  • Target

    2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe

  • Size

    380KB

  • MD5

    7942cf433de728fc0f7f160d29148850

  • SHA1

    38ec9dda65c397bf167c810238f2341a20dce3d4

  • SHA256

    a4f66f30611440ea13369f0250ba98617d26d96f5a3fd7bec33fd9151d3962f5

  • SHA512

    3ae4ae36febb333c17bd8774205a2c25e0e68139342b88497b1db9eafb24606427b861c8302906321ff580a657655fbb5cbd763cfbb4de29cab7db51c9d1b496

  • SSDEEP

    3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Score
9/10

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\{E34E81E7-F969-4ad0-A7FB-E072B12CDE8C}.exe
      C:\Windows\{E34E81E7-F969-4ad0-A7FB-E072B12CDE8C}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E34E8~1.EXE > nul
        3⤵
          PID:2804
        • C:\Windows\{1C3BCF8C-5D50-4cbb-BF8A-B9BECCEB4AB4}.exe
          C:\Windows\{1C3BCF8C-5D50-4cbb-BF8A-B9BECCEB4AB4}.exe
          3⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\{CDFC4921-C4B1-44fa-95E3-C59B8F5AEED2}.exe
            C:\Windows\{CDFC4921-C4B1-44fa-95E3-C59B8F5AEED2}.exe
            4⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2996
            • C:\Windows\{004FB988-3CE4-465c-BE9A-7D2CBB27845E}.exe
              C:\Windows\{004FB988-3CE4-465c-BE9A-7D2CBB27845E}.exe
              5⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2532
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{004FB~1.EXE > nul
                6⤵
                  PID:2984
                • C:\Windows\{D1739094-64FD-4e56-9211-313E4E5F90B1}.exe
                  C:\Windows\{D1739094-64FD-4e56-9211-313E4E5F90B1}.exe
                  6⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2896
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1739~1.EXE > nul
                    7⤵
                      PID:1208
                    • C:\Windows\{380CE2DE-B93C-44f8-BE2E-1B3ECA73FC6E}.exe
                      C:\Windows\{380CE2DE-B93C-44f8-BE2E-1B3ECA73FC6E}.exe
                      7⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1688
                      • C:\Windows\{0A5722E6-60E7-4103-AF5E-29B42410EF12}.exe
                        C:\Windows\{0A5722E6-60E7-4103-AF5E-29B42410EF12}.exe
                        8⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1912
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0A572~1.EXE > nul
                          9⤵
                            PID:2460
                          • C:\Windows\{95D4224A-3DF1-4c0f-A308-9E1837E85C1E}.exe
                            C:\Windows\{95D4224A-3DF1-4c0f-A308-9E1837E85C1E}.exe
                            9⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:464
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{95D42~1.EXE > nul
                              10⤵
                                PID:1980
                              • C:\Windows\{E70EF9EF-E795-4d13-A21C-8A5B75952A80}.exe
                                C:\Windows\{E70EF9EF-E795-4d13-A21C-8A5B75952A80}.exe
                                10⤵
                                • Modifies Installed Components in the registry
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1708
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c del C:\Windows\{E70EF~1.EXE > nul
                                  11⤵
                                    PID:1988
                                  • C:\Windows\{ED74BFD8-8800-4e7c-B08E-633E9CCAF013}.exe
                                    C:\Windows\{ED74BFD8-8800-4e7c-B08E-633E9CCAF013}.exe
                                    11⤵
                                    • Modifies Installed Components in the registry
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1484
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c del C:\Windows\{ED74B~1.EXE > nul
                                      12⤵
                                        PID:1068
                                      • C:\Windows\{064ECD75-6F68-4c3e-9961-010ACDA862C7}.exe
                                        C:\Windows\{064ECD75-6F68-4c3e-9961-010ACDA862C7}.exe
                                        12⤵
                                        • Executes dropped EXE
                                        PID:2956
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c del C:\Windows\{380CE~1.EXE > nul
                                8⤵
                                  PID:2132
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CDFC4~1.EXE > nul
                            5⤵
                              PID:1736
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1C3BC~1.EXE > nul
                            4⤵
                              PID:2684
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2288

Network

MITRE ATT&CK Enterprise v15

Downloads

                      • C:\Windows\{004FB988-3CE4-465c-BE9A-7D2CBB27845E}.exe

                        Filesize

                        380KB

                        MD5

                        2a9096eefadc3bd7e288494c203f7817

                        SHA1

                        f53952acbfb269f9d2c81cb5bb39f10928bee69a

                        SHA256

                        40deaf9db2f29112e31f1f44b201a682d56667f00cc8cd9c904a42181936a0e3

                        SHA512

                        2260daa74d0ef0855b7167bad7bff8fb7d71ea08729e21e065bc798c7dbe21dc2571d180fe987924a02faee32b898563a821e13efd348ab5b86a7a79d7bfb09d

                      • C:\Windows\{064ECD75-6F68-4c3e-9961-010ACDA862C7}.exe

                        Filesize

                        380KB

                        MD5

                        877a9ecdb1090a7938d05b8e463b0f0b

                        SHA1

                        6807db020dfeb48f388538564f73145bd892e5df

                        SHA256

                        a21a74d114ae59e541fd76892541ff486096fee6f3ecccfe9c85b235cec82c3b

                        SHA512

                        a70933f02724b01a028ff7d019268a2dd346214f82b914b32f498f9d83036e54a58d86a0af2b3edb01ce8784d93442b04900d5e7863985b93a029e69d5538793

                      • C:\Windows\{0A5722E6-60E7-4103-AF5E-29B42410EF12}.exe

                        Filesize

                        380KB

                        MD5

                        23a7030778974d4227a7fe8efb8cdd53

                        SHA1

                        39076097fd15de02ea96753cd74ce4dd11fb6597

                        SHA256

                        9674b29654a33b6b0f22d184f94a021d5693daeaea34048d27850431e4ac1df8

                        SHA512

                        0d2ebd49f7bb9cc5cb493e1174f7918f86c48358d0b955aa92d6a91e37a3071d9f5002868c40b85d8b08fe1b377035e2bc18fd3e2cbb966b4cb484adeecec820

                      • C:\Windows\{1C3BCF8C-5D50-4cbb-BF8A-B9BECCEB4AB4}.exe

                        Filesize

                        380KB

                        MD5

                        40a40f940e821cafdecfe195acf819c9

                        SHA1

                        6c86b42907cc3dd43c1cb718216e2ccc2593019a

                        SHA256

                        d47364c034c6bada0817b17a5241873527677a5097db442f609bd502048a6553

                        SHA512

                        78891649cfc78cdd47c8f3c8355b1362d7cf1e945c31b39ffb6f9b87b01c50b5232d8d8cdf31a676d991c836084aa5089de90f9d609179733fb2f85ec0b37d5d

                      • C:\Windows\{380CE2DE-B93C-44f8-BE2E-1B3ECA73FC6E}.exe

                        Filesize

                        380KB

                        MD5

                        0d07922c009bf0cd95e499b3ca37a5fc

                        SHA1

                        b05fdc7de940460bbdb0825828746c063caa3b0f

                        SHA256

                        6ced9a4c44cdeccd3f53b63b5a372cf3c497d08570d5bddf8b92427bbc796ced

                        SHA512

                        4ae5c84939cf9b91a5b3b368611816518a3d5b94953a311c1a3cd3b4c04d2b08e9f02024a0367a6afb9bcc970b66659bca8b0e9cf1ff04097339705d3160b1a1

                      • C:\Windows\{95D4224A-3DF1-4c0f-A308-9E1837E85C1E}.exe

                        Filesize

                        380KB

                        MD5

                        bb4df679477ab960d4f274a16694f0de

                        SHA1

                        e2f2c1b168b5bab048d4eb34fe16e76b7cd1c36b

                        SHA256

                        90679c40b414a745b49fc9899b46128e2ef2fe82a59d782e8e9a429ba2c73c4d

                        SHA512

                        4267a26c7925bc613f55da4cacbb2cbb9f280cd4c0485881efc50039c7f0f01ef9434e04c3cf11ec7c51500b7d675caa91eadc4746fc2de50b3f8b401628f425

                      • C:\Windows\{CDFC4921-C4B1-44fa-95E3-C59B8F5AEED2}.exe

                        Filesize

                        380KB

                        MD5

                        39e5911abcce8fe0f56a3c35777510b0

                        SHA1

                        fa28bd0ad81f94fada0a9375b32323e7d8bed347

                        SHA256

                        dd46c49f0474fa4282dd046651c1eca3da5d032e435de91560ba3cce1eee72ea

                        SHA512

                        fbdb273834947353f84f5bcdfa68c84688c7c3eaf273a4d4011dce6eb41158ff5c49cbd53bd037a5b94edfb675e6b54cf39f9d827c9b5c246ec0f85e0d38f747

                      • C:\Windows\{D1739094-64FD-4e56-9211-313E4E5F90B1}.exe

                        Filesize

                        380KB

                        MD5

                        84b6fb9202c563025b5e095fdc162be9

                        SHA1

                        6fea9e38b733df8ad1165d659745d22c6cb96aa8

                        SHA256

                        9421dd68e90ee1cd231e1226ab5ea88f698ce158efa093f96aa97682c42ef2e9

                        SHA512

                        8595ee45f6e9744130548f627c0a48d9346cc35d9adbcb0495a64a5fa2a0397f36898940d16f3bd583edebdf20a774288bf1a80cb312b641b248b205a5f81341

                      • C:\Windows\{E34E81E7-F969-4ad0-A7FB-E072B12CDE8C}.exe

                        Filesize

                        380KB

                        MD5

                        d5264ea9677078a22b418387ae3982ea

                        SHA1

                        ca88022044edd9afe27f8711930451216bcd16bf

                        SHA256

                        e1a9ff94a6e421a150d113e254255a595c809c406b46fee59c7c1c8d3a0d130f

                        SHA512

                        e758447b61e2954f883491896b1ce96aed2d2eef4f435fc95d0d7ea76a9268e004e17d8e225e753beb3e40c50930aebb8731ebcad88dd0d52e653ddaede71308

                      • C:\Windows\{E70EF9EF-E795-4d13-A21C-8A5B75952A80}.exe

                        Filesize

                        380KB

                        MD5

                        f59b727fc721b00947501fe12e8aa7a7

                        SHA1

                        7225e1610e9deedb048977ea6985740b1b397742

                        SHA256

                        2df7f61fbc9fba8f41bde7ae6ca7369d9e1e1426307ade04883ef2d418648de3

                        SHA512

                        e2afab39f7eb3b690b740f8b82629cd2bb6be9e395f3b22d2f01ebf555c7d48477d2a6b112a6b87a73781669cef6fe83f242343dbba8bf1cc2d656dd9c2078a4

                      • C:\Windows\{ED74BFD8-8800-4e7c-B08E-633E9CCAF013}.exe

                        Filesize

                        380KB

                        MD5

                        839d0d220fcd3583c5e5726fa607ae45

                        SHA1

                        e91d8dd02237d96c961437f864a214714914bfbc

                        SHA256

                        0a1fab0e55639885c4d0d0abf7ee60ea6d13bfab378397bf20e9df6f954bf8be

                        SHA512

                        b4e4d9b852adb94385628fd781fdc599ab0bfba7eab4cb5d0b12767cdf3d8eed5bde8c78d75f059720f66f0f5bcd01439ceadeca0c56d31236807c7ea394cdba