Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-01-28...ye.exe

windows7-x64

9

2024-01-28...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28/01/2024, 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe

  • Size

    380KB

  • MD5

    1fd7e3cca40c7f82df0600b0cbaf9e6b

  • SHA1

    598f362a5be790be66a9e98bfe1d086bc098ad97

  • SHA256

    1552e79932ec94fadc185809463989d8e2aa37662b0aa4169ae40000704700ed

  • SHA512

    d271c87ecf74240f3e1de2076fc861afebb630cff0bb36ae000e9595e5575fcfdc8135496bed183edf64401b4ebcde2b34c184411d14745a8424628380a0ce91

  • SSDEEP

    3072:mEGh0oPlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\{F0C056FA-C55C-436f-AC2A-A2D9E0BB53B0}.exe
      C:\Windows\{F0C056FA-C55C-436f-AC2A-A2D9E0BB53B0}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\{26CDBDDA-ADDA-44d0-B907-70BE44F8BE32}.exe
        C:\Windows\{26CDBDDA-ADDA-44d0-B907-70BE44F8BE32}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Windows\{F12B51A8-CF7B-4e2c-A25F-8280FA0EAE96}.exe
          C:\Windows\{F12B51A8-CF7B-4e2c-A25F-8280FA0EAE96}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\{3FD1E643-3115-4e2b-B9B0-1A5368BC027B}.exe
            C:\Windows\{3FD1E643-3115-4e2b-B9B0-1A5368BC027B}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1972
            • C:\Windows\{2F462AA5-B3D0-4965-B79B-5B0A9ECA5AEC}.exe
              C:\Windows\{2F462AA5-B3D0-4965-B79B-5B0A9ECA5AEC}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1508
              • C:\Windows\{0969A439-7D35-4e8a-86DB-E8DDE0CEDBEA}.exe
                C:\Windows\{0969A439-7D35-4e8a-86DB-E8DDE0CEDBEA}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2900
                • C:\Windows\{83BBD5F1-82D9-4d4b-A1BF-87FE7A78DD7A}.exe
                  C:\Windows\{83BBD5F1-82D9-4d4b-A1BF-87FE7A78DD7A}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1952
                  • C:\Windows\{9F9A10D2-603A-4910-9A8F-D87FA705741B}.exe
                    C:\Windows\{9F9A10D2-603A-4910-9A8F-D87FA705741B}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1720
                    • C:\Windows\{6E37AB46-D88A-442b-890B-2479923BDA8F}.exe
                      C:\Windows\{6E37AB46-D88A-442b-890B-2479923BDA8F}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2472
                      • C:\Windows\{44CE1C8D-B505-4477-AAB5-F738BB4C5D95}.exe
                        C:\Windows\{44CE1C8D-B505-4477-AAB5-F738BB4C5D95}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2232
                        • C:\Windows\{5D5F6D1E-548B-4d25-9991-884D9ED3C2A6}.exe
                          C:\Windows\{5D5F6D1E-548B-4d25-9991-884D9ED3C2A6}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2340
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{44CE1~1.EXE > nul
                          12⤵
                            PID:2152
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6E37A~1.EXE > nul
                          11⤵
                            PID:2416
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9F9A1~1.EXE > nul
                          10⤵
                            PID:2564
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{83BBD~1.EXE > nul
                          9⤵
                            PID:1860
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0969A~1.EXE > nul
                          8⤵
                            PID:1944
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2F462~1.EXE > nul
                          7⤵
                            PID:2912
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3FD1E~1.EXE > nul
                          6⤵
                            PID:1504
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F12B5~1.EXE > nul
                          5⤵
                            PID:560
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{26CDB~1.EXE > nul
                          4⤵
                            PID:2500
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F0C05~1.EXE > nul
                          3⤵
                            PID:2768
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1820

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{0969A439-7D35-4e8a-86DB-E8DDE0CEDBEA}.exe
                        Filesize

                        380KB

                        MD5

                        a4d17a681b99dd64c1565c80662a3303

                        SHA1

                        e7a577ea9c6bc5174f22e08b4d4960a740ef6fa8

                        SHA256

                        9aa2967d03bccff51ae0e05bc214c6d04b00c7426197f4c9eeb08db282cd1c30

                        SHA512

                        ee0317d4b4c54b28385f56dab95eb1d9a2c6c07196698e105fc345e2f04e4130af79725e3d0909cf9f947c449eee3651c10877fd49437581de1fe33ed6d790f6

                        Download Submit

                      • C:\Windows\{26CDBDDA-ADDA-44d0-B907-70BE44F8BE32}.exe
                        Filesize

                        380KB

                        MD5

                        2514599c99ff43dc9b0386e371bf9b09

                        SHA1

                        f5e2bc6a7f0136559446fa5c3782bce6365067d8

                        SHA256

                        d1c0044f9e33002cc4cb4e471512b18d31f427cc13f6b311459b0b1f5c1a4908

                        SHA512

                        5db9aafdd0fb6ee4b0280275fc3e747d23207fc2aa6701e7bdb2f260244cbd207a27a78d8b63927cc5c1b773908d65dcb0f39ff711ce4694db36070f3ece2fea

                        Download Submit

                      • C:\Windows\{2F462AA5-B3D0-4965-B79B-5B0A9ECA5AEC}.exe
                        Filesize

                        380KB

                        MD5

                        15c04a42dbcfc6770af614e2c581f786

                        SHA1

                        94ff55948f932be3d0b2d1bf33dc04f91758cc78

                        SHA256

                        8f5b6db0c9e2667cafeaeedb134130d3a0e79e56b17b77ee82dedadecb1d51af

                        SHA512

                        be621e16bc86cfbf868ccf57633ffc5b5c8f641a4cbaa10fe1c950b853f3e421e3a86fa37a2594bd6394b9737bb934e02f334fb1de3cf3a9a1f7ce9d410cfb0f

                        Download Submit

                      • C:\Windows\{3FD1E643-3115-4e2b-B9B0-1A5368BC027B}.exe
                        Filesize

                        380KB

                        MD5

                        7e53f8dbe8d722e3b3a32bfaa66d4340

                        SHA1

                        8be6a44a5e0a4b260c6ab67bf2ff1a614cc0932f

                        SHA256

                        29eed82eb95708020a5ca6fdccd942bb3837848ea50c9d9a1725992106b28dff

                        SHA512

                        365338455d2899dc81948e99fd4f668ea470e5f41ecdd450a3b4420ae3aab4636b7f5bf8213047dda8abc5a9ffb8a6ca31f5f978f6f7c6622046565b307e988e

                        Download Submit

                      • C:\Windows\{44CE1C8D-B505-4477-AAB5-F738BB4C5D95}.exe
                        Filesize

                        380KB

                        MD5

                        1eefe2fd05c17d3e53dfeeb718d84af1

                        SHA1

                        c9dd6bddb6523c5296bfd8c30f65ca0c3a16745d

                        SHA256

                        04abdce60381de8fc06ce2a41f79e07bda4aefa10699b8707b6efd30e002012e

                        SHA512

                        17f73265965c8e7ea89cc42cc84449345a8b1859fed88993a89665cac51e90164548321e8ed2f2f8ae924951a571b9f8cf49d558b4fe6b0ff5257360ed08b871

                        Download Submit

                      • C:\Windows\{5D5F6D1E-548B-4d25-9991-884D9ED3C2A6}.exe
                        Filesize

                        380KB

                        MD5

                        90a4db6c5a915955f8b555a14c7b9cf0

                        SHA1

                        a2a83c3a5370dfb6a9173997ed6e2acaa04ab2bf

                        SHA256

                        caa5fa9e443e267e292f891cf1a95d82089913ceec061ea8d8eda2b2386b5ad7

                        SHA512

                        f9c0164c501a00b80d2c3a7f492f3ec2c3e78611f48ad025573fdad1da68bc175cfa9dcc4d587785c49c83233798e5eeb66aedf95a1dcb7793891ae44035c35b

                        Download Submit

                      • C:\Windows\{6E37AB46-D88A-442b-890B-2479923BDA8F}.exe
                        Filesize

                        380KB

                        MD5

                        10b544e4c9470d24c0467aded39b9780

                        SHA1

                        d63e229f01f1f0fdc3a037ca29260f7f31bbdf67

                        SHA256

                        e64419949b275f3557c2658301413e86c0344759ded8fe1d57337351c4271b58

                        SHA512

                        d04b40e58d7feab50b16cbc569227fd95217afa1b166d40510b3f45543fb7f1b38e93a7d48026ccab09d8ae41d089c7fd1319c776acb977a84c6d2585160b918

                        Download Submit

                      • C:\Windows\{83BBD5F1-82D9-4d4b-A1BF-87FE7A78DD7A}.exe
                        Filesize

                        380KB

                        MD5

                        474482e56425cf3c6d8ea6d9505488d6

                        SHA1

                        4692289876c4e89c864e79229e4d70cf4ee4ad19

                        SHA256

                        d6fb84461ec7309a4dddc75ea12fc387b2e7398134516da6f517fb681fdb5e89

                        SHA512

                        b687a9d1b9acb1d0c1bcb854219007cfbbd96604b00503b91f07d5bac26ea1a363de0ddd9f5a0afd60da1e8c6b36cb892f6de19f4e4a23f6bca925c4d43f6cf7

                        Download Submit

                      • C:\Windows\{9F9A10D2-603A-4910-9A8F-D87FA705741B}.exe
                        Filesize

                        380KB

                        MD5

                        568a7ea52dbecfc4fd5b4fe355b4bf9f

                        SHA1

                        1f43723f1f195abc82f4457766c996c1b74b9176

                        SHA256

                        ccb65b2384b9dd72bb9c25649e051690bb2673398bcfd66540419ee4df5cd7a2

                        SHA512

                        16e2e52f42daaf30734f47888ae6db34fa5672434aab39e5158657779c68072362e7b71099e7f79276a3795207aa069c680bd25ab54477e9b095cc1aebd9eedc

                        Download Submit

                      • C:\Windows\{F0C056FA-C55C-436f-AC2A-A2D9E0BB53B0}.exe
                        Filesize

                        380KB

                        MD5

                        372ca42566e9a92934df551313422dcc

                        SHA1

                        af19eeaeaf3e094414339caa1a93a67ced6e9fd2

                        SHA256

                        c1388327e992c25ec6d4270737ff2da8c4eb892549bc018f80ce8f6362675efe

                        SHA512

                        3e6592a40059238050a46f7e282fb610aa924340b4d0c9d19d70545ee86e9ca3612dfdc485f5da8fe9c7101400bf742d4b5c8e8d9b6482c35418e69325264fac

                        Download Submit

                      • C:\Windows\{F12B51A8-CF7B-4e2c-A25F-8280FA0EAE96}.exe
                        Filesize

                        380KB

                        MD5

                        7272f47d02d361bb3eb78932e8c74dd5

                        SHA1

                        af0ffae7c7d1f85b1914917168845c2e99ef6c40

                        SHA256

                        bb897997f0f644dd6ccce7e53f4c13f397c3b5ba4fff15ba9df9b27d716ba27e

                        SHA512

                        8901093f0f64a7d4ad29de0f54b73aba22f1b316a2865ea5b1184ea1a6b9b020d56d3bc0b6bd9eb3c923928dbe4ed8f2cae893e04f6371603512f2cb8e1d00ff

                        Download Submit