Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-02-18...ye.exe

windows7-x64

9

2024-02-18...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    18/02/2024, 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe

  • Size

    180KB

  • MD5

    4f4c0cdb0aa8e4464dda8833320d2839

  • SHA1

    47883e23fc1be462a4b885cff02c5e0e18fb92ae

  • SHA256

    31d7f2ee1c13ecf334764a4d0e0e57fec167c0104b3d753e50980fa29da63d5f

  • SHA512

    8f62eb3ff1e9fbc86ef6f2f3538caa6f63b7f304faed50f700bd16ff9ad0d94c46e125afa1f8d9e99fe1681c880b4740f0fdacb8a36f3aa5f18e17cc4a741e79

  • SSDEEP

    3072:jEGh0o3lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGNl5eKcAEc

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-18_4f4c0cdb0aa8e4464dda8833320d2839_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\{3DE39337-37FC-4fe0-862C-D60E4F8016EE}.exe
      C:\Windows\{3DE39337-37FC-4fe0-862C-D60E4F8016EE}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\{03966BD0-B16F-45f5-A7A5-5E40AE1A3C2C}.exe
        C:\Windows\{03966BD0-B16F-45f5-A7A5-5E40AE1A3C2C}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\{AA31F3B9-61B4-4fa8-9F45-00F3E64648F9}.exe
          C:\Windows\{AA31F3B9-61B4-4fa8-9F45-00F3E64648F9}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\{FB58BB70-8EC1-4518-9887-322A3D07FD8D}.exe
            C:\Windows\{FB58BB70-8EC1-4518-9887-322A3D07FD8D}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2312
            • C:\Windows\{0AB8FA7B-E576-4723-9AA4-619DD60A84C7}.exe
              C:\Windows\{0AB8FA7B-E576-4723-9AA4-619DD60A84C7}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1728
              • C:\Windows\{F623F21D-BBE1-46fa-9232-8B038F049F79}.exe
                C:\Windows\{F623F21D-BBE1-46fa-9232-8B038F049F79}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2332
                • C:\Windows\{0B090B4F-8E6D-4267-A63C-F7E857FCC9A1}.exe
                  C:\Windows\{0B090B4F-8E6D-4267-A63C-F7E857FCC9A1}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1616
                  • C:\Windows\{E7CFCDC4-25DD-4404-ADA4-31F83FDD659D}.exe
                    C:\Windows\{E7CFCDC4-25DD-4404-ADA4-31F83FDD659D}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1408
                    • C:\Windows\{E4140934-E53C-45ef-936E-CCFF58C72704}.exe
                      C:\Windows\{E4140934-E53C-45ef-936E-CCFF58C72704}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:540
                      • C:\Windows\{76A6905F-2A65-4b02-9784-C584734402C4}.exe
                        C:\Windows\{76A6905F-2A65-4b02-9784-C584734402C4}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2272
                        • C:\Windows\{9544D5CE-5B76-4d99-8688-DE3C45008123}.exe
                          C:\Windows\{9544D5CE-5B76-4d99-8688-DE3C45008123}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1724
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{76A69~1.EXE > nul
                          12⤵
                            PID:608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E4140~1.EXE > nul
                          11⤵
                            PID:336
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E7CFC~1.EXE > nul
                          10⤵
                            PID:2112
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0B090~1.EXE > nul
                          9⤵
                            PID:1456
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F623F~1.EXE > nul
                          8⤵
                            PID:2776
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB8F~1.EXE > nul
                          7⤵
                            PID:1664
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FB58B~1.EXE > nul
                          6⤵
                            PID:2812
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AA31F~1.EXE > nul
                          5⤵
                            PID:2920
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{03966~1.EXE > nul
                          4⤵
                            PID:2836
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE39~1.EXE > nul
                          3⤵
                            PID:2692
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1104

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{03966BD0-B16F-45f5-A7A5-5E40AE1A3C2C}.exe
                        Filesize

                        180KB

                        MD5

                        ff713f324a07f84380795fd740232696

                        SHA1

                        f0eff341be2e05611ee736d7ab9790252bc2e267

                        SHA256

                        b5aee5640805dd29d04c79c8b07488891e685ee24a4dad71e1deb1a4f511e052

                        SHA512

                        0f22feaa4a5f7d7392a623efab92bcdf3b61d06f42c48b79d1c988f8136e2423b5477247a333a66fe93b575b18bd29678a6c38e8646378f40a9b41f6771dd9cc

                        Download Submit

                      • C:\Windows\{0AB8FA7B-E576-4723-9AA4-619DD60A84C7}.exe
                        Filesize

                        180KB

                        MD5

                        b429a3662d824f0d6ad7b1a323d3974e

                        SHA1

                        5a1bd56da2b3250ad0e5c3d3e01c946454861888

                        SHA256

                        ea6956720743a5186c1468175fcd02fac1b8b42b0991bdc577d39572aa363fc2

                        SHA512

                        efddaffe32a93d1f316afb1bd0904a32303505d350539238ef3bb81afee8a952e94ad7db60bf319b9570d61320659f9465ec94a874becbfcf79ef562525dc7e7

                        Download Submit

                      • C:\Windows\{0B090B4F-8E6D-4267-A63C-F7E857FCC9A1}.exe
                        Filesize

                        180KB

                        MD5

                        0f4605339e1eed8e6d1ea70e358eb4e8

                        SHA1

                        fecb60b98f569de48fe33b772fd0f0e08a80592e

                        SHA256

                        982d96e3473f97998988c57669ad9e4f3949dd50e76c11dd974af2c7f050dbd1

                        SHA512

                        5b1c44c99ce2e14588f853aa0038c6bfa972a0f94895b7747af82edff1d8df2a0d2b8c9e9802644afb872532781f808cfa2aecdf7da2c6f9897e1ac822d78fa8

                        Download Submit

                      • C:\Windows\{3DE39337-37FC-4fe0-862C-D60E4F8016EE}.exe
                        Filesize

                        180KB

                        MD5

                        0ead6a394497803e336a384a202c42e2

                        SHA1

                        de737ec2eb2e9f51ddbb3622ff9410b62b621a37

                        SHA256

                        837a890ff5213b552e79ad4c5d50244eac3c87ad2ea41617300b208ee8d6193f

                        SHA512

                        b4a147db5e45b3c1bf0bc1524e9164cdbd259e06b8511edeba714718063e77c7aac6c066a105bcba9c0c394fb1fb619e7ea801ef1acabd9486822671a0f53f53

                        Download Submit

                      • C:\Windows\{76A6905F-2A65-4b02-9784-C584734402C4}.exe
                        Filesize

                        180KB

                        MD5

                        f86d1e753844e8bdb4cc5474944931b7

                        SHA1

                        abf1578873682c2af8bed6bb93cca5d20dc3befe

                        SHA256

                        f975b953e0e03d5e756ede5eaf5a7e587e4ea186671cee3b2b6e72b9f35b5106

                        SHA512

                        2d15fc126cc3f2d1bc3930c9d15d3d4b1840c92916c47857d38c65f07110f5e2b5f7d44d2f17082c37dc8c3d7b79aca34ec3a38db50169fb97e39637507fbfcd

                        Download Submit

                      • C:\Windows\{9544D5CE-5B76-4d99-8688-DE3C45008123}.exe
                        Filesize

                        180KB

                        MD5

                        3bc6b5338a3d0e0679ae4f628ba9b78c

                        SHA1

                        72cc670069d8f75f21d3a7115ae55423506997e0

                        SHA256

                        06ce3924577e296f590aa04afd9a68500e8899d6a2410535bb9c05a040a6a19d

                        SHA512

                        31ec1c27a5490eb0220070b7f0186cfa59b1095da713b1b67ef05f70a266211bf74fdb15405c33fa74b9a41356b22d991821b126c51485e79b1162c732a55956

                        Download Submit

                      • C:\Windows\{AA31F3B9-61B4-4fa8-9F45-00F3E64648F9}.exe
                        Filesize

                        180KB

                        MD5

                        6a7fbe40110dfecd6f55d8e95d26656c

                        SHA1

                        34b9bc086fc23eded30c7b23daf8e7be452cda68

                        SHA256

                        60216226fd69f265582b2329952d55c320875ddf819af3564299d44c636f08ad

                        SHA512

                        c54a8ed40797181c0a66e7f42a1f8b6ab799e20810b3c851c9a4e04cf961c0c7bb00b89e3e9ee1a4bbd8b4896f94fcbfe685e66a96fe933cf73be5953f74df77

                        Download Submit

                      • C:\Windows\{E4140934-E53C-45ef-936E-CCFF58C72704}.exe
                        Filesize

                        180KB

                        MD5

                        4e3a7c183c0cac288eceed0c0003a7b2

                        SHA1

                        c3e0e772de65551ad4567590c879830390be1f73

                        SHA256

                        35ff58edf7f4dffd62515b4742c1049c485755c9475ea041f85f68a6b5f15fe8

                        SHA512

                        dff2bd62bf73a7c567bfd39bc5a473c40e7e7c92d42832d8c1ac0845037bc3aada51f04e1f767ed4d80854484ab984e687223d26a231e4b9faf45cf3564321c7

                        Download Submit

                      • C:\Windows\{E7CFCDC4-25DD-4404-ADA4-31F83FDD659D}.exe
                        Filesize

                        180KB

                        MD5

                        f63c4822f606126ff62021299e14f431

                        SHA1

                        273b19847a223d0e60db00475eefeaf193bf225f

                        SHA256

                        d2ddcb2d71438bfbbc8b98e23ccd91bf1a68c4a20409b8e4f1b879bff578c45d

                        SHA512

                        10dc35633790fca0dc0397b963cc460ee1b6cd9f3494550fe2570b1d2128669295160ae198b630225cab4571a73be243d1b520d2fdac025d677819368933d9bf

                        Download Submit

                      • C:\Windows\{F623F21D-BBE1-46fa-9232-8B038F049F79}.exe
                        Filesize

                        180KB

                        MD5

                        da1ef825d2705405e05e8eebf3dbba07

                        SHA1

                        158749d38b54aa3b7840fb03c14ecddeae91e9e1

                        SHA256

                        254a5b558e533ee346b56ebea19e6f17053aeb9d9393ac85cf63d0e000ac0ead

                        SHA512

                        f51682d2ab6d2e4e00dbd145a81db6fb5fc680add0438f651c3b80c0815b5669561bd3d98a3f06040e9ccc7ba1d63f5c1ee20432ee609b007acc401f9409a269

                        Download Submit

                      • C:\Windows\{FB58BB70-8EC1-4518-9887-322A3D07FD8D}.exe
                        Filesize

                        180KB

                        MD5

                        52a76e601a306cc96e23e9903bf73641

                        SHA1

                        43a065537b2e41ca3cb25e1212d1ae997d2af973

                        SHA256

                        885a1a6de2631573ab1a300eee178943932f91e9e95ed65858621b4aedb360e3

                        SHA512

                        cdc6f222c59740dac5577fea468329f2645024329517502a230751ad9b53ad1b5eee1269ffe2f962d5cb8635a7fc1130a4774e7db9ecc51213f75a815ceb02b5

                        Download Submit