Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-02-18...ye.exe

windows7-x64

9

2024-02-18...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    18/02/2024, 17:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-18_4848c742a84ccdfdb81fea25fbfbee7c_goldeneye.exe

  • Size

    168KB

  • MD5

    4848c742a84ccdfdb81fea25fbfbee7c

  • SHA1

    7c46053d89f15df7d8360a064531c23369028ffa

  • SHA256

    9765be7826adf144df01b85b2483b9a25e1618834e0af6222e18a65181865cc9

  • SHA512

    500a3c073b939e7cb9ad3fcec1a402904b91215c8657880591a125e690425c1a60427518b97a42bbbccaa6ea3e111617fa13bb65ecb21138052c9718fb023ee8

  • SSDEEP

    1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-18_4848c742a84ccdfdb81fea25fbfbee7c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-18_4848c742a84ccdfdb81fea25fbfbee7c_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\{4A7152AC-9BE8-4ff2-9B34-9609048F14A5}.exe
      C:\Windows\{4A7152AC-9BE8-4ff2-9B34-9609048F14A5}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\{B18A8581-D898-4ee4-B740-133724EED24E}.exe
        C:\Windows\{B18A8581-D898-4ee4-B740-133724EED24E}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{B18A8~1.EXE > nul
          4⤵
            PID:2828
          • C:\Windows\{F410749D-3DDD-4c32-8D6B-FE9E4C0DF14D}.exe
            C:\Windows\{F410749D-3DDD-4c32-8D6B-FE9E4C0DF14D}.exe
            4⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2948
            • C:\Windows\{B64A0FC5-C888-40e0-8D70-18A73B1AB491}.exe
              C:\Windows\{B64A0FC5-C888-40e0-8D70-18A73B1AB491}.exe
              5⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2580
              • C:\Windows\{8F69900B-6410-40a0-9D3B-0686EC6D4843}.exe
                C:\Windows\{8F69900B-6410-40a0-9D3B-0686EC6D4843}.exe
                6⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2264
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8F699~1.EXE > nul
                  7⤵
                    PID:1776
                  • C:\Windows\{0299A1B4-64EF-4c62-A7C6-030A154777CE}.exe
                    C:\Windows\{0299A1B4-64EF-4c62-A7C6-030A154777CE}.exe
                    7⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:784
                    • C:\Windows\{EB260F36-A2DB-4b6a-9CDC-1F70C1768303}.exe
                      C:\Windows\{EB260F36-A2DB-4b6a-9CDC-1F70C1768303}.exe
                      8⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1896
                      • C:\Windows\{D84C4C67-1E0D-4c6f-81FA-3A1C9C387240}.exe
                        C:\Windows\{D84C4C67-1E0D-4c6f-81FA-3A1C9C387240}.exe
                        9⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:344
                        • C:\Windows\{8C38A6E3-CD0D-42b0-BCD8-36DF12C0A22E}.exe
                          C:\Windows\{8C38A6E3-CD0D-42b0-BCD8-36DF12C0A22E}.exe
                          10⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1564
                          • C:\Windows\{1A89C9F4-B91D-4993-896C-FAE277A3CC4A}.exe
                            C:\Windows\{1A89C9F4-B91D-4993-896C-FAE277A3CC4A}.exe
                            11⤵
                            • Modifies Installed Components in the registry
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2792
                            • C:\Windows\{4187679B-3DD1-465b-9EFC-682D1524D357}.exe
                              C:\Windows\{4187679B-3DD1-465b-9EFC-682D1524D357}.exe
                              12⤵
                              • Executes dropped EXE
                              PID:2368
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{1A89C~1.EXE > nul
                              12⤵
                                PID:1884
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{8C38A~1.EXE > nul
                              11⤵
                                PID:1752
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{D84C4~1.EXE > nul
                              10⤵
                                PID:320
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{EB260~1.EXE > nul
                              9⤵
                                PID:640
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{0299A~1.EXE > nul
                              8⤵
                                PID:1952
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B64A0~1.EXE > nul
                            6⤵
                              PID:2560
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F4107~1.EXE > nul
                            5⤵
                              PID:2612
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4A715~1.EXE > nul
                          3⤵
                            PID:1172
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2188

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{0299A1B4-64EF-4c62-A7C6-030A154777CE}.exe
                        Filesize

                        168KB

                        MD5

                        6b444e975ab181b0cc420516570f670b

                        SHA1

                        8adf13ed1299dd1cfc9e10208fd45723dfd80d4f

                        SHA256

                        685b52279455ce6b4eee49bae92c3726d81c202bccf1b66d4b76f6c52531db79

                        SHA512

                        ba85a6bb5562a5a513e4e9b5a9f4fb27c9c317725cc21bb0c3895cfae8e9c523f79cabec1eca4abfecdc43727c9da98f14289043f5b79f9e0e171245723219e5

                        Download Submit

                      • C:\Windows\{1A89C9F4-B91D-4993-896C-FAE277A3CC4A}.exe
                        Filesize

                        168KB

                        MD5

                        2de32ba2d0711e0e2117ce3726b3bb32

                        SHA1

                        264285a22bfc396509d03b735214d8b21ead5ad1

                        SHA256

                        ff2577caf5b1c7c9394453f70ca93193312efd303629572e637da691046565ab

                        SHA512

                        b561e1cfd9dc75da756d2445065f4ac02d4a364beb6f19de9ac04e35287c1d2ce5cbfa68cc1b88349ab244bc26872a6cda718d11d56a0f84f9768b6698a616c1

                        Download Submit

                      • C:\Windows\{4187679B-3DD1-465b-9EFC-682D1524D357}.exe
                        Filesize

                        168KB

                        MD5

                        d4f670382c27a51a598694b583ebe15a

                        SHA1

                        7fa06275ab3413b7c58c6b829f6ba87ebb941f7b

                        SHA256

                        f6255e1bc2f1c1f22e75f0e11b93cbeb140b4e142c0e8069ae82e2ff18016217

                        SHA512

                        95a63039f94ad08840819def5e7a56c04b9eb29cc13698c64ec0aa17edf0737c28e5f51373ca5604d4fe9d32139825de2b620d3090abb5127a29a521f2e7b11c

                        Download Submit

                      • C:\Windows\{4A7152AC-9BE8-4ff2-9B34-9609048F14A5}.exe
                        Filesize

                        168KB

                        MD5

                        72b7872f1df243b59eed4e7b2fb47cac

                        SHA1

                        798e553f6640717f60b405308e891182f86bbaf9

                        SHA256

                        24178e84a18502c7bb3a88e7a24abd2646964081a5e7709535d5a45d816985fb

                        SHA512

                        db603feac7c283fe19aec3ab4fe6a98cacdfd276011f248064c58868c9f8e7e19b1c11afcf7b8eb6d56588c63a2f2bb6fac0b47f573050ae5a6cd6996cf1344d

                        Download Submit

                      • C:\Windows\{8C38A6E3-CD0D-42b0-BCD8-36DF12C0A22E}.exe
                        Filesize

                        168KB

                        MD5

                        4742ef8119bfda94215ef6c69c400d04

                        SHA1

                        9a118ae4c753b07452b0193ec9bda61e70e4dcaf

                        SHA256

                        6b47bd172644c810e135fb10679f64d2780c17114decd9bd5331cf7c669332d4

                        SHA512

                        0e4d676f1d347ca70dfc253c82cc9fe09b6e2e4a97a86caa205ef2dbcd59bf42e8453f93b3205b1b8a3081f9e69f4281fcf839c5a7b61621b6daff91f750c06a

                        Download Submit

                      • C:\Windows\{8F69900B-6410-40a0-9D3B-0686EC6D4843}.exe
                        Filesize

                        168KB

                        MD5

                        0a11b15aed7f503360fa62011f7f1541

                        SHA1

                        2e02ee08a5d0edf3077f9ceef063d1687a5d88c8

                        SHA256

                        c330d1d515ac53be75dc23bf68c5fa7465f11f4521819be5b7c1302d5d654e5c

                        SHA512

                        ee4acadde7eea51429ee811c23a29592b4f18c458a98392434e0ab653699f50436c9caf24a53561680e8bc1bb15446c3dba41d878f8a04f25dbbee90495efb38

                        Download Submit

                      • C:\Windows\{B18A8581-D898-4ee4-B740-133724EED24E}.exe
                        Filesize

                        168KB

                        MD5

                        a08cd44ddbdc2be9d7680b5d48e25133

                        SHA1

                        059dd6108b65cdeb5275f4ac337c3fd73a1c6de9

                        SHA256

                        0a2df12ba7afd82722e2924609ce70f91b6726fd04f3fcc2692c5ab0ad862193

                        SHA512

                        143f00955f036e83497ad337a655bf71055db51b107fda9432f40e59bfad1fcb888350fec8a233b7bd58638a1e18028db7fe8bac4f27502ef65600aa6c4b6628

                        Download Submit

                      • C:\Windows\{B64A0FC5-C888-40e0-8D70-18A73B1AB491}.exe
                        Filesize

                        168KB

                        MD5

                        b0dd83bf764a41d627954b52d43d8e45

                        SHA1

                        89d444cbd3a8c15786f3bdcc23bf614359b575d5

                        SHA256

                        9d16ccb878ec44fcf7c04a573e5f1e00dbaa2fd6d87ea8a55266ff954016999a

                        SHA512

                        3809b2cc7b15860fe40a06379246a9d8cc9dc43f8e98c9edcac1815821695308db854527bedb256fa94cde6593a73c1677e966c733b9b9acc7bd1e100fbe8487

                        Download Submit

                      • C:\Windows\{D84C4C67-1E0D-4c6f-81FA-3A1C9C387240}.exe
                        Filesize

                        168KB

                        MD5

                        65e25591e2df10b2106c2e9b1ebfcf1f

                        SHA1

                        9dba5afebe42625cbb82b7caefc9e11b6fbd4939

                        SHA256

                        fecc2e9d5e370f701c2e2ca38089726611607d024e48ec029b113640a89b32dd

                        SHA512

                        449ed6e412410c28f409a935887e7ad3662598e7a75766323159eac80c7f545374f23a086b6858cb472b9d8e6f9bb0639add9dfb338d342a94ca3a217d5d7662

                        Download Submit

                      • C:\Windows\{EB260F36-A2DB-4b6a-9CDC-1F70C1768303}.exe
                        Filesize

                        168KB

                        MD5

                        ce8e204100ee8e174bc5a85102deedf6

                        SHA1

                        b6e1efe30e5c366608016251e4154152b4fcc3df

                        SHA256

                        44221e1a746268d371163e32c4124b5464f2e08ba6364a9d3502d35f225a4ebc

                        SHA512

                        a1f02a381d51c12efc32fc1f6fa1fcb79aff7c4377e72b30a2009db3f0d619b84feb5c1846646b756cb326c4e53abe92c5bc4e1a49da0cbfe6a8347391904138

                        Download Submit

                      • C:\Windows\{F410749D-3DDD-4c32-8D6B-FE9E4C0DF14D}.exe
                        Filesize

                        168KB

                        MD5

                        dd8174840d2482c7aca30d6dbc7431a6

                        SHA1

                        1a68433ac22474d94a19bea9d6491086cb04db20

                        SHA256

                        22ede4f47385f0df2ab8ca37c13305a86e2da703fb1d55f113aba13f5ca64500

                        SHA512

                        ac6964230e2031c68f1f2d7061438920eee3cd0902b949947cacfcb4d70d87e9477a44f0fc3db40bfdd37955ea41f5157c2cd74d6cf56089465375b749c872b3

                        Download Submit