Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-03-05...ye.exe

windows7-x64

9

2024-03-05...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2024, 19:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe

  • Size

    408KB

  • MD5

    0239b222ff451ce500b5844dbcf3b6aa

  • SHA1

    e7daedf8210b60b51762523c347782d8118a0fff

  • SHA256

    1191080d6a84425682b11e776774080bea16ab23033cfb8cec42a17752464e0f

  • SHA512

    1b3c1ab0a380ea4c262a55d519b75829bbd5cd1a6a450d189bfd15627f7098daf47abbdeb26b8d3d5f8625b253a6fa90d466e8e7359945df5b10cb69ec34f2e9

  • SSDEEP

    3072:CEGh0oll3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGDldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\{00D8C740-64D2-4efc-AD59-D74E19B4C01C}.exe
      C:\Windows\{00D8C740-64D2-4efc-AD59-D74E19B4C01C}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\{BCF4E44C-D4BA-46e2-BC39-3D966764C482}.exe
        C:\Windows\{BCF4E44C-D4BA-46e2-BC39-3D966764C482}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:800
        • C:\Windows\{D739C23F-A91A-442f-83C3-C06EA25CC3DD}.exe
          C:\Windows\{D739C23F-A91A-442f-83C3-C06EA25CC3DD}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Windows\{6E49EB20-32F7-4445-8547-32E98D0DD940}.exe
            C:\Windows\{6E49EB20-32F7-4445-8547-32E98D0DD940}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1120
            • C:\Windows\{A432F9BB-B191-41b3-A86D-75A27C20422D}.exe
              C:\Windows\{A432F9BB-B191-41b3-A86D-75A27C20422D}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2704
              • C:\Windows\{C14AEE91-BF49-4cf3-91CB-20BDF4A77C96}.exe
                C:\Windows\{C14AEE91-BF49-4cf3-91CB-20BDF4A77C96}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:536
                • C:\Windows\{E2795A8F-D7FD-4166-9A0C-DE942B6A51E8}.exe
                  C:\Windows\{E2795A8F-D7FD-4166-9A0C-DE942B6A51E8}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2148
                  • C:\Windows\{C66550AB-3C2E-4aab-8CFF-1E03AA483B07}.exe
                    C:\Windows\{C66550AB-3C2E-4aab-8CFF-1E03AA483B07}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:572
                    • C:\Windows\{45A89A2A-A1EC-46ac-8939-14C988868A0E}.exe
                      C:\Windows\{45A89A2A-A1EC-46ac-8939-14C988868A0E}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:624
                      • C:\Windows\{DD021573-3543-42e5-9504-21074BD492CC}.exe
                        C:\Windows\{DD021573-3543-42e5-9504-21074BD492CC}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2060
                        • C:\Windows\{25FAE468-BDE8-4d83-B29D-50F7DF4FDB1F}.exe
                          C:\Windows\{25FAE468-BDE8-4d83-B29D-50F7DF4FDB1F}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2236
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DD021~1.EXE > nul
                          12⤵
                            PID:1648
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{45A89~1.EXE > nul
                          11⤵
                            PID:1632
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C6655~1.EXE > nul
                          10⤵
                            PID:1764
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E2795~1.EXE > nul
                          9⤵
                            PID:1420
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C14AE~1.EXE > nul
                          8⤵
                            PID:284
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A432F~1.EXE > nul
                          7⤵
                            PID:1600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6E49E~1.EXE > nul
                          6⤵
                            PID:532
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D739C~1.EXE > nul
                          5⤵
                            PID:672
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BCF4E~1.EXE > nul
                          4⤵
                            PID:2864
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{00D8C~1.EXE > nul
                          3⤵
                            PID:2484
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2516

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{00D8C740-64D2-4efc-AD59-D74E19B4C01C}.exe
                        Filesize

                        408KB

                        MD5

                        dabd8b0aa752bafed011ddd2a7877d1f

                        SHA1

                        1f18c2954b0f76508d0f5a3ab542e3a61997b1af

                        SHA256

                        e7ea11ca0a08117267cd135d559ec3def25155b68de0f40e2ee4c4ce4ae135ab

                        SHA512

                        7c893a7d01cad2e1844835373334b51e791d295f9455578affa8d478ef80579bf79bc6a3f42b70a8659f02351eea1b2a75287549fc6b97521a30443085669174

                        Download Submit

                      • C:\Windows\{25FAE468-BDE8-4d83-B29D-50F7DF4FDB1F}.exe
                        Filesize

                        408KB

                        MD5

                        9fdccb17a8c37d1e1bdf77d0dde2ca52

                        SHA1

                        28f1455597aba49680ee564e526ee0175e620365

                        SHA256

                        84b6424b2ddff6a4d35fad3baa1dde638c42602ad0d16c7020e591a19c9959ed

                        SHA512

                        c78ea263c4d80d9d36e731f399044ec078c7ed7712435ad27f8d7cd8682df4f1ad68d02cceb650726577991cc080be32cdbbdd687e356f5db9521c2d731e9b5d

                        Download Submit

                      • C:\Windows\{45A89A2A-A1EC-46ac-8939-14C988868A0E}.exe
                        Filesize

                        408KB

                        MD5

                        7e324e46b2710382f2704a8e5f2ee5d3

                        SHA1

                        8e256feaafdbf85d74e88bba29923b831ff1951d

                        SHA256

                        35e9c19584022981c37cd8435aa6cb433456738e733d7562819578ad46ac11aa

                        SHA512

                        5d752be6a51f8334f44c54ae3c943f2c919bcec8f815c8cc7d60e77f92728668175c1e0fff392b341c7ebfa46b30af5a3011109690c3d332464e74c1ccd4f8f7

                        Download Submit

                      • C:\Windows\{6E49EB20-32F7-4445-8547-32E98D0DD940}.exe
                        Filesize

                        408KB

                        MD5

                        cbf450f1871294ec35d6c73c6ee9d2b5

                        SHA1

                        86c19c77f94b330f7747eef6aa4304b5f87d027a

                        SHA256

                        4260a9bb8ad2ee2ddc7dda0d8fc86f72e22c22761df2cec4b023107e6b27f98c

                        SHA512

                        5e0f6eb99d01fabf3cd13a925b7a6fe16cb154794d57f9e631f6a4cd5f8de2cdbc9f2100aa57cb71c29bf0a8ead5a7b5d7f0aacf9ad8ea0362ec2ee628af074b

                        Download Submit

                      • C:\Windows\{A432F9BB-B191-41b3-A86D-75A27C20422D}.exe
                        Filesize

                        408KB

                        MD5

                        f94650eb47c608c6c8be8382b15a3ca7

                        SHA1

                        2d490726bfe7e535e4999ed3433c5d1ea99c9f4e

                        SHA256

                        d612262277e121b6a810083c896e82d5aa3872ed2fc046d91886b66e02683b5d

                        SHA512

                        3dca391eb92a530cf673db3f9be5e0e5096404f905dc517a2c52db1790c3e843017a02e7fdf3920c14a388291b5382fd93c47744624570a85f640158d25de26f

                        Download Submit

                      • C:\Windows\{BCF4E44C-D4BA-46e2-BC39-3D966764C482}.exe
                        Filesize

                        408KB

                        MD5

                        91b2bd09f1b6cce683b91d7cd3e842d9

                        SHA1

                        15b51972c978304b95fddf8f011d8f71be56bd7d

                        SHA256

                        40ac57966e7fba120b75410183f86802eeebff27a521d51af4aa0b48ca57f775

                        SHA512

                        677f8a8a662488fd3c47a696d831826b4919a3c0eb229eb3a73bb9c46ba70841944b0419b6466fc6fa0df57c2f62dcbcd11e648d2f695d971e82bdea3c92134b

                        Download Submit

                      • C:\Windows\{C14AEE91-BF49-4cf3-91CB-20BDF4A77C96}.exe
                        Filesize

                        408KB

                        MD5

                        ec1e5359599e538c5bb1279bc25f6c7d

                        SHA1

                        c11f266d412a616ec6c2e3229e314abf467efc5f

                        SHA256

                        313258128a504d172e5b01e99a9c9dde52072aa85cd2d706ef4190daf51f685c

                        SHA512

                        fb9e750f4af365c8b7d10a48068346af1ad285ee98ba0309a8cb27d8082b4ead1332299ef2d6f5149f8e5cc52b79f564e0056f947585cc7fb9c8cf01a200f8a9

                        Download Submit

                      • C:\Windows\{C66550AB-3C2E-4aab-8CFF-1E03AA483B07}.exe
                        Filesize

                        408KB

                        MD5

                        4a3b74a3dabb86777d626509d8d41641

                        SHA1

                        e6fd4fd256cc2e3d49d21de27f95930fd0c4e430

                        SHA256

                        9a5cec6302edbc1696380dbb0c8f32d3889730c56bf9fa5989918c3733e07848

                        SHA512

                        f8489f420cd0b8ccfa88db399461fd3ffa14b6e6f3b72f34e97680ad31be6c3e45207dc0cff33c9af41351503f96da0f7b574e65e3c81de2386aae5865c4e44b

                        Download Submit

                      • C:\Windows\{D739C23F-A91A-442f-83C3-C06EA25CC3DD}.exe
                        Filesize

                        408KB

                        MD5

                        7620719e84dc7ee41408baf4824922e5

                        SHA1

                        95175c210440cb4f41b5114de5868179af17a5f5

                        SHA256

                        5a7f8d01f17a2d1d4c4a9720adcb570645528b017ab45e5a3a31e220532426c5

                        SHA512

                        60c2ba9a66541472e393aeceb9c7a01f157708a5c9a7b3ecfd656df3478f554fc231ac1a8ee6b91f81d53c2244e4741c536bc60739086fc447c9e4576b40a74c

                        Download Submit

                      • C:\Windows\{DD021573-3543-42e5-9504-21074BD492CC}.exe
                        Filesize

                        408KB

                        MD5

                        4ceb2f238d5542a649c21dd217ff1af0

                        SHA1

                        bd1329f44c60f9e8c5ff4624f0e6a9e07abfcd9c

                        SHA256

                        4acb44ea075112c85e68e27ea03a05f85cc534fde9a6657b62dba71b479c9b25

                        SHA512

                        946318902646bb5faf04ebe728ffb10565d6f87bd186e13e5b05961f93550ce7913acaaec7781cbf278adfd857daa88b63bdd4c20df51a716e114208f47947d2

                        Download Submit

                      • C:\Windows\{E2795A8F-D7FD-4166-9A0C-DE942B6A51E8}.exe
                        Filesize

                        408KB

                        MD5

                        2b06abd970745d1971c465b532b9e7bb

                        SHA1

                        68c80e1c4b8c630c91809099eda155bc834be8ca

                        SHA256

                        a3569fa163fad2278e2c798a8a7d7c4cefbf7d19360505ce941afd056a64dfd7

                        SHA512

                        61337b9f701ba4643325e665cd0d20cffa0ce2c2d2374bd4517494891f99e0aa421e724a83c0cce34ec355263fd976f0167efcefc54db35faa0257635d42989d

                        Download Submit