Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-03-13...ye.exe

windows7-x64

9

2024-03-13...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    155s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/03/2024, 00:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe

  • Size

    204KB

  • MD5

    4ede1f20c01989f6fc2afefd1c7fd0c8

  • SHA1

    9fcb63da846cfc5b37d933a77819758806c123c1

  • SHA256

    0db813dd449574cfd56b459480a155167338e8f5e19a5ab02c8335d98be295d1

  • SHA512

    37db6856dc67475166c05a86eddc8582789ad3227d3e15d1abfdcc005e3fa305373a835d99264ff775804db758e970e689a16369e24892145b54808eac17a460

  • SSDEEP

    1536:1EGh0oKl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oKl1OPOe2MUVg3Ve+rXfMUy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-13_4ede1f20c01989f6fc2afefd1c7fd0c8_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Windows\{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe
      C:\Windows\{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe
        C:\Windows\{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe
          C:\Windows\{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4488
          • C:\Windows\{C65DA071-055D-4502-AC1A-85C740048BF7}.exe
            C:\Windows\{C65DA071-055D-4502-AC1A-85C740048BF7}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2204
            • C:\Windows\{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe
              C:\Windows\{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4312
              • C:\Windows\{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe
                C:\Windows\{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2908
                • C:\Windows\{6DDEA412-122E-4900-9163-315CBCE669A2}.exe
                  C:\Windows\{6DDEA412-122E-4900-9163-315CBCE669A2}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4048
                  • C:\Windows\{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe
                    C:\Windows\{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3936
                    • C:\Windows\{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe
                      C:\Windows\{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2912
                      • C:\Windows\{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe
                        C:\Windows\{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:916
                        • C:\Windows\{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}.exe
                          C:\Windows\{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1532
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6FFA1~1.EXE > nul
                          12⤵
                            PID:3864
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5B038~1.EXE > nul
                          11⤵
                            PID:4332
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8ECCA~1.EXE > nul
                          10⤵
                            PID:3956
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6DDEA~1.EXE > nul
                          9⤵
                            PID:3184
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B209C~1.EXE > nul
                          8⤵
                            PID:4860
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{99B3F~1.EXE > nul
                          7⤵
                            PID:2316
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C65DA~1.EXE > nul
                          6⤵
                            PID:3004
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5C6F0~1.EXE > nul
                          5⤵
                            PID:2332
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{488AB~1.EXE > nul
                          4⤵
                            PID:1692
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E3B15~1.EXE > nul
                          3⤵
                            PID:1224
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                            PID:4960
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
                          1⤵
                            PID:4336

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{488ABBEF-D8B2-4f92-9839-0BDD4B48BEE8}.exe
                            Filesize

                            204KB

                            MD5

                            3707aa55bb4f261cee597394af0998c9

                            SHA1

                            6e54b41411afa2d2f2ab580678e8ba3dfd5bf54a

                            SHA256

                            cd4a9abda2339e330cf045a18cdff82aba0a6ffdfafb5aaf45086fca05fc3b76

                            SHA512

                            6775af8ab26b7f7f7564377659a3c92379d93d4420af7f0dc9ee5b3922fd1a47a07ac21ead0990ee475ff8fb438a936992f97c130c2bfb8e4aec0b2ab833ae42

                            Download Submit

                          • C:\Windows\{5B0385BE-CB6D-4614-A25C-1214ADD33D67}.exe
                            Filesize

                            204KB

                            MD5

                            9fcd8e28f7cc65f4702cff964caf0125

                            SHA1

                            8426750636474a3cecffc706201666afd7f582f8

                            SHA256

                            970c725d7bef71a793a218579038197e47e4f4927f5fc76eeb417e42986213c2

                            SHA512

                            b20f267b49ae5cb50c95b69006ad18c078bcef1ce9c4326517ddf08bd5b2a51cc8201117a04aa16b9ae85a02494664136eee26e146fbe0020f568f0639802b2c

                            Download Submit

                          • C:\Windows\{5C6F0EE2-2C08-47eb-A4AB-A83DB739BC2A}.exe
                            Filesize

                            204KB

                            MD5

                            1e78964082663840f17b6438b6b9d121

                            SHA1

                            6c090d0dbc225262c72d7afce30ac076883f1d2b

                            SHA256

                            ff9071659468ff338ede9f080fd333d0bc79d23a9ae3fb14d1e3d194616b7797

                            SHA512

                            a452e1df87d4e8bbd6d6179d9806a7f9d85c250d4e40d0f53119cbb43ea2ef13fab7d3da379598026fd2cd769270c9a58aa372f46111e460a74b502ffef702c6

                            Download Submit

                          • C:\Windows\{6DDEA412-122E-4900-9163-315CBCE669A2}.exe
                            Filesize

                            204KB

                            MD5

                            4e5169d219950cd21bda608a02982230

                            SHA1

                            948e021131888453fc657a52b27cc365d7762a14

                            SHA256

                            e2888f7ca8076485c753d4eb2a97316bc8bcd80626908c33b14fb322c7998320

                            SHA512

                            eaa12020dae69644d403e69aa5f1760b7e2d8e001a11868e5999440799bb9bc7ee487413ad92d93ea0e97d8b4ab0fb84dc913af57b051fff7cf51e9effc38a58

                            Download Submit

                          • C:\Windows\{6FFA1A9A-0F2B-4648-AA05-9BB51156ADC7}.exe
                            Filesize

                            204KB

                            MD5

                            df84ab456d75eedeb04557ecfc235d37

                            SHA1

                            aa36d78eb4de9fea9a0cd2e9f9c64586856bcdd3

                            SHA256

                            798ad8b4da9d0f36710cc8ee25b72052fae5a51273d1020783dfc2c8317ae3f3

                            SHA512

                            6a81f9172aff4cba0c58923a41862ceaf31539bf83e48db06a7962807ca7ba114b092b8a4f52948fe26b807c73afb24d93320caeac23825022f2d50bd71c2698

                            Download Submit

                          • C:\Windows\{8ECCA8FC-50E7-4128-8FE6-8D007B8ED54A}.exe
                            Filesize

                            204KB

                            MD5

                            95b63b2603507b79a465d2c478238f3a

                            SHA1

                            aec1303b20d913283b129faeeca906b75d9ec053

                            SHA256

                            36b39ea3c6e7d6045f0dcab2e07de100cc8d97ae495062fdac3eda3d3f5b77bc

                            SHA512

                            4793b12a7ea661b23a02b35ee34174e8a9d2cb2e9e6699a09c4ad51f526bc4083bb540f3deeb5ff4cbc1b58d65c72ad0f1937d3b5715ad2da6155ac092dbb619

                            Download Submit

                          • C:\Windows\{99B3FAFA-D218-4c10-8DA3-044A936CA7CF}.exe
                            Filesize

                            204KB

                            MD5

                            121bdc5d6d98f33c981b3ae71c39d377

                            SHA1

                            e088e1ff6ef0740bcc2b929a9dbb66e685c19ca1

                            SHA256

                            987a6d1921b108659e77f2a6054a10ba7f6f57d3fbd0257d4ad0f4cc06ed05d0

                            SHA512

                            009141dffb5b4b6941625c9dd3da091a781a19c8a45032e7e2d49ad64c43177149029ef64dbea3d5525d980b43b5f94e3a2e11f1d6654568527fc8b78c08db0e

                            Download Submit

                          • C:\Windows\{B209C36C-FAD0-4e1b-A6B6-4E1E0A2ED94C}.exe
                            Filesize

                            204KB

                            MD5

                            2a5f276e5ed8f6bb4e1dfd152f7aa416

                            SHA1

                            331daf1cbd0e9c60f353f98d033b61c45d800f0e

                            SHA256

                            c5dc4a0a9249fa3126a95e8d2231fd4f31c2a2bddf337e8e7f9568a35bf08a8d

                            SHA512

                            f6c3ba4d400c4e3c7199b26c8741b631c08898de69fdfce2ace4c4cd9919242746a000d4aaef2e4503512963aa28710a0f6932a0977ebf98bc7b894e217ef0a9

                            Download Submit

                          • C:\Windows\{C65DA071-055D-4502-AC1A-85C740048BF7}.exe
                            Filesize

                            204KB

                            MD5

                            c063a09380b6ad42b4afde75cd198c3a

                            SHA1

                            4e922d06683efe892b5f655d05d9d4ec6c967763

                            SHA256

                            867df88719a2ee349e76a632ae1fbd73ff17f86b2cbb04b6680f4364710139ed

                            SHA512

                            469200451bb6ebaa97d3afc6b2acdd3236bbf022138841e18f2e4b50e7931556432ea6cf8abdc27618d6b7ceca4b25751292a55b052e29880facb7060a630872

                            Download Submit

                          • C:\Windows\{E3B155EC-3F38-4447-AD82-3986FD7CCA0F}.exe
                            Filesize

                            204KB

                            MD5

                            73aca31b90af96e17a820e39986de67e

                            SHA1

                            e72196ebb103da3bd6d586625b4cf74ea913cb47

                            SHA256

                            6d3be06623f026f275662702345ca4f1678e379b21016301a6a9e97222b311be

                            SHA512

                            43355e8b797c8718d14810c1b6e81d1036ae4c14fbbb518ab1cbc14ea568a78be6e626fda0ae72954658e6319fe57fa799e4d5ffcb01e8125e1a14270ca276f1

                            Download Submit

                          • C:\Windows\{F78E82F6-C2D7-4730-813B-8D3CDBBF6B8C}.exe
                            Filesize

                            204KB

                            MD5

                            ac9efb539b47871df411c0ee36220542

                            SHA1

                            6e348352b6430755d9b4f3ddc6c04bd65c242dca

                            SHA256

                            9c848a0a94f565d22c50030743a7a8efed4a097f63a8c61ec8658e9eed4e2662

                            SHA512

                            b513f4bf9254f203b79788687aeeb9d6eb1679ee7454159ce313ae0d78f6bceb701bbb6d08690d38bc5b450c358ea01dc954a5f5fffb059a6ccad556d75ba4a2

                            Download Submit