Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-03-13...ye.exe

windows7-x64

9

2024-03-13...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/03/2024, 09:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe

  • Size

    372KB

  • MD5

    c2c514d7f2b142f038b25b5e7ad460be

  • SHA1

    6f809d95c1b94b4e70e6a08d1912ca84363c94cd

  • SHA256

    1fc583205a7cd041e146411c4714f665a94cbeacacf0b680dee743062e05d9f3

  • SHA512

    d8d7d8d7c84b97206ac55a8cd156df17588dc8d71abb788dff31ffd78a5601dda46ffe7060938847f77fd58c7b4760d0dd3c6ab9d64096c99741bb265d36c85f

  • SSDEEP

    3072:CEGh0ogmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGjl/Oe2MUVg3vTeKcAEciTBqr3

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-13_c2c514d7f2b142f038b25b5e7ad460be_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\{36FADA7F-4124-4293-95A6-3B289A3BE4AE}.exe
      C:\Windows\{36FADA7F-4124-4293-95A6-3B289A3BE4AE}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3500
      • C:\Windows\{5F43D9B5-8623-49d5-BBF1-4817140CD740}.exe
        C:\Windows\{5F43D9B5-8623-49d5-BBF1-4817140CD740}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4020
        • C:\Windows\{792E9449-1C4F-47a6-97B8-6CC9450B1612}.exe
          C:\Windows\{792E9449-1C4F-47a6-97B8-6CC9450B1612}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2156
          • C:\Windows\{D7064AF0-F929-41e5-BCA8-8EDAF0C4ECED}.exe
            C:\Windows\{D7064AF0-F929-41e5-BCA8-8EDAF0C4ECED}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4588
            • C:\Windows\{7A4AAAE7-9E77-4847-8DD6-547586F46A28}.exe
              C:\Windows\{7A4AAAE7-9E77-4847-8DD6-547586F46A28}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4576
              • C:\Windows\{37C4F42A-F5AD-4792-8209-CDB96F1B1FB9}.exe
                C:\Windows\{37C4F42A-F5AD-4792-8209-CDB96F1B1FB9}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1292
                • C:\Windows\{BAE0A8C4-9E27-48f2-BF35-2154E5C307D6}.exe
                  C:\Windows\{BAE0A8C4-9E27-48f2-BF35-2154E5C307D6}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4476
                  • C:\Windows\{FF75624B-0B9C-4c0d-94A3-F60D455162EB}.exe
                    C:\Windows\{FF75624B-0B9C-4c0d-94A3-F60D455162EB}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2888
                    • C:\Windows\{074CE211-F962-4ea2-892B-2561F70B30C0}.exe
                      C:\Windows\{074CE211-F962-4ea2-892B-2561F70B30C0}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3060
                      • C:\Windows\{5970EE27-87D1-4d57-AE6E-90CA0B690AAB}.exe
                        C:\Windows\{5970EE27-87D1-4d57-AE6E-90CA0B690AAB}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3204
                        • C:\Windows\{D95A68D6-D03C-4dcc-B59D-151EFCD3BCA9}.exe
                          C:\Windows\{D95A68D6-D03C-4dcc-B59D-151EFCD3BCA9}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:884
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5970E~1.EXE > nul
                          12⤵
                            PID:4572
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{074CE~1.EXE > nul
                          11⤵
                            PID:1952
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FF756~1.EXE > nul
                          10⤵
                            PID:3428
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BAE0A~1.EXE > nul
                          9⤵
                            PID:884
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{37C4F~1.EXE > nul
                          8⤵
                            PID:3096
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7A4AA~1.EXE > nul
                          7⤵
                            PID:4552
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D7064~1.EXE > nul
                          6⤵
                            PID:2312
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{792E9~1.EXE > nul
                          5⤵
                            PID:5024
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5F43D~1.EXE > nul
                          4⤵
                            PID:2900
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{36FAD~1.EXE > nul
                          3⤵
                            PID:3652
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                            PID:4964
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=3136,i,3192284747741020952,1225278682167953346,262144 --variations-seed-version /prefetch:8
                          1⤵
                            PID:4712

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{074CE211-F962-4ea2-892B-2561F70B30C0}.exe
                            Filesize

                            372KB

                            MD5

                            7d2636fcc91a03cd0b6bc5cc5df3fb21

                            SHA1

                            a5d55345bc71f02fe2e06ea83259e76c8636a9ff

                            SHA256

                            2c1c2f455ab7457008dc0636742ca8c246e9edccf26c8a142a3e13e2b456007a

                            SHA512

                            695d8f8cda449722cabe0dd00273b57a11a54be4ab93ed8fa01b99d86d15a9f5cb7486a41adcf445da9e1491814689e8f9aa9535118a20f97a59625cd30461c9

                            Download Submit

                          • C:\Windows\{36FADA7F-4124-4293-95A6-3B289A3BE4AE}.exe
                            Filesize

                            372KB

                            MD5

                            f151c4b3102498e30d4d9f3261842b61

                            SHA1

                            948004008e37b4bb0c8425349daca832606d1a3e

                            SHA256

                            e1ef120759186139ee5174ee1de6eb1c8ca667e686b77fe9bb3b9940a25d3db4

                            SHA512

                            ed1d7120ae4fde7a79872a49241d10c88c9fc79bc217bbaaa1a63d01810c79a841cdc83e0961fdaf26f68bebea3836f2d907ef7b2ba243d81c9561244f8a755c

                            Download Submit

                          • C:\Windows\{37C4F42A-F5AD-4792-8209-CDB96F1B1FB9}.exe
                            Filesize

                            372KB

                            MD5

                            d25a4fdf5f0c1a7918f3448a04948808

                            SHA1

                            a4b33af8666660a96fbb4b4f16529b1c6d3fdfdc

                            SHA256

                            2aced0340b55420076cf38f0dcb625d59d1289c810cd34e5fe663da08a4fa670

                            SHA512

                            dc65d132108ad5db519163cba554f037a6e5b19fd459bb398ef62c776653449a04476eeffb088436a7ef133db59cf6c56a213ec60a8c2ff00c90fee615f7dfb3

                            Download Submit

                          • C:\Windows\{37C4F42A-F5AD-4792-8209-CDB96F1B1FB9}.exe
                            Filesize

                            175KB

                            MD5

                            bf69b61953626d245a0388d9650511ad

                            SHA1

                            b2a3347ebfef5590cbf8ad1d03a4fb95ef5d4124

                            SHA256

                            02de20c5b0f41f091ddde559ee3d06af4e9fa9971816c40d24f409635be23122

                            SHA512

                            0cc29a1a23299b23dde5a17679da0067dc915bcb6bf843ea6948214e7ea420ee6f4f40f3ead9605b562b9e9c9fcdc6f2b4ae935aaf41b34a01616759aea75328

                            Download Submit

                          • C:\Windows\{5970EE27-87D1-4d57-AE6E-90CA0B690AAB}.exe
                            Filesize

                            372KB

                            MD5

                            36680e38514eb40c8b7c999142267ece

                            SHA1

                            9156b299a8b2d2a972a0f69173e22be9437143d5

                            SHA256

                            ef3324c2e08fb83b10109f9a8d7883b73e4f5be63f624187278ea2f53fc7bcaf

                            SHA512

                            a851096f19372adbba21807da49de426054e545bbcf5dffbf1515efd8073cb0c2330631eb7a0a778f5215a8532b354d8a10b384b2f3b2f0ed72c8a6295fb985e

                            Download Submit

                          • C:\Windows\{5F43D9B5-8623-49d5-BBF1-4817140CD740}.exe
                            Filesize

                            372KB

                            MD5

                            7cb53db5252632768bd1f58df5d5a5e3

                            SHA1

                            98dc918a905a0d13295e2a5ba5840adc28d5f237

                            SHA256

                            0b6a92f1ab48ee040f82a4ed8fafb547a5353c2f10bcd36d72fb87fad240208b

                            SHA512

                            bb7e5280be65025018b559282a213b39cdf585bea3dba3bf8ccda7aa6698b178934b9cd76e05a5e9dad1837d3b8fab827aa829bff773d1e389e68f836aa23509

                            Download Submit

                          • C:\Windows\{792E9449-1C4F-47a6-97B8-6CC9450B1612}.exe
                            Filesize

                            372KB

                            MD5

                            38795dcc0fb22a7e39201d77a72f743f

                            SHA1

                            d0c16193144e3fb9aae789a11ca88c74e854d8a1

                            SHA256

                            20104b3603b0e4074ad0735bc2c0ea8b532de9f38bc8e52cc3772fe2c517d040

                            SHA512

                            f16cda2f6a93e7f3e0bb4447edac0863625e2b399e88a35840b874cb4c401f18f0688b5393bb7f0da6f6f7bdacbfe77d35db412be1aee6c1c5957bd258087b44

                            Download Submit

                          • C:\Windows\{7A4AAAE7-9E77-4847-8DD6-547586F46A28}.exe
                            Filesize

                            372KB

                            MD5

                            002dacd4db5ceba0c7968a586af5b7e0

                            SHA1

                            fcaa758e939ea32fc2e1a34965260d518599b7a4

                            SHA256

                            1d8d089b847a278fffff3dd228e4a2aef82db6bbc695a32466e89b5552d06d7a

                            SHA512

                            addedf3079eea9e9682c1bf002ad429ce1995c69aba601d9f303900ab11e8c71060b9e23a555257dcf25ba4b90df01756b9845d2201db7c6351c51caab47b31b

                            Download Submit

                          • C:\Windows\{BAE0A8C4-9E27-48f2-BF35-2154E5C307D6}.exe
                            Filesize

                            372KB

                            MD5

                            e61e0afff5d780f87960f885fa19689f

                            SHA1

                            1c45320bdf96cfecfeec5648c298fd7208547888

                            SHA256

                            0bb642303c9e6a4045e158214c062605cc3707f82de7a7c5c55097d8c2d9d761

                            SHA512

                            d01276a8c1e967c971a15dfc64503212a6991ffbac1ce42ae5a6ed1067996ec945fdf32022bf457a973d99a9cb7b7c035fdbecb0557675ee07ed22270e20b809

                            Download Submit

                          • C:\Windows\{D7064AF0-F929-41e5-BCA8-8EDAF0C4ECED}.exe
                            Filesize

                            372KB

                            MD5

                            66fc3692357cc58f84cf3fcbfb5cf158

                            SHA1

                            7672f5bc3907856baa1ac2ae6893943715458091

                            SHA256

                            08f0c93f68313eb60b570967d5f6217a1d701000350b5e66570a165341402a8b

                            SHA512

                            f557d33504b7adee12eadeec363e7311012f0d0e1e33066bf1231962ecc0ef81a67e85dc7631a889f473f1c6c606fce238b5fdec52d534a2ff3516ec1755ee89

                            Download Submit

                          • C:\Windows\{D95A68D6-D03C-4dcc-B59D-151EFCD3BCA9}.exe
                            Filesize

                            372KB

                            MD5

                            1495ad1219e5b16ced675dd97c073eef

                            SHA1

                            cdaaec8e74b89d29ad876ce23bdecb0a4933799d

                            SHA256

                            1b953f35ff810a569d6a3e35d95a5f51551c53f8bc2161905943618fb08c914f

                            SHA512

                            21a8034da797801a10dca2d35768e652853f936dc528a9de7403814de6cb3d2401c3629ba7ea6b0193c04cfe0f98cc437d9063c4e9ae9a86a863ab0f5df9f2a1

                            Download Submit

                          • C:\Windows\{FF75624B-0B9C-4c0d-94A3-F60D455162EB}.exe
                            Filesize

                            372KB

                            MD5

                            26afd5b53d2d8ad999de23ecc4d81d5f

                            SHA1

                            fe2b8fd48283dca590628beaf1f1a414056a6a9e

                            SHA256

                            693d38aa9e2ba73632f6c035d8ff2a625ae4009e606d48b3f0d6de018ffc3879

                            SHA512

                            680e671633c29ed516ccc21e869a6d3a7289584d5f0ec2c21585bf0f5ca481e36bafef31664f84c6c182650dd3b6bf784bd3996b73271959d6fe1b3812b80780

                            Download Submit