Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-04-04...ye.exe

windows7-x64

9

2024-04-04...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
  • submitted
    04/04/2024, 19:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-04_1c98473e2cf3ac1b4b7648652e2ab3ff_goldeneye.exe

  • Size

    204KB

  • MD5

    1c98473e2cf3ac1b4b7648652e2ab3ff

  • SHA1

    e366129cb220fbd7616c3140dd84d41768a6ec17

  • SHA256

    d493ae1bd8436b31cd43789c20901f2a99c51946a1d5062662f8f8dcdc4d3203

  • SHA512

    5e8a37ba446eec068bd2bd300de8e62f01c4665eb59c5d751a4873fe31c6a617d158402d358e31ce2835a45ad8078083f35c06000acae69fb8a200cc2c146810

  • SSDEEP

    1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oxl1OPOe2MUVg3Ve+rXfMUy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-04_1c98473e2cf3ac1b4b7648652e2ab3ff_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-04_1c98473e2cf3ac1b4b7648652e2ab3ff_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\{80F0ADDB-4142-41f4-B1FD-FF80855B8E7C}.exe
      C:\Windows\{80F0ADDB-4142-41f4-B1FD-FF80855B8E7C}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\{D2E3B83D-CD59-48e8-91D9-4B260BE9C480}.exe
        C:\Windows\{D2E3B83D-CD59-48e8-91D9-4B260BE9C480}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\{A8FD3A19-B4BB-442d-8A9F-B8B1F2C0EFF7}.exe
          C:\Windows\{A8FD3A19-B4BB-442d-8A9F-B8B1F2C0EFF7}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2592
          • C:\Windows\{217415D1-4171-4a2b-827C-F1EE768D9AC8}.exe
            C:\Windows\{217415D1-4171-4a2b-827C-F1EE768D9AC8}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2876
            • C:\Windows\{B588A459-0DFE-4b60-8129-A306E67A34B8}.exe
              C:\Windows\{B588A459-0DFE-4b60-8129-A306E67A34B8}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2472
              • C:\Windows\{A014DD43-3DF5-46e5-BD19-1F598C12E6E4}.exe
                C:\Windows\{A014DD43-3DF5-46e5-BD19-1F598C12E6E4}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1124
                • C:\Windows\{8203E245-9F67-40f4-858A-C5F7CA2BE39F}.exe
                  C:\Windows\{8203E245-9F67-40f4-858A-C5F7CA2BE39F}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1948
                  • C:\Windows\{F0FBB02C-43CF-4c9d-8E65-2A9B86D8FA12}.exe
                    C:\Windows\{F0FBB02C-43CF-4c9d-8E65-2A9B86D8FA12}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1868
                    • C:\Windows\{D928B7FC-3D95-4a53-B7D1-7ECCC74243DF}.exe
                      C:\Windows\{D928B7FC-3D95-4a53-B7D1-7ECCC74243DF}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3044
                      • C:\Windows\{257CBE63-5028-4903-AF1F-068DE965F2F6}.exe
                        C:\Windows\{257CBE63-5028-4903-AF1F-068DE965F2F6}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2256
                        • C:\Windows\{57AD90A3-AAEA-4c1d-80E1-9DE7C4FDA6C7}.exe
                          C:\Windows\{57AD90A3-AAEA-4c1d-80E1-9DE7C4FDA6C7}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1396
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{257CB~1.EXE > nul
                          12⤵
                            PID:1104
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D928B~1.EXE > nul
                          11⤵
                            PID:1880
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F0FBB~1.EXE > nul
                          10⤵
                            PID:2868
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8203E~1.EXE > nul
                          9⤵
                            PID:1692
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A014D~1.EXE > nul
                          8⤵
                            PID:2016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B588A~1.EXE > nul
                          7⤵
                            PID:2212
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{21741~1.EXE > nul
                          6⤵
                            PID:2648
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A8FD3~1.EXE > nul
                          5⤵
                            PID:2124
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D2E3B~1.EXE > nul
                          4⤵
                            PID:2444
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{80F0A~1.EXE > nul
                          3⤵
                            PID:2564
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2784

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{217415D1-4171-4a2b-827C-F1EE768D9AC8}.exe
                        Filesize

                        204KB

                        MD5

                        57a43dba18ab6954b299b20a2a7ca4dd

                        SHA1

                        b133f79512aa2bedf1522d9beb6b68ca77e91c40

                        SHA256

                        a08d1cf313f30d0aada9ed4b173e30d2b2d4b12822a9332fe8bb85651e4157d1

                        SHA512

                        bfd1716a10665ae369d9637e5d2a1e5d6a5a1159ef77a09d980e8014900832e575b46f0fb66d80750c26cbf7d85eebfaabb0aaea747b7d7254fa20c8b0193b47

                        Download Submit

                      • C:\Windows\{257CBE63-5028-4903-AF1F-068DE965F2F6}.exe
                        Filesize

                        204KB

                        MD5

                        e4d8d14ef5c840d4731d846257f1efa1

                        SHA1

                        9e1ae0ec5834f0eb3e273eddad4f6633d7039550

                        SHA256

                        f9d5a577b2299fa7b4809f6d2330f6d5b34521ecb9779f5c5e8eaefa401e3fea

                        SHA512

                        0aaa0642e4cab5173425bbf030c3be744c9e3f0cf65c0fc675bb12b3503dcd420207516408c074399bebf509d33255deed4350487a31e423f12913ff4c80dba4

                        Download Submit

                      • C:\Windows\{57AD90A3-AAEA-4c1d-80E1-9DE7C4FDA6C7}.exe
                        Filesize

                        204KB

                        MD5

                        cd330e73c8c16e9d6132d0e751eeecf7

                        SHA1

                        322cc480f414daa27ffd955be38105eb98908777

                        SHA256

                        5c55dc99a98b7c764612d60546dcecaf66c82ec31ef7f39b1a29e4acb9124d98

                        SHA512

                        1142a2103c41769359cc318157b64a242c59b52565a974db844c2031ea6c92804ba6742039033052d4ea9349c44fb18a1850ecaf7c44faad02c2faa123d07a5a

                        Download Submit

                      • C:\Windows\{80F0ADDB-4142-41f4-B1FD-FF80855B8E7C}.exe
                        Filesize

                        204KB

                        MD5

                        f1c5b8e56069f65c2947fe8eed8f8a58

                        SHA1

                        9dbe2ada8b548a1869d034fef2b46ac35e6fbc01

                        SHA256

                        561254a3d0b59d99cc0fa7ba19b85e7df605011777b8688c36e34cfd34514b94

                        SHA512

                        405651c3f3dc756492d8f6cd2822d7850637fca6ac8fa62f5a86d3fa4668aa65e2dff50146d2e694e5ac4377cf831ebf0c938d0c8e97deee61ef35687fab30eb

                        Download Submit

                      • C:\Windows\{8203E245-9F67-40f4-858A-C5F7CA2BE39F}.exe
                        Filesize

                        204KB

                        MD5

                        f85231224a4e1d4ca6dd992609f2608f

                        SHA1

                        84e42305773e66c0b9d5060da61cfb1d70a279b1

                        SHA256

                        b742c627795b864f4e37a745ea1b3a20035c4ab22d27d652bba3727a2fc536b1

                        SHA512

                        184e5df7459d94acab4f4e9e2e8572c7ee70a3e56a0c24d93f81c6025c2aa8917a02c0666b83d28fba3acd9b235bdb67a7c57de35f79f8cc49298db28bf61b6a

                        Download Submit

                      • C:\Windows\{A014DD43-3DF5-46e5-BD19-1F598C12E6E4}.exe
                        Filesize

                        204KB

                        MD5

                        ac8e8550ea3eda86cf4421847f44fea6

                        SHA1

                        d4690baf71d877cc9652174e13ffccf05f575ed1

                        SHA256

                        059c8b89b4939577ac8fbe2d07893f1e32263f01c59cc08616b63fd6144779e7

                        SHA512

                        0b290582c854ca058dca4f81656e61a7a41a1b7f107c943701a1f85e5dd9338911bde9f15731a27d11137e2d7f58827cadd2dda74c1ab79ad282084b03886755

                        Download Submit

                      • C:\Windows\{A8FD3A19-B4BB-442d-8A9F-B8B1F2C0EFF7}.exe
                        Filesize

                        204KB

                        MD5

                        96a0c3a6eb74b035db92f2f371a0128f

                        SHA1

                        229f4f7134f2b3fb2d1fae24af7083013468b910

                        SHA256

                        68bee40454ff01f9368f531f778010529752d302b61026359683f71e49d9bff2

                        SHA512

                        a25115f8ec3de649c00fcdac5c1e4beb581d6bd667c1890b50f117704f9270a18f7365c7b913a19b82cfbacf69564cca0efc2cac8983b78aa839106b67c37d62

                        Download Submit

                      • C:\Windows\{B588A459-0DFE-4b60-8129-A306E67A34B8}.exe
                        Filesize

                        204KB

                        MD5

                        d474e6addf08425b097e57b8a8891407

                        SHA1

                        d82fca97909e505eada1fcd5a20252f1e6427bd1

                        SHA256

                        f9de92d85fd64190ffccc2bff614d4a770e1d4d6fc982310a22b0b075cd8a0de

                        SHA512

                        b15eebd0b42898aa499837d51383f2054ab5cb6a0e208bc0a20ae8b97920b5ae7f26775ef2d63d32ccd0dd549d565ef88e56f2adb6172a9df213fdfcc9b48172

                        Download Submit

                      • C:\Windows\{D2E3B83D-CD59-48e8-91D9-4B260BE9C480}.exe
                        Filesize

                        204KB

                        MD5

                        04af504dd2b4a1fb7bc0bb44f47b942f

                        SHA1

                        75ac241491ba0f9358f67fa5d243cda7fde28186

                        SHA256

                        6defd35df32675cc9ed7836cf3bdfc219c439552d2688c5525ddec01e3d3c450

                        SHA512

                        b47da3ee30c529006347feee31f069b2356bdd7b37206a011ad052a3b52c75d4e050994822bb0782619e5e39b102c4f201f15f1c63613aa3bf3b24e62b9df4f1

                        Download Submit

                      • C:\Windows\{D928B7FC-3D95-4a53-B7D1-7ECCC74243DF}.exe
                        Filesize

                        204KB

                        MD5

                        0b1b8e75d6a03bf4666b5714a36f8cce

                        SHA1

                        89cfb2c2c5c4ca7f2fb0bdcc4cfc1ae1fc7fef2f

                        SHA256

                        9f37ea00ee94c45589e0039946d5de82b9fe73e89f055f7bb596c3021c2571f5

                        SHA512

                        963cc463ed5f4a915af43e27340acc6f9aa83de02572ed2d41b71ff6bc6280f1a273869935ca75859400bae0ee0303c8d8a9b6ea8847bd0736897fcffd4ceafc

                        Download Submit

                      • C:\Windows\{F0FBB02C-43CF-4c9d-8E65-2A9B86D8FA12}.exe
                        Filesize

                        204KB

                        MD5

                        1553594df72fdca132ec61e5e9eb6340

                        SHA1

                        2f28884d9904a580adc25a807a965f6d747d3fdb

                        SHA256

                        8b24f7a8d47a72ddf8deb3bb7658cc797aeb50ea51e4c223b8490da34e3d177a

                        SHA512

                        38e965e5facc81917e4d642dc40c8d975e0434cc1b4a2dfa8421ad115811c2f295ed8a540a55c6d3adc9442a308880260e829b8066a6373253883f76361e47df

                        Download Submit