Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-04-05...ye.exe

windows7-x64

9

2024-04-05...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/04/2024, 02:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe

  • Size

    168KB

  • MD5

    a12cc0dc8dc50f8a5ff3abbd754eef05

  • SHA1

    e2aecaea74fc2ac3250e568df2071c3f2ee2ab50

  • SHA256

    72dadb9d239891deaa58ebde923eff2919c6ff218fc7ef193c16a83dba4a4abc

  • SHA512

    dca115bca57a4cfc51823e6834e41ad410d676a385e88eb5b41d82e23362171703a3ea08e76ebd6b64343e699e77a627102a6e29f0e5da257d2ce86e04d48ffa

  • SSDEEP

    1536:1EGh0oylq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oylqOPOe2MUVg3Ve+rX

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\{79A4F469-FDA7-4ca9-A0E3-1E85B79A3D7A}.exe
      C:\Windows\{79A4F469-FDA7-4ca9-A0E3-1E85B79A3D7A}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\{2E192E24-5DE3-4a9d-BC52-135E9CE0BDE6}.exe
        C:\Windows\{2E192E24-5DE3-4a9d-BC52-135E9CE0BDE6}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\{5DDDB605-0074-493c-9C84-833ADC2993E4}.exe
          C:\Windows\{5DDDB605-0074-493c-9C84-833ADC2993E4}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\{F0538872-7A2C-4464-A04E-C85B32DFE7D1}.exe
            C:\Windows\{F0538872-7A2C-4464-A04E-C85B32DFE7D1}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1496
            • C:\Windows\{06FC5AEC-884D-41aa-99B2-B63C1D29CE91}.exe
              C:\Windows\{06FC5AEC-884D-41aa-99B2-B63C1D29CE91}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2708
              • C:\Windows\{A841A3D6-7E89-4bb8-88F6-F85022E53A06}.exe
                C:\Windows\{A841A3D6-7E89-4bb8-88F6-F85022E53A06}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2904
                • C:\Windows\{981817BE-DAF1-47c2-91E6-70DFAA62C9A4}.exe
                  C:\Windows\{981817BE-DAF1-47c2-91E6-70DFAA62C9A4}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2020
                  • C:\Windows\{48EA7B83-7AA2-444a-848E-219E42E36FBA}.exe
                    C:\Windows\{48EA7B83-7AA2-444a-848E-219E42E36FBA}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1644
                    • C:\Windows\{0227B2E0-2112-470f-89C7-587FC3720677}.exe
                      C:\Windows\{0227B2E0-2112-470f-89C7-587FC3720677}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1596
                      • C:\Windows\{819D0363-73B2-4687-B802-7445292C6544}.exe
                        C:\Windows\{819D0363-73B2-4687-B802-7445292C6544}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2364
                        • C:\Windows\{B5EFC8F8-04FB-4af7-9E5A-9A42EC521448}.exe
                          C:\Windows\{B5EFC8F8-04FB-4af7-9E5A-9A42EC521448}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2792
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{819D0~1.EXE > nul
                          12⤵
                            PID:1668
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0227B~1.EXE > nul
                          11⤵
                            PID:3036
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{48EA7~1.EXE > nul
                          10⤵
                            PID:2892
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{98181~1.EXE > nul
                          9⤵
                            PID:540
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A841A~1.EXE > nul
                          8⤵
                            PID:1220
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{06FC5~1.EXE > nul
                          7⤵
                            PID:2328
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F0538~1.EXE > nul
                          6⤵
                            PID:2740
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5DDDB~1.EXE > nul
                          5⤵
                            PID:2596
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2E192~1.EXE > nul
                          4⤵
                            PID:2728
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{79A4F~1.EXE > nul
                          3⤵
                            PID:2784
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2680

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{0227B2E0-2112-470f-89C7-587FC3720677}.exe
                        Filesize

                        168KB

                        MD5

                        2ecaf505c1a08614d295349e64dfe53a

                        SHA1

                        85906afafb5f1d2eba0509e1bc3dc6e2b06390d4

                        SHA256

                        ca1520c9a0eedb3ac2686e95a908f236e0bac12cbb18a7557c56241eb27421c1

                        SHA512

                        97cc1a5ca0358f526a08b2ae44b488c9268f33ff8f83bbee1c21383a36d919bb8806d470b259eca2bbe960858cca6bfb1bafb0ec9bfbe4b4f6f09d47ed42c81b

                        Download Submit

                      • C:\Windows\{06FC5AEC-884D-41aa-99B2-B63C1D29CE91}.exe
                        Filesize

                        168KB

                        MD5

                        b11baac5d247aed95f34e53d02dd1689

                        SHA1

                        1c36f943e019b641a3fa08ad0aa74cba4945b3d0

                        SHA256

                        fad5cc544ed8d49bb199aa3b5091438a2c93bcc49df9ad1712135ae028eb4c51

                        SHA512

                        a0fec5b5dee2350d4eb03248654b19175b66291070bbaa3bbdbc090e6ec7b51f0fb05907224357d315444eb47d72101f103acb14dd1cd8f8c871b24dbd674fef

                        Download Submit

                      • C:\Windows\{2E192E24-5DE3-4a9d-BC52-135E9CE0BDE6}.exe
                        Filesize

                        168KB

                        MD5

                        dce0dadc82f4de4e171e89eef15e3696

                        SHA1

                        384d9b5efb1c7baf692cd6a45811360ba7b4dad8

                        SHA256

                        0dd116d6a3563513dd0c5f377b29eab3dc8300eb7e4037098fe0df1efe6ca091

                        SHA512

                        4cf7d3a629a0b56e84bf60b029908a022e43b7dbf443246e87cb94d5b1697de642f981ecfe7b85a282fdcd80dbf1fbd0b5c4cc2ad0f7f0fc694cfec2dbf05281

                        Download Submit

                      • C:\Windows\{48EA7B83-7AA2-444a-848E-219E42E36FBA}.exe
                        Filesize

                        168KB

                        MD5

                        27bb895a17ed6abe7dc31941b0f0dc35

                        SHA1

                        e7afb33d4253a123422c8500b64b8217149193bc

                        SHA256

                        756f4f9eafcf289e4dfb6b9e3955cdebaf85ab91bb134eac6ac884211d01371d

                        SHA512

                        eed728b03436ed9dcb29d0f5b6cf49e4d3ceaab8fbc1d55d728c6b8b08bfa18e04d3ec215415bc46b2e06adb875f37aeb601d02e61189c9a587124053c2690a4

                        Download Submit

                      • C:\Windows\{5DDDB605-0074-493c-9C84-833ADC2993E4}.exe
                        Filesize

                        168KB

                        MD5

                        c787740e1deffa37d379ee25b5572ff0

                        SHA1

                        c50af604e73d1dd180089b15525278d3b91f0bc9

                        SHA256

                        11f14aea5acc6097933454944e8ce342d10661bf24911ef0b05059e764193027

                        SHA512

                        a4b58b40e6400582ed54be17818fbc54258da252aef032943d92e57470799f6e77759c2ea912f7c0d280bf6abc7a8962c5ce25748a0e95d8f5a5d3ab9f253e42

                        Download Submit

                      • C:\Windows\{79A4F469-FDA7-4ca9-A0E3-1E85B79A3D7A}.exe
                        Filesize

                        168KB

                        MD5

                        9096ed8c57683fc207c20b189439ec59

                        SHA1

                        c0326b14a118aab3b60b05dd33620ebdc494f2c7

                        SHA256

                        c26aa4c65f2dea2807dab1216223e52632b3944a90df3d41b96cbae9deb0ac0f

                        SHA512

                        5713e375d58e905a3a097d32d5fab597bb3f978c2f24e49a5236a102bd6c947c6abae418dffa8910fcbcd6ecd6027ed0ad81f02b1297ef548e90dca91b75d970

                        Download Submit

                      • C:\Windows\{819D0363-73B2-4687-B802-7445292C6544}.exe
                        Filesize

                        168KB

                        MD5

                        ecebf75a58a4e410bd879e8468deb75d

                        SHA1

                        4a9f8c406c30e3bb0a0bf12656f0d5edd9f573c7

                        SHA256

                        0d18f9cdcb7b59fad607f209d4f31e890f47a806072b1d6c6eab1574ff1bdcd5

                        SHA512

                        e4728a4c9dcaaad68f5f2a169e3341bb46a9fff8a1cc34f9c7e2c0f6be83926031aff409d861ac6b93e6340d53258df3d812ccaf734f8134f3d12105c40535c6

                        Download Submit

                      • C:\Windows\{981817BE-DAF1-47c2-91E6-70DFAA62C9A4}.exe
                        Filesize

                        168KB

                        MD5

                        229f1af0b73244ab76a6ab7f8463f02e

                        SHA1

                        0c3a9c72e04e9a26223b3d8a1c8f90a8aa447ac8

                        SHA256

                        fedbe769c4e9ed21528933f71c15ee61933cd599ebab352b43427ba144bed1a8

                        SHA512

                        66bea1e0708c9fbacedd88304fee5a0006327a24d733db751ce70c626019c8624a25d5177f74e0aaf599d0ece024e97728d8b89cda2fd4ce512c24e86a8bdefe

                        Download Submit

                      • C:\Windows\{A841A3D6-7E89-4bb8-88F6-F85022E53A06}.exe
                        Filesize

                        168KB

                        MD5

                        22efd644849fd95d8b927f3f5e1c331f

                        SHA1

                        3f1bb94d0d96c6eb6712799b3d708469fe406920

                        SHA256

                        d16dba8a484788ee4e7cbf626373e3f506020998454bff04874c19bb3b852497

                        SHA512

                        7b75b3c8a9c69397065279e153c6c777559767f3ccd1d09cdcdc5cfdcdb398beaa597a4b726eba30bfe3f2298ae25442a193d47660251ef5d8f981aea4b5bf87

                        Download Submit

                      • C:\Windows\{B5EFC8F8-04FB-4af7-9E5A-9A42EC521448}.exe
                        Filesize

                        168KB

                        MD5

                        2a427548456a47baa14ca950f55857a9

                        SHA1

                        f24ca9ba34d856b9f6187cad40517ae583047f07

                        SHA256

                        4c6dcd1d30fb85537c3ed0dcc4c61ccb1216cffb597742cc0bb3d8369256b578

                        SHA512

                        e7e9864862cb5ac6144cb4f854e22b9bee4f1cbfd13eed2a1bcc43127bc27b60444b68a34121f16d481e2da9dc3f6eb017db3e6b893dc012e84e044fe7281405

                        Download Submit

                      • C:\Windows\{F0538872-7A2C-4464-A04E-C85B32DFE7D1}.exe
                        Filesize

                        168KB

                        MD5

                        7d90ae09ac3009c31a883dcc314a6e49

                        SHA1

                        6e564cab4e613b732c52ff2c1e3f73b59a2ca1e4

                        SHA256

                        d6182b4a8f6669b6aa436a639785dbd8f168bbbb4103470b2cc3bb15a125b86e

                        SHA512

                        79a658411c99aa34e18e2b6760490b850db3b70995ee37f94c0ece0080f2b8dd4197ef0b93459422ad5af0b50abaae6cb56c383633880c0d02a2026af80ecc43

                        Download Submit