Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-04-06...ye.exe

windows7-x64

9

2024-04-06...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    06/04/2024, 00:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe

  • Size

    168KB

  • MD5

    bfcaa345f789f4dfc76ccccd1022676c

  • SHA1

    c6e146bdf22a1e17401064658883b6246b3c4030

  • SHA256

    e51d9134dbb065e51d79681002ceafd714ceef57c29925012598ac56fa7a3694

  • SHA512

    041e33bc14aa9fcec3e50c4bb882fe288c55c0b5b4e3516dd0098d636a4a05ba63f16e6a8ba806f6c4e977ea24f3e05299e70a3c44dda0fe53df8898847a92a7

  • SSDEEP

    1536:1EGh0oxlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oxlqOPOe2MUVg3Ve+rX

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_bfcaa345f789f4dfc76ccccd1022676c_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\{2DF8AEF8-5F5E-415f-8820-8AFFE58BC4D4}.exe
      C:\Windows\{2DF8AEF8-5F5E-415f-8820-8AFFE58BC4D4}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\{ED408C42-5DF0-4b33-B462-AED387F401FD}.exe
        C:\Windows\{ED408C42-5DF0-4b33-B462-AED387F401FD}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\{9E922B73-DCAF-45f0-BCEA-BB0D5DF24619}.exe
          C:\Windows\{9E922B73-DCAF-45f0-BCEA-BB0D5DF24619}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\{BC995298-4E62-405a-A6D6-12F4A880E146}.exe
            C:\Windows\{BC995298-4E62-405a-A6D6-12F4A880E146}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2496
            • C:\Windows\{04971852-ADE7-4ddd-ADF5-0906D328B470}.exe
              C:\Windows\{04971852-ADE7-4ddd-ADF5-0906D328B470}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1892
              • C:\Windows\{9D40D83C-FBAB-473b-B4FF-AB17212A1B5F}.exe
                C:\Windows\{9D40D83C-FBAB-473b-B4FF-AB17212A1B5F}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1196
                • C:\Windows\{8F94D4EF-5A18-445a-82D1-9C66D6EA1F0F}.exe
                  C:\Windows\{8F94D4EF-5A18-445a-82D1-9C66D6EA1F0F}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2480
                  • C:\Windows\{62A25060-76C3-45ec-A626-EAA93E966D6C}.exe
                    C:\Windows\{62A25060-76C3-45ec-A626-EAA93E966D6C}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:800
                    • C:\Windows\{87B47819-F75C-4724-9B9A-6D1360C4AFF7}.exe
                      C:\Windows\{87B47819-F75C-4724-9B9A-6D1360C4AFF7}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2828
                      • C:\Windows\{04ECD480-9B55-47cb-893E-6932E20A463A}.exe
                        C:\Windows\{04ECD480-9B55-47cb-893E-6932E20A463A}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2268
                        • C:\Windows\{341071BC-5949-47a8-BE79-4EBFD10C9E4F}.exe
                          C:\Windows\{341071BC-5949-47a8-BE79-4EBFD10C9E4F}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1452
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{04ECD~1.EXE > nul
                          12⤵
                            PID:556
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{87B47~1.EXE > nul
                          11⤵
                            PID:1716
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{62A25~1.EXE > nul
                          10⤵
                            PID:2836
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8F94D~1.EXE > nul
                          9⤵
                            PID:936
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9D40D~1.EXE > nul
                          8⤵
                            PID:1080
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{04971~1.EXE > nul
                          7⤵
                            PID:2648
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BC995~1.EXE > nul
                          6⤵
                            PID:2684
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9E922~1.EXE > nul
                          5⤵
                            PID:2724
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{ED408~1.EXE > nul
                          4⤵
                            PID:2876
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2DF8A~1.EXE > nul
                          3⤵
                            PID:2628
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:3056

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{04971852-ADE7-4ddd-ADF5-0906D328B470}.exe
                        Filesize

                        168KB

                        MD5

                        424218c5cbf6cad9ead3d0a47eef2401

                        SHA1

                        c06de9e2ee766e09cd9ef3480f8d048f0a331e85

                        SHA256

                        87213fb145d8ff3602747af1d2babee4ffd44675f8522ac09805d91de5237d1f

                        SHA512

                        c5ea7b885b42282ecc464cf53228d04edb75830089ace81ea76afdecd38eda8947e44d7e0957b1cdb2adee9e6122a185675640108aad5469ec76b9fab983b42a

                        Download Submit

                      • C:\Windows\{04ECD480-9B55-47cb-893E-6932E20A463A}.exe
                        Filesize

                        168KB

                        MD5

                        c2a988ba0f692f7c5856f5ec3a0537b7

                        SHA1

                        cac52086cbf74d402ec1959da0be140cb1e0526c

                        SHA256

                        c71cc8c1ac73ac8ddd51df99b215dbee3eb21c1d149ec0521cf833bdf337328f

                        SHA512

                        f1e29c58497c3a7bb6a4a602255f177c39962f19fe4f6fdbd30bc207ddcd76fa8cb1c01a5d07f161861329bc09d0c3ca5f34ea34403bfea45276f0d0a3345174

                        Download Submit

                      • C:\Windows\{2DF8AEF8-5F5E-415f-8820-8AFFE58BC4D4}.exe
                        Filesize

                        168KB

                        MD5

                        593923fad5d063c5e7bf3a82a8208a0b

                        SHA1

                        2dbc0f88261a7185a1660454873ea9b276d4c2b5

                        SHA256

                        d46bd060c7aeb8a334785eacdb078bec753e454139d3c3236825a0de78788d2b

                        SHA512

                        55f3f98966fc0351c4d1a15ee38b6ab88bbc6aa955bf0a5d20d262e67abb42e5439cb8bb3c9d2402704a00abd4bab84db3c5f5568b9ba3d247f249522dc99392

                        Download Submit

                      • C:\Windows\{341071BC-5949-47a8-BE79-4EBFD10C9E4F}.exe
                        Filesize

                        168KB

                        MD5

                        8503f3d236e182085ae0a5b9c74aae1c

                        SHA1

                        0ff7be9961a64793f7496f241466bca522938e83

                        SHA256

                        4b5b13d424a43e9569d6fd3bda01e20ccfc0dd9999f13bd230e0e6edae664fc3

                        SHA512

                        629b0166b5b88e3504a1ef1ac9937f6412983bc7a09b1dce9508cb775c48d9f3bf416e23569716a25a72fe376398ab0c94dca4f335024de182afe427d789bae1

                        Download Submit

                      • C:\Windows\{62A25060-76C3-45ec-A626-EAA93E966D6C}.exe
                        Filesize

                        168KB

                        MD5

                        79bc9de2a79a112619051abceb099adc

                        SHA1

                        22ce63e40adcef9babf5fc644774bb79ae4f5ac1

                        SHA256

                        76774cff175f6dc02b0eee1a57b84825928fab72ce754072a18e25c179b6345e

                        SHA512

                        c756d82c17521bbd22fb0b21aa62229e69cd118d15db917497ec174510ad9b53d85af0c8c87102316882697a053f34774ad418b4a363d82743da77c8eb4f88b4

                        Download Submit

                      • C:\Windows\{87B47819-F75C-4724-9B9A-6D1360C4AFF7}.exe
                        Filesize

                        168KB

                        MD5

                        16db4944e2e105aa1d46e94e9756296f

                        SHA1

                        ceb006a52eaa84d09a7ba0d4d13fad12f46d5cf1

                        SHA256

                        3ac899b553fc6d651e982acefcb2b99832537fb2153b809977a44895183c1b4b

                        SHA512

                        b7fafa02d5cb575af7e806ee73947f5ad91fdd6b8ac9bffa68f89eb8c56e42f60cfbd26796b9ddfaa96317d201549f948911fb37f883fbf289af0c19290505f5

                        Download Submit

                      • C:\Windows\{8F94D4EF-5A18-445a-82D1-9C66D6EA1F0F}.exe
                        Filesize

                        168KB

                        MD5

                        689fb5f3e414c1183fc38f02a672afbe

                        SHA1

                        e2201841f4a4219dae1f3b945e8a6962ab8628ac

                        SHA256

                        76eda751f746dfd94327d3dc9aa82431b005d54009ef808e0ee4b0d0bb55fa32

                        SHA512

                        c0fc7c86d6d239e48cc72409dde22f8acd0948a86da5b3421e5d3ca4f7b15d4d12dd057df76ff01343a5a52f9dbb1a5fba48c03db8d63c9efd9268ed5796d983

                        Download Submit

                      • C:\Windows\{9D40D83C-FBAB-473b-B4FF-AB17212A1B5F}.exe
                        Filesize

                        168KB

                        MD5

                        d48404eb0547954862b0425b14f483d7

                        SHA1

                        0412e87043e052f6d8fd35a33ac090eba22b3e75

                        SHA256

                        39822399567cbeff029c3d0d036495da407b093567d2260768927c638cd218ad

                        SHA512

                        d39c3da2c35cb4f0e1436c89d75101ec18549e55d8849eae3ac0c0afa5a7042ee11a8d59187d52370427e6082d230b8441a3bfa072f08a0274abbb3a19bcbfc1

                        Download Submit

                      • C:\Windows\{9E922B73-DCAF-45f0-BCEA-BB0D5DF24619}.exe
                        Filesize

                        168KB

                        MD5

                        003713e6323f5e94089cd83c02e15024

                        SHA1

                        1ae3d57a792a96d7326b2159abb4805894595501

                        SHA256

                        cd447b979731b4470d5bbcfd150318ce6b1281615a35f0107520ded667fb3675

                        SHA512

                        28ee5537accbd0cdaf61687457a6c3bcedb3d61d651bdf2c35a87ea034f6e0be06de41fbcf22a7f388e7633c3bc363fbe65878e16c9b7e657a723b9cd3ca25e0

                        Download Submit

                      • C:\Windows\{BC995298-4E62-405a-A6D6-12F4A880E146}.exe
                        Filesize

                        168KB

                        MD5

                        0541f0d896ce280cd06e384551473d62

                        SHA1

                        cc455a5df2d6127cebffc6424e7fb0fa93413623

                        SHA256

                        6b3a35e01b9921ba90bfb6dc12781afc12e0ad42b2404246f6ee5a728e3acf01

                        SHA512

                        af90da2ba63711e1e3056b74e6efd3918fb81370c9f5e1b535dffc310b694c22e22cc4803b6b7948d4fe339a689f12e172fb425748dd87eb7369138d25f7d956

                        Download Submit

                      • C:\Windows\{ED408C42-5DF0-4b33-B462-AED387F401FD}.exe
                        Filesize

                        168KB

                        MD5

                        fa56891a8185927a84fa6a1dd2e568e9

                        SHA1

                        05624eec35a6612c5fe4e276e5acf8b49859bc20

                        SHA256

                        4705d9e46b03fa0e92c57a25791c4a28a0a0d3a3cae47efd40bba02dc3f5127e

                        SHA512

                        a39915f515772b103e58b7b1fe70255cc669dcdd1080fc9a97dfd01c46e494e675ec873fa9e1f42c8caec5c242d49a0b7199960ed0913bfb37296db92ac01805

                        Download Submit