Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-04-11...ye.exe

windows7-x64

9

2024-04-11...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/04/2024, 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe

  • Size

    204KB

  • MD5

    1020dc73c0c855fec71b874dbbc91613

  • SHA1

    cee58f17626149ec83bd88d72140407929ed2d7e

  • SHA256

    87ea24086f194ac2b65e5b9e0feff7c8971d20479d2e542a7ebc612ed143b986

  • SHA512

    cac24170fc90f9681d54c8cffefc33b95db1d324768a6938d803175e90718216db1772cd5791de7df474d3a60656990436e10314a6883000a50b1cbda0c2f012

  • SSDEEP

    1536:1EGh0ohl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ohl1OPOe2MUVg3Ve+rXfMUy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 12 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-11_1020dc73c0c855fec71b874dbbc91613_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\{F3FA0521-E2D7-4f2a-8E7A-2464B88246EC}.exe
      C:\Windows\{F3FA0521-E2D7-4f2a-8E7A-2464B88246EC}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\{EB1EC8AD-1A33-4263-BF98-E070A3DBB154}.exe
        C:\Windows\{EB1EC8AD-1A33-4263-BF98-E070A3DBB154}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\{3A229243-7C13-4d56-AC09-FD361B7489BC}.exe
          C:\Windows\{3A229243-7C13-4d56-AC09-FD361B7489BC}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\{3DD612F8-7443-42c2-ACD8-4C0F52B63978}.exe
            C:\Windows\{3DD612F8-7443-42c2-ACD8-4C0F52B63978}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:588
            • C:\Windows\{F1192391-93E9-44cf-B54D-CB60DAB4ED2C}.exe
              C:\Windows\{F1192391-93E9-44cf-B54D-CB60DAB4ED2C}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2064
              • C:\Windows\{E1A667CF-0FE5-4cf7-B60D-785C7288F4B9}.exe
                C:\Windows\{E1A667CF-0FE5-4cf7-B60D-785C7288F4B9}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1604
                • C:\Windows\{7FCA5336-9711-4a7c-ACEE-EB9B3B7ED7BE}.exe
                  C:\Windows\{7FCA5336-9711-4a7c-ACEE-EB9B3B7ED7BE}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:456
                  • C:\Windows\{F838FEE1-2449-46f8-AC31-E13ED6CCA4B7}.exe
                    C:\Windows\{F838FEE1-2449-46f8-AC31-E13ED6CCA4B7}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2716
                    • C:\Windows\{29250603-BEED-465a-A134-FAABB5620713}.exe
                      C:\Windows\{29250603-BEED-465a-A134-FAABB5620713}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1204
                      • C:\Windows\{0CCF83CB-A3A9-4c81-806C-6385ACCB26D4}.exe
                        C:\Windows\{0CCF83CB-A3A9-4c81-806C-6385ACCB26D4}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2928
                        • C:\Windows\{E76DDF7B-9102-4c42-BD8D-660413641DC8}.exe
                          C:\Windows\{E76DDF7B-9102-4c42-BD8D-660413641DC8}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2304
                          • C:\Windows\{8916BFCE-182F-4b86-A3D4-45C606CB42DA}.exe
                            C:\Windows\{8916BFCE-182F-4b86-A3D4-45C606CB42DA}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:956
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E76DD~1.EXE > nul
                            13⤵
                              PID:2828
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{0CCF8~1.EXE > nul
                            12⤵
                              PID:1640
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{29250~1.EXE > nul
                            11⤵
                              PID:2792
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F838F~1.EXE > nul
                            10⤵
                              PID:2004
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7FCA5~1.EXE > nul
                            9⤵
                              PID:1272
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E1A66~1.EXE > nul
                            8⤵
                              PID:2172
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F1192~1.EXE > nul
                            7⤵
                              PID:1412
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3DD61~1.EXE > nul
                            6⤵
                              PID:2256
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3A229~1.EXE > nul
                            5⤵
                              PID:560
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{EB1EC~1.EXE > nul
                            4⤵
                              PID:3036
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F3FA0~1.EXE > nul
                            3⤵
                              PID:2452
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                            2⤵
                            • Deletes itself
                            PID:2628

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Windows\{0CCF83CB-A3A9-4c81-806C-6385ACCB26D4}.exe
                          Filesize

                          204KB

                          MD5

                          739d5f131f1ff280fa7b905b030613c4

                          SHA1

                          1f96fc729e8f049eb67f1caf0e8dd73dad04b70e

                          SHA256

                          25e4fdd01c271763e5e933d4413f5694f730e993c6f597ef040826f08651422b

                          SHA512

                          381daa6980b61a4609777a1facc87f77426f503ef5b654a4ca5813d04ea3dae858a7e0b16a40de9bd429686440f62b526d8a13c367fb0a12d8c78eb397dd6a61

                          Download Submit

                        • C:\Windows\{29250603-BEED-465a-A134-FAABB5620713}.exe
                          Filesize

                          204KB

                          MD5

                          202ae36e4b9d76f2e372fbd1724e59d2

                          SHA1

                          3df9971325d1c68f767f42d6ec7fbb4a1d85791c

                          SHA256

                          3fdd6afdb6f5550d4b4523392e9b94ffdf14852225a519f89f63fdbee1bc1256

                          SHA512

                          2466beaf762aed3a84707f6b17057d759f536309eed815d7412f41a5b0bc04006564a91cfa8af78691daac23cbe8892eb02184f42f93d6908b34a4b9ce930bcc

                          Download Submit

                        • C:\Windows\{3A229243-7C13-4d56-AC09-FD361B7489BC}.exe
                          Filesize

                          204KB

                          MD5

                          9d21d6c2b224def221fbeffb70a76a0a

                          SHA1

                          162c50e6ed45c1c9f72bf37aed0d076f11d14357

                          SHA256

                          7e7c10bafeff0dd1e1f019c3239b809f43840812b5272378f0baf29b42fe4ec8

                          SHA512

                          048a91b2ab51f68f36dd2d10697a86a372f839fd1596a69f22184f06009af0a6ebedbb7d4efe468ef4eec3178489b6040b4ddf31bc4f6a4e5c6b0c5f7508fdf4

                          Download Submit

                        • C:\Windows\{3DD612F8-7443-42c2-ACD8-4C0F52B63978}.exe
                          Filesize

                          204KB

                          MD5

                          0b281b6ac1b23aa83a1ae739fc483bde

                          SHA1

                          b4edd540f656f45f0891dc7c906a554326b0cc4e

                          SHA256

                          fb82bdc814eeb10fded79d29ffe1455d8c22267b6f61e04edcbe7270711545d7

                          SHA512

                          264b6bf436a62b260fb71aa34dae1efd867994ad0750c01cecd29cb50c49c886459c1c85b4eddf893c2b977d338cc7ffed3ce3335d950bc06fb0dacbc825b996

                          Download Submit

                        • C:\Windows\{7FCA5336-9711-4a7c-ACEE-EB9B3B7ED7BE}.exe
                          Filesize

                          204KB

                          MD5

                          7b26adea14161b606adea71f3560634c

                          SHA1

                          97b3e1d69c5da19e87e1b29e8d8a319dfcb67a07

                          SHA256

                          420d77af0980fec9c7dd030c4d484f77c2dc18b30bd8bd9597648e9701bbdc04

                          SHA512

                          b6414e3481ab36e905627741d3b5068a4caff84f114f1d293e9cea00fda4bfee341f7060721e0bb983a46baa797cc2fca22ddaa17f56b8568c640c615d7f9569

                          Download Submit

                        • C:\Windows\{8916BFCE-182F-4b86-A3D4-45C606CB42DA}.exe
                          Filesize

                          204KB

                          MD5

                          8d3fb41bd2c5d8f6b3406d8f81038b76

                          SHA1

                          8238d7b5beeb505d46d85609ff66883c7b81e86a

                          SHA256

                          2eca9e28afb48296ff36935254259a35c08d25ccbef0ed95920b6b67ebe2bff4

                          SHA512

                          6f4589adb9c34b9acd798ee17fe324c9720f0b6638986942c13885d35bc77294713d1eab20afb6f4738f9c98a26e45fad1802cfa18da88a5670cd6f12a1eaa82

                          Download Submit

                        • C:\Windows\{E1A667CF-0FE5-4cf7-B60D-785C7288F4B9}.exe
                          Filesize

                          204KB

                          MD5

                          bd7008d3aafb0ecb728af10ebe5e6a91

                          SHA1

                          3823eee30ede6a587208a6258ead7bd5fbac0dbf

                          SHA256

                          f7ad778471d526062f7d96ecce03e9a690d56c11b628709fa37546d8f0449a1c

                          SHA512

                          7b0ba8212ee261fb5b503389a25240b9cb5a43b02daa060d5f0a71298bacc175b5582043867c21098aa95fa56f737dcac76bab94a893c94cbab5b123daffd66c

                          Download Submit

                        • C:\Windows\{E76DDF7B-9102-4c42-BD8D-660413641DC8}.exe
                          Filesize

                          204KB

                          MD5

                          759212e6e4b2a8cae4c6939b859f7bbb

                          SHA1

                          820963657ef58f40324c4454ae27227b7312aa72

                          SHA256

                          50e5634257e979eb778587f20c4dbd315656bc41a02d3c71584a1a36bcdca16d

                          SHA512

                          ea2fc644ac91e5afc6f2d9842182c85858f36fbd8ea58761a9295ba710179b45ed2cd029a440d658055e3a229d0dee9a5381c7f5296abe0698281eb5913a3d44

                          Download Submit

                        • C:\Windows\{EB1EC8AD-1A33-4263-BF98-E070A3DBB154}.exe
                          Filesize

                          204KB

                          MD5

                          77fb042954f9c88cbd11d9e493777e86

                          SHA1

                          bef139c9ccad3ac00715936c389db1ba300b24b5

                          SHA256

                          83062e588a2c08b2cfd91d9ef6e6bc1544b691125e05c2abab6c1b57dccc0aad

                          SHA512

                          dcae4bfaa33daba9fadeb949749d575aa2277685d03b5df162b6547f93ec4586da1dfbf89a84450318dc8bfa301c9107924a0e1e37169a21a5fb3414c361370c

                          Download Submit

                        • C:\Windows\{F1192391-93E9-44cf-B54D-CB60DAB4ED2C}.exe
                          Filesize

                          204KB

                          MD5

                          88e83f35e7123844734af7e98328ae88

                          SHA1

                          b9d7a8f8e471897a6db5ed6246d0bcaf8a867651

                          SHA256

                          85b9261039ac523c76653b671e811d91f85ed18b5a2210056e9ef3ed791cbb78

                          SHA512

                          1d9c9344513b89941f0203902cec28ee7616a4bde51693818bd5c909724e8dfef980d93638e321bb6f7c78fbca5682e39ee684754e379cee161ee0fd5644ac3f

                          Download Submit

                        • C:\Windows\{F3FA0521-E2D7-4f2a-8E7A-2464B88246EC}.exe
                          Filesize

                          204KB

                          MD5

                          fbbf090423fc0884bde5ae21f9efc134

                          SHA1

                          93a7cbc06c1448db456fe8126a661ef5b6c3189f

                          SHA256

                          cd3458322309358eebe2b2a667dc5e2ee22e95a902cac351a5a969521d309b88

                          SHA512

                          d367bd6104dde8c76defc57099b1a64b9bf928b5a0278563099d954484d1b07505df9ec6e8cfc7ee3edacd9e12cfadcf336cb000bdef7f4b4c560e94225d6192

                          Download Submit

                        • C:\Windows\{F838FEE1-2449-46f8-AC31-E13ED6CCA4B7}.exe
                          Filesize

                          204KB

                          MD5

                          74c95f0b0f9988f3575b9de14b1a596b

                          SHA1

                          35e9ad92cbe19259abef70777bc3c234c06327b5

                          SHA256

                          5587cc09e8c14539d84907afc551be0e25703dca1fb6f3c2e6811e8bb0d45ce1

                          SHA512

                          f3c3b178f396bf182c73f69ade138ad9fa10be5d24ef73d77fce0443d403d5358a10870faf3df0c35b6bb53989216fb4eaddc677d7d995b7fb36bc9628d5c998

                          Download Submit