Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-04-16...ye.exe

windows7-x64

9

2024-04-16...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16/04/2024, 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe

  • Size

    216KB

  • MD5

    b8680a52977490ac4a1841252c0a2dc8

  • SHA1

    9dd2384cb5b1e0ca2ed1fb921e6345875f9f18b5

  • SHA256

    344e49da626af3c7b2f9ed75611263c42ccc9ff465ff49623a02faac18e74e79

  • SHA512

    51b7f5e92bcbec9238a1c6cd7fc0d0593eec867a709c6aab600596d8ea2d9e86bac346cca1e22b8fec36ed5634269d33d396161c152508ed80acf1680dc93f3b

  • SSDEEP

    3072:jEGh0ogl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG2lEeKcAEcGy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-16_b8680a52977490ac4a1841252c0a2dc8_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\{30A5A150-65B6-4d14-9DCA-6A8E1FF5F633}.exe
      C:\Windows\{30A5A150-65B6-4d14-9DCA-6A8E1FF5F633}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\{8092D12A-5F46-4e36-9438-C09424A89E1D}.exe
        C:\Windows\{8092D12A-5F46-4e36-9438-C09424A89E1D}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\{7FD21884-B811-45bf-9370-CEA1E55F0105}.exe
          C:\Windows\{7FD21884-B811-45bf-9370-CEA1E55F0105}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\{B16094BA-0DAF-4428-90C3-BCE7123C87E0}.exe
            C:\Windows\{B16094BA-0DAF-4428-90C3-BCE7123C87E0}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1712
            • C:\Windows\{1DEE586F-3AA5-44e8-80B1-022CBB8E5191}.exe
              C:\Windows\{1DEE586F-3AA5-44e8-80B1-022CBB8E5191}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2776
              • C:\Windows\{17EB31CA-169C-4581-9AFE-55DBB287D977}.exe
                C:\Windows\{17EB31CA-169C-4581-9AFE-55DBB287D977}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1584
                • C:\Windows\{5A7AD4B4-D652-46ec-B5D1-073C1A6AA23A}.exe
                  C:\Windows\{5A7AD4B4-D652-46ec-B5D1-073C1A6AA23A}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2460
                  • C:\Windows\{2652EF15-A0AA-49c2-8D2A-DA4EEFAF7109}.exe
                    C:\Windows\{2652EF15-A0AA-49c2-8D2A-DA4EEFAF7109}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1480
                    • C:\Windows\{967EA5A1-2A32-4261-905F-BFBB103BD9D3}.exe
                      C:\Windows\{967EA5A1-2A32-4261-905F-BFBB103BD9D3}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2348
                      • C:\Windows\{DBB7DF40-F0C8-4904-BB2B-5636186A3B7C}.exe
                        C:\Windows\{DBB7DF40-F0C8-4904-BB2B-5636186A3B7C}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1996
                        • C:\Windows\{FC7AF1FE-3370-4058-A794-4DBAB80DB898}.exe
                          C:\Windows\{FC7AF1FE-3370-4058-A794-4DBAB80DB898}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2956
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DBB7D~1.EXE > nul
                          12⤵
                            PID:2288
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{967EA~1.EXE > nul
                          11⤵
                            PID:1492
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2652E~1.EXE > nul
                          10⤵
                            PID:796
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5A7AD~1.EXE > nul
                          9⤵
                            PID:1176
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{17EB3~1.EXE > nul
                          8⤵
                            PID:1352
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1DEE5~1.EXE > nul
                          7⤵
                            PID:1652
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B1609~1.EXE > nul
                          6⤵
                            PID:268
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7FD21~1.EXE > nul
                          5⤵
                            PID:2608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8092D~1.EXE > nul
                          4⤵
                            PID:3064
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{30A5A~1.EXE > nul
                          3⤵
                            PID:2548
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2632

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{17EB31CA-169C-4581-9AFE-55DBB287D977}.exe
                        Filesize

                        216KB

                        MD5

                        b2dd144938e754718b6f1508981733a2

                        SHA1

                        fb18906ec73f20f4d72ec0970c79127140da17a4

                        SHA256

                        54f9a320757d2630316e3a95a0640e9e2b4f1ba65097820558ae3d8b8541ac0b

                        SHA512

                        47aab0d9e874bd5c825bb020df66fd42e154a46b91242ccfb6dd693a29c05a871610f23822653b668dd66a53ca4f715c67c41b0fc1ed300f09be18a0440dc0f2

                        Download Submit

                      • C:\Windows\{1DEE586F-3AA5-44e8-80B1-022CBB8E5191}.exe
                        Filesize

                        216KB

                        MD5

                        e4d3ddee20969f5ce5557311a7499548

                        SHA1

                        b6460b57050d4497868c77977c2c36bbc76bc530

                        SHA256

                        17955e5bcc2659efc8de807fb56606c4a4059f2a2c44e71ea17f021c9264c50b

                        SHA512

                        624b8968c020a46ed9912c7e268b0fc2fb46cfc338bf315b9fe6798dbe972beb354bdfaa67f3099df3dcc9db26d645c3ed92b40e5ec6fc2c0a4ebc8f84773b71

                        Download Submit

                      • C:\Windows\{2652EF15-A0AA-49c2-8D2A-DA4EEFAF7109}.exe
                        Filesize

                        216KB

                        MD5

                        3d724c55d29dd630604934ce8e603bc4

                        SHA1

                        e67ad521063707e667551301a6820000a2856cc8

                        SHA256

                        4121780e378859fc46f15b09d9bd5ccf0c32dfadd206837fcab11f503b43bd3d

                        SHA512

                        650de1724768f76456273147b39d5c2a4b26f5c6a9fb4f8edc8e36ad913cf2b980a0df131b4b043b55ed2dda6237b0fbab4c4d692781e0ceca3f05dd5410c0ec

                        Download Submit

                      • C:\Windows\{30A5A150-65B6-4d14-9DCA-6A8E1FF5F633}.exe
                        Filesize

                        216KB

                        MD5

                        368ff049ab9c6fdd9853dd272d13d21e

                        SHA1

                        a3dbfe8aee2926554962b5b2592200871433d1d2

                        SHA256

                        904a1963e40b4d323c1035ca5df19651dd5939d9351f7cc4c37d6cd212321c1b

                        SHA512

                        34812b2ae321061b25ed7af46422c0b35959821b99742e93954a276610ab19c9c832ad68b93a1b57c3b04b41a028336c64f27b58bbed15c8c63cd8a7a12ddf83

                        Download Submit

                      • C:\Windows\{5A7AD4B4-D652-46ec-B5D1-073C1A6AA23A}.exe
                        Filesize

                        216KB

                        MD5

                        486b07dd965c1f484a6b8c444c147c1b

                        SHA1

                        29ac62dfbb4159755f47232b23d3428132236699

                        SHA256

                        05dd4054b464d70c5134cc590f20a778fb2057ad31e068df801fa74efa9de728

                        SHA512

                        ddc0ca77d5afdc5966b2966e90650413c91f7fff1b7de1ca285543b7c74f01a035e25d358567c7f6df7ca9d4347b66870e8a08e367afb26671b738b1892ddb09

                        Download Submit

                      • C:\Windows\{7FD21884-B811-45bf-9370-CEA1E55F0105}.exe
                        Filesize

                        216KB

                        MD5

                        f0bec3cc1fe4013571b27f03f0cb2735

                        SHA1

                        3374c9c98ccc9cc5eefdcaed193142d5a8c3951b

                        SHA256

                        3d61fea317dcd4a76ede2f3b95dfdf7355dae8c9afc5fc936fab44e4a8d829ae

                        SHA512

                        684d179523db5290c6299bc6105ab484b3ec7402c89b220a7d3b92174c06eacf1455c631b645cf9cd48a47eebddefc42ba95f8c2db04668a03f809d5c1e6903c

                        Download Submit

                      • C:\Windows\{8092D12A-5F46-4e36-9438-C09424A89E1D}.exe
                        Filesize

                        216KB

                        MD5

                        2d1ba78369a49d17b830fd9dd0f92248

                        SHA1

                        b9d07151d883086b967e9697c2e58f4fb8c8aba3

                        SHA256

                        1f4a21ad9e47e23933963b51517c6c454cb7b67790af1ed4241e7bdb413f89ed

                        SHA512

                        aa1fd2f6e4835464dc8114a8b44d147f5ccced136b9a2b8b1f4b1ee59caf54c459722db63a1af571082c6f2d7a4407c6e9d13a7a8502b7bee000f8b7d01ef1e3

                        Download Submit

                      • C:\Windows\{967EA5A1-2A32-4261-905F-BFBB103BD9D3}.exe
                        Filesize

                        216KB

                        MD5

                        ee8c673428bcb75491b0ca4cbf2b0097

                        SHA1

                        33956bc2f235c1b4fe394c439cfdba3a23e1bc13

                        SHA256

                        fa0e14a9b4fd84cca5c4ee19e7c3bab1aba6191206690c644e1052b8aeef9c75

                        SHA512

                        2ab6f51bbe1dd6ab9ddeba35e8c94a602599e80a9dae46d6c5ed67bb0885bf199d1456975a92ae1e783e5c4387cd79a2e2074be5ecfb21da38d0db065e7171d7

                        Download Submit

                      • C:\Windows\{B16094BA-0DAF-4428-90C3-BCE7123C87E0}.exe
                        Filesize

                        216KB

                        MD5

                        11781c01ff1de1c78b6fa5acb9acf984

                        SHA1

                        def446d9300fc35d8f819c634a60380ffdeff76d

                        SHA256

                        5fa1c16c1d305ac0797872e3d444b6cb42899bf43e52049b4a93df02fc11ab25

                        SHA512

                        91b86c8700e9a4113bb5cf0077824cbde5bbeb3198476ed243eacbfc64ce3e957795e9ac7a3d31e41a6be6506bab8b3b1cbaee5e6092e1121aa0569c544a382c

                        Download Submit

                      • C:\Windows\{DBB7DF40-F0C8-4904-BB2B-5636186A3B7C}.exe
                        Filesize

                        216KB

                        MD5

                        ba74cdf1486d66266196f7817ab052e5

                        SHA1

                        a11e36b40fe5fbcf9cb79a8cd65da57cabbd7410

                        SHA256

                        f9aefbe35bd6ad382e05a5fa8562763fee9df678b952f0f5abb0ebb159e13099

                        SHA512

                        800f381898edb9a668019fa4e9c1fdbab966443fa9511b4807815605caae69691e4a92570fd7db37190ba26732422fe2d3bd15cda6e0cb4c5f3164b5a4fa488c

                        Download Submit

                      • C:\Windows\{FC7AF1FE-3370-4058-A794-4DBAB80DB898}.exe
                        Filesize

                        216KB

                        MD5

                        bc565663a24ed37f872ade32373d9849

                        SHA1

                        410adb760c25797355322fa28337760cc57fac1f

                        SHA256

                        dc1d3716c7239002e160fd7bf9e50598d991a593cd123affafe066b94fe2cf23

                        SHA512

                        c77d62228e01a8fd602eb39e4c2d1230a0c0149832d05e6ed0c0e72ae98e5b662c2c9d78e4a4696acd742c6818c91a00816db1d907bdddcb286303a1fee09895

                        Download Submit