Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-04-18...ye.exe

windows7-x64

9

2024-04-18...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/04/2024, 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe

  • Size

    408KB

  • MD5

    31cdad6f6ca6b31819b235b0d62adfc2

  • SHA1

    e9d4940c2d418cfd9a3119dcadc9f1b5aba8fa4f

  • SHA256

    454ae04bef06f2201227f29b53c5f1fa9bbf6c4c2412347e801a9b25fe63dd2f

  • SHA512

    04c2ce725f159df0586e90fbca36a7265f3dc5c304bd72a76f75cbfdeb7dae85e63496489cea1fa9277a63bb84bcde251bf1c93849437477ea401c2ebf71bb6c

  • SSDEEP

    3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGJldOe2MUVg3vTeKcAEciTBqr3jy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-18_31cdad6f6ca6b31819b235b0d62adfc2_goldeneye.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe
      C:\Windows\{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\{60C24E0B-104E-4681-975C-F871654B85B9}.exe
        C:\Windows\{60C24E0B-104E-4681-975C-F871654B85B9}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe
          C:\Windows\{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4876
          • C:\Windows\{1C933318-FF2D-448f-8467-581F5272F0CB}.exe
            C:\Windows\{1C933318-FF2D-448f-8467-581F5272F0CB}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3976
            • C:\Windows\{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe
              C:\Windows\{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:116
              • C:\Windows\{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe
                C:\Windows\{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4208
                • C:\Windows\{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe
                  C:\Windows\{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:632
                  • C:\Windows\{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe
                    C:\Windows\{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:384
                    • C:\Windows\{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe
                      C:\Windows\{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2932
                      • C:\Windows\{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe
                        C:\Windows\{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4572
                        • C:\Windows\{F6C337CD-F5AE-4256-A970-D2D50A383FB2}.exe
                          C:\Windows\{F6C337CD-F5AE-4256-A970-D2D50A383FB2}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:988
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A89~1.EXE > nul
                          12⤵
                            PID:2924
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{60B82~1.EXE > nul
                          11⤵
                            PID:2816
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B3302~1.EXE > nul
                          10⤵
                            PID:2016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7E7EC~1.EXE > nul
                          9⤵
                            PID:860
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E36~1.EXE > nul
                          8⤵
                            PID:4496
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D8AF6~1.EXE > nul
                          7⤵
                            PID:4320
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1C933~1.EXE > nul
                          6⤵
                            PID:1132
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EB592~1.EXE > nul
                          5⤵
                            PID:4348
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{60C24~1.EXE > nul
                          4⤵
                            PID:1356
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{20982~1.EXE > nul
                          3⤵
                            PID:4740
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                            PID:2908
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
                          1⤵
                            PID:4784

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{1C933318-FF2D-448f-8467-581F5272F0CB}.exe
                            Filesize

                            408KB

                            MD5

                            27ae2fbced0872bc8862a74e69d6d130

                            SHA1

                            cb969b34556b01b03e3d4ce083b97f6ea243bdad

                            SHA256

                            0873410ec93248b0ee997aad60e4d7230ac0f1e6c5204558cee41031a69d65b9

                            SHA512

                            5b42a233bd9cfeabf124060268695ad3ff747bd0ad2cc8901c47b7c8c1f8b97cbb277795178d3c0a9595860af2f84ec3a9a6a506fe4c003573d9ff1c77a1fea1

                            Download Submit

                          • C:\Windows\{20982204-0D4A-4ea0-89DA-A23208B35A05}.exe
                            Filesize

                            408KB

                            MD5

                            130566922a0a789058addcdefc85a888

                            SHA1

                            e4758119c4e84b5fa04f44160ab7dc243f24454c

                            SHA256

                            4227aa8c33039fa1ad999000dce83a717b86e3e0cbf4cec6958c7cd9289c8618

                            SHA512

                            99880371b572cd2853921a9957c521ed455c536d04f06fce9c75ff0313649c7331754c1582797b8c9a97152356cf84d3ed5904213c46186bbb2c37a3365c1568

                            Download Submit

                          • C:\Windows\{60B82599-E70E-4b3b-8BF0-9960BF3703C4}.exe
                            Filesize

                            408KB

                            MD5

                            486b4e7ed63127cace10683aacb1f4a5

                            SHA1

                            ea2a980e093b1aac005d4569eee23c787737c089

                            SHA256

                            c01abb9dfb9b2207eb21dbf314c774f2352ed25ada185747768b2c17125141c4

                            SHA512

                            d52ecb5995c5134e395f241eb84ae418127bba78b08b438571380d0f6c821e121bb7130db053077f8cf6a728b293590c1661d48ec313b056f5c88e6329bfe54b

                            Download Submit

                          • C:\Windows\{60C24E0B-104E-4681-975C-F871654B85B9}.exe
                            Filesize

                            408KB

                            MD5

                            c10bb6b997a0ad7783005d79c71f48de

                            SHA1

                            631f1bc6cfbeae5359ff7cfbb5b11acacbd22d07

                            SHA256

                            aca9a08f954b1083a94ec75a22b59be9c16afe670a4a4bc488ce07f1967a307b

                            SHA512

                            072d9e8e2f0af3aafc6c8c2df4c0a97c1ece122943ed304f66b459a0f1c37c7d55be19604e31d8538fd1f8711590d1b1f5ae1ba2f1b1eaf44a08466a25e6b5cd

                            Download Submit

                          • C:\Windows\{7E7EC3CF-93EA-4129-8D26-64F1C7AD210D}.exe
                            Filesize

                            408KB

                            MD5

                            de0560378a9b5602c996ce4cb15ffccd

                            SHA1

                            731e31beb7c627edd990f3fa65d9d25f6c409523

                            SHA256

                            c076f97389adcc33d9d854df85acbd7b68b1de921e585b67b181b59d49796854

                            SHA512

                            97b60ae5409f4433429384f508cde2874209fb7d6e9aedf30acde4791d35ad83e1ee9ecaaad1b03db2484ec407a3aa755cf515d4e9b9f7fb7061d604bb732dd1

                            Download Submit

                          • C:\Windows\{B33027D0-9697-424d-90EA-6B9708BE99AB}.exe
                            Filesize

                            408KB

                            MD5

                            87bfd1d84c84b245b5166725b52d8e3f

                            SHA1

                            13b44a1cbbe8f15ef731c1cfda2ab58415d229cc

                            SHA256

                            fb17e0ab9c562d95c9da6462333fa854ed2ab53f943ddd90c843a5d31704fe8a

                            SHA512

                            41056c5f654dde5eb0874c6bccfec1c2ddc26559e3d95a6d6cfb1865a483ab4a5ba47df9b3006382a15cd30cb89290fb75ebba8fdb17cbf0cadc783327b34651

                            Download Submit

                          • C:\Windows\{C2A8952B-E45F-425f-AB1A-B388FDE4F1D2}.exe
                            Filesize

                            408KB

                            MD5

                            af3b25e4e8d33036691ff56c3f0b932c

                            SHA1

                            c1f2691f95c953dbb400808e0194ef6262ac741f

                            SHA256

                            462b05204a34e3c182c88b7e3475c93e38c3a77dd10ba99d9294d3a60e86bdb6

                            SHA512

                            090ce0722b343c401bd63c3f923409e3341fad5f9d03167e8723334d2bddda13f3391adc9b12dd972e75ebb832b4d213e95051819a4748fc75b5c2802921ea6a

                            Download Submit

                          • C:\Windows\{C7E360A8-DB0F-4288-9526-D3D095DC7508}.exe
                            Filesize

                            408KB

                            MD5

                            e82b085dfab085849fd1948f284a3455

                            SHA1

                            14975b9c432cac18c9d5da2b108b1e0db8cc7c55

                            SHA256

                            fe11853a4490d62577c34951623886ee87b156d8b1f6bff34b89c35c25dbc598

                            SHA512

                            3b2397454b887868863b20961752076ccccfb2ff9fc1a1334e565997dd62d012a3130ffcc2d99dbcca62d2eb8698b016e2556475be654e88ccdcf2e38a94b42a

                            Download Submit

                          • C:\Windows\{D8AF6CC4-72A6-4413-AFD0-55B8AD05CDC6}.exe
                            Filesize

                            408KB

                            MD5

                            fcdc9cd7c9a951c7cbad2a0b5be92145

                            SHA1

                            16d637da7646e5fefce4168c54e244aa68b9b10e

                            SHA256

                            d0e4a12bc5f1b50f28efec5d184e5cebc2be378a2312946ab3b5be10935caebb

                            SHA512

                            881e7ed8a3d178b6016f41336ee12dc81bbc11917d47be15251f3662fe0f292943cc515b8fb3e19a07b270c0d7999567ca5f156d5450a81ff83a180edefccccc

                            Download Submit

                          • C:\Windows\{EB592587-7A8D-4b0f-9268-3D36DD323343}.exe
                            Filesize

                            408KB

                            MD5

                            8f0620613ea8c1979aa1bd3326581051

                            SHA1

                            34a105f3567747c6f7b5251571e5661461473d3f

                            SHA256

                            f3fc2c8eb12c22e416df2bfa8c9a7f5e0022a8510d6b3bbf29dc37e976e1676b

                            SHA512

                            f9ca896da075f1dc233c4495f48bac074a1285c64e42591a9ff41aa7578ffe5ce884d260ff6e9aacf73ab0b4288d352268c20e14d9441afe4241869c16dd3405

                            Download Submit

                          • C:\Windows\{F6C337CD-F5AE-4256-A970-D2D50A383FB2}.exe
                            Filesize

                            408KB

                            MD5

                            8f86f5c76c8449692db2ba2c207c9d47

                            SHA1

                            00a57789cc61096dd12ca9e3dfc02a021447c4a7

                            SHA256

                            3ea38e64b0b1d48b327fee5be691611565b136f267437946282e2cddd55c0467

                            SHA512

                            17da7d9bb78f355857964d88247bd76299d2d327eae40fae5f966b9ef11ecb39696ea3cb05442472ad606ac40d3ae56db58ca9915d6d8c901bc4ef44f106277e

                            Download Submit