Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-06-24...ye.exe

windows7-x64

9

2024-06-24...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    24/06/2024, 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-24_967bf0a45c55b443bdc00c8d5667fbfe_goldeneye.exe

  • Size

    168KB

  • MD5

    967bf0a45c55b443bdc00c8d5667fbfe

  • SHA1

    052c944b5801fdf63751b561bb970d676108efe9

  • SHA256

    177eaae3c62e10d2edb9952de087b2d0657377b7d778fc90422673535da54391

  • SHA512

    797b4ace057f3e5dad73864c562d15042bbf86539040b8270455943f351eb55344132f149c75d64e34d2cc9ba9d4e83edfc488beb4f47847265f0fb0d9947ac3

  • SSDEEP

    1536:1EGh0oylq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oylqOPOe2MUVg3Ve+rX

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-24_967bf0a45c55b443bdc00c8d5667fbfe_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-24_967bf0a45c55b443bdc00c8d5667fbfe_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\{DC508A35-0910-4e7a-88DC-45973E17DC06}.exe
      C:\Windows\{DC508A35-0910-4e7a-88DC-45973E17DC06}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\{F0C8F3FC-0E5B-4d1b-AE65-1FAF94FE52F2}.exe
        C:\Windows\{F0C8F3FC-0E5B-4d1b-AE65-1FAF94FE52F2}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Windows\{26E77711-A642-4c80-8F60-66A6C409436A}.exe
          C:\Windows\{26E77711-A642-4c80-8F60-66A6C409436A}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\{52FD406C-68C6-42ca-8E4B-8CD38A09951A}.exe
            C:\Windows\{52FD406C-68C6-42ca-8E4B-8CD38A09951A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1864
            • C:\Windows\{BDDF6B15-BD0A-4f29-8F62-E94EBE4DC926}.exe
              C:\Windows\{BDDF6B15-BD0A-4f29-8F62-E94EBE4DC926}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1460
              • C:\Windows\{89BF531D-E516-407e-8209-B9CCDDD98AC9}.exe
                C:\Windows\{89BF531D-E516-407e-8209-B9CCDDD98AC9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2896
                • C:\Windows\{A682471C-366C-48c4-8400-21CAC1BE29D5}.exe
                  C:\Windows\{A682471C-366C-48c4-8400-21CAC1BE29D5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1076
                  • C:\Windows\{C20D1D31-0AD0-480f-8649-EE8C967C1BB1}.exe
                    C:\Windows\{C20D1D31-0AD0-480f-8649-EE8C967C1BB1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2564
                    • C:\Windows\{AC1F6F59-6582-4601-A429-12AC39DCC921}.exe
                      C:\Windows\{AC1F6F59-6582-4601-A429-12AC39DCC921}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3032
                      • C:\Windows\{11672AFB-78C4-46b7-88AF-5E8C6CDA8C67}.exe
                        C:\Windows\{11672AFB-78C4-46b7-88AF-5E8C6CDA8C67}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3048
                        • C:\Windows\{814690F1-6176-437b-BC60-8353FE440038}.exe
                          C:\Windows\{814690F1-6176-437b-BC60-8353FE440038}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2108
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{11672~1.EXE > nul
                          12⤵
                            PID:2236
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AC1F6~1.EXE > nul
                          11⤵
                            PID:3004
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C20D1~1.EXE > nul
                          10⤵
                            PID:920
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A6824~1.EXE > nul
                          9⤵
                            PID:2852
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{89BF5~1.EXE > nul
                          8⤵
                            PID:2536
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BDDF6~1.EXE > nul
                          7⤵
                            PID:2544
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{52FD4~1.EXE > nul
                          6⤵
                            PID:812
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{26E77~1.EXE > nul
                          5⤵
                            PID:676
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F0C8F~1.EXE > nul
                          4⤵
                            PID:2528
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DC508~1.EXE > nul
                          3⤵
                            PID:2600
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1152

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{11672AFB-78C4-46b7-88AF-5E8C6CDA8C67}.exe
                        Filesize

                        168KB

                        MD5

                        83fb647744c4a07192b79fe24f0524ff

                        SHA1

                        44e57fd58f44731503cc715f4615821a32620176

                        SHA256

                        a62247fc02ed40d91a4ea7cd923f2ad5331b1f47ac5a2751aba6630b89d26b1c

                        SHA512

                        f71fd5d81e7844262c0507d7e4a56be106f34a021e8d0a7d616045b4e1d17103a68305360b1b3e38a2b493a91a1c4244589e9dd308fffa8a078fe8d6db7afa47

                        Download Submit

                      • C:\Windows\{26E77711-A642-4c80-8F60-66A6C409436A}.exe
                        Filesize

                        168KB

                        MD5

                        768645a9313515bd0c209140a5c9337b

                        SHA1

                        ec04525aa0c52ab5ba83dbcf2dff8fe7568709cc

                        SHA256

                        0b8b1b465acab3442d6d289b4fadd2b0cb94cefa18208622c49f7fff8aae006e

                        SHA512

                        44af46923cb3535912b46107e5f908c84eaf1679ceaa36512b17490b632204c1ad4c0baa57b84f2dd4e9f515417d203ded16c4b60f9757a4fee6467af9d5bb11

                        Download Submit

                      • C:\Windows\{52FD406C-68C6-42ca-8E4B-8CD38A09951A}.exe
                        Filesize

                        168KB

                        MD5

                        929b7322e7762ab4571c0d905fd47d76

                        SHA1

                        74be090f74b8a4a0846f6e768eea37044893e5c2

                        SHA256

                        395819956f5652e3edf64dd02dbc771b4fcf68ff64e0894d9bdbde37d7c7b6a7

                        SHA512

                        aca241606ab70fb17f9d450692b4527f0849e5d5b2f46b6873e6e6ce67e8dfc011f0c1d583c02a5c4e9cbf9d3572f9346b991db42b255ca8071b280a73f7a09e

                        Download Submit

                      • C:\Windows\{814690F1-6176-437b-BC60-8353FE440038}.exe
                        Filesize

                        168KB

                        MD5

                        cebd008b540d150ca4caf6f9732f89f0

                        SHA1

                        c34f8a8a352299bb2263c3d6e1ff55bc4feafbf4

                        SHA256

                        7aabb47ab027c623a691f23a1fbea8f1570cb5acfe605f7569280857d4364d0a

                        SHA512

                        477f8a82fce2ee24d6d235edcf164764185292cd4b735bf4f57d79fd80048f99d6fb722594b2aa69641a777d6cf2ef71970238bc4380a24210b02748ec01a1b1

                        Download Submit

                      • C:\Windows\{89BF531D-E516-407e-8209-B9CCDDD98AC9}.exe
                        Filesize

                        168KB

                        MD5

                        885de19611dce37715527404f7a862fa

                        SHA1

                        0054de92b8e7325e552a113d3f961e775d969232

                        SHA256

                        2a164ecc1f60dfad5f6cfe4b01d9f4d1379a117e02406a131c41de6bf02f55ac

                        SHA512

                        515d85d454eba253d35706e58b50b9c525442f50cda1b897874e7a39c15837c203c8689410dd54b0d0b257bf399a96da7a4d85a2d623a4ca1ca11c0c94599ef3

                        Download Submit

                      • C:\Windows\{A682471C-366C-48c4-8400-21CAC1BE29D5}.exe
                        Filesize

                        168KB

                        MD5

                        5f56ddcce38e0da348729d30a50266a3

                        SHA1

                        19ed918bd01a6d3602f9c9bb26aff9153a0be238

                        SHA256

                        8d8c0b7e45865eef8e7052d0b8e0c6a58595b591d9cacd2e525340821cd3dee8

                        SHA512

                        415da620cb46633716b6bea7cbe7226672ff2e2ccb9e3e80416e2508c1be969e2b447727ee3e7e062c4b3ec8388ad4135dc398962a4dcb4534286c742b4fcbec

                        Download Submit

                      • C:\Windows\{AC1F6F59-6582-4601-A429-12AC39DCC921}.exe
                        Filesize

                        168KB

                        MD5

                        b08c61694c925810d7b836805383922d

                        SHA1

                        aa1ba3a4f42f5fb22ec5cd7ee5b0161d1895ad48

                        SHA256

                        6db64a0c13519dad2d6c28cf1881abb447b525a138117a009e19a2801a8a216e

                        SHA512

                        88c2f013bd5158e15aaba3dc68ede0de74a1917a88cdd6c868934104da08c49aa1398745a8dfe58a2e05dac2247ae7761d883eb18a433c7da27a19a87a8f5ad0

                        Download Submit

                      • C:\Windows\{BDDF6B15-BD0A-4f29-8F62-E94EBE4DC926}.exe
                        Filesize

                        168KB

                        MD5

                        5aa75e7bb9bc3e8163a758dc75a74030

                        SHA1

                        e9916548f236882edd1a0fa184531125537ea5be

                        SHA256

                        58c09144e6a31a7d4889c290c9c7f6af97b1f8330a4087ee2b8c8c101e4d2d5e

                        SHA512

                        3922688e59634b3b7262d147bdeee67dc3b5a5260a0219395c2306aeb41373945a2055a8e00b76d6c41d883a1d6b2168c9038375fa7cc93bdb28e6e84da292f8

                        Download Submit

                      • C:\Windows\{C20D1D31-0AD0-480f-8649-EE8C967C1BB1}.exe
                        Filesize

                        168KB

                        MD5

                        60a9f20298e2ff263425c24154773cfa

                        SHA1

                        a98348ff191dfb6dd4c1b9f87a0a51fd42789637

                        SHA256

                        40dd227294e05ecfeb3c2466b3dc003b65a2960965bbf48a8cbd536ec67040a6

                        SHA512

                        d0a87c697877f8ea3781a92151f36073858641cd7867b530edbebc9f29448e6faa7161142478857b6f57c7d4fc4d267906d90a5e5ffe8acff1e79298456faad0

                        Download Submit

                      • C:\Windows\{DC508A35-0910-4e7a-88DC-45973E17DC06}.exe
                        Filesize

                        168KB

                        MD5

                        e2bfc1d697a30cd0ae0c791fef9b64d7

                        SHA1

                        1b179fa067c08c1fe4adca12c9b196b407ec76c0

                        SHA256

                        197e11455a0b7731ba794b10c63d99ea084c7420f76eb2723cbc1a878e253b5c

                        SHA512

                        3f4e2df1edfe0b635a601187d281eda18faf0c34b3814ec36bc74247f5e4d74b53dc5dab69b44bc7c012d8ef1c76555d6db674c5c88add93cfe17d962fb98629

                        Download Submit

                      • C:\Windows\{F0C8F3FC-0E5B-4d1b-AE65-1FAF94FE52F2}.exe
                        Filesize

                        168KB

                        MD5

                        81a5ac051bf9a128158926b52681c977

                        SHA1

                        dea63ea75dff5bc5ea5f3ec534c9f4465dfeaa0f

                        SHA256

                        f2b9c4133e58b4e7527f421a8f382727e8dda69f392e3f51a0f52c4e89f4f0a4

                        SHA512

                        4a70f5b1fe6966039813cd72791856733755ed9ee877540b96135bfd3e325a5a9a7a3edbdfc3ea210b085cebf612da2ae38ef7b29f90c64f412e1ff6a07f20b3

                        Download Submit