Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-06-24...ye.exe

windows7-x64

9

2024-06-24...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-24_967bf0a45c55b443bdc00c8d5667fbfe_goldeneye.exe

  • Size

    168KB

  • MD5

    967bf0a45c55b443bdc00c8d5667fbfe

  • SHA1

    052c944b5801fdf63751b561bb970d676108efe9

  • SHA256

    177eaae3c62e10d2edb9952de087b2d0657377b7d778fc90422673535da54391

  • SHA512

    797b4ace057f3e5dad73864c562d15042bbf86539040b8270455943f351eb55344132f149c75d64e34d2cc9ba9d4e83edfc488beb4f47847265f0fb0d9947ac3

  • SSDEEP

    1536:1EGh0oylq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oylqOPOe2MUVg3Ve+rX

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-24_967bf0a45c55b443bdc00c8d5667fbfe_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-24_967bf0a45c55b443bdc00c8d5667fbfe_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\{FFA7AD09-5D52-46a8-A92F-83F254C0C148}.exe
      C:\Windows\{FFA7AD09-5D52-46a8-A92F-83F254C0C148}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\{F0EEC369-91D1-4691-9D4B-82F291504953}.exe
        C:\Windows\{F0EEC369-91D1-4691-9D4B-82F291504953}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4616
        • C:\Windows\{ED157924-CC10-4adc-B21B-C6860C5AE716}.exe
          C:\Windows\{ED157924-CC10-4adc-B21B-C6860C5AE716}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\{D6DDB17E-4DD1-4ebf-90FC-375C23F37D8A}.exe
            C:\Windows\{D6DDB17E-4DD1-4ebf-90FC-375C23F37D8A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1612
            • C:\Windows\{D3889642-D400-4bfe-AFF2-931427BC0839}.exe
              C:\Windows\{D3889642-D400-4bfe-AFF2-931427BC0839}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3916
              • C:\Windows\{69DE93CA-C170-4106-A531-BD10D60293C8}.exe
                C:\Windows\{69DE93CA-C170-4106-A531-BD10D60293C8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2348
                • C:\Windows\{D4EA96BF-8DA6-4e7a-870E-0526E0B5A8F2}.exe
                  C:\Windows\{D4EA96BF-8DA6-4e7a-870E-0526E0B5A8F2}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3816
                  • C:\Windows\{0BC7779E-74D3-42cd-BFB7-04B205D0644A}.exe
                    C:\Windows\{0BC7779E-74D3-42cd-BFB7-04B205D0644A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1820
                    • C:\Windows\{D1FB8351-FF9F-41fc-ABF0-B74E95C4B732}.exe
                      C:\Windows\{D1FB8351-FF9F-41fc-ABF0-B74E95C4B732}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2372
                      • C:\Windows\{57026389-CA3B-4529-8F80-85A5F82BE2F6}.exe
                        C:\Windows\{57026389-CA3B-4529-8F80-85A5F82BE2F6}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1244
                        • C:\Windows\{E2F5FD48-9D67-494d-A59F-8586F1E651AF}.exe
                          C:\Windows\{E2F5FD48-9D67-494d-A59F-8586F1E651AF}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:4140
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{57026~1.EXE > nul
                          12⤵
                            PID:1568
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D1FB8~1.EXE > nul
                          11⤵
                            PID:2120
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0BC77~1.EXE > nul
                          10⤵
                            PID:3672
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D4EA9~1.EXE > nul
                          9⤵
                            PID:4128
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{69DE9~1.EXE > nul
                          8⤵
                            PID:3612
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D3889~1.EXE > nul
                          7⤵
                            PID:3108
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D6DDB~1.EXE > nul
                          6⤵
                            PID:2880
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{ED157~1.EXE > nul
                          5⤵
                            PID:1856
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F0EEC~1.EXE > nul
                          4⤵
                            PID:2328
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FFA7A~1.EXE > nul
                          3⤵
                            PID:2372
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                            PID:2344
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
                          1⤵
                            PID:4284

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{0BC7779E-74D3-42cd-BFB7-04B205D0644A}.exe
                            Filesize

                            168KB

                            MD5

                            70ab9429e40f56350b4d0383b477e7b7

                            SHA1

                            c8b1a1de29ae67c58dc749f507aa21a99947d8c3

                            SHA256

                            2474fe4a6bdce045c929e74601a6e646b64cfb9151f156415e33d20c6b18efab

                            SHA512

                            5ff2f1bbcd2e0712ceb49c00a33d92bf74a3d3e1b247c5c488978d5386ab33f3ee55b36b58b3a564c2f65e81c8881d609ab5acb0abdbb5a89a95d4a467608be3

                            Download Submit

                          • C:\Windows\{57026389-CA3B-4529-8F80-85A5F82BE2F6}.exe
                            Filesize

                            168KB

                            MD5

                            d434544e1e871a6d6aefc50ea684886a

                            SHA1

                            1c62c6915025ff6c711a4df5cca11481cc08bd67

                            SHA256

                            85c831ca1a6f06461246e3891420cf6e4804e5238f09a6df5fe66d588cc01a2d

                            SHA512

                            273f0502135feabffabe9dc09d14ea166ad99a19f92de0c93274655a455d6b4cc6ea322f0648b9f4e74fd9a790dba5a4d1e2b632c4b72f44ee88f8c14ab9ba2c

                            Download Submit

                          • C:\Windows\{69DE93CA-C170-4106-A531-BD10D60293C8}.exe
                            Filesize

                            168KB

                            MD5

                            6963d543608695b04bc8367d0b411557

                            SHA1

                            d073767dd0e6a23f62d3b3e994d55cc105311551

                            SHA256

                            ca010a495ded5607bea1ef0ac879f979e022be2ce8f5622f13c94c6ae9bca48a

                            SHA512

                            880a27d00b80e18ece6f98f9ee5a53f99bb19f57dc3b48cec1d25da93cec0f5f95b5903a6a9924bbba248282e22c7c6c26de68c901351086713651725370225d

                            Download Submit

                          • C:\Windows\{D1FB8351-FF9F-41fc-ABF0-B74E95C4B732}.exe
                            Filesize

                            168KB

                            MD5

                            b1529e6f31173d4a3db9586b0c07d7bc

                            SHA1

                            1805195e4a6320f94367806e77565ee6c69edae8

                            SHA256

                            65c12426c54502b1c0edcccd1e02a38be864fa415a85b03c3a5789c299f2bad8

                            SHA512

                            780aee4b204dbde304fc07f4bb2bb3c9077aee60d5740da637a0472f75948514365e6a362060cba1212183697cfff32852f69a085177e822fe368c9121394c61

                            Download Submit

                          • C:\Windows\{D3889642-D400-4bfe-AFF2-931427BC0839}.exe
                            Filesize

                            168KB

                            MD5

                            caa12efa25241947eb66acfd4762521a

                            SHA1

                            3121be3a7b9a8b82e2d9dae12dc0f505454010f3

                            SHA256

                            01f6838bb292086e6c591f86e395f53d83f7cd3547f2521b1a24db4116299dca

                            SHA512

                            dcfa7d8e4c1db89f6902aeffa8d785a20cb93d3a9b42afcfff566420aafa1edc4a42a40ff9901d8209ec5772f9672f1b2792374a72dd7c7dca3da4396178dcc4

                            Download Submit

                          • C:\Windows\{D4EA96BF-8DA6-4e7a-870E-0526E0B5A8F2}.exe
                            Filesize

                            168KB

                            MD5

                            561d2ad1e7d5f44528c99f403bcf7e8c

                            SHA1

                            5c33211b5c114edb4744803983fa75a124a350ac

                            SHA256

                            0691ffb2347c2ee7274239f58cf06cb2fdc5c0c9705f91b796da45d8375923ca

                            SHA512

                            1c2c9677a5a3868b5f9d0dbd00d6e0b094c7359e896137081837e9193a3cdfe76a0c4c479a7d0bc4c6632f8d5e0c8a9d62e7594f58af95cf1485093c020f0dde

                            Download Submit

                          • C:\Windows\{D6DDB17E-4DD1-4ebf-90FC-375C23F37D8A}.exe
                            Filesize

                            168KB

                            MD5

                            d2b4230a3945cad3a4ba6ca9bf2740b6

                            SHA1

                            771b4f97910761c99e1843f829bc32aba1873f2e

                            SHA256

                            243cf80ffba089214002085cc9e8fcdba46e647a011c2d97be65a73b29bc7911

                            SHA512

                            cc1ef7f98c264be8483e5633dc8900eb8ecf38a848307788a21c3959a10343f81e56d6cafa16a369343562d12f650accd18f067ae92cb7a8f0d3a1fc1be2008d

                            Download Submit

                          • C:\Windows\{E2F5FD48-9D67-494d-A59F-8586F1E651AF}.exe
                            Filesize

                            168KB

                            MD5

                            214db8e3cb917eea55fbac94664df176

                            SHA1

                            91f8c0953384090a5e86b7c1f5e9b5fc6432dc1d

                            SHA256

                            207ba01edae2f8094ab3f3e07806842649defe58450f340d786b812c6045969f

                            SHA512

                            4da8ccc59499d2f537d35b1931b04e471c1b22e299c3a3982b262e3f2ecc31ee7af3b70c46cbcedd9185302345537d2ecc1a86b28e4bc024169e0e7c6dbbc476

                            Download Submit

                          • C:\Windows\{ED157924-CC10-4adc-B21B-C6860C5AE716}.exe
                            Filesize

                            168KB

                            MD5

                            b2f47cade7debc826d08012621ce27c6

                            SHA1

                            667d2950cef8b5362d1e2fc4c67b22880af879ae

                            SHA256

                            0551d64d4ee387cd67dedffb5817a36eb99bb84752a0dad565d1515d44bf033a

                            SHA512

                            eb525c2a9a7ce98f9bbdfad0fc21dfc068391cec291e449e872afda227131375b1b5ca930111545b12d1e96e2889058034ce44203f392d975626470a750d3905

                            Download Submit

                          • C:\Windows\{F0EEC369-91D1-4691-9D4B-82F291504953}.exe
                            Filesize

                            168KB

                            MD5

                            691c6b3338e2e3cac32d64a859142be7

                            SHA1

                            37c29b448f522baea77be508d8b7b932d84fdb2a

                            SHA256

                            d281916fd649444edb6577f765d9687e1c9227d667615b2350abee4ca81f1e6e

                            SHA512

                            fd00817351b497b74f325690ade31beab9160b277a314588a86d5c5a3ff592788cbafa2c172ede9eb7a0d0c1ed85b1d0a0c1743cf87fe58519fadd2470c9e380

                            Download Submit

                          • C:\Windows\{FFA7AD09-5D52-46a8-A92F-83F254C0C148}.exe
                            Filesize

                            168KB

                            MD5

                            b7a12ee2e25e05e92959741285dbaf6f

                            SHA1

                            682acf7b145c44d7cbdc6fb3064257cfff2c193d

                            SHA256

                            ca646ea5c1cdd72be02d6bad9bebae78f3a8d7fb99ae2eef1c1b7c2f8bb5194f

                            SHA512

                            2eff61a5b7b9729dcdbfbecf4370fbe7da0c2d86b17f9613bdd4190cf4a27bea3632aab6012d921cbcc1c8dd4cc217217fcc41d574e8bc1089e5e7cebb1f2d5a

                            Download Submit