Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-06-24...ye.exe

windows7-x64

9

2024-06-24...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    24/06/2024, 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe

  • Size

    344KB

  • MD5

    227d7b377cff96068fbb75ee0c57b572

  • SHA1

    a5d1142c3b040452a796057988829216613f7b7a

  • SHA256

    a6bc704a2097160cca4ec3d5e71e22afccca9ed47e57d5e789248dc5ac2dcf3f

  • SHA512

    5402b1e324f3c7d4ee99720c6fdea35d4a9ef0507e2a1d7c556eac8f519cc8dec85b88d84b0db9acc7b19903cf0539d30139b835bf1facffa3129bfcf4df2b0a

  • SSDEEP

    3072:mEGh0oHlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-24_227d7b377cff96068fbb75ee0c57b572_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\{7DCF3296-796A-497a-8647-565073A58DA5}.exe
      C:\Windows\{7DCF3296-796A-497a-8647-565073A58DA5}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe
        C:\Windows\{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe
          C:\Windows\{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe
            C:\Windows\{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Windows\{D61DD46F-6D96-498f-AB66-560A6070469A}.exe
              C:\Windows\{D61DD46F-6D96-498f-AB66-560A6070469A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1988
              • C:\Windows\{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe
                C:\Windows\{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2360
                • C:\Windows\{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe
                  C:\Windows\{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1708
                  • C:\Windows\{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe
                    C:\Windows\{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1904
                    • C:\Windows\{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe
                      C:\Windows\{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2852
                      • C:\Windows\{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe
                        C:\Windows\{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2332
                        • C:\Windows\{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}.exe
                          C:\Windows\{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:640
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{59B90~1.EXE > nul
                          12⤵
                            PID:588
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{39390~1.EXE > nul
                          11⤵
                            PID:540
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{82DE1~1.EXE > nul
                          10⤵
                            PID:2328
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0485B~1.EXE > nul
                          9⤵
                            PID:1664
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4E16B~1.EXE > nul
                          8⤵
                            PID:1736
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D61DD~1.EXE > nul
                          7⤵
                            PID:952
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BB84C~1.EXE > nul
                          6⤵
                            PID:940
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{719CA~1.EXE > nul
                          5⤵
                            PID:2796
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0A13D~1.EXE > nul
                          4⤵
                            PID:2868
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7DCF3~1.EXE > nul
                          3⤵
                            PID:2688
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2396

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{0485BC84-DAF9-4deb-8010-E68132652DA5}.exe
                        Filesize

                        344KB

                        MD5

                        15dd62c11ca89f32577609166d649f86

                        SHA1

                        b6239ce81f480ff5dc6fa426fdafb5c336854352

                        SHA256

                        33a246b289779912ecb4fd6f41b31603acfe1e51e94e52dc88c2e1bcee8d4af3

                        SHA512

                        0bc111f3d04f19f158a367ea2cb10a80ee0a2dd17513c31d4eab40cd198b4ae277553ee5fe2ad8c97bcd228145b7b1abb354e0fba6761883fa48a06bace9f923

                        Download Submit

                      • C:\Windows\{0A13D7B0-BACF-4501-9C3F-6872A43D9BBF}.exe
                        Filesize

                        344KB

                        MD5

                        ca825449638ef9e611a6f764c67c7f25

                        SHA1

                        17e2875f6788a52a788b11f05cff953fdfa4d3c5

                        SHA256

                        254cab64ee0139c7587506ac8dbbf383d5cde619a4e57d358e7945e143c85a10

                        SHA512

                        4179e467423201fc663dcf6b3cf8679e0a2065dc61fe0626bff7754e91588ae54e5eb44444a4eb75350609c13f58b81a8002ffd4cf05d3d37008ad6f3efe1b55

                        Download Submit

                      • C:\Windows\{39390FF9-A955-4e8e-BCF6-4BD97D87DEDE}.exe
                        Filesize

                        344KB

                        MD5

                        f8d5291da606b8e94339d1558c7af8c6

                        SHA1

                        3fad2fea10ac97addf4d56e4e4c69ea213c9d07b

                        SHA256

                        4143c36c2ede93a9903897590099be34ffd32a36f8bc1f5545eb3e66123f4cb4

                        SHA512

                        38167ca4c6e44fb526b2147e5415550c780d7fa2febfa371498aa6ff7554b80ca6665934a77205c279680d78b6d6f710c6440d2819c55ee86792c1b5c9e0285f

                        Download Submit

                      • C:\Windows\{4E16BF41-8474-4b87-A1C2-F3BF7FBA6E85}.exe
                        Filesize

                        344KB

                        MD5

                        5a3436717f6f2e2350c9b8e630c032e4

                        SHA1

                        d2e6faeb62c14aaf61a7ea42a2bf94051fa14615

                        SHA256

                        15f6c8bf5594794e1db7f07ce418d1445b691b17fe6ce6048b515ca3684aa0fe

                        SHA512

                        a480940ef3d18f31b9524386a8e71f815ae0f20f595eb6808fdf827847dc03abbc7389f6bf8d969131d2a3c03df4ec10525936c15326aff3270eea6791877b61

                        Download Submit

                      • C:\Windows\{59B902D6-68AD-469f-9F52-39C21DBD4BA7}.exe
                        Filesize

                        344KB

                        MD5

                        edc4e679f4574a3053f1f4e532a8502c

                        SHA1

                        6501ed6a4f6b9cb92dbbe679595963085cbd672a

                        SHA256

                        0596e4faedd1d934ef586db86436201ad50cbe71ad93497da1632dae62614060

                        SHA512

                        22b22ce9a3c8943660fc59e0435ed752dd1e1cd78f8789c343289f7f21cb753ea8f7e3754cc03491f0b74af9b910c9828a6440730b45fe82cd2a7f519e51bfef

                        Download Submit

                      • C:\Windows\{719CA3B5-7BD1-4895-9CCF-80F7586D789C}.exe
                        Filesize

                        344KB

                        MD5

                        a5a171c6f282d8614b59562fc709601a

                        SHA1

                        8380e64727df1f976bba3a23f320732942ada310

                        SHA256

                        f6858296662a0ba53b5cb3f868aea769b203573f3a64a08f7af42c98188c5468

                        SHA512

                        86634f1dce46ed47ba2be31b1d819faeafc9371f5c5da3e997163e714d531a3900bb3c35776b59b324e8650cf8c308abdf24252814f8f41adcdaba66a48a7cb8

                        Download Submit

                      • C:\Windows\{76D8F7EF-B8DE-4e02-9866-BDFF9900E592}.exe
                        Filesize

                        344KB

                        MD5

                        a089ad975b0e21aef67511ac51ad6567

                        SHA1

                        31ce128b5ab24b0b6406626fce4102f14959e19c

                        SHA256

                        45ef968a2549c6570d7f8c6648e036f180c15f11d1d8b3d95dd3d4950d078fb5

                        SHA512

                        143de9f9dd7c5764d646b515501d3e8628b86785df934dca3bf78ad4fa68ec52c51e6aaa2815b86afdd409f6671dc04bd229c4cccbb6bbf7d6e4c03c3baed12e

                        Download Submit

                      • C:\Windows\{7DCF3296-796A-497a-8647-565073A58DA5}.exe
                        Filesize

                        344KB

                        MD5

                        e525e93e51eaff6545b0066931cbc29f

                        SHA1

                        bfc300cee5c098abd0b8eb1ed5ffa2033a45c76c

                        SHA256

                        2602b325bac4b9834f02f0d69c1191093cdcd3b84f96cdaf529e28b63bf5929d

                        SHA512

                        de9c163d89abfaf1488dc4466369e92fd588aa20af22cb5c1fba2ad67efaf27a705400327b97cd5e53adbc3c819c9103e1f01ebced911ac3fd420e6b973421fb

                        Download Submit

                      • C:\Windows\{82DE1B80-9304-4c12-B967-DEFD138CDFDF}.exe
                        Filesize

                        344KB

                        MD5

                        ac3ca3d9a77fa161536de523f3d86aeb

                        SHA1

                        746349b34b9f0041aba546bdffb79629b5c1f60f

                        SHA256

                        a161296ebb0915b7b3947923099ed46d79d8b04c2d8a6dbf7cdc4c3dfe24f81e

                        SHA512

                        71b6a4ca5010b9f23e9e7ce1c662c327a0f8beb4a792ba0cee8f3d6c54b1232bca351776de7ed2d76f71c78ebc962352d0ab1ff408639a1ea9383cfd43d0786f

                        Download Submit

                      • C:\Windows\{BB84CCB2-012E-4e75-BAE5-F9345CB78FDD}.exe
                        Filesize

                        344KB

                        MD5

                        2cb8e6a1b26f48445fd9334e6ad05de9

                        SHA1

                        c4a41a4a78546de0209cb2dfdbbc805476e3f85d

                        SHA256

                        72a11baf3fc8a684ca0aed0394eaf8377f0b93ae537f87f2cb9d9299f85458ad

                        SHA512

                        41063f9fe5f82c1bd38dfd8e36d79178dcac4410cfdd7188ba855241def9b031795165ef0c4504c10736e63123b605135102b091cec691a3b21976b7486a136d

                        Download Submit

                      • C:\Windows\{D61DD46F-6D96-498f-AB66-560A6070469A}.exe
                        Filesize

                        344KB

                        MD5

                        07c9fdbe5dba5a3738ad054ea7d5f908

                        SHA1

                        82bd8ebb5c90cbc8e1bb5fd36bdd0757c26aeac3

                        SHA256

                        6576e94eec72820d9d71f31198b27c8d5dc3a381c57ab1859295a0a4610fb298

                        SHA512

                        c8c7797bacf075e7c7171541bb3ca6149e7b47ce6f0b3eff3b4e70cf628b408631e002ad4ceccf8462be9f4a3a16917cfd7113c61db0d5f68f019124635113d3

                        Download Submit