Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-06-25...ye.exe

windows7-x64

9

2024-06-25...ye.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    25/06/2024, 10:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe

  • Size

    204KB

  • MD5

    e842df2e149d65afcc8e40a43d7ce684

  • SHA1

    575594b48341bc6ced47314c0e3bbc43ccb2276b

  • SHA256

    17df57b00bf37994bcb9fdb61ee02bce1f0eeaf87c6e130d77630ab33c57cbcf

  • SHA512

    5b442f23b41ca36b4dfc41bd5635c6078ffc096291ae5a48d27d480fe975ae1085d0194df820ff131e91a2fbd993ea25edcf03a45af50b49916acdb781de3015

  • SSDEEP

    1536:1EGh0oJl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oJl1OPOe2MUVg3Ve+rXfMUy

Score
9/10
persistence

Malware Config

Signatures

  • Auto-generated rule 11 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-25_e842df2e149d65afcc8e40a43d7ce684_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\{CAD8214C-C4D6-48f8-8DA3-695E6689493A}.exe
      C:\Windows\{CAD8214C-C4D6-48f8-8DA3-695E6689493A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\{B2302A2A-3AF2-49c8-B2DF-74373133B2B7}.exe
        C:\Windows\{B2302A2A-3AF2-49c8-B2DF-74373133B2B7}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\{6A6243D7-9BC9-4795-99EC-C1640393A5A4}.exe
          C:\Windows\{6A6243D7-9BC9-4795-99EC-C1640393A5A4}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\{B38288CB-F48D-44f5-BC5D-0564C1CB010B}.exe
            C:\Windows\{B38288CB-F48D-44f5-BC5D-0564C1CB010B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1692
            • C:\Windows\{6A9C76F2-E930-4fcc-833F-7C244607F714}.exe
              C:\Windows\{6A9C76F2-E930-4fcc-833F-7C244607F714}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1856
              • C:\Windows\{AA110502-FBE4-4234-9D63-8E9171D50CB9}.exe
                C:\Windows\{AA110502-FBE4-4234-9D63-8E9171D50CB9}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2308
                • C:\Windows\{6914447D-20CE-4e78-B9B5-A992BD42232C}.exe
                  C:\Windows\{6914447D-20CE-4e78-B9B5-A992BD42232C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1752
                  • C:\Windows\{56F7AEA1-A401-4321-9D08-947B40BC7531}.exe
                    C:\Windows\{56F7AEA1-A401-4321-9D08-947B40BC7531}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:580
                    • C:\Windows\{AB0AF7E9-8C72-445e-B264-E3647A623B06}.exe
                      C:\Windows\{AB0AF7E9-8C72-445e-B264-E3647A623B06}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2696
                      • C:\Windows\{A6D88CF4-EF00-47b5-9B9F-C244F92FB86B}.exe
                        C:\Windows\{A6D88CF4-EF00-47b5-9B9F-C244F92FB86B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2768
                        • C:\Windows\{2D6CD512-0D70-4acd-929D-74254F6AB3C3}.exe
                          C:\Windows\{2D6CD512-0D70-4acd-929D-74254F6AB3C3}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1696
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{A6D88~1.EXE > nul
                          12⤵
                            PID:620
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AB0AF~1.EXE > nul
                          11⤵
                            PID:2508
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{56F7A~1.EXE > nul
                          10⤵
                            PID:2616
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{69144~1.EXE > nul
                          9⤵
                            PID:1292
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AA110~1.EXE > nul
                          8⤵
                            PID:536
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6A9C7~1.EXE > nul
                          7⤵
                            PID:776
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B3828~1.EXE > nul
                          6⤵
                            PID:1944
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6A624~1.EXE > nul
                          5⤵
                            PID:1564
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B2302~1.EXE > nul
                          4⤵
                            PID:2428
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CAD82~1.EXE > nul
                          3⤵
                            PID:2712
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2640

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{2D6CD512-0D70-4acd-929D-74254F6AB3C3}.exe
                        Filesize

                        204KB

                        MD5

                        9bc56524dff1536fcc5fc453ba9a5715

                        SHA1

                        1e0065d0677da027531ff3cbf1966b8c8de0609e

                        SHA256

                        33dcf3f3d8b00cfb3dafa8e64c40244239d2bc3701293e7c95b2a982d314f10e

                        SHA512

                        b084f57e0ede7214eeace4904a6d04637400a5882f7aceba3524cff8f5d9c74eda342525654a33288503c63952c6e88ab55dc90040b25074699ccdc877525bde

                        Download Submit

                      • C:\Windows\{56F7AEA1-A401-4321-9D08-947B40BC7531}.exe
                        Filesize

                        204KB

                        MD5

                        d74652dd9f53728e29704a6457212fbb

                        SHA1

                        197b7d1ae54f61923c082cb56d3c3a2edb8f38e3

                        SHA256

                        47a343273373cea0dd3a4fdd6d1bf88e70f8e99d07e2b84be6a218a1b77f4351

                        SHA512

                        6560dbbe2a5bff037846a1b46332cf974af2316e747699e07481cf7e64db844a7e1887e5fdac471eee149186a88b9cfe995f128f4493d96c3f1b79bb0d56f089

                        Download Submit

                      • C:\Windows\{6914447D-20CE-4e78-B9B5-A992BD42232C}.exe
                        Filesize

                        204KB

                        MD5

                        70520bdd07be73b6974c00102d7d4a38

                        SHA1

                        3a677282b1975f13ff54ef6677f953c0291c88ae

                        SHA256

                        16b3363e52bb24cae6ca288a9c538451ffdb1735dd42ddf8fff411d8eaa4af2c

                        SHA512

                        bb1e73b247b106ae8097e47a91753246da3447c4dbe43fdf3bd6a9516847e6eb672bcfc7798f65e503727adebf9152cfab2a6ffbde7f8b43e3cadb0e17de59c3

                        Download Submit

                      • C:\Windows\{6A6243D7-9BC9-4795-99EC-C1640393A5A4}.exe
                        Filesize

                        204KB

                        MD5

                        73e36c020ba0bfd814b2607376b54b1f

                        SHA1

                        a06c580bb2a6b6ec62f8794be215224e35290987

                        SHA256

                        46b69beb451c28b41317d5d63473229435afc829c632e4e0fc425c0ecf7ab85f

                        SHA512

                        272f4cba71993588efb1fcb01ee4b41d6a138306bfb3d9db4f2eb66e07e787cd804d0748b6b8c5628142ebb9b605e60db5165a7c20590d1089bf468017b5263f

                        Download Submit

                      • C:\Windows\{6A9C76F2-E930-4fcc-833F-7C244607F714}.exe
                        Filesize

                        204KB

                        MD5

                        2613801f049434d640ca73be4445cf23

                        SHA1

                        a1d45f6ff33ad424e269bcc8ea5ee820467e0682

                        SHA256

                        d379e977ee956773d0e21fda5dbeca2d6d74973f36bd3bbda229eae3afbf8888

                        SHA512

                        5c84a7247f210f07244ef0ae7e10e4cb2ee2b07cce843ac0f2ca2b55f1ea1b036c08c7bef1a722f96becb0737998d124c04342aa2f7ec36df5792c45d318be5b

                        Download Submit

                      • C:\Windows\{A6D88CF4-EF00-47b5-9B9F-C244F92FB86B}.exe
                        Filesize

                        204KB

                        MD5

                        408a4187d2641746db4b010d76f1b0d5

                        SHA1

                        30fb214966c861faf4b78f7b8ed38d71eb9ccf09

                        SHA256

                        f16f8163f64241af6cd618fd62475783c2b442c7f781125052cc1dce37322c03

                        SHA512

                        1f02dd86ae7533589cbe5cb8a81bff7b10c1e75038ae3f0784b6cd3e9327e226502f5f51c7c150db2988d3e644cbb37c23f2b9fdece22a5691c7188697384e8c

                        Download Submit

                      • C:\Windows\{AA110502-FBE4-4234-9D63-8E9171D50CB9}.exe
                        Filesize

                        204KB

                        MD5

                        00a23b14c4978f37d1a85c19d185a641

                        SHA1

                        3caa8e6c762cf9e4271e80b4a4d66cba574575e8

                        SHA256

                        e277401f5474f5e089b701b2886b0cac514979c1464b941222ab92d4bb0143b2

                        SHA512

                        a2a6f5f167a2c2bf1b652d01e77c84879c39c430bf4e02c025798e351489bf0998a38015f3a00f9273332e97c5f798227c7ce50ed27a5de3449402819bcec28b

                        Download Submit

                      • C:\Windows\{AB0AF7E9-8C72-445e-B264-E3647A623B06}.exe
                        Filesize

                        204KB

                        MD5

                        97fcd12fb9bc2814905347a607a540f7

                        SHA1

                        aeb53bf49c8474616a09466c429a15757ae1fd27

                        SHA256

                        c260f8cde3e67a02a946162debee67beb27ed70670e9e79e34b80ccce2fe4d93

                        SHA512

                        c3a49f16650f7de661a2964529a57b61c713cf7f9e7371f15ed25187e81457f1e47e42591a30491c8a8d2638fd153a2763a46fb0becaac80ddfa7b4f931c3c3f

                        Download Submit

                      • C:\Windows\{B2302A2A-3AF2-49c8-B2DF-74373133B2B7}.exe
                        Filesize

                        204KB

                        MD5

                        eaf19dd0bb4ded4f5b47583df83d16c8

                        SHA1

                        f6c37dfa7222cbc013d0a7179e98f9db385b5ce0

                        SHA256

                        d10ea00a66710b2d1241309a78a064bab990a60ded65484f1c7a874d24433b41

                        SHA512

                        86801e2951bb8d6613acb9d82f7fc9b4e21dfda5bc50a027d4355d1042a389721e2bde4c505f65a757a1ff582613ce6d560a353f64795f701b085546c0580cad

                        Download Submit

                      • C:\Windows\{B38288CB-F48D-44f5-BC5D-0564C1CB010B}.exe
                        Filesize

                        204KB

                        MD5

                        ecd302dd40aba9f29c329676c3f2670b

                        SHA1

                        f85382d395191041ae4d8c238bbae5b22aa59eb8

                        SHA256

                        2383395135f73c9c15f2d85a04cf3725b7107bf8e08710e98fb949a774a01999

                        SHA512

                        a3cd5b4ffda8f9c34d20ec2bab707e771ea9074410f4093b451122b4212d3fdb9ac1ea7be6ea262d1cc239352c27dac1c7e23bc817268990bf42706be98347e1

                        Download Submit

                      • C:\Windows\{CAD8214C-C4D6-48f8-8DA3-695E6689493A}.exe
                        Filesize

                        204KB

                        MD5

                        912c57f936c56769b5adcded1412d429

                        SHA1

                        d7cad48203d1371f244d31d2c2f867e56f075fdf

                        SHA256

                        96c53875971bb7b094ec3c398548d1413213cb8c8912921548e33b5dd0b2a819

                        SHA512

                        8f08bbd0460c63c1b6653de343298f7269675e2ccdb3f26979893e82787c07c91a648c95b43ab712a15342b779f1ea5d6e3aa724352aec0171de3ac356adc0c7

                        Download Submit