Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

2024-07-01...ye.exe

windows7-x64

8

2024-07-01...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2024, 06:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-01_9d1fe7d17517bd7369f642e839235c31_goldeneye.exe

  • Size

    216KB

  • MD5

    9d1fe7d17517bd7369f642e839235c31

  • SHA1

    781bdaa49ba7f4629cdf00251be01b2c35c4b27f

  • SHA256

    0867ba00b210a2b2e44f258f9b8fb43a4fb44ca59e0fa3c0c29ebd412c2895ce

  • SHA512

    85b1f3257671ed384421b9a960722dbd3217191fd1fdbb6441699e382505197ae650fe03892d47eb7992b3d7ec5673772652cf3f0e2a752b5f9ee3e33c741417

  • SSDEEP

    3072:jEGh0oEl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGGlEeKcAEcGy

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 10 IoCs
  • Drops file in Windows directory 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-01_9d1fe7d17517bd7369f642e839235c31_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-01_9d1fe7d17517bd7369f642e839235c31_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\{5239B356-5775-4cf7-9B86-11C2CE5E1894}.exe
      C:\Windows\{5239B356-5775-4cf7-9B86-11C2CE5E1894}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\{DCEDF1AC-194B-4b60-A629-AD731063EAEA}.exe
        C:\Windows\{DCEDF1AC-194B-4b60-A629-AD731063EAEA}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\{8E4331B1-A65C-4a41-B18C-0A6952DC87DD}.exe
          C:\Windows\{8E4331B1-A65C-4a41-B18C-0A6952DC87DD}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3176
          • C:\Windows\{CD27FBC6-DDA4-484a-AFF4-89868DA2A061}.exe
            C:\Windows\{CD27FBC6-DDA4-484a-AFF4-89868DA2A061}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4928
            • C:\Windows\{4F755348-6794-48d7-97C3-C65CBB3A8ECA}.exe
              C:\Windows\{4F755348-6794-48d7-97C3-C65CBB3A8ECA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5076
              • C:\Windows\{95BA367D-152F-459a-B4D7-D31658381145}.exe
                C:\Windows\{95BA367D-152F-459a-B4D7-D31658381145}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                PID:1796
                • C:\Windows\{948956D8-E935-428b-9274-DED021B62FDB}.exe
                  C:\Windows\{948956D8-E935-428b-9274-DED021B62FDB}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1224
                  • C:\Windows\{C5D77862-0BB3-41b1-AC52-07FE15B1CE3F}.exe
                    C:\Windows\{C5D77862-0BB3-41b1-AC52-07FE15B1CE3F}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1272
                    • C:\Windows\{E1C40F88-D9C4-4d56-862D-D8D83227267D}.exe
                      C:\Windows\{E1C40F88-D9C4-4d56-862D-D8D83227267D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:384
                      • C:\Windows\{905E0B7F-29EE-4949-84E1-701235E247E0}.exe
                        C:\Windows\{905E0B7F-29EE-4949-84E1-701235E247E0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4912
                        • C:\Windows\{F9967C80-ED98-4d4f-8961-F0E614F0FC0D}.exe
                          C:\Windows\{F9967C80-ED98-4d4f-8961-F0E614F0FC0D}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2216
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{905E0~1.EXE > nul
                          12⤵
                            PID:3016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E1C40~1.EXE > nul
                          11⤵
                            PID:1332
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C5D77~1.EXE > nul
                          10⤵
                            PID:3172
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{94895~1.EXE > nul
                          9⤵
                            PID:860
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{95BA3~1.EXE > nul
                          8⤵
                            PID:2808
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4F755~1.EXE > nul
                          7⤵
                            PID:4348
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CD27F~1.EXE > nul
                          6⤵
                            PID:2016
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8E433~1.EXE > nul
                          5⤵
                            PID:3524
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{DCEDF~1.EXE > nul
                          4⤵
                            PID:4620
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5239B~1.EXE > nul
                          3⤵
                            PID:2628
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                          2⤵
                            PID:1272
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
                          1⤵
                            PID:4616

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{4F755348-6794-48d7-97C3-C65CBB3A8ECA}.exe
                            Filesize

                            216KB

                            MD5

                            284c1d889fc5263e97d6f86a94d6b60f

                            SHA1

                            4a3890468daab87035fbe4a364412c289948a934

                            SHA256

                            e8d6aef2af055f56efc19794209cc885b1e1b19db47a06d64992d9fa9500685c

                            SHA512

                            a25524fd59639a9caeabe0256e648ba6c1785b5827d4591eb514db530a81c17e7790b7fd8b12adec191a960f907d60b6b6b187dd8a22bec38285a3d1f05a3e41

                            Download Submit

                          • C:\Windows\{5239B356-5775-4cf7-9B86-11C2CE5E1894}.exe
                            Filesize

                            216KB

                            MD5

                            d5725a6ed4b958962dd489d471be7e99

                            SHA1

                            8abd5b398f911ca80412c833d3e32bedee002179

                            SHA256

                            d9458909ee5c71eaea70b88866cb494531d946aff413730e8948096358b3b190

                            SHA512

                            85ff959a30ca7c7281fd55303633e4d75dca133e67eb1766da2b78f8dbe27c8f7aa510c47c2d42fb7acf3313c8904fa3a1332bbfc30ed1ac5275b9cc1b753266

                            Download Submit

                          • C:\Windows\{8E4331B1-A65C-4a41-B18C-0A6952DC87DD}.exe
                            Filesize

                            216KB

                            MD5

                            27a646569f113b727c1520b103a1584a

                            SHA1

                            d4b509b780d5a1a55c7f23913627cf22d1fb52bc

                            SHA256

                            8f2e466e0b422f6382180a5d5463dc0437c0822e95220d0fa04efbb61da664cb

                            SHA512

                            07a8e7755f77fc3898accd38e68d8957e4ed849cf6c302fce7091a859ce9788bdda5306289e7a5b496d911d7c48366ee41530a16d61d5575eb942ddb12a50f8d

                            Download Submit

                          • C:\Windows\{905E0B7F-29EE-4949-84E1-701235E247E0}.exe
                            Filesize

                            216KB

                            MD5

                            43400db13ecc0144f62f8b65b81dbaad

                            SHA1

                            415c93833ffd63899815d2b9cbb833f69340db1c

                            SHA256

                            e278f70ffeac20abe653ceabfa1433e45477891dc98c0b7fb5e853a324de4ebd

                            SHA512

                            9d73cf0165f333cd5838896ecc491d6b51010ecd907d08464af8da321111cfdf22437bf573e311a64481a7dc763efd3b6b954630b9a848fc1530bc075bc56650

                            Download Submit

                          • C:\Windows\{95BA367D-152F-459a-B4D7-D31658381145}.exe
                            Filesize

                            216KB

                            MD5

                            b3f84a02e0e92563f4fdd505c32735c3

                            SHA1

                            56e8699aa9b14b0e39aa8e90aa861f9ff3fd8934

                            SHA256

                            a2490675dfc7dc873190687fe801619d5b07a0570fd38e990166238721b1c5cc

                            SHA512

                            e8121d3c6fe3fa9c3d83fde4a4ddc56aa06ab5302209f63c8e96c8d6e70472366432bc43035f39c6069a907dc338e68a96b8077fc7834df41bd6d1c5d971b595

                            Download Submit

                          • C:\Windows\{C5D77862-0BB3-41b1-AC52-07FE15B1CE3F}.exe
                            Filesize

                            216KB

                            MD5

                            8dbc9bf57f78bf8248cc80cbb2d21006

                            SHA1

                            b72d07fd28c57bb78a5744bd8aed3914ab86e305

                            SHA256

                            2886d556580eb304c03365205645a8592bd1f84131c1b598de93d4fcbbb01f12

                            SHA512

                            2c3f88e61e4f98d58afdf076eb15bbd3761587fe4f745739d4e07e2eef4c1881c6c046dcc5abf5e0744645da829e790186f0db3ad3c2e2379c0e0a5e1521d827

                            Download Submit

                          • C:\Windows\{CD27FBC6-DDA4-484a-AFF4-89868DA2A061}.exe
                            Filesize

                            216KB

                            MD5

                            dd43603f164da13c2acc98d281a0fbc9

                            SHA1

                            d7c085b8c438400a6cad66a69b6beec704ced005

                            SHA256

                            b1cb07a3a7d206666972f1e1ec471fd1fead5d93498f6dc723d94cd0bb38ffca

                            SHA512

                            901114f0a09bd09cdc2b22d4e3be35c2dfb7e946731056873a2b44526d0024892460a73614780a5f56fbf878c9f1aea9052042409972e6e4a29c28c9945b3b26

                            Download Submit

                          • C:\Windows\{DCEDF1AC-194B-4b60-A629-AD731063EAEA}.exe
                            Filesize

                            216KB

                            MD5

                            530055f037bac9c76ab8fc6c92d2c958

                            SHA1

                            dc2b64cea9714eb86131fad2a99a478827f50581

                            SHA256

                            c8f2690c52b0cc22b5265bc4009c78e6efa22d07b32a6519096daa0e6f725689

                            SHA512

                            0085ce4063a2f86835288b6253c9187d5491e3292db0287a1ab893f2958f33fc67cf8657bc991ed08450181530b01ac8b803dcb03a36ef9d080e90c627eac4f2

                            Download Submit

                          • C:\Windows\{E1C40F88-D9C4-4d56-862D-D8D83227267D}.exe
                            Filesize

                            216KB

                            MD5

                            12dcf55484e15d397309185479b0f0e7

                            SHA1

                            c758f27e50719c795d9a2493393283caada28cba

                            SHA256

                            94c9891a8470078bfff563dda2a185a91a9dce19c703306ff271ab7b41127260

                            SHA512

                            7307eeebb8d9f44da94295b256c9593cf1e9931eeeeba225ca49bbc2155cf601114343746277c1db545781f12e0003b4b14eac994a996a3a6de528947a08a79c

                            Download Submit

                          • C:\Windows\{F9967C80-ED98-4d4f-8961-F0E614F0FC0D}.exe
                            Filesize

                            216KB

                            MD5

                            92b192234e8ab3994f8157c1fed5d89d

                            SHA1

                            299c3cfc5dbe4a64d5bba9c9bf14ff241c77423d

                            SHA256

                            48af58fd53fdc25d32967dd7c3068ba05f4e0b35dca776350540d40170e8c2da

                            SHA512

                            d0b725807ee26552e232037df605018c024d50c5768d25b1c5c3cc057e2d31600c12f9bd762fb9d0beba788c2fb9c93352b3551864d0d7b38088eacf87762ed4

                            Download Submit

                          • memory/1796-23-0x00000000039E0000-0x0000000003ABB000-memory.dmp

                            Filesize

                            876KB

                            Download