Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

2024-07-05...ye.exe

windows7-x64

8

2024-07-05...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/07/2024, 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe

  • Size

    372KB

  • MD5

    e2a1f51489b4b04073e76aa2cb43b374

  • SHA1

    76efee2664ce8d47285ffe1009705f5af5fc73c3

  • SHA256

    5b28384365492cebc5d210e1c554162f16d459a6f62b2894a614e95c77970d5d

  • SHA512

    91633056701b4cd9bbdf8919aeb7aec61d9064b7f6812d41cebcc391b42e755e366c7435f60da7fc2b674a7f81acabb6f70a1e2d6004b5e848ba374fd89f625b

  • SSDEEP

    3072:CEGh0o9elMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGClkOe2MUVg3vTeKcAEciTBqr3

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\{25FA2BE6-18F0-4133-9093-3D3267B6D36D}.exe
      C:\Windows\{25FA2BE6-18F0-4133-9093-3D3267B6D36D}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\{CD97D450-3422-43cc-AE4B-FFCE320751DD}.exe
        C:\Windows\{CD97D450-3422-43cc-AE4B-FFCE320751DD}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3484
        • C:\Windows\{A1AC104E-078F-4930-8957-5628D4591932}.exe
          C:\Windows\{A1AC104E-078F-4930-8957-5628D4591932}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4260
          • C:\Windows\{EE4FC730-8658-46c9-9E5A-1A3C74A21784}.exe
            C:\Windows\{EE4FC730-8658-46c9-9E5A-1A3C74A21784}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2908
            • C:\Windows\{ABCA9AE9-7AF6-4721-87C6-0C2EF4233C2E}.exe
              C:\Windows\{ABCA9AE9-7AF6-4721-87C6-0C2EF4233C2E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3448
              • C:\Windows\{152D2229-ADC6-4093-B868-1A43D163D342}.exe
                C:\Windows\{152D2229-ADC6-4093-B868-1A43D163D342}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:640
                • C:\Windows\{69A0DBC7-21D2-4f16-9A0F-F81996EB43F1}.exe
                  C:\Windows\{69A0DBC7-21D2-4f16-9A0F-F81996EB43F1}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4864
                  • C:\Windows\{345C9B3D-7F42-4931-A721-195E51F68459}.exe
                    C:\Windows\{345C9B3D-7F42-4931-A721-195E51F68459}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1572
                    • C:\Windows\{ED3B54A7-1AD8-42a6-9CB1-772E626A3900}.exe
                      C:\Windows\{ED3B54A7-1AD8-42a6-9CB1-772E626A3900}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1892
                      • C:\Windows\{0C774079-0E3B-4a27-A465-468A494B6203}.exe
                        C:\Windows\{0C774079-0E3B-4a27-A465-468A494B6203}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3188
                        • C:\Windows\{1D58CD61-0D2E-46e9-BDA1-D88F70ADDFCA}.exe
                          C:\Windows\{1D58CD61-0D2E-46e9-BDA1-D88F70ADDFCA}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          PID:3136
                          • C:\Windows\{6F3BDEFD-C3FF-4fcc-A877-5A074B2BF24A}.exe
                            C:\Windows\{6F3BDEFD-C3FF-4fcc-A877-5A074B2BF24A}.exe
                            13⤵
                              PID:916
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{1D58C~1.EXE > nul
                              13⤵
                                PID:4592
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{0C774~1.EXE > nul
                              12⤵
                                PID:4396
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{ED3B5~1.EXE > nul
                              11⤵
                                PID:1980
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{345C9~1.EXE > nul
                              10⤵
                                PID:1428
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{69A0D~1.EXE > nul
                              9⤵
                                PID:1728
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{152D2~1.EXE > nul
                              8⤵
                                PID:2640
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{ABCA9~1.EXE > nul
                              7⤵
                                PID:2612
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{EE4FC~1.EXE > nul
                              6⤵
                                PID:3520
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{A1AC1~1.EXE > nul
                              5⤵
                                PID:4868
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{CD97D~1.EXE > nul
                              4⤵
                                PID:3872
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Windows\{25FA2~1.EXE > nul
                              3⤵
                                PID:4012
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
                              2⤵
                                PID:4152

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Windows\{0C774079-0E3B-4a27-A465-468A494B6203}.exe
                              Filesize

                              372KB

                              MD5

                              9532088bc2b03ea44d3ef899cff3cf58

                              SHA1

                              14f08d71b1c2e20d00d690c3a6ae8c4d128d305a

                              SHA256

                              875201e35dabcb276434fbd863cf114ac2e6a5722f763cdda096299a70db77d6

                              SHA512

                              c972b80d0d90c5ebf39e7e5d185c111963fd73532cc865ec0d0746b0062873169b41134b2ceefb01b8577d9181ad5150d0c35ad2a57cf27eb112c296cb2ccaa4

                              Download Submit

                            • C:\Windows\{152D2229-ADC6-4093-B868-1A43D163D342}.exe
                              Filesize

                              372KB

                              MD5

                              12da5def79e68ce1f7774431c95a833d

                              SHA1

                              100f581f0d11e7cbf9c981875a496f9f53e36653

                              SHA256

                              c5f461ab4de2faf80a6ce90120bc78eed8ae8fb4a83352ef1e2db8a78f6ee7e0

                              SHA512

                              b10940d681d7bd22e9f09609cc028c27f8e3554d81897cfffed3a17cf0194e64cda631fd6d17f647e60a55b1026e8d51a2b9186ac0bb459ecdeaaed874250764

                              Download Submit

                            • C:\Windows\{1D58CD61-0D2E-46e9-BDA1-D88F70ADDFCA}.exe
                              Filesize

                              372KB

                              MD5

                              b39c31c0e65e8f46f1db454e68275a95

                              SHA1

                              6233576fba630b64d60e5c01d0ed3e90d0223681

                              SHA256

                              57cb902cca4a5553a349a7865b84d088ed94c9943d4b65d58d3db73cb9f621a9

                              SHA512

                              ffa25e8db2d4268a309b98d2915e47836c9b267cd574edfd09e572152958249e4e0e4930acfe849c1e51ae4d1a77becb69c8ee5a7d8002b681270e845938e7db

                              Download Submit

                            • C:\Windows\{25FA2BE6-18F0-4133-9093-3D3267B6D36D}.exe
                              Filesize

                              372KB

                              MD5

                              8389eba9328cf7a7963cc0533d79ef1d

                              SHA1

                              a6bc5db64418286c5880c9cebf719be1dfade0ed

                              SHA256

                              67cfbf137ac0b481e35a616da7c6ee65a19cd8313bd67a83a136d5f98b63dbdb

                              SHA512

                              48fb12c0887e9c0031666959e894555e9cd0d4aa94f5fa5d07db9356e2719f9db49d98929cc3b6972b4dd2381aca1762d0fe98243d68fd3bd540535377e32f42

                              Download Submit

                            • C:\Windows\{345C9B3D-7F42-4931-A721-195E51F68459}.exe
                              Filesize

                              372KB

                              MD5

                              5c2c4dfe45a161bb31197d89779fe42f

                              SHA1

                              f5166cce2e72802e538fa55ab214843a445920c5

                              SHA256

                              e4d14e784b83fed5f1dd7b6b08805a177c22624e0a387c984fd80bd34b0399b9

                              SHA512

                              7c764859ee043255109527964c6e5062ff1a1019ffed97f5b766694a6e603a084499d07b50d9a7416d543615f28318bdb9416ec1cd0b875286bc92e9a9e2c372

                              Download Submit

                            • C:\Windows\{69A0DBC7-21D2-4f16-9A0F-F81996EB43F1}.exe
                              Filesize

                              372KB

                              MD5

                              d0a3ffbe598667e97cfb8bf695993092

                              SHA1

                              8e031aa94069267fa21f630fa0941b158e212844

                              SHA256

                              a5bbe34035a80d230bf4268219c9853ee3aad7cc4d60f6291d7dcb576fc4ecc7

                              SHA512

                              7ec9207a0919ba1e1a99e03aece0370327af47bc7cdf74cad85059f3020adc1ae59d35720aeb5bc4739a56d89fc79a7995991776d1ecd1de5ca2c1db0d9b6d56

                              Download Submit

                            • C:\Windows\{A1AC104E-078F-4930-8957-5628D4591932}.exe
                              Filesize

                              372KB

                              MD5

                              0835a733846b28f2cf34c1c418ac61e2

                              SHA1

                              f2b66a51ba89081b0931ad3f3e15830ea3427df3

                              SHA256

                              8d0f12e15ce161e1c5a1abd67f379c0efb3fbb85604c47f65d200f1db5f9a6ea

                              SHA512

                              69dd5bd378adde1505af3e3bfd7620b02e1ab9399d29d22a2c1db27f5a42e58effdb2ac678c369205a1435474bc9367f77bc8b36a850ca57ad9511d12eb9c98a

                              Download Submit

                            • C:\Windows\{ABCA9AE9-7AF6-4721-87C6-0C2EF4233C2E}.exe
                              Filesize

                              372KB

                              MD5

                              19aff57cd80bde81eae58b3d7f08d8dd

                              SHA1

                              d604d371bed3ac8021c920888f0157c6f1bacfb1

                              SHA256

                              6f3bcc6bb5e3944f77f8bd88a0a3b16ff02744b02ab96348150eb29e1347c1e0

                              SHA512

                              31f4248719bf5c298fd823e019ec8cb93311764516a0fe41eede40a129ffcce65a946ed9fcbdfebf3fd146678a8100a847ba79b67b0b108a681d0923e366c217

                              Download Submit

                            • C:\Windows\{CD97D450-3422-43cc-AE4B-FFCE320751DD}.exe
                              Filesize

                              372KB

                              MD5

                              c8c307e2549dd3126f1b6c49947973e5

                              SHA1

                              38beb6d31ca95c894e1c381d821f75ce51962e1b

                              SHA256

                              78fa286a08adcd3d056d1f79e1c333d1fb009f2181bf5c20244d4ce839a29c1b

                              SHA512

                              d4f0893e8d826274ee55a5e4e964e383680c658b38fb83712a5e038431f54dcef000b71a44b1b3987112f9b043d36bee4be2efec2d542ae65d82a2a1e34b4be8

                              Download Submit

                            • C:\Windows\{ED3B54A7-1AD8-42a6-9CB1-772E626A3900}.exe
                              Filesize

                              372KB

                              MD5

                              aa43d2d04bcaf09153db4117632ebaec

                              SHA1

                              082b0e3b59d3f92bd328e384912fc7aadd3822db

                              SHA256

                              bd827a9a9ec446ec25bc3c167c342aaad9938996de54a6da9b156813f30db0e9

                              SHA512

                              baa631648d1ec54c02bdaff09e86fee44515a6a7a2990d228dda08d6f92c57084bbc8bd5abd622f6710d59da66b052ff880b30645f8d4c09d1b3c0f3339f4d1f

                              Download Submit

                            • C:\Windows\{EE4FC730-8658-46c9-9E5A-1A3C74A21784}.exe
                              Filesize

                              372KB

                              MD5

                              45bf0bf0817e325a19b1250a443d2210

                              SHA1

                              97cdd5adfe43e453d2bf2cf4bdb1a1bf9cb5cef5

                              SHA256

                              8f90f3d05dd31bb63e56fb0c73be92a49bf1877fef0b8ddace1bb5be6d859d84

                              SHA512

                              7da03b4421097ee4023f32271098b0aeaef8c0b982740fe1da97a1d29b4bea6b2e85f3107ba1ce89d614d71e95cf378811839381d4a7080f607062de1c54afc7

                              Download Submit

                            • memory/3136-43-0x00000000038D0000-0x00000000039AB000-memory.dmp

                              Filesize

                              876KB

                              Download