Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/08/2024, 03:51

General

  • Target

    2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe

  • Size

    216KB

  • MD5

    3c39eed2d3ff3f55ed1c0ad0e434b5d4

  • SHA1

    661e25b519026342b34027b92d57bbccf2f87fb5

  • SHA256

    ec6f662fe878a756c1acbfb24ccffb64813100da25ac08d052441135a26c6da5

  • SHA512

    e454155e1bca8f8171a484075850e976e1083436a51db65acd83d3668edbb6350f9b53f6caef8cf34acc1db3441c2f71a19cafbad53329a6524b8c6db4b7d8f1

  • SSDEEP

    3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGjlEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-07_3c39eed2d3ff3f55ed1c0ad0e434b5d4_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\{648EECA2-00C5-40e6-8E9E-2674B1236256}.exe
      C:\Windows\{648EECA2-00C5-40e6-8E9E-2674B1236256}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\{979A19F8-6B84-4e46-AB96-3033DCF264DE}.exe
        C:\Windows\{979A19F8-6B84-4e46-AB96-3033DCF264DE}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1864
        • C:\Windows\{E806E7E2-A2FA-45b7-B1F4-7A8EA86D886F}.exe
          C:\Windows\{E806E7E2-A2FA-45b7-B1F4-7A8EA86D886F}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3948
          • C:\Windows\{B5E99049-0DD9-4276-BEAC-B98D19C192FB}.exe
            C:\Windows\{B5E99049-0DD9-4276-BEAC-B98D19C192FB}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3064
            • C:\Windows\{86BA9FD6-9CCD-4138-AB86-60C493F0BA29}.exe
              C:\Windows\{86BA9FD6-9CCD-4138-AB86-60C493F0BA29}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4428
              • C:\Windows\{1DEA30C7-7745-4f73-8260-45F2EA739B07}.exe
                C:\Windows\{1DEA30C7-7745-4f73-8260-45F2EA739B07}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1900
                • C:\Windows\{5A219592-C9D9-489d-A52C-028B6E30F205}.exe
                  C:\Windows\{5A219592-C9D9-489d-A52C-028B6E30F205}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:264
                  • C:\Windows\{53128476-37FC-41a7-AE94-FAC89418F1B1}.exe
                    C:\Windows\{53128476-37FC-41a7-AE94-FAC89418F1B1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4640
                    • C:\Windows\{D4D733B7-D01A-475a-9017-651F86676412}.exe
                      C:\Windows\{D4D733B7-D01A-475a-9017-651F86676412}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4856
                      • C:\Windows\{085E981F-E0B1-4cdb-8D7D-2E7FF3BDC986}.exe
                        C:\Windows\{085E981F-E0B1-4cdb-8D7D-2E7FF3BDC986}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2508
                        • C:\Windows\{CAF340C9-FD21-4841-BC72-68EFCF5090EA}.exe
                          C:\Windows\{CAF340C9-FD21-4841-BC72-68EFCF5090EA}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2804
                          • C:\Windows\{04E39E90-9BF7-44b7-97C4-0BC40C876716}.exe
                            C:\Windows\{04E39E90-9BF7-44b7-97C4-0BC40C876716}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2656
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CAF34~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1952
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{085E9~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4492
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4D73~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3212
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{53128~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4560
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{5A219~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2468
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1DEA3~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1660
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{86BA9~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2144
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{B5E99~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:208
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E806E~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1940
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{979A1~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3924
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{648EE~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1576
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1264
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1904,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
    1⤵
    PID:400

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\{04E39E90-9BF7-44b7-97C4-0BC40C876716}.exe

      Filesize

      216KB

      MD5

      9e6f61ff1bcb45dc98840e8a2ded1b11

      SHA1

      958130e48d665f400063ca132994dc6b64700e51

      SHA256

      185b7d2b8631aca8052972c4114b4afca87644f7c2907931f908bb73a088cda0

      SHA512

      cb9d77711319acf5adbcfba90231475ed23574da301107d17463b8bb5fd2a954c55d6a5fe19bb84032f40a01928137c822715f91a6e8cd00515a7e5eedc27c13

    • C:\Windows\{085E981F-E0B1-4cdb-8D7D-2E7FF3BDC986}.exe

      Filesize

      216KB

      MD5

      13b2d6508de840d6a441fe4aeea23967

      SHA1

      994fea0a2ddc579e2bda998187c626335aacc7d4

      SHA256

      8fc1b46348591baf56e428b042cea468bc8aacac00fa3c01276491fc2c073347

      SHA512

      0660554f361f5823c132b831c306983aeb8e84e65e45dea86d2f88fc6e6b362b2e8cd13acc02d1ad05c6e0998c084ea49798b65de8f15befb9db87bd81b66e1a

    • C:\Windows\{1DEA30C7-7745-4f73-8260-45F2EA739B07}.exe

      Filesize

      216KB

      MD5

      ce0b95d30263657c55d2864d353d1e6e

      SHA1

      f1c833b7f0fd030618cb5cf45e3d23c4afa23fff

      SHA256

      3b793357efe38e6638b30b6875616598949a8be0f6d18a35fb71a91b0a2a04d5

      SHA512

      6105574919e5d3fef46947624303c04d84e10d637950ee8406337a91a246bf90d098a84a522b621d518ef2123ce3d2c59317d875ad4fdecd94ca18431adf6525

    • C:\Windows\{53128476-37FC-41a7-AE94-FAC89418F1B1}.exe

      Filesize

      216KB

      MD5

      c1e19061722f438e84751d7ef54e87e8

      SHA1

      8aa9b695a299026856a598051943b9f167c5d3d6

      SHA256

      6bdfe228ea1a6fc01c3a3be55fee5530a685145c509a354e6ae70e1adf437ee7

      SHA512

      d983af84e4e1b03df53b48fb924ffc1105421eb36f54cca088d915821acf2d1d6a01313924dd64d57f91560959337a2a21aa9bddb37e76dc8d7d77b7e79306cb

    • C:\Windows\{5A219592-C9D9-489d-A52C-028B6E30F205}.exe

      Filesize

      216KB

      MD5

      66606452060274d0e2ea1481be799995

      SHA1

      5b916a30dc47e3e6e39696f7fc28d440f07fdd3b

      SHA256

      4d4c99b02b3dfecdb106390ab87d4b95a84918d5eefb82c38a6cc3a19f932a1d

      SHA512

      d362f468d49c1c58f8f4853cb363bb774953524c69ba1446879371b3c72bb3268432910bf01f74a9d05b86f7621eba0c3ba49feb044676d986bf0f117bdedfd8

    • C:\Windows\{648EECA2-00C5-40e6-8E9E-2674B1236256}.exe

      Filesize

      216KB

      MD5

      c88f42680fb6d4e68d20e28e6f782ced

      SHA1

      41aca2a3347db3a179b72dd580f7893594369c1e

      SHA256

      106432b842b41abf8b73f09559d0c2172165d025f01b1f3be5765ed3e33c43ba

      SHA512

      97cb1b13ddeecfaec30be40a29607c44e403f04c65640083960fb0afc4893a6dc6cb515a91a6c2a6e58fd910d81bd93c824f04732ffc914ead540b9d19d20a5a

    • C:\Windows\{86BA9FD6-9CCD-4138-AB86-60C493F0BA29}.exe

      Filesize

      216KB

      MD5

      ebc76378c46368bf04511837c79e3241

      SHA1

      e8dd9d8419770ef9613331f55ad7a66f8560da3a

      SHA256

      e6bf8e12844690370a39d52da3fa75aff7c959f5e99e643fc5229e6beccea078

      SHA512

      2cf7726e3bc4867b6c7d5f65799158733125d8407c3a44787232b4a670f0eb40d083328b168d7264add2ab054554da5d9ae32ba098210f7e510a889a5caf77f8

    • C:\Windows\{979A19F8-6B84-4e46-AB96-3033DCF264DE}.exe

      Filesize

      216KB

      MD5

      9064d3d3e687bae303066043241a210b

      SHA1

      14b48b0c56a211f8e319b9fc17b0e70e723236c3

      SHA256

      e1a35685dc8edcca20d131fb049c2a7a4296c2b1993ec3f427ae007a436fed98

      SHA512

      5093e22ef1bdd7fa6dec8d9e10e18201bfc8def0da8ac0e00061bc81afb02abfc2568b108cd5dfba9ff9beaf496316926b287169d4a3060b39851ba44aaf3b4f

    • C:\Windows\{B5E99049-0DD9-4276-BEAC-B98D19C192FB}.exe

      Filesize

      216KB

      MD5

      8231347fbb9b2c1c3ff95792f7bc4291

      SHA1

      531cb718a093403ed456e9579901b7679d40ea90

      SHA256

      3998aa9bcba40973779ce26a4535fe02a2831dff22ab1cc3a864ae27b96a149c

      SHA512

      52e0c05be3a778371b72b7cd08480f60f541b8e0f2225c70bdeb5c47a192b0966bcaf391e182275a4e209b56a32dbcb3e38e2f69b21ef6ba1a3b945cb3067002

    • C:\Windows\{CAF340C9-FD21-4841-BC72-68EFCF5090EA}.exe

      Filesize

      216KB

      MD5

      25e410678d582533ca3c7f0647161fb5

      SHA1

      7b4af0177fe29316568d3c1af1d8699eb5a8f76b

      SHA256

      df227fa8666f211c079d10453b3391bc7c34a7c221bb662a7bcc5a91fcd17cf6

      SHA512

      c76016466e022cd09615368c1ae5a7f82456251f402afc50ace95b749f8f192408468eb333236cf55af56e9cb67e5fcc2d2003d3f353c8acb7d7759df2de6408

    • C:\Windows\{D4D733B7-D01A-475a-9017-651F86676412}.exe

      Filesize

      216KB

      MD5

      98c63ada96167da05609662da8d4bf95

      SHA1

      5346271f49cd1ea1d0e37f89851aac706401543c

      SHA256

      03d892f399b506d9072e84a2b6c55a9f3875e396f593cff2bccc13f71f6792df

      SHA512

      ca65011f46f7fe6d34b19a8d404ac0b04b2a4adae02842f052a0e6ea162e8085194be610097c8076bbb8b9156b67a2c18f1d10aae33a4992a24abc2570c27e57

    • C:\Windows\{E806E7E2-A2FA-45b7-B1F4-7A8EA86D886F}.exe

      Filesize

      216KB

      MD5

      a6054fe02a6313485b77ee863fda1b96

      SHA1

      cb93ef29e8f95e88a95ad9f0ae66f1c2c1af0dc2

      SHA256

      e6f815b4bcb8401ead922b0046df91e688636262ea1a2157d0b2f10a3a1ce292

      SHA512

      d14ecc525db192f5c12cd871020a9723a16342822011f2e167ba6758697346fbda50a75445f3f28777ef1124222b05e6e49d4514a5ac911449783a2d8ada4502