Analysis

  • max time kernel
    144s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/08/2024, 09:45

General

  • Target

    2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe

  • Size

    408KB

  • MD5

    861ba9e5160627afeb501d4344a8e064

  • SHA1

    50a89d43e608b0da5324c141357e4176f81e925f

  • SHA256

    90a80e974aa001b00076cb2bbe7f8d0fe6a5dbd942aa5f174ebcc62a23d02e3d

  • SHA512

    47a508f0a4697521bcca0d21f7c359b3551461282cfa209a16dbb2ceb441ec0bff3a7f0a5aa47b4ed20ace06bf1626b4b2898d86c0f014daec947494382f56d3

  • SSDEEP

    3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\{1EAE6740-F243-40ef-BC8D-ACA3B4685341}.exe
      C:\Windows\{1EAE6740-F243-40ef-BC8D-ACA3B4685341}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\{060CC83C-78D5-4978-A535-6695816DC15A}.exe
        C:\Windows\{060CC83C-78D5-4978-A535-6695816DC15A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\{E815FB18-F84F-4b63-B418-F62F93E76FB3}.exe
          C:\Windows\{E815FB18-F84F-4b63-B418-F62F93E76FB3}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\{C1163601-06CB-468d-8DEF-333004C7D523}.exe
            C:\Windows\{C1163601-06CB-468d-8DEF-333004C7D523}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2268
            • C:\Windows\{E67D5182-DB63-4f56-A511-2385F9C0C80A}.exe
              C:\Windows\{E67D5182-DB63-4f56-A511-2385F9C0C80A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:564
              • C:\Windows\{79B6E53C-383F-4555-ACBE-F1DCC8EA3BEF}.exe
                C:\Windows\{79B6E53C-383F-4555-ACBE-F1DCC8EA3BEF}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2352
                • C:\Windows\{127600B8-7526-4191-A9C2-45F3097C34F7}.exe
                  C:\Windows\{127600B8-7526-4191-A9C2-45F3097C34F7}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2460
                  • C:\Windows\{C502F301-E991-4767-BD6E-68E775A89ADC}.exe
                    C:\Windows\{C502F301-E991-4767-BD6E-68E775A89ADC}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1600
                    • C:\Windows\{A192B397-0C93-4a18-8B88-262420618649}.exe
                      C:\Windows\{A192B397-0C93-4a18-8B88-262420618649}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:676
                      • C:\Windows\{80DE6FDE-C983-424f-BF5B-34E646B1CD1C}.exe
                        C:\Windows\{80DE6FDE-C983-424f-BF5B-34E646B1CD1C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2556
                        • C:\Windows\{435E8180-DC2C-4506-9A12-F26EB4D09B60}.exe
                          C:\Windows\{435E8180-DC2C-4506-9A12-F26EB4D09B60}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2208
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{80DE6~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2408
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A192B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:492
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C502F~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1620
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{12760~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2452
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{79B6E~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2684
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{E67D5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:568
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C1163~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2308
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{E815F~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2424
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{060CC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2860
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EAE6~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:592
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{060CC83C-78D5-4978-A535-6695816DC15A}.exe

    Filesize

    408KB

  • C:\Windows\{127600B8-7526-4191-A9C2-45F3097C34F7}.exe

    Filesize

    408KB

  • C:\Windows\{1EAE6740-F243-40ef-BC8D-ACA3B4685341}.exe

    Filesize

    408KB

  • C:\Windows\{435E8180-DC2C-4506-9A12-F26EB4D09B60}.exe

    Filesize

    408KB

  • C:\Windows\{79B6E53C-383F-4555-ACBE-F1DCC8EA3BEF}.exe

    Filesize

    408KB

  • C:\Windows\{80DE6FDE-C983-424f-BF5B-34E646B1CD1C}.exe

    Filesize

    408KB

  • C:\Windows\{A192B397-0C93-4a18-8B88-262420618649}.exe

    Filesize

    408KB

  • C:\Windows\{C1163601-06CB-468d-8DEF-333004C7D523}.exe

    Filesize

    408KB

  • C:\Windows\{C502F301-E991-4767-BD6E-68E775A89ADC}.exe

    Filesize

    408KB

  • C:\Windows\{E67D5182-DB63-4f56-A511-2385F9C0C80A}.exe

    Filesize

    408KB

  • C:\Windows\{E815FB18-F84F-4b63-B418-F62F93E76FB3}.exe

    Filesize

    408KB
