Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/08/2024, 01:21

General

  • Target

    2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe

  • Size

    180KB

  • MD5

    469d59cb12d4b8fdcf5f96b156736d76

  • SHA1

    b1255858095e652f181f77ad82c699241e079589

  • SHA256

    a07953552d337b40ccf6add58d742877b85d03699e959712b3eb7020a6b57487

  • SHA512

    f86a47a0632bdf20625fcbea427b8d25f61d18f57f400c82d394203c8ea3f360713fc822fee5ecaf94c3a261ad3503b98a368866719664c08b2ddc9f8deccd9d

  • SSDEEP

    3072:jEGh0oRlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGXl5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\{D8B46198-52F9-43a0-BE35-64FEFE41C4F7}.exe
      C:\Windows\{D8B46198-52F9-43a0-BE35-64FEFE41C4F7}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\{AC8E632E-5E6E-4084-8D41-EAE13B18686F}.exe
        C:\Windows\{AC8E632E-5E6E-4084-8D41-EAE13B18686F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\{92003DB8-0E28-4d3c-94AC-A8F28A15DF78}.exe
          C:\Windows\{92003DB8-0E28-4d3c-94AC-A8F28A15DF78}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Windows\{123E8152-59BC-455c-9E2E-7B9677A8535A}.exe
            C:\Windows\{123E8152-59BC-455c-9E2E-7B9677A8535A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2888
            • C:\Windows\{156F4070-F040-47ae-8C57-4A155EE34CC4}.exe
              C:\Windows\{156F4070-F040-47ae-8C57-4A155EE34CC4}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Windows\{89DC9CDD-DC70-484e-B47B-6592426AE97B}.exe
                C:\Windows\{89DC9CDD-DC70-484e-B47B-6592426AE97B}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2968
                • C:\Windows\{305C6767-668D-4438-BA15-B9E519F80A7C}.exe
                  C:\Windows\{305C6767-668D-4438-BA15-B9E519F80A7C}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2956
                  • C:\Windows\{FAC9B7EB-51D6-473f-A66C-CE3CD5565C4B}.exe
                    C:\Windows\{FAC9B7EB-51D6-473f-A66C-CE3CD5565C4B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1540
                    • C:\Windows\{77EE3074-B42A-4f2e-9FCE-0AA007F2D2E5}.exe
                      C:\Windows\{77EE3074-B42A-4f2e-9FCE-0AA007F2D2E5}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2240
                      • C:\Windows\{C1AB235E-580B-415b-92D2-C1C95BF79D89}.exe
                        C:\Windows\{C1AB235E-580B-415b-92D2-C1C95BF79D89}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1984
                        • C:\Windows\{6A6FFF95-5023-476b-BCFB-BDD87B31E1B3}.exe
                          C:\Windows\{6A6FFF95-5023-476b-BCFB-BDD87B31E1B3}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:496
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C1AB2~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2092
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{77EE3~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2068
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{FAC9B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2328
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{305C6~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2008
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{89DC9~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1712
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{156F4~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2868
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{123E8~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1156
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{92003~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1636
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AC8E6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B46~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2816
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{123E8152-59BC-455c-9E2E-7B9677A8535A}.exe

    Filesize

    180KB

    MD5

    350ecd26bee98df9f50c1a33675f94de

    SHA1

    c9c6dc77d1ad488146f7a4d65ba9e8e236d80cbf

    SHA256

    5af5c51d28a74477df230d2b0bdfb124e5125f8da38be099e88446ff18d42d7d

    SHA512

    185f89906d1f4f2b8b49c6e4c24df34ebf4a9c1cf4d978aada41cb2a9b3530a97961a8d878827f8bd0c5e93d97dea8ed7ae9fac748adba69349701c7b15875ef

  • C:\Windows\{156F4070-F040-47ae-8C57-4A155EE34CC4}.exe

    Filesize

    180KB

    MD5

    67d42b4d0c6bf69faee20f4d8322f627

    SHA1

    774826dcdf842d5bcf920fdf1faf8c7ec18d90d1

    SHA256

    39d1610e092a2e01f8c6c3206035e0ccb83d4436d31b058db08e8e2754e58171

    SHA512

    7fa5909ff2874c89b57b5564e1320828b1ed9c82092e41936ceb91275ba774bddcbe83dccb4b7c522ef89986ea714fff86c81abe88afb8498502248555ced2e0

  • C:\Windows\{305C6767-668D-4438-BA15-B9E519F80A7C}.exe

    Filesize

    180KB

    MD5

    2c49b4f76fc5fdf561285cca13be10ec

    SHA1

    825db438b65ad3a53c8c14f909fe91c07ffef744

    SHA256

    d3d7f1cebafe9154df249e0b0a74b50c72b63178b7c6591f82476a616dc64a34

    SHA512

    665f35b0c527bc32c5c0547252fcde04dec271984a7d53f1622d27d8c6b479ce9293fff471ac5d2ca190f85fe5ea0a99c1a68366dc519b2db6c3100195b99b5e

  • C:\Windows\{6A6FFF95-5023-476b-BCFB-BDD87B31E1B3}.exe

    Filesize

    180KB

    MD5

    877593eb75122e64a50f84a80ce400e5

    SHA1

    abf8f9e91872162c37a7580156faba331fea4130

    SHA256

    dab0d03171fd4d98d04d0576834aebd78947e194fbd6f8fb49f852f67c3ac97f

    SHA512

    e5cb3b2ee88df919c1e64e348ec64afad871e13f7fb76f7ce2ed83d2b2ef6c049a7f2a865a809ca0dbaaa9c998e3d3b542f0c0d2c5e2b9475decf5e3417aa893

  • C:\Windows\{77EE3074-B42A-4f2e-9FCE-0AA007F2D2E5}.exe

    Filesize

    180KB

    MD5

    e2201cdf4edeadbe76e27f6a4ef19372

    SHA1

    a42dee3d65562fc7a349cbd0263f0aa3dccb9c6b

    SHA256

    c2ef374b89ddd33a4c4ac4460b4497bfe3fa01583d6cc626062da75b4d9c3f15

    SHA512

    15c41b78f0e7e57d9eab7e6995ec4e890a30fc10b4effbbedbdc96f01eaa45c54eb39db1f4cea64ada60e708cc251e1a9d2f4b8a3b35786576783a21de99a267

  • C:\Windows\{89DC9CDD-DC70-484e-B47B-6592426AE97B}.exe

    Filesize

    180KB

    MD5

    3da6706d8ed9e5003b4b2534ebd56755

    SHA1

    7f57442aeabc71a0534dc431224db8578bd73921

    SHA256

    a8cb58fc38c95d2604317ee491a59f69993a18138d720774a787d2681bd2719a

    SHA512

    a1190726049d183cce90f52105836f6a7e487eda37cbc22e12db8226e218cbcbd347c555a0c2a29335c0c06badfe67aa94cec73e7b3fd09b0b2c25ac74ebf006

  • C:\Windows\{92003DB8-0E28-4d3c-94AC-A8F28A15DF78}.exe

    Filesize

    180KB

    MD5

    51c136fa75dbbd64d55ca6524015a213

    SHA1

    9d74973089b77993304ffcdc635cafb651d20cc8

    SHA256

    1ec31320c17c8f721a3bf91a2a9fe027dc431964088b7333a570e023e06693f3

    SHA512

    98692bbc0ab8231cc974e692bd658478ed4a86dd190b45e8797a6f4074655b32ff5e908ef540ef73f945d89ff7536634f7cb107496620ca097d8b646d0537156

  • C:\Windows\{AC8E632E-5E6E-4084-8D41-EAE13B18686F}.exe

    Filesize

    180KB

    MD5

    16c83f24163d58c9233b779f437bcfe1

    SHA1

    4d6a126ffc01a3588ba55717f1b28cc0be055735

    SHA256

    2edb7c7a8118933a3845e2e4c26c9ff00e1017e35e14c92b65eb5ed80e14845a

    SHA512

    a76e4fcd90d9be879b32ab5a940568bea973a268696e5c806a849f48b5af11708d2caef4dd718830304246aace79e0811b17a12df069505f482c3871d7a5fcd5

  • C:\Windows\{C1AB235E-580B-415b-92D2-C1C95BF79D89}.exe

    Filesize

    180KB

    MD5

    73ceb1c7d3e66189d10c68d8854db4c3

    SHA1

    897a0fcf3940486745fe74cb9da3ce020231d00c

    SHA256

    06e65e5c1a47d6b1040de7de8073d7bdb67db4e4b9332948715e8df55cea3b4d

    SHA512

    15fd53a99d7895b1109bbea33fc207a8437d97923a9b6b7fd59b79b03f3501db10f1816609a39e8a0ac0aa41c770fe5d848b0a11ac731f4d3d74eb54cd6ca7cf

  • C:\Windows\{D8B46198-52F9-43a0-BE35-64FEFE41C4F7}.exe

    Filesize

    180KB

    MD5

    32cd597a21c04625f2fd8b04f6a358fe

    SHA1

    a121d0c6241d3a74130dd14c302b4014b9203281

    SHA256

    a40fbb94c41244f80c4bb978bfd84c602563b2e3340ba9643fb9d5ec991b3160

    SHA512

    d54b0fa4bef1ddd7ef3ca36ba9207db61d8dbb1e3bd35911ced5696492d2c7a8475cc294f1783e25eb1e50c0e11a3efe1b2a77349a9950dfdac5e85e700c2452

  • C:\Windows\{FAC9B7EB-51D6-473f-A66C-CE3CD5565C4B}.exe

    Filesize

    180KB

    MD5

    645b7ccecf7aeca4060907ea1973133d

    SHA1

    df877f92dccc764ae93f3b89f3e8ad97659ec9be

    SHA256

    322b49aae030d2380a52629d9401f5a48a687933977527a4aaa2f9c4d7b637b8

    SHA512

    bed0fbd6b29f142a3498cf1f994da62a9191714d4173e73194b70e7ab3ca308a9f464816c2a7316101c664859792a0034757802e0cea01ee7f40d75af201d14a