Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

2024-08-12...ye.exe

windows7-x64

8

2024-08-12...ye.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12/08/2024, 10:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe

  • Size

    344KB

  • MD5

    11bcad7c984f0d68447b017b2ffa67e1

  • SHA1

    0da1708a903a2197d4e42bd8d2f6a4cc0bc3e100

  • SHA256

    08f5acbab5ea7f6ca3d94ec0dec08788c099426c60968574dad54b7e8f817c41

  • SHA512

    03b4808893562b52d9865912dd0c9392f285c9ccef9deeeb2c1c7ddee4ea09d15f102c905902190f7db9d90d22b6214b5ef54be4ddd3264616a990a66e71f280

  • SSDEEP

    3072:mEGh0oclEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGylqOe2MUVg3v2IneKcAEcA

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\{C11A877E-5470-465d-8E3E-6CCD17A952B6}.exe
      C:\Windows\{C11A877E-5470-465d-8E3E-6CCD17A952B6}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\{EE30ABD9-98F4-44aa-A791-41415FB1F92B}.exe
        C:\Windows\{EE30ABD9-98F4-44aa-A791-41415FB1F92B}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\{B7A404D9-BE05-4acc-8984-B23FE0FE6BCA}.exe
          C:\Windows\{B7A404D9-BE05-4acc-8984-B23FE0FE6BCA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\{FB0402D9-7A94-4d9b-B7A2-0114D095F01D}.exe
            C:\Windows\{FB0402D9-7A94-4d9b-B7A2-0114D095F01D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Windows\{91BE1BDD-CE43-4d68-A974-1C3A44228347}.exe
              C:\Windows\{91BE1BDD-CE43-4d68-A974-1C3A44228347}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2596
              • C:\Windows\{739961BA-463E-4883-9D10-800074BA8638}.exe
                C:\Windows\{739961BA-463E-4883-9D10-800074BA8638}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1828
                • C:\Windows\{594FF90F-E4DF-41bf-A78B-2444EC8D5420}.exe
                  C:\Windows\{594FF90F-E4DF-41bf-A78B-2444EC8D5420}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2876
                  • C:\Windows\{40617D8B-F1F2-413f-90A0-C4D4A3DF9F9B}.exe
                    C:\Windows\{40617D8B-F1F2-413f-90A0-C4D4A3DF9F9B}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2892
                    • C:\Windows\{1F17A182-A9DE-406e-A21E-6A960B27C2DD}.exe
                      C:\Windows\{1F17A182-A9DE-406e-A21E-6A960B27C2DD}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1132
                      • C:\Windows\{BA71584B-A234-4cde-82D3-99D0DF104556}.exe
                        C:\Windows\{BA71584B-A234-4cde-82D3-99D0DF104556}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1296
                        • C:\Windows\{FA1F35E3-3F5D-44e4-8A23-B78A58A4D284}.exe
                          C:\Windows\{FA1F35E3-3F5D-44e4-8A23-B78A58A4D284}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1096
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BA715~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2992
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F17A~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1180
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{40617~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2188
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{594FF~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2352
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{73996~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1584
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{91BE1~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2728
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{FB040~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1524
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B7A40~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2544
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{EE30A~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C11A8~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\{1F17A182-A9DE-406e-A21E-6A960B27C2DD}.exe
    Filesize

    344KB

    MD5

    2c1f3ab50985268508edd6ffe36452c7

    SHA1

    21f36ca9ecc939579661f5cfa9d7091b2feb67b3

    SHA256

    19e4c3afc0ddee7dd7f526546bd07ddcb3598faf9da7072952a527466092e430

    SHA512

    cd987e9c1f2ddee8d5255a9ba9b39520658abbb1c841662ac09ba7aa394aad923c16e214aac672e236c8673396daf3650846a290eb79223dae5f36a2b2a31272

    Download Submit

  • C:\Windows\{40617D8B-F1F2-413f-90A0-C4D4A3DF9F9B}.exe
    Filesize

    344KB

    MD5

    7c53c3cb57e31fccf2ea8bdd93de9168

    SHA1

    4dbb0a7c670bb094eb30fdd4caf784f2e72898a6

    SHA256

    5d9542d36cff52cf3d2cea6c0de71d5c390bcbd0542ac65e0ed3f8ad6a5ada7e

    SHA512

    bf961135799ac6acbdf8dec1b219fc4657df7e4084286d9d3b3106e08cb74df0ff157b2714703e94656ba3c3447ef1cd9a607b9b9b8850d31894606e05a1afc4

    Download Submit

  • C:\Windows\{594FF90F-E4DF-41bf-A78B-2444EC8D5420}.exe
    Filesize

    344KB

    MD5

    ad9005358ac36323934b413d3a509b1e

    SHA1

    c322ede1faf7845ec03eaaf40941ebfe41f57ce4

    SHA256

    a66beab01ff70326663601959adaf939157f3318296384eb45b43eac3a29f739

    SHA512

    08d564b923effd92dfe078982a4e01f3796c880288164e3ecb7d0276490105de091520ea0d029ddc22e956e492399d591e21517ab43834297af88bdb2a2f5bc2

    Download Submit

  • C:\Windows\{739961BA-463E-4883-9D10-800074BA8638}.exe
    Filesize

    344KB

    MD5

    82508b0df884f72d2049374cdb1d86cb

    SHA1

    d00fe223f1ae8339ff2f30d2f731b120f39b637e

    SHA256

    3ddaf470e16a161ddcade9f69644b6a29b83d61555f96668400dea004d0d27a5

    SHA512

    2f4ba51dcd0646f604aa040e296fa29908f9e80ef57b87483d98c826b23b5f8e8638ad76508508f178a662ca556a7674e07cfc64758991e069e4bed74e7daa2f

    Download Submit

  • C:\Windows\{91BE1BDD-CE43-4d68-A974-1C3A44228347}.exe
    Filesize

    344KB

    MD5

    37344ffb79218b060077242e2ce7cbd8

    SHA1

    5799abe770e78551f6e563d386ef0871a3d30a5e

    SHA256

    fdf7a241a370e0963e886217ca27ce9eebc12f00cd2977d50a8e4a58d7c51c36

    SHA512

    83ff6cac0394b76e73264b453388eaeae88874d4c1d6ecca0bfa1f7edf9c86b74a06839a3dc5f5dabf690e0ced12887250776300329a5cd3bd048cbe4c261ca8

    Download Submit

  • C:\Windows\{B7A404D9-BE05-4acc-8984-B23FE0FE6BCA}.exe
    Filesize

    344KB

    MD5

    dffed40085a8bdfce33dda7c1a7ed394

    SHA1

    de84e55a684666139ec1fa4ea875bd0e9932afb5

    SHA256

    840a1f4abe8743a9386e807caa1f7aafb8b6627e1cde9b37fbaae8b2b174c2c5

    SHA512

    f70faf4516ac28f249ea5e45cd8b2feb519219fe1bbfd5cd2f50c705e45ebaba35a7a2c8b95446ecc2dc96ca7be057881f8db1a53224cb99eeb72549f7f3b367

    Download Submit

  • C:\Windows\{BA71584B-A234-4cde-82D3-99D0DF104556}.exe
    Filesize

    344KB

    MD5

    4ed702941f20c26636e6aed8c24409f0

    SHA1

    f3a66656b3f6c9e602d57ebb9a31c991e072c653

    SHA256

    559eb198cfada0600b2a6428efe1e0291b6d5da19d3dee9721e82eae44e25a90

    SHA512

    c07b25861df68f34e31b06f439e2a33a8e8ce863a1e991eff181cc11409a9497caca945012c79ef87b2ffdd251dd4dc9e0d68189a448b348451f4b84b86e0bc6

    Download Submit

  • C:\Windows\{C11A877E-5470-465d-8E3E-6CCD17A952B6}.exe
    Filesize

    344KB

    MD5

    bd234aa258299d5d9283f4dc08a58beb

    SHA1

    bfe2222112545327db4e5e26533e375e45fcf94f

    SHA256

    3b3abeb726e741a2e6437d6ad22abb00b431af31b0fe0445545aee33e90dffd8

    SHA512

    5ef4cf2046eeb1da570060d9dcad68fc577a5d4c201abf082b4815190bf68276b8d98286e1b4cc4817d20b7672e63887eb93ff851183cb3c15f5dca2a0df92b5

    Download Submit

  • C:\Windows\{EE30ABD9-98F4-44aa-A791-41415FB1F92B}.exe
    Filesize

    344KB

    MD5

    f3073042ec954e51b98e41f1fc063bcb

    SHA1

    a8a2610f093ab2d34497df77323a641ccd4bcdbe

    SHA256

    4c9265440b6685ae6811e7713fec05bd29325ff375027c8470ad4913de391226

    SHA512

    c306de7a377de51176d6aa6817c71c4b4b1e75a177cc83f3ab6f55ef9dfac1bc1d27fa78d60c1376b3c345278f37a09ae8ae1ba8f97c6bb4ae83849f02356f99

    Download Submit

  • C:\Windows\{FA1F35E3-3F5D-44e4-8A23-B78A58A4D284}.exe
    Filesize

    344KB

    MD5

    2c80c5459934eb1eaa5858079500189f

    SHA1

    9db0b981894161e9e075b106a0f336ab30e8c41c

    SHA256

    aeca328810c05f773c7df9a88981ce567aa22b85690a3af6c3debdaac39c6842

    SHA512

    21c57f1d34546fc65819251185986e68875dae1691b7dd613bf12fbd577eb85296bb275406ee364805b4c4673b311c679c8fa2702958f40d93150fcbc1ccbf97

    Download Submit

  • C:\Windows\{FB0402D9-7A94-4d9b-B7A2-0114D095F01D}.exe
    Filesize

    344KB

    MD5

    c9445bb315f7296d8741ef28876d10fe

    SHA1

    97e684d47117969b691382a10324078d861ab53d

    SHA256

    10dd4af94244160fb682593f1dbc7e35c3dc3166751b431ed7fb6a68d6d38b84

    SHA512

    a6c5a1debebb86469d64afec7b12d2f9d24df9fde2aa180e44557ab4ccbac7212533f0bb1feec89544f7eefbfb7369c758a689932e1363e63219afb1870f077d

    Download Submit