
Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/08/2024, 07:44

General

  • Target

    2024-08-24_fea30277256688ebef83ab9eba939fa9_goldeneye.exe

  • Size

    192KB

  • MD5

    fea30277256688ebef83ab9eba939fa9

  • SHA1

    24ff0abd21fea01e5299f1311b652a836def94f6

  • SHA256

    2645168462e76958d6fcf639fa0def8a57b40f99f756efee902e734e5ffc402e

  • SHA512

    0a0e473471423d0b0f023b71428fd27848aa8eb78502356a19247e3d58254ab87adc236e194c6b317536a84f59902be35d7a7c481e6e7ee4140dde65e34f00da

  • SSDEEP

    1536:1EGh0oOl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oOl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup components are registered under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}, and the StubPath value of a component is run at logon for any user whose HKCU hive does not yet carry a matching entry, so a dropped executable registered there runs once for every user who subsequently logs on. Check that key (and its Wow6432Node twin on x64) for StubPath values pointing outside the Windows installation's own binaries.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-24_fea30277256688ebef83ab9eba939fa9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-24_fea30277256688ebef83ab9eba939fa9_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\{B5DC687D-1ADC-4a55-85B9-A43FBF9675A8}.exe
      C:\Windows\{B5DC687D-1ADC-4a55-85B9-A43FBF9675A8}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\{66EB742F-6C87-4463-8EA1-78D9C9D3E8F4}.exe
        C:\Windows\{66EB742F-6C87-4463-8EA1-78D9C9D3E8F4}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\{82CAA174-04F0-4a74-9017-E6C6A0C6C2B9}.exe
          C:\Windows\{82CAA174-04F0-4a74-9017-E6C6A0C6C2B9}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2700
          • C:\Windows\{6C7C3D3F-EAD3-475b-AABA-CB43B94FBB7F}.exe
            C:\Windows\{6C7C3D3F-EAD3-475b-AABA-CB43B94FBB7F}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2588
            • C:\Windows\{B32635D8-43E4-4ae5-9D5D-F7F82DE547D6}.exe
              C:\Windows\{B32635D8-43E4-4ae5-9D5D-F7F82DE547D6}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2564
              • C:\Windows\{EB287971-639F-4767-9259-3B99EFECC1DC}.exe
                C:\Windows\{EB287971-639F-4767-9259-3B99EFECC1DC}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2272
                • C:\Windows\{B4B7411F-F0DC-464c-87CC-74349929C226}.exe
                  C:\Windows\{B4B7411F-F0DC-464c-87CC-74349929C226}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1720
                  • C:\Windows\{2DD3C401-43B4-4dd2-B1E3-DCE61A6F8FD0}.exe
                    C:\Windows\{2DD3C401-43B4-4dd2-B1E3-DCE61A6F8FD0}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2820
                    • C:\Windows\{6EDDABAC-CE1F-4527-B197-8FDE507E77DA}.exe
                      C:\Windows\{6EDDABAC-CE1F-4527-B197-8FDE507E77DA}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1900
                      • C:\Windows\{3D839639-6C76-48c1-9770-37FD710D8B35}.exe
                        C:\Windows\{3D839639-6C76-48c1-9770-37FD710D8B35}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2204
                        • C:\Windows\{0266D0FE-6468-4c90-8D6B-7DC55874CA17}.exe
                          C:\Windows\{0266D0FE-6468-4c90-8D6B-7DC55874CA17}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2508
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3D839~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1688
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EDDA~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2380
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD3C~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2924
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B4B74~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2032
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{EB287~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2616
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B3263~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2816
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6C7C3~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2620
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{82CAA~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2864
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{66EB7~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5DC6~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:624
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2356
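The two behaviours worth alerting on in this report are the Active Setup persistence flagged under Signatures and the chain shown in the process tree, where each dropped C:\Windows\{GUID}.exe spawns the next one and then spawns cmd.exe to delete its own parent via an 8.3 short name redirected to nul. The detection logic below is an added example, not part of the tria.ge report; it runs over constructed Sysmon-style records (process creation and registry value set, reduced to pid, ppid, image, cmdline, target and details) that copy the first levels of the tree above. The Active Setup registry records are assumed for illustration: the report does not list the key this sample actually wrote.

```python
import re

# Constructed telemetry (assumption: Sysmon-style records reduced to the fields
# the checks need). Process records mirror the first levels of the tree on this
# page; the registry records are assumed, since the report does not show them.
PROCESS_EVENTS = [
    {"pid": 1956, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-08-24_fea30277256688ebef83ab9eba939fa9_goldeneye.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-08-24_fea30277256688ebef83ab9eba939fa9_goldeneye.exe"'},
    {"pid": 2636, "ppid": 1956,
     "image": r"C:\Windows\{B5DC687D-1ADC-4a55-85B9-A43FBF9675A8}.exe",
     "cmdline": r"C:\Windows\{B5DC687D-1ADC-4a55-85B9-A43FBF9675A8}.exe"},
    {"pid": 2356, "ppid": 1956, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
    {"pid": 2648, "ppid": 2636,
     "image": r"C:\Windows\{66EB742F-6C87-4463-8EA1-78D9C9D3E8F4}.exe",
     "cmdline": r"C:\Windows\{66EB742F-6C87-4463-8EA1-78D9C9D3E8F4}.exe"},
    {"pid": 624, "ppid": 2636, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{B5DC6~1.EXE > nul"},
    # Benign control (constructed): a user deleting their own file via cmd.
    {"pid": 3001, "ppid": 2900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Admin\Desktop\notes.txt"},
]
REGISTRY_EVENTS = [
    # Assumed write: a StubPath pointing at one of the dropped {GUID}.exe files.
    {"pid": 2636,
     "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B5DC687D-1ADC-4a55-85B9-A43FBF9675A8}\StubPath",
     "details": r"C:\Windows\{B5DC687D-1ADC-4a55-85B9-A43FBF9675A8}.exe"},
    # Benign control (constructed): a component whose stub lives in System32.
    {"pid": 4000,
     "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}\StubPath",
     "details": r"C:\Windows\System32\example_setup.exe /q"},
]

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GUID_EXE = re.compile(r"^[A-Za-z]:\\Windows\\" + GUID + r"\.exe$", re.I)
SELF_DEL = re.compile(r"cmd(?:\.exe)?\s+/c\s+del\s+(\S+)\s*>\s*nul\b", re.I)
ACTIVE_SETUP = re.compile(
    r"^HK(?:LM|EY_LOCAL_MACHINE)\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Active Setup"
    r"\\Installed Components\\[^\\]+\\StubPath$", re.I)


def _basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def _dirname(path):
    head, sep, _ = path.rpartition("\\")
    return head if sep else ""


def guid_named_binaries(events):
    """Processes whose image is a {GUID}.exe directly under C:\\Windows."""
    return [e for e in events if GUID_EXE.match(e["image"])]


def short_name_prefix(path):
    """Return the 8.3 stem before the tilde, e.g. {B5DC6 for {B5DC6~1.EXE, else None."""
    m = re.match(r"^(.+?)~\d+(?:\.[^.]*)?$", _basename(path))
    return m.group(1) if m else None


def self_deletions(events):
    """cmd.exe /c del <8.3 path> > nul whose target is the parent's own image.

    Heuristic: a short name like {B5DC6~1.EXE is matched to a long name in the
    same directory that starts with {B5DC6. Image basename is compared rather
    than the full path because a 32-bit parent sees cmd.exe through WoW64.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]).lower() != "cmd.exe":
            continue
        m = SELF_DEL.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not m or parent is None:
            continue
        target, prefix = m.group(1), short_name_prefix(m.group(1))
        same_dir = _dirname(target).lower() == _dirname(parent["image"]).lower()
        if prefix and same_dir and _basename(parent["image"]).lower().startswith(prefix.lower()):
            hits.append((e["pid"], parent["image"]))
    return hits


def drop_chain_depth(events):
    """Longest run of {GUID}.exe processes, each spawned by the previous one."""
    by_pid = {e["pid"]: e for e in events}
    guid_pids = {e["pid"] for e in guid_named_binaries(events)}
    best = 0
    for pid in guid_pids:
        depth, cur = 0, pid
        while cur in guid_pids:
            depth, cur = depth + 1, by_pid[cur]["ppid"]
        best = max(best, depth)
    return best


def active_setup_stubs(reg_events, proc_events):
    """StubPath writes under Active Setup; flag stubs that point at a dropped {GUID}.exe."""
    dropped = {e["image"].lower() for e in guid_named_binaries(proc_events)}
    out = []
    for r in reg_events:
        if not ACTIVE_SETUP.match(r["target"]):
            continue
        m = re.match(r'^"([^"]+)"|^(\S+)', r["details"])  # executable part of the stub
        exe = (m.group(1) or m.group(2)) if m else r["details"]
        out.append({"pid": r["pid"], "stub": r["details"],
                    "suspicious": exe.lower() in dropped or bool(GUID_EXE.match(exe))})
    return out


def analyze(proc_events, reg_events):
    return {
        "guid_binaries": [e["image"] for e in guid_named_binaries(proc_events)],
        "self_deletions": self_deletions(proc_events),
        "chain_depth": drop_chain_depth(proc_events),
        "active_setup": active_setup_stubs(reg_events, proc_events),
    }


if __name__ == "__main__":
    for key, value in analyze(PROCESS_EVENTS, REGISTRY_EVENTS).items():
        print(key, value)
```

On the tree above, the self-deletion rule fires for every cmd.exe instance (each deletes its parent's image) and the chain-depth count reaches 12, so a threshold of two or three GUID-named binaries in one ancestry line is enough to separate this sample from the occasional installer that stages one GUID-named helper. The 8.3 prefix match is a heuristic: when several long names share the same first six characters, Windows assigns ~2, ~3 and so on, so a stricter implementation would resolve the short name on the host rather than compare prefixes.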

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{0266D0FE-6468-4c90-8D6B-7DC55874CA17}.exe

    Filesize

    192KB

    MD5

    225a026953837d01e106d2e047d5a2fc

    SHA1

    52cd9fd091b03aa567324203d450c171a1220449

    SHA256

    91a35d7dbe54197069db5f8a3b4902e7a8570d148f568fbcb6f43a15fc423f74

    SHA512

    4ef0cdaff53b7a1433e3faef3d99a1639828e4ccd93717cb26ed0439b5f99cf34788611e9eebb4edbdafd00f0f77c30df188b778a8270540e551418fb1e39e2d

  • C:\Windows\{2DD3C401-43B4-4dd2-B1E3-DCE61A6F8FD0}.exe

    Filesize

    192KB

    MD5

    6ee9ed4153532636dee32b561a7b2384

    SHA1

    b8ca32088f61c532b83d48578e290f50e25b7e65

    SHA256

    68784b055a79cfdad8195f767de8aa81b250eef7a76789b2d10dea824c71dc13

    SHA512

    e04218c3d1881d24c5dcfdc78ba2c8698901073c0d87737e6d451a76949e2042fc5292304964a84a843a239eb3c5e6ebcbfee8fe76ddcaf9ea2635fd7ba2e825

  • C:\Windows\{3D839639-6C76-48c1-9770-37FD710D8B35}.exe

    Filesize

    192KB

    MD5

    f4b97add3b9cdcfcec3996bf1c1a9d45

    SHA1

    50b229cf22559a6bd73d9a8b3e28c88c68a11e15

    SHA256

    1bb7ed73f2924a3c176d350f8070825c77138d8843936ec2e9615ad66a0e47e7

    SHA512

    9ebd030c98fd9e1075b16a6ff3484f86fc89ab4204a8cc47f5e3f6f0dc1ac491b79ff8ee50564360a281d564b8468ff708f5f11d4674a3e424cdbe90f77316ac

  • C:\Windows\{66EB742F-6C87-4463-8EA1-78D9C9D3E8F4}.exe

    Filesize

    192KB

    MD5

    ba22e4caef302f240a0aa2cfdfbbc2dc

    SHA1

    0ef64195a66345af7e5ad5e7dfb0e0c8516c9963

    SHA256

    c02dde13977d0fc8b16d5161472f5adca6b35aa2de1cab456fa12cee50ae9476

    SHA512

    e2ba6efcbae2db2ee7d3209925b793d409cf3ca765cd627d9274861e62914cd4c2fe7f64274166076d5c1eb8263a672b374e2296fe12efb9b2655d2c1f714922

  • C:\Windows\{6C7C3D3F-EAD3-475b-AABA-CB43B94FBB7F}.exe

    Filesize

    192KB

    MD5

    02eb62b961386ddb8bf89620204ed044

    SHA1

    63c01f4c12375cda7fbf676b148c9895a90b62ce

    SHA256

    2325e7a1a9ebaa2b072a0aebfd4397da7d847f7d623edf7838778d8467cfb2f9

    SHA512

    6af9f2cbb7298fbc689f561742932059126d4816d835f07e1f1fd3ea3f03f23e954eeb29c5dab092bef09855b5a309aa1b308396a128f0215822814e02adf6ba

  • C:\Windows\{6EDDABAC-CE1F-4527-B197-8FDE507E77DA}.exe

    Filesize

    192KB

    MD5

    1b62408ea978ae8d3926977207f849a3

    SHA1

    7bbf999b72c0882f99b3c43138399cccf0c3cca0

    SHA256

    76a8266902c59ed8b5f61aa862fd292eedd1f96960af03aa8fb6ac90f48d5c63

    SHA512

    978d49577d85766bc14915020290f93bb8ca2f6a26ba5f5a79c63166d0e6412216fa959661d9258eff8cc8909c616167c51b9e2d7e2e69d5e1701ff0d5c07112

  • C:\Windows\{82CAA174-04F0-4a74-9017-E6C6A0C6C2B9}.exe

    Filesize

    192KB

    MD5

    06a5093b84ca4faca0097d6b98b6c212

    SHA1

    9c301d3af19d17db9eb9e0be2fd66eaf1d49893c

    SHA256

    99b7742944f4cb32cd883a0c1cd151b007653343df6eee9f447b7842234a2652

    SHA512

    00bdd9007db7f04a86f58ddeb93fe376de81948d11e98dfd1642c989e657a11740817b0016edbef7b61501eb82047a7d21cc9c5a3166428e04440c114b41b1cb

  • C:\Windows\{B32635D8-43E4-4ae5-9D5D-F7F82DE547D6}.exe

    Filesize

    192KB

    MD5

    f012969f8817d63e0b3af637c14e9f47

    SHA1

    eae48cdb985801a08e36e5222dfa1ac521c7cff0

    SHA256

    531903f90949358534d77dea59c91beb843e439cc6db10ffcb992ce228d45f3a

    SHA512

    e6c8ee3860fdb5143757a17c4b372f079b028302bce25f02b947da99424f4d63ee56fff4042eace88342ca0a25f7cddc2fd64932b04666d0543f0ab5631d0627

  • C:\Windows\{B4B7411F-F0DC-464c-87CC-74349929C226}.exe

    Filesize

    192KB

    MD5

    ffda5e46bde337f27c32e66078f34645

    SHA1

    c9d455f205c8c3f32baa896ac0d83ad42ebdc608

    SHA256

    54acbdf6385541841fa91c684fe5dd91a63203a29e218d8a58abb9288179e3c2

    SHA512

    3b9856193972c51a55995c95d227095858d612aa11467f3c904619ec95665b7773c8d807f3b645b21251bd4e98dabc9f9e3a4e13f8b91902ff78e3dc7bfb8280

  • C:\Windows\{B5DC687D-1ADC-4a55-85B9-A43FBF9675A8}.exe

    Filesize

    192KB

    MD5

    f36e14dd4c5855b2f1fdd73e7a814457

    SHA1

    54d81a4a3385a8c9559b3813cb5f32321b8b9fe0

    SHA256

    57b0d0f629724e8443511d1168a0c3b0f6d69b93bd34a33eeb54bdadaa8f0fa8

    SHA512

    322a91abdad3fcbf120d9ac09db59eaea3221e31b51ea0faaddb7b091169438712ec936c400795c6d13cde976d33c754d4f4b629833c0251e947916936d8edf8

  • C:\Windows\{EB287971-639F-4767-9259-3B99EFECC1DC}.exe

    Filesize

    192KB

    MD5

    e796d9400446aa5160cf23397a78e8c6

    SHA1

    53c80de0ab7e912349622c8e383c852eb87a6421

    SHA256

    0ea9ee71f8ca4e84725b99ca0eeabec9f5b5f536b287dab006e03b8b1ba3ea3c

    SHA512

    393c496cd84b3f9b70a98b6dd3d3a1612a973e50ab64623c276c1aad328e6a5d7ad2952f9be64b183417cde169b9df382f386923d0371a6fdc3477385ffc8fa8