
Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/08/2024, 08:57

General

  • Target

    2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe

  • Size

    192KB

  • MD5

    94732171b0c3d44d3214a78e7ce6cfe5

  • SHA1

    7e3e0a24ceb2dd9e25cd64e1f88d9ff666b3b224

  • SHA256

    de0f85e2fcfc1fdd6eba7d140223452b8decda18dc5b56b702f249952057632c

  • SHA512

    7e4accc994446e7f6475b2002496a4a20ddf0af99e1ff0db9badbf58edf07f47122ed268f3fd7bece1d264df3ed5311f9381ea0a23d573291e98a90b5f2a09de

  • SSDEEP

    1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ojl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-29_94732171b0c3d44d3214a78e7ce6cfe5_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3652
    • C:\Windows\{D8240507-8F2A-44db-B7BB-92613133854E}.exe
      C:\Windows\{D8240507-8F2A-44db-B7BB-92613133854E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\{9493E7C3-C19B-44f0-AE49-B39FD41C2F99}.exe
        C:\Windows\{9493E7C3-C19B-44f0-AE49-B39FD41C2F99}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\{93AD511D-F011-45c9-AD15-7AFC4FACDC4C}.exe
          C:\Windows\{93AD511D-F011-45c9-AD15-7AFC4FACDC4C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:408
          • C:\Windows\{01DA5A6C-2615-4d84-BF5C-2E03C3D31419}.exe
            C:\Windows\{01DA5A6C-2615-4d84-BF5C-2E03C3D31419}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\{BB7E1290-1C38-4b9d-925C-6893CBBB6327}.exe
              C:\Windows\{BB7E1290-1C38-4b9d-925C-6893CBBB6327}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1460
              • C:\Windows\{3E250201-B38D-477a-9965-16D7D275DABA}.exe
                C:\Windows\{3E250201-B38D-477a-9965-16D7D275DABA}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1084
                • C:\Windows\{591E9FC8-0C30-4a1d-B5B7-2B2D31C88018}.exe
                  C:\Windows\{591E9FC8-0C30-4a1d-B5B7-2B2D31C88018}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1088
                  • C:\Windows\{1E820763-5AC1-4b52-BD04-4947C1AB44E1}.exe
                    C:\Windows\{1E820763-5AC1-4b52-BD04-4947C1AB44E1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4648
                    • C:\Windows\{B4A7110D-A993-4301-9132-DDEC9A7F1DF5}.exe
                      C:\Windows\{B4A7110D-A993-4301-9132-DDEC9A7F1DF5}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1100
                      • C:\Windows\{E6C44BCC-FAAE-4c30-8D87-5EC1680431EF}.exe
                        C:\Windows\{E6C44BCC-FAAE-4c30-8D87-5EC1680431EF}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4476
                        • C:\Windows\{62DF0364-F668-417c-A5FE-B4461C4440F7}.exe
                          C:\Windows\{62DF0364-F668-417c-A5FE-B4461C4440F7}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2108
                          • C:\Windows\{044A73EE-44BE-4c1e-8DD6-B17C2B994FDF}.exe
                            C:\Windows\{044A73EE-44BE-4c1e-8DD6-B17C2B994FDF}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1860
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{62DF0~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2056
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E6C44~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2204
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4A71~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1180
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{1E820~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1020
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{591E9~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2604
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3E250~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1504
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{BB7E1~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2924
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{01DA5~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2844
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{93AD5~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4856
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9493E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3268
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8240~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2732
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3888
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
    1⤵
      PID:3320

Network

MITRE ATT&CK Enterprise v15


Downloads
