Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/09/2024, 06:00

General

  • Target

    2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe

  • Size

    168KB

  • MD5

    66853db4bffd27a9c158ac89cc5e6782

  • SHA1

    d79157f0edfd3f82f978710d62b8a9e7e89870a2

  • SHA256

    38c45ea7d7382e3fbf9ba478f2134260550cd8195615b109dcbab739bb765a34

  • SHA512

    af5d29a31083b668389473d1d62f8854247b5cd420ebdcb26f719a30dec55ee0ac4ef1d6b6756a8c9066c389c418a13bdca88fc2ab6b9a8042effb06760bbaa2

  • SSDEEP

    1536:1EGh0o0li5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o0liOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024090666853db4bffd27a9c158ac89cc5e6782goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\{348C4CF1-F19B-442b-A90D-273070CDAF85}.exe
      C:\Windows\{348C4CF1-F19B-442b-A90D-273070CDAF85}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\{5D894FC6-CE07-4038-A213-4B70DEA4AD2F}.exe
        C:\Windows\{5D894FC6-CE07-4038-A213-4B70DEA4AD2F}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4568
        • C:\Windows\{B062AF1B-DF45-4299-9733-A8DDA04A0BF9}.exe
          C:\Windows\{B062AF1B-DF45-4299-9733-A8DDA04A0BF9}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4132
          • C:\Windows\{57A145A1-C376-4467-B458-5F796D45523B}.exe
            C:\Windows\{57A145A1-C376-4467-B458-5F796D45523B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4624
            • C:\Windows\{589D3E4E-F9E9-4e10-A381-A89C2AEE5AE8}.exe
              C:\Windows\{589D3E4E-F9E9-4e10-A381-A89C2AEE5AE8}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4500
              • C:\Windows\{1DF6A068-EC6F-4e48-9B55-92378935C4E3}.exe
                C:\Windows\{1DF6A068-EC6F-4e48-9B55-92378935C4E3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4324
                • C:\Windows\{641ABBF4-E6FC-4b40-AA91-80D2C8AC1788}.exe
                  C:\Windows\{641ABBF4-E6FC-4b40-AA91-80D2C8AC1788}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2720
                  • C:\Windows\{E30929CB-B749-4b01-B9D1-E60A5A8FEC1A}.exe
                    C:\Windows\{E30929CB-B749-4b01-B9D1-E60A5A8FEC1A}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1524
                    • C:\Windows\{448696BA-D9A6-405b-A4C4-ECE3FEC579B7}.exe
                      C:\Windows\{448696BA-D9A6-405b-A4C4-ECE3FEC579B7}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3368
                      • C:\Windows\{56F17758-C897-4c9e-853E-C045B473A32B}.exe
                        C:\Windows\{56F17758-C897-4c9e-853E-C045B473A32B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4992
                        • C:\Windows\{000FC6D6-E2AD-447a-9CB7-B0B3E5E69898}.exe
                          C:\Windows\{000FC6D6-E2AD-447a-9CB7-B0B3E5E69898}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5024
                          • C:\Windows\{E894C56C-8FA5-43e8-BA97-CC9AAE6BF295}.exe
                            C:\Windows\{E894C56C-8FA5-43e8-BA97-CC9AAE6BF295}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1088
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{000FC~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3832
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{56F17~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4432
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{44869~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2580
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E3092~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:3936
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{641AB~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1692
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1DF6A~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4616
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{589D3~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4292
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{57A14~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:848
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{B062A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:928
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5D894~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3424
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{348C4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1536
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4880

Network

MITRE ATT&CK Enterprise v15

Downloads
