Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/09/2024, 11:17

General

  • Target

    2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe

  • Size

    216KB

  • MD5

    f142d2bee57c37de55c69e8558f89e78

  • SHA1

    a9534315143d1550ec9d1ed7f07b5808244af99e

  • SHA256

    037f16a08772fd8ddc8178abcef40fb27e6082356ab8859dec17af4a5e816721

  • SHA512

    4438f0116a12f5a20f69bdee3e38058c4ec46fb2f7f66515c042a55eea6b5341d14f04c1699f7d9d0b71163da12a9d27d50b935a18cef6375bfec49b5e7560c2

  • SSDEEP

    3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGSlEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\{6EB2A74E-7462-41fe-AA04-E68E80C6FD1E}.exe
      C:\Windows\{6EB2A74E-7462-41fe-AA04-E68E80C6FD1E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\{C11B5150-4D26-46b2-8056-E30AAB307D69}.exe
        C:\Windows\{C11B5150-4D26-46b2-8056-E30AAB307D69}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\{94ED4A31-6B30-4aa0-A347-C03412E62A34}.exe
          C:\Windows\{94ED4A31-6B30-4aa0-A347-C03412E62A34}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2944
          • C:\Windows\{99FA2C8E-64E4-4eb1-BF0A-87DDE91282F9}.exe
            C:\Windows\{99FA2C8E-64E4-4eb1-BF0A-87DDE91282F9}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2588
            • C:\Windows\{5B6934DA-AF4A-46b0-BDED-124B814A4F83}.exe
              C:\Windows\{5B6934DA-AF4A-46b0-BDED-124B814A4F83}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2592
              • C:\Windows\{F433CD8F-E3C6-4d7c-8591-2FEF0A4781E2}.exe
                C:\Windows\{F433CD8F-E3C6-4d7c-8591-2FEF0A4781E2}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1792
                • C:\Windows\{85DB8AE0-4147-488d-AC39-DB1B7543A745}.exe
                  C:\Windows\{85DB8AE0-4147-488d-AC39-DB1B7543A745}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2312
                  • C:\Windows\{25DB3136-9E09-41f5-9AC0-E6DB02E93126}.exe
                    C:\Windows\{25DB3136-9E09-41f5-9AC0-E6DB02E93126}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1284
                    • C:\Windows\{4922429D-FD93-4fe5-9AD9-ACF7C21E4427}.exe
                      C:\Windows\{4922429D-FD93-4fe5-9AD9-ACF7C21E4427}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2548
                      • C:\Windows\{34B79B45-0F90-436d-9447-87EF13386BDA}.exe
                        C:\Windows\{34B79B45-0F90-436d-9447-87EF13386BDA}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2452
                        • C:\Windows\{2F8382AE-75BA-400d-A975-FD7C4447CE0E}.exe
                          C:\Windows\{2F8382AE-75BA-400d-A975-FD7C4447CE0E}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:264
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{34B79~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1460
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{49224~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2892
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{25DB3~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1656
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{85DB8~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1288
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F433C~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1744
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5B693~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1484
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{99FA2~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1912
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{94ED4~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{C11B5~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB2A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2372

Network

MITRE ATT&CK Enterprise v15

Downloads
