Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/09/2024, 15:26

General

  • Target

    20240906b058d60e02378a272481c4603cf3c246goldeneye.exe

  • Size

    408KB

  • MD5

    b058d60e02378a272481c4603cf3c246

  • SHA1

    bec78dd7b65073ddee62cdd626baecb3899dbaa6

  • SHA256

    73a5ddc6fd7b55869dcd0dfd21bc948386a7d58c3b66c235e1afd1e38304bb35

  • SHA512

    7b4482ca0be4f6569f75bc4f9b8ce97bdbffbd191d870fff1822e99957eb6785ff6bc5fca5d5e3110af8c8c29a7dc8974f561f1e01ce4a1f71e0c1a70cc2250d

  • SSDEEP

    3072:CEGh0o4l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGmldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240906b058d60e02378a272481c4603cf3c246goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\20240906b058d60e02378a272481c4603cf3c246goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\{E506DC8E-D83B-4bc2-A819-A1B9919EFF9A}.exe
      C:\Windows\{E506DC8E-D83B-4bc2-A819-A1B9919EFF9A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\{AAFECDDC-E2AA-4426-8126-70B2102D2AF3}.exe
        C:\Windows\{AAFECDDC-E2AA-4426-8126-70B2102D2AF3}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\{A56D7C8D-27B4-4507-BCF6-95487AAD6557}.exe
          C:\Windows\{A56D7C8D-27B4-4507-BCF6-95487AAD6557}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\{0AA69816-2F6E-4ec8-86C9-14150C7D2E0A}.exe
            C:\Windows\{0AA69816-2F6E-4ec8-86C9-14150C7D2E0A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Windows\{F85392FF-B119-4642-B93C-A2082329D72C}.exe
              C:\Windows\{F85392FF-B119-4642-B93C-A2082329D72C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1164
              • C:\Windows\{40FC50B0-CEDD-430b-B6EA-4F72CA63AE2E}.exe
                C:\Windows\{40FC50B0-CEDD-430b-B6EA-4F72CA63AE2E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:696
                • C:\Windows\{3AC8BD1A-8CB4-4085-BAFE-A31E86596B93}.exe
                  C:\Windows\{3AC8BD1A-8CB4-4085-BAFE-A31E86596B93}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2712
                  • C:\Windows\{E4C78D2C-8FEA-446f-BAD0-6BC537773152}.exe
                    C:\Windows\{E4C78D2C-8FEA-446f-BAD0-6BC537773152}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:864
                    • C:\Windows\{C4001424-40DC-4d6a-AF70-F1C8C3DCC073}.exe
                      C:\Windows\{C4001424-40DC-4d6a-AF70-F1C8C3DCC073}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2372
                      • C:\Windows\{07D808E3-F037-47e0-99C5-FBE0C930D93D}.exe
                        C:\Windows\{07D808E3-F037-47e0-99C5-FBE0C930D93D}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2136
                        • C:\Windows\{4BCEC66A-738B-436a-918D-4DFE0C5CC5C0}.exe
                          C:\Windows\{4BCEC66A-738B-436a-918D-4DFE0C5CC5C0}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2540
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{07D80~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:684
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4001~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:800
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4C78~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1160
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{3AC8B~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1920
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{40FC5~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2824
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F8539~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1496
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{0AA69~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1412
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A56D7~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2708
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AAFEC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E506D~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2500

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{07D808E3-F037-47e0-99C5-FBE0C930D93D}.exe

    Filesize

    408KB

    MD5

    4591a0eaaff776522d724106fc00cdd4

    SHA1

    3cdb94d33cade5dcf7a61fa45ac8a270edf26c25

    SHA256

    bc8165a00c30873085046f2e71c15f0ea3514981ed1cd3d896b39e5c6c0233e5

    SHA512

    0eda0b826eea8105e405fd3351e474dd2a34acaa6c667ba34048e00ee080c13612bae55ac39677655a9b5674017212cea4f04652af5f214f5a36e09bd92e00ea

  • C:\Windows\{0AA69816-2F6E-4ec8-86C9-14150C7D2E0A}.exe

    Filesize

    408KB

    MD5

    d824f370cb65c8d50a790d6490db82a6

    SHA1

    7d4942500c9688a4eea4f599a3ad32f8c881b0f3

    SHA256

    869d3ff945fc0f07b47369db52007d265a3ac5690ae9fac7153c542ad4b41433

    SHA512

    d53c9f9b3655833146678a95736b11826d01f125dc2b5256b5397ec03b8d2fd0bd7f6a656fc9476ed4c70aa82268205febca24cf8eb7a6a728bf9f2270dfe2ca

  • C:\Windows\{3AC8BD1A-8CB4-4085-BAFE-A31E86596B93}.exe

    Filesize

    408KB

    MD5

    69db954ff9a393fe0375c58ea027670a

    SHA1

    e943b7429f7bd4ef5925926bc275630535c8d77d

    SHA256

    5acc2c6297db2dfaf3a82c123c73f9e6a68ebd383ef9ee5a72c87561ad26d29a

    SHA512

    da901eb748680c21085054a0c292685f1c2a432084f58347a54308c8ea961738682bdec88c8120d166dfe7cf01f2e616f90c69532ca75fa647f726bb556ac4e3

  • C:\Windows\{40FC50B0-CEDD-430b-B6EA-4F72CA63AE2E}.exe

    Filesize

    408KB

    MD5

    2bb9d13c89f6082423e051e2cb0d45ec

    SHA1

    10f0adf79978bc93ecad12699eb7c8d7166f8488

    SHA256

    e1e24971ec1e5d1b270b842624b90d6471abbc25cb76b14c1a64b09f2be16118

    SHA512

    184ac2caab31a6c743a7a33eeb9c33b1e3bb86fb8086fab96bc896a2110b97eea667d8ea8c0e150351302f68ade552b5727a04ef8bf00b6bf43b312916b63a61

  • C:\Windows\{4BCEC66A-738B-436a-918D-4DFE0C5CC5C0}.exe

    Filesize

    408KB

    MD5

    2c2469ccea6c147c9f07a588f1d30850

    SHA1

    07d245df4533703dbc271cfd302c6a8766513783

    SHA256

    2f8b3c89d971408402936e44bdaeff0d548306711854c7fe3c42ea2d59c64df6

    SHA512

    27a8ff3e74e56d5136998c0ba6fc1c10ffadc7bf4a6e2659592b048d3a9a037484d0b6b7b7dcbe7020fd29de91658747b7c70c72931077d66b8320253da7f921

  • C:\Windows\{A56D7C8D-27B4-4507-BCF6-95487AAD6557}.exe

    Filesize

    408KB

    MD5

    4fac4eaf84aa87b473a7c7d17bfa3786

    SHA1

    2915a672ba394abb5e6a6dc730550d87aa1a2c76

    SHA256

    0a545303ecfe4a99208272d1c4558accea8a2e7a463fd0b6ba91cdd26a4109a9

    SHA512

    97049afb6839bd99108322029804941d6f17702d845c27a559a0f3790f44e1fc2e9c5306a97de79cab8b5f3571e454cb4c11868bb72f7ee8955b0698b36a8166

  • C:\Windows\{AAFECDDC-E2AA-4426-8126-70B2102D2AF3}.exe

    Filesize

    408KB

    MD5

    505354aabb03ee9addf0470279f65b08

    SHA1

    1eebcdad9f9198033603bdffbc0782989f5806d7

    SHA256

    4f781e5d2b269a87fc931dee1e9e31f5e41b1d5bb18f65afc8a3835f80290765

    SHA512

    7d00d5711e73eae4f282cc852e5a09f3e8f64b62621148cc8c1432b2a185096f468f34992b87e73804b59ee3cbd213384b4adc21be16c3dcc98fb0b72a49dba1

  • C:\Windows\{C4001424-40DC-4d6a-AF70-F1C8C3DCC073}.exe

    Filesize

    408KB

    MD5

    0b82602327c89ac732b3b47d776bd9f8

    SHA1

    1f76c5f903ea3c0a67f50e3a80c09155ab0e6822

    SHA256

    f38d30d2b104df937d90838e62c8a804308db7b43493f046c9adf0f2c51300dc

    SHA512

    94d83fd8350d632395f8187122dc5c4f01d270a8f1853c58b9c27024845b471d4836ca5cd794303441e514d2465f4ee1bac400da82150b23a6a66107e1d27dda

  • C:\Windows\{E4C78D2C-8FEA-446f-BAD0-6BC537773152}.exe

    Filesize

    408KB

    MD5

    651891770afc170fb39388b7fa0761e0

    SHA1

    14a6557672969d765075c5cbc7d75c32e6d6e386

    SHA256

    c803a44a31c33d8ad9d2a994791d0ee2302329757159741c0232ff44101df649

    SHA512

    b5627d29424725588787ad253f1623e2ebea737e44276c433c1bd12b7d318d2b77e828d912e5760992b0fa4d6dac9df1e5516b966a0cbddf959b19f989d6517c

  • C:\Windows\{E506DC8E-D83B-4bc2-A819-A1B9919EFF9A}.exe

    Filesize

    408KB

    MD5

    a2bf0904dccbbe85892eef927f67793f

    SHA1

    a8191367a9138a3a800ff643f13e3df977f66f61

    SHA256

    ff8c36477a753f9de0f3f33b57911793c8af886fa4656c47b482ee5326bec0bb

    SHA512

    ae1a57589bfca1ae45588f7b17dd67b18c590f16a91c3239140d058d6434e474bbb2b60446d6769128e63e95953febc79a56569ec136ae267b96d17c765d36a7

  • C:\Windows\{F85392FF-B119-4642-B93C-A2082329D72C}.exe

    Filesize

    408KB

    MD5

    998707fe5b1dd3fcca76051758a3ff7a

    SHA1

    2ae2a10640a5f4cea73c2b01f8b4f806b72f895b

    SHA256

    3bf5e16e7e4947e9df634bf4c9c714da604a191b4b5b2bf1536b37071812a7d3

    SHA512

    256fe488d6159678566cf94bb5607625493344ab9c7c112beef0375a9c0785fa905ace82efaf277f607e920c050fb58f9c61ee51b3fd09c0201e5454cd3919fd