Analysis

  • max time kernel
    149s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 01:23

General

  • Target

    2024-09-07_2ba24fcd5880931b1aa18dcd0c337064_goldeneye.exe

  • Size

    197KB

  • MD5

    2ba24fcd5880931b1aa18dcd0c337064

  • SHA1

    9d9bceb90e0f02bafd6e56de8f9ff8f206806438

  • SHA256

    65e61dfce3122e15e7b2eff2e20590419da45647e5fdb94a0a8f2ec3827e1138

  • SHA512

    7849008624e20a9d0e01baedb36561294f8767bfdf3f492f8b0be7d72f6646d8317872e88716a2ba6b311c6959c448b94a09a954f4e13e32dc3ea2c1914184ff

  • SSDEEP

    3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG4lEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-07_2ba24fcd5880931b1aa18dcd0c337064_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-07_2ba24fcd5880931b1aa18dcd0c337064_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\{364DC631-A028-45b7-82C8-B5C60F237043}.exe
      C:\Windows\{364DC631-A028-45b7-82C8-B5C60F237043}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\{786CF8AD-E756-40bd-B370-E5690EC49A8E}.exe
        C:\Windows\{786CF8AD-E756-40bd-B370-E5690EC49A8E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Windows\{4F3B0293-C88A-4a36-ACE1-2017D256C1A4}.exe
          C:\Windows\{4F3B0293-C88A-4a36-ACE1-2017D256C1A4}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4696
          • C:\Windows\{BF9988B3-56D6-4617-A822-C015A0270750}.exe
            C:\Windows\{BF9988B3-56D6-4617-A822-C015A0270750}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1624
            • C:\Windows\{6BFEA0F9-EAC0-47f0-97A1-A5F03D7290EE}.exe
              C:\Windows\{6BFEA0F9-EAC0-47f0-97A1-A5F03D7290EE}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2396
              • C:\Windows\{1F4C3291-35ED-4023-A13D-A9BEFF649805}.exe
                C:\Windows\{1F4C3291-35ED-4023-A13D-A9BEFF649805}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4248
                • C:\Windows\{06EA7C0C-CCFE-4a7a-9CC4-BD741805D1F7}.exe
                  C:\Windows\{06EA7C0C-CCFE-4a7a-9CC4-BD741805D1F7}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4372
                  • C:\Windows\{431E8B78-0D27-46e1-A135-02009D7564C4}.exe
                    C:\Windows\{431E8B78-0D27-46e1-A135-02009D7564C4}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1696
                    • C:\Windows\{D33503EB-0199-4842-9CEF-263F0D3B2380}.exe
                      C:\Windows\{D33503EB-0199-4842-9CEF-263F0D3B2380}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4444
                      • C:\Windows\{B915C394-BFCC-422d-AE37-FD4865361650}.exe
                        C:\Windows\{B915C394-BFCC-422d-AE37-FD4865361650}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:736
                        • C:\Windows\{B9C7CA43-EEAD-4488-906E-F410BB59C4D4}.exe
                          C:\Windows\{B9C7CA43-EEAD-4488-906E-F410BB59C4D4}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1644
                          • C:\Windows\{3BBE5AB9-83D9-430f-B39A-33C5B0F7D208}.exe
                            C:\Windows\{3BBE5AB9-83D9-430f-B39A-33C5B0F7D208}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:996
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C7C~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4912
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B915C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3004
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3350~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2392
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{431E8~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2628
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{06EA7~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4496
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{1F4C3~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2400
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{6BFEA~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2732
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{BF998~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4176
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{4F3B0~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3032
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{786CF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4868
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{364DC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5104
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3356

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{06EA7C0C-CCFE-4a7a-9CC4-BD741805D1F7}.exe

    Filesize

    197KB

    MD5

    8e520154571004ef563f6f840477c829

    SHA1

    9ced8cf8e1352642ab09e0529afccc88235c27b6

    SHA256

    626a1f63b9d15b6d832edcb1360dc1eccdb8890d186550897641b35d42604078

    SHA512

    d69ba2e1037b49aeaa53453916203aa3eeeba1be9ed0ea654da3ea8687b6ebb1f3249d3ec5186766395ee4162b8b296bc66cda5b42254c9d960e6205a7d74e38

  • C:\Windows\{1F4C3291-35ED-4023-A13D-A9BEFF649805}.exe

    Filesize

    197KB

    MD5

    2f52b271f1d0e96d02ddc27b53c74c07

    SHA1

    d0f7260bfcc19e2fd74d441b8414f011ee9c7487

    SHA256

    13594c7b0c3b0a2979594c4322e69626edf3d19550d734c3903f00a6b9b91dbd

    SHA512

    0f1063b568285902f410fb83a1e8dc0e245f97e4e7a4f9abae8218ab25003111c4550979aa6802cb9964e84baf1845a8cccddb3a66020d1c86f0003a7fb27afa

  • C:\Windows\{364DC631-A028-45b7-82C8-B5C60F237043}.exe

    Filesize

    197KB

    MD5

    35227c92d34e2ce4ba7c1c48f36aeb92

    SHA1

    8aa9c0b45ed58e34d6017a835ba834a2218ec4ca

    SHA256

    5866411a7099b5cf786b19a4f277b4a8605569f9ba15abe5ea626588d6398319

    SHA512

    ca59835c5d47f26439015d8779367ff3e7b2e167d0fad321b5ae140311ece06b1475cb9ed270ef3ef3473f795dff876a251ca9263ffe90c55e3a31492520dbf5

  • C:\Windows\{3BBE5AB9-83D9-430f-B39A-33C5B0F7D208}.exe

    Filesize

    197KB

    MD5

    9ad717fc25dd22fe2f3c9dd27246ad67

    SHA1

    23a1878287d4c9429ba359e5a32c95c1814a345e

    SHA256

    55296261e8aa2259e37ad70d668714f0c9fd19cdf0d5ca5f8c6b1ddf4e6a959c

    SHA512

    6b74ca8af9a06c771e8dc18955601a5dd59a62368fea517f70ee83fe4fd3c5f6556c2b78185e96fc99790d8a2f67349d1d4ee1cbae8762b6eae38d3ffa2dad99

  • C:\Windows\{431E8B78-0D27-46e1-A135-02009D7564C4}.exe

    Filesize

    197KB

    MD5

    c2d03ca9356067f4f5723d016e08ae12

    SHA1

    12c998dfc7fd8dea61bd8de3afbd3e811dd1c14b

    SHA256

    a777029276e49cde176550bfe6e28cd28d0eb44b99b9db2a62ee2b53d10f5509

    SHA512

    2e5fca90aa3844c5bf497d822a5dbfe5f2a52d10af20db13642266eddfa1df5a27bbd1c97057fa7ae4c7b06f5eb746af6cbc51b8c4f0075905d1275f9ea70c17

  • C:\Windows\{4F3B0293-C88A-4a36-ACE1-2017D256C1A4}.exe

    Filesize

    197KB

    MD5

    a42e0addb12b3fe0fbe993586ff0a4e0

    SHA1

    42bd18d374e81015f8b6365570766784db69c974

    SHA256

    a24b54488b6827730b9f2d3b3acd95bfc6beec3b43a3f98da6c648666b834a8b

    SHA512

    a092f80be5d2769a7b23932c748c1a7cc81c4d4eca0fc314cd8706044b213a453a0f3f059e25ac7ad6b53ece3b8e7bc8b5540092bc8c6a43aeb8aa88b3e13b27

  • C:\Windows\{6BFEA0F9-EAC0-47f0-97A1-A5F03D7290EE}.exe

    Filesize

    197KB

    MD5

    e48554ad0a79f6e31b46a7587db159cd

    SHA1

    9922cc831881378c41246df884c4ab3e8f5c4656

    SHA256

    97ffcb9cf9870652e70b18104c6f5eb341f35a9e6637f0513759e639c3d49f16

    SHA512

    9dfbee8f13cefd580f7994ced80177a8264343282ea8183374a3ea1ebf0abec265911bbf9810ac013883d329bb62a7a2320e171bb43a5f42e758fc0ee9864500

  • C:\Windows\{786CF8AD-E756-40bd-B370-E5690EC49A8E}.exe

    Filesize

    197KB

    MD5

    2dc224c47c6d56fe924320e9cc387088

    SHA1

    0bd78a593b16c7e3485ef9587fb00f525c363ba8

    SHA256

    d4ee86191b9fd4eeec8e064fe1ecac327cd8e7affa077a41bc73ea5c6e10e210

    SHA512

    637ede5a9e8550c3e2802168030480c9ec08092585256fd8497d7b64b2637872b260fa1669312618e712e92f9c4f9771300d5be43632a2d0db726bff8f6fac47

  • C:\Windows\{B915C394-BFCC-422d-AE37-FD4865361650}.exe

    Filesize

    197KB

    MD5

    69f02761c2e47b1a5c63ee67be2ee39d

    SHA1

    91949ab3318bfceac8eaca9afedf04ed38f91a46

    SHA256

    b19ddb34d0cece47efc39978d740743ca18f1a2bb45668c10a2d6e6af3befee1

    SHA512

    2d479c06a1ecd963d099787415b4dee6eb2595089e4ab6751651be03a6548b0b32f186d5706edb04568e3e47cc03adec4bb36b9887526174cdaee814df3409da

  • C:\Windows\{B9C7CA43-EEAD-4488-906E-F410BB59C4D4}.exe

    Filesize

    197KB

    MD5

    13410a069ceef4653d9a65c1bb64aa7d

    SHA1

    95444d5bce525aa66bbccf6a3e22345554e36b49

    SHA256

    c1d288cd038f3ae7aa37ac4f42b5721e82b82668dd217f48f0c90a11753b637d

    SHA512

    cd9ec52e3a19297ee99777c9583ee957ab18cde0898c2bd71899bcc15d7debdb85bdd5e3a92006daf7d6bc5f6908d5f0c18b9500e4ef58cd16fba739fb77077c

  • C:\Windows\{BF9988B3-56D6-4617-A822-C015A0270750}.exe

    Filesize

    197KB

    MD5

    0a7ac4092475dc80685a313602c66da3

    SHA1

    3c7664c28806fb98648c28a6f7e8a398fdfd8900

    SHA256

    062618e404790e1db5f497f6ef031120d0ab2fbda3fef677e990136f2932b2eb

    SHA512

    b79f8b0a8eab1346f478d0560664809306757582df23cec88c6ece50cba56b6326569b1a475bd6d1c235f286992f856237e358606cbf6c1ec1f65a77582ca555

  • C:\Windows\{D33503EB-0199-4842-9CEF-263F0D3B2380}.exe

    Filesize

    197KB

    MD5

    3225bf53a9b2d126a55934311f03b466

    SHA1

    d2567d9afb6b751c6e9c9e995684f30fed7413ea

    SHA256

    2ce12646015280e04353dacf9090112373b1806af21083fc8c78f86a23ae8208

    SHA512

    6610170a9ade6ea11374addeb0df2a94602cdf2bdafffd078b1ecec111d04456669898fbf9aa7214f2e4bad89eb138b90d9ebc294cfa2866f55d9053d85ea667