Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/09/2024, 14:01

General

  • Target

    2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe

  • Size

    344KB

  • MD5

    c0db2e3360c456376bd99685fb559069

  • SHA1

    1d1bc3824d30e263815e79513c9c8440535d0bd8

  • SHA256

    29bf32dca63dd2cda1a7c682714c5a89e71ba32e088f6353c8f170f1b22701e2

  • SHA512

    6c0f50c7f07dd6a0b6c61434cf0cd2fde3816743f9cc9a4357643da1f7d4ee29b9b859fc2da30246ea12ca2193038b23335adbb7217e0b2a8ed7e91cf6e5ffa9

  • SSDEEP

    3072:mEGh0orlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGJlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
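
The Active Setup signature names the persistence mechanism, but the report does not show the registry values the sample wrote. The block below is an added example, not Triage's code and not the sample's, showing how to triage Installed Components entries from an exported .reg file. The export it parses is constructed: the StubPath values are an assumption that reuses the dropped-file paths listed under Processes, and the key names are assumed to match the file GUIDs; the first entry is a benign-looking regsvr32 stub of the kind Windows itself registers.

```python
r"""Triage of Active Setup persistence entries from an exported .reg file.

Added example for this report; not Triage's code and not the sample's.
Active Setup runs the StubPath under
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<id> at user logon
whenever HKCU has no matching entry (or an older Version). The report shows
that the sample wrote such keys but not their contents, so the StubPath values
in SAMPLE_REG are an ASSUMPTION built from the dropped-file paths it lists.
"""
import re

# Constructed export: one benign-looking entry plus two modelled on this sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="10,0,19041,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A713EDA8-5528-448c-BD8B-4692E5E0C4B5}]
"StubPath"="C:\\Windows\\{A713EDA8-5528-448c-BD8B-4692E5E0C4B5}.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8EAC490F-EA0B-4748-8BC7-062539E583EC}]
"StubPath"="C:\\Windows\\{8EAC490F-EA0B-4748-8BC7-062539E583EC}.exe"
'''

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Accept both registry views and both hives; which one the sample used is not in the report.
KEY = re.compile(
    r"^\[HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Active Setup\\Installed Components\\(?P<comp>[^\]]+)\]$",
    re.IGNORECASE)
VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')   # REG_SZ lines only
GUID_EXE_IN_WINDIR = re.compile(r"^[A-Za-z]:\\Windows\\" + GUID + r"\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:Users|ProgramData|Temp)\\", re.IGNORECASE)


def parse_active_setup(reg_text):
    """Return {component_key: {value_name: data}} for Active Setup keys only.
    hex(2): (REG_EXPAND_SZ) values are not decoded here."""
    comps, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # every key header resets the context
            m = KEY.match(line)
            current = m.group("comp") if m else None
            if current is not None:
                comps[current] = {}
            continue
        m = VALUE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes inside string data
            comps[current][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return comps


def image_path(stub):
    """Executable portion of a StubPath command line (quoted or bare)."""
    stub = stub.strip()
    if stub.startswith('"'):
        end = stub.find('"', 1)
        return stub[1:end] if end > 0 else stub[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", stub, re.IGNORECASE)
    return m.group(1) if m else stub.split()[0]


def suspicious_components(comps):
    """Flag StubPath images that look like this sample's drops: a GUID-named
    executable sitting directly in the Windows directory, or anything that
    runs from a user-writable location."""
    hits = []
    for comp, values in comps.items():
        stub = values.get("StubPath")
        if not stub:
            continue
        img = image_path(stub)
        reasons = []
        if GUID_EXE_IN_WINDIR.match(img):
            reasons.append("GUID-named executable placed directly in the Windows directory")
        if USER_WRITABLE.match(img):
            reasons.append("StubPath runs from a user-writable location")
        if reasons:
            hits.append((comp, img, reasons))
    return hits


if __name__ == "__main__":
    for comp, img, why in suspicious_components(parse_active_setup(SAMPLE_REG)):
        print(comp, img, "; ".join(why))
```

On a live host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and the WOW6432Node and HKCU copies) and feed the file in. Active Setup fires at the next logon of every user whose HKCU copy is missing or older, so clearing the StubPath is not enough while the dropped executable still exists on disk.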

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\{A713EDA8-5528-448c-BD8B-4692E5E0C4B5}.exe
      C:\Windows\{A713EDA8-5528-448c-BD8B-4692E5E0C4B5}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\{FFD40ECA-1720-45e5-8018-2CB9F4CEC4AB}.exe
        C:\Windows\{FFD40ECA-1720-45e5-8018-2CB9F4CEC4AB}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\{BE33ADA5-20D8-4392-8C64-5B5B31A5570B}.exe
          C:\Windows\{BE33ADA5-20D8-4392-8C64-5B5B31A5570B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\{1B620E0C-F57B-4a07-B841-573457AEC1CE}.exe
            C:\Windows\{1B620E0C-F57B-4a07-B841-573457AEC1CE}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1028
            • C:\Windows\{FF425D1D-E061-4249-86E8-D3636D05ACDD}.exe
              C:\Windows\{FF425D1D-E061-4249-86E8-D3636D05ACDD}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2400
              • C:\Windows\{18FD6587-03F1-43c9-B300-58159B880DC4}.exe
                C:\Windows\{18FD6587-03F1-43c9-B300-58159B880DC4}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1480
                • C:\Windows\{D7542412-12EB-41d7-AC3B-B49F84C52DCA}.exe
                  C:\Windows\{D7542412-12EB-41d7-AC3B-B49F84C52DCA}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2424
                  • C:\Windows\{03767130-D406-4284-AC07-21ED7A015E69}.exe
                    C:\Windows\{03767130-D406-4284-AC07-21ED7A015E69}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2208
                    • C:\Windows\{E0A71C38-A230-44b1-8A4E-7B3C735F7097}.exe
                      C:\Windows\{E0A71C38-A230-44b1-8A4E-7B3C735F7097}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2960
                      • C:\Windows\{8EAC490F-EA0B-4748-8BC7-062539E583EC}.exe
                        C:\Windows\{8EAC490F-EA0B-4748-8BC7-062539E583EC}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1128
                        • C:\Windows\{83623DCD-10BC-4748-B6C2-6E46A0F7C4E9}.exe
                          C:\Windows\{83623DCD-10BC-4748-B6C2-6E46A0F7C4E9}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:824
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8EAC4~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2436
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0A71~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3044
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{03767~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1996
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{D7542~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2044
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{18FD6~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1144
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{FF425~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2848
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1B620~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2460
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{BE33A~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:836
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{FFD40~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A713E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2804
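
The tree above repeats one pattern eleven times: a GUID-named copy in C:\Windows starts the next copy, then spawns cmd.exe to delete the previous stage by its 8.3 short name (`{A713E~1.EXE`), so only the newest stage remains on disk. The image is C:\Windows\SysWOW64\cmd.exe although the command line names system32, which is WoW64 file-system redirection acting on a 32-bit process (the resource tags list arch:x86). Every stage is 344KB but carries a different hash (see Downloads), so per-file hashes from this run make poor indicators, while the behaviour is stable. The block below is an added example, not Triage's own signature logic, that encodes both behaviours over an event list constructed from the first three stages of this tree; the parent of the initial sample is not in the report and is left as None.

```python
r"""Behavioural detection over process-creation events shaped like this report's
tree: GUID-named executables in C:\Windows that launch the next copy and then
remove the previous one with "cmd.exe /c del <8.3 short name> > nul".

Added example for this report; not Triage's detection logic. EVENTS is
constructed from the tree shown above (PIDs, images, command lines). The parent
of the initial sample is not shown in the report, so its ppid is None.
"""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Event = namedtuple("Event", "pid ppid image cmdline")

GUID_EXE = re.compile(r"^[A-Za-z]:\\Windows\\\{[0-9A-Fa-f-]{36}\}\.exe$", re.IGNORECASE)
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"   # 32-bit caller: system32 is redirected to SysWOW64
STAGE1 = r"C:\Windows\{A713EDA8-5528-448c-BD8B-4692E5E0C4B5}.exe"
STAGE2 = r"C:\Windows\{FFD40ECA-1720-45e5-8018-2CB9F4CEC4AB}.exe"
STAGE3 = r"C:\Windows\{BE33ADA5-20D8-4392-8C64-5B5B31A5570B}.exe"

EVENTS = [  # constructed from the first three stages of the report's tree
    Event(2648, None, SAMPLE, '"%s"' % SAMPLE),
    Event(2756, 2648, STAGE1, STAGE1),
    Event(2804, 2648, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"),
    Event(2740, 2756, STAGE2, STAGE2),
    Event(2808, 2756, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{A713E~1.EXE > nul"),
    Event(2572, 2740, STAGE3, STAGE3),
    Event(2632, 2740, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FFD40~1.EXE > nul"),
]


def short_prefix(path):
    """The six characters an 8.3 short name keeps from a long file name:
    spaces and all dots except the extension's are dropped, then upper-cased."""
    stem = PureWindowsPath(path).stem
    return re.sub(r"[ .]", "", stem).upper()[:6]


def short_name_refers_to(target, image):
    """Can an 8.3 path such as C:\\Windows\\{A713E~1.EXE denote image?
    The directory is compared literally; a short-form directory (PROGRA~1)
    would need the same prefix test applied per path component."""
    t, i = PureWindowsPath(target), PureWindowsPath(image)
    if str(t.parent).lower() != str(i.parent).lower():
        return False
    m = re.fullmatch(r"(.*)~\d+", t.stem)
    if m is None:                      # not a short name: compare literally
        return t.name.lower() == i.name.lower()
    return m.group(1).upper() == short_prefix(image) and t.suffix.lower() == i.suffix.lower()


def parent_self_deletions(events):
    """(cmd_pid, parent_pid) pairs where a child cmd.exe deletes its parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = CMD_DEL.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_refers_to(m.group("target"), parent.image):
            hits.append((e.pid, parent.pid))
    return hits


def guid_chain_depth(events):
    """Longest run of GUID-named Windows-directory executables, each spawned by the previous."""
    by_pid = {e.pid: e for e in events}
    best = 0
    for e in events:
        depth, cur = 0, e
        while cur is not None and GUID_EXE.match(cur.image):
            depth += 1
            cur = by_pid.get(cur.ppid)
        best = max(best, depth)
    return best


if __name__ == "__main__":
    print("parent deleted by child cmd.exe:", parent_self_deletions(EVENTS))
    print("GUID dropper chain depth:", guid_chain_depth(EVENTS))
```

The `del` step depends on the volume generating 8.3 short names; where short-name creation is disabled (`fsutil 8dot3name`), the `{A713E~1.EXE` targets do not exist and every stage stays on disk, which is why a hunt should also look for leftover GUID-named executables directly under C:\Windows rather than rely on the deletion having happened.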

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{03767130-D406-4284-AC07-21ED7A015E69}.exe

    Filesize

    344KB

    MD5

    be7774dec6c6a89b50157c8f2a9322c8

    SHA1

    e51b3d0fd707d38c46919fe75b5f32606aa0e409

    SHA256

    41d47438312e372fb316f9b632310c9bd80a5514117f0afe8c0e0e6ee59fb3bf

    SHA512

    af07bb8aa61d9feb8ce89212776561c6a4b16c395db163df5bf2c4f974d43e5e59153f0598c79b67f496d7d9c1f78a13c999ac2d2c901dcdccf0b2cec4ced78c

  • C:\Windows\{18FD6587-03F1-43c9-B300-58159B880DC4}.exe

    Filesize

    344KB

    MD5

    0c3b33945e01161e9cc9077137cd1f46

    SHA1

    79c9f11446f70f9dff289f945a048261666738f2

    SHA256

    528826d5aba5d3304b7ab002a97a27f668481c3792aa7c78e959ae3eadcec659

    SHA512

    73455c848da6564b760d685cdf132e21fbe42aa273a42a7bd212e6231f338cef8d8d57dc6b9f038502d928f73ca5bf87ae2099753e0f5170803d9127cfc24cbe

  • C:\Windows\{1B620E0C-F57B-4a07-B841-573457AEC1CE}.exe

    Filesize

    344KB

    MD5

    ab84d6ac5bed1f220ff5d1df93374f7a

    SHA1

    853cfd353486d9186de570373b8fc2be16622f16

    SHA256

    b0c8e3996d8ac0eee07413172fd8e95fa288a53d0707aecd812f068bb257a5de

    SHA512

    1b10cb22bbae329a6208c1d43a3cc3a918c508cde5a091c175ea63cd059027cedcb277b198d91c16c7bf4bbd0d6f7f4e27b34080ae050a4a15f7e5baf7c7db92

  • C:\Windows\{83623DCD-10BC-4748-B6C2-6E46A0F7C4E9}.exe

    Filesize

    344KB

    MD5

    1f8327598bac94abea25ced18b70243b

    SHA1

    3b5d66a8fcaa9bf372c30b7bf61ad337d9784270

    SHA256

    57b52fe62d22544c67347899d8638199f1cf3c83b052e2f5d8e0969389c66c29

    SHA512

    182f45c34f93229016d1af6c8a035dc66b2f9051a2e46956eb6e9943f84df4608bea887772ec20a2d863e3e4c70ea88e038b07d72510b4630e960aecf5875c85

  • C:\Windows\{8EAC490F-EA0B-4748-8BC7-062539E583EC}.exe

    Filesize

    344KB

    MD5

    f557bed56627bdb83cad942c10ecb43a

    SHA1

    6f114410856520172dcb68d847b6126147d743db

    SHA256

    8c67d6799c0e3f11702299bd05e7a79e6105eee24fbcd7c5afa47c44682b0ffa

    SHA512

    c9e38767d643c4271fed6a634714a0e7c707500c7c516c2f986443e0c738770ed40b3fd93da4f2e69fe3e1ad68266aa69fb5765fdfaf904edba60eb935ba57fc

  • C:\Windows\{A713EDA8-5528-448c-BD8B-4692E5E0C4B5}.exe

    Filesize

    344KB

    MD5

    c1dca38d8d5570a4689a561d9b45aa44

    SHA1

    38e71de90d26e5e99689e0c0bc470283a079548c

    SHA256

    23358194139d2faebb51366fb935328aa3f1436e6be4c52794e19edd2da99f1f

    SHA512

    8ae45ae028eff0cb3135ea424ad718e588be83be3e9bab6c04baf6d65fa70134a949f87a31d9174d4afbce4018caa381e03616087d62d31138922f2acad54c20

  • C:\Windows\{BE33ADA5-20D8-4392-8C64-5B5B31A5570B}.exe

    Filesize

    344KB

    MD5

    b80e3b1c5a2dee8db4145a382b3050d0

    SHA1

    afef2936cdb5475cb2ee2eb2a3b5b170749ea861

    SHA256

    db63823e776086dfbc4b52063d3c6f789bc29f3cf7a73cd7dc4ad1c72e74838e

    SHA512

    3a7aaeaf638500c1ee689f5bb55d948da8bf88572b417dcf720357680b40402bef214cca81c5fdcce03ae074e2a9e02ee3e1e9353521df1c13fba151c1cb31c2

  • C:\Windows\{D7542412-12EB-41d7-AC3B-B49F84C52DCA}.exe

    Filesize

    344KB

    MD5

    1f058c9e9cd98e73c42cdd9d9e5060fc

    SHA1

    67ddd0426c90fc0c7b07321098c4ab30f6e61be2

    SHA256

    5b1ce16fca6c09c7b7c1fea247ef5a46e1d12eb6478dcd787430d33f867a2263

    SHA512

    31cd457fdff198a8293c8f76b1c5e175ee22bfe2ab665dc8122338273f46ea49bbe251cc6e79a021f6a497a2b59075bb715a75d273d0ddb303348a45e7382bba

  • C:\Windows\{E0A71C38-A230-44b1-8A4E-7B3C735F7097}.exe

    Filesize

    344KB

    MD5

    e1613ab273136a9826a99fb560eb3f06

    SHA1

    6bfeab3551c0f9767095208dd132eac496676997

    SHA256

    241db1a66b0c92dfc229761f84ecb40c78b9f86a5f2ff6f008442c1ec559fc43

    SHA512

    1e8a911bf1fab8cfa2422d85a60f3d6427f60ddb6e49c2a50ab86c698a1e2ceeb9ceab08bd1e81f5f372f66de93d6b08a579f99f91cfe0abbcd54b781214676f

  • C:\Windows\{FF425D1D-E061-4249-86E8-D3636D05ACDD}.exe

    Filesize

    344KB

    MD5

    946e1e4440ad7d503da54734326ab504

    SHA1

    d0e9de7146f36e24c17ea89c4d70ce788119259d

    SHA256

    ad76f7760442b1613f39c472383e22f9f86562e484e363d2b6d562e3c8ba554f

    SHA512

    efae14b2342241cfecaac6df820b2d6bbee4980ed5598109eb78f0338302871618b4494ad921d7216116bec9dbd93d7627705a57ac1e4caa8c95fbf80bb34a74

  • C:\Windows\{FFD40ECA-1720-45e5-8018-2CB9F4CEC4AB}.exe

    Filesize

    344KB

    MD5

    d2d67f54748c49c28e5739e9aa5375c9

    SHA1

    d9ee84d2bbc17ce1f17c9b1c8a0d9272274e1386

    SHA256

    c2f8e814ac155edd65c4dc6ec54183fa79a23f99df4cd6f5d3b1f7cf083e3171

    SHA512

    39fe56f40984f00fc5bc6cb15e7f549b756a719e1195eb89215c1afe77e53d7fb7235e35adef20257c184a22304617b7300057001420d044946553dc117e2a73