Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/09/2024, 18:26

General

  • Target

    2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe

  • Size

    168KB

  • MD5

    aff699114277258f9ef88f4ea395480f

  • SHA1

    497fc86aad678c7b28997b81ea3af641c5f91170

  • SHA256

    603b079457c690bd029d3af76fbfe1187310d4a517cac0d967f514828cbe2ac2

  • SHA512

    88c1df78226c11ae1d6100a6cfaeafb9d9299e5cc6de945e248c7c377dd118eeec528045af77d8253aa33884a8ae09f28b4126d9b3fa15558e34f7ef9d1678f4

  • SSDEEP

    1536:1EGh0oflq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
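
The Active Setup signature above is the one to follow up on a live host, because it survives the sample deleting itself. Active Setup runs each component's StubPath once per user at logon whenever the user's HKCU copy of the component key is missing or carries a lower Version than the HKLM entry. The following is an added example, not part of the Triage report or of the sample: it parses a registry export of the Installed Components key and flags stubs that point at a GUID-named executable directly under C:\Windows, as the dropped stages in this report are named. The export text is constructed for the example; the report shows only that Active Setup keys were added, not their contents, so the dropped-file paths are used here as the assumed StubPath targets, and the regsvr32 and "Vendor" entries are illustrative.

```python
r"""Triage an Active Setup 'Installed Components' export for suspicious StubPath values.

Assumed input: the text of a registry export of
  HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
(for example from 'reg export'). The export below is constructed for this
example: the report does not show the key contents the sample wrote, so the
GUID-named executables it dropped under C:\Windows are used as the assumed
StubPath targets. The regsvr32 and 'Vendor' entries are illustrative.
"""
import re

# StubPath pointing at a GUID-named .exe directly under the Windows directory
GUID_EXE_IN_WINDOWS_ROOT = re.compile(
    r'^[a-z]:\\windows\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.exe\b',
    re.IGNORECASE)
# Directories a legitimate component stub normally lives in
EXPECTED_STUB_DIRS = ('c:\\windows\\system32\\', 'c:\\program files')

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"IsInstalled"=dword:00000001
"Version"="10,0,19041,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-0000-0000-0000-000000000001}]
"StubPath"="\"C:\\Program Files\\Vendor\\setup.exe\" /user"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CFE44A40-A382-4889-9F97-76FFDCD4D119}]
"StubPath"="C:\\Windows\\{CFE44A40-A382-4889-9F97-76FFDCD4D119}.exe"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{07BB34F0-9B90-4e38-8DC4-0F9F70334829}]
"StubPath"="C:\\Windows\\{07BB34F0-9B90-4e38-8DC4-0F9F70334829}.exe"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the string and dword values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '=' in line:
            name, _, raw = line.partition('=')
            name = name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                # .reg escapes backslashes and quotes inside string values
                value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif raw.startswith('dword:'):
                value = int(raw[len('dword:'):], 16)
            else:
                value = raw
            keys[current][name] = value
    return keys


def suspicious_active_setup(keys):
    """Return (component_guid, stub_path, reason) for Installed Components entries worth a look."""
    findings = []
    for key, values in keys.items():
        if '\\Active Setup\\Installed Components\\' not in key:
            continue
        stub = values.get('StubPath')
        if not stub:
            continue  # nothing is executed at logon without a StubPath
        component = key.rsplit('\\', 1)[-1]
        target = stub.strip('"')
        if GUID_EXE_IN_WINDOWS_ROOT.match(target):
            findings.append((component, stub, 'GUID-named executable directly under the Windows directory'))
        elif not target.lower().startswith(EXPECTED_STUB_DIRS):
            findings.append((component, stub, 'stub outside System32 / Program Files'))
    return findings


if __name__ == '__main__':
    for component, stub, reason in suspicious_active_setup(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'{component}: {stub}  [{reason}]')
```

When you run this against a real host, also export each user's `HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components`: a user whose copy of the GUID key already exists has logged on since the key was planted and has already executed the stub. Do not treat a familiar component GUID as safe on its own; an attacker can hijack an existing entry by rewriting its StubPath and bumping Version so it re-runs for every user.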

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\{CFE44A40-A382-4889-9F97-76FFDCD4D119}.exe
      C:\Windows\{CFE44A40-A382-4889-9F97-76FFDCD4D119}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\{07BB34F0-9B90-4e38-8DC4-0F9F70334829}.exe
        C:\Windows\{07BB34F0-9B90-4e38-8DC4-0F9F70334829}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:880
        • C:\Windows\{BEC927C3-B373-4a9d-9D7E-3B795F84BF06}.exe
          C:\Windows\{BEC927C3-B373-4a9d-9D7E-3B795F84BF06}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4528
          • C:\Windows\{DA71220A-41A0-4817-AA96-90861300A2D6}.exe
            C:\Windows\{DA71220A-41A0-4817-AA96-90861300A2D6}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1976
            • C:\Windows\{B3C32B4E-5F8B-4cd2-BD3A-35DEAB56D534}.exe
              C:\Windows\{B3C32B4E-5F8B-4cd2-BD3A-35DEAB56D534}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2976
              • C:\Windows\{99555D8A-B87D-4b65-8EED-FB775EAA74E1}.exe
                C:\Windows\{99555D8A-B87D-4b65-8EED-FB775EAA74E1}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1948
                • C:\Windows\{0C718999-7658-431d-BB83-5774AA35DF61}.exe
                  C:\Windows\{0C718999-7658-431d-BB83-5774AA35DF61}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4004
                  • C:\Windows\{AA14B0A1-998B-43b0-8FDC-B617D1346A90}.exe
                    C:\Windows\{AA14B0A1-998B-43b0-8FDC-B617D1346A90}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2428
                    • C:\Windows\{37DAAE6E-374E-4fcd-A57E-99215EA20AC7}.exe
                      C:\Windows\{37DAAE6E-374E-4fcd-A57E-99215EA20AC7}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4336
                      • C:\Windows\{5852C94F-3137-4db0-A8DF-E424191D232B}.exe
                        C:\Windows\{5852C94F-3137-4db0-A8DF-E424191D232B}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1412
                        • C:\Windows\{2F791292-7D41-4d1f-92BE-04A8A87B1694}.exe
                          C:\Windows\{2F791292-7D41-4d1f-92BE-04A8A87B1694}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2432
                          • C:\Windows\{53F75F25-FE42-4e1b-B501-3602721A6F2C}.exe
                            C:\Windows\{53F75F25-FE42-4e1b-B501-3602721A6F2C}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:1772
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2F791~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4592
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{5852C~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3200
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{37DAA~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4800
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA14B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:116
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0C718~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4644
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{99555~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4288
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B3C32~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4928
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{DA712~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4280
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{BEC92~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1240
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{07BB3~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3652
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFE44~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3948
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3356
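
The tree above is a fixed pattern: each stage drops the next GUID-named executable under C:\Windows, runs it, and then spawns cmd.exe to delete its own image, always referring to itself by its 8.3 short name (`{CFE44~1.EXE` for `{CFE44A40-...}.exe`, `2024-0~1.EXE` for the original sample). That self-deletion via the parent's own short name is a good detection hook. The block below is an added example, not part of the Triage report or the sample: it runs that logic over process-creation events constructed from the tree above (PIDs, images and command lines as shown; the parent PID of the original sample and the explorer.exe/notes.txt events are assumed, the latter added to show that an ordinary `del` is not flagged).

```python
r"""Detect the drop / execute / self-delete chain from process-creation events.

EVENTS is constructed for this example from the report's process tree. It is
a subset of the tree; the parent PID 1000 of the original sample and the
explorer.exe / notes.txt events are assumed.
"""
import re

# A GUID-named executable directly under the Windows directory, as every dropped stage is named
GUID_EXE_RE = re.compile(
    r'^[a-z]:\\windows\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.exe$',
    re.IGNORECASE)
# 'cmd /c del <path>': the path is whatever follows 'del' up to whitespace or a redirect
DEL_RE = re.compile(r'/c\s+del\s+"?([^\s">]+)', re.IGNORECASE)

CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    {"pid": 3512, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-09-12_aff699114277258f9ef88f4ea395480f_goldeneye.exe"'},
    {"pid": 640, "ppid": 3512, "image": r"C:\Windows\{CFE44A40-A382-4889-9F97-76FFDCD4D119}.exe",
     "cmdline": r"C:\Windows\{CFE44A40-A382-4889-9F97-76FFDCD4D119}.exe"},
    {"pid": 880, "ppid": 640, "image": r"C:\Windows\{07BB34F0-9B90-4e38-8DC4-0F9F70334829}.exe",
     "cmdline": r"C:\Windows\{07BB34F0-9B90-4e38-8DC4-0F9F70334829}.exe"},
    {"pid": 4528, "ppid": 880, "image": r"C:\Windows\{BEC927C3-B373-4a9d-9D7E-3B795F84BF06}.exe",
     "cmdline": r"C:\Windows\{BEC927C3-B373-4a9d-9D7E-3B795F84BF06}.exe"},
    {"pid": 3356, "ppid": 3512, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul"},
    {"pid": 3948, "ppid": 640, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{CFE44~1.EXE > nul"},
    {"pid": 3652, "ppid": 880, "image": CMD,
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{07BB3~1.EXE > nul"},
    # assumed benign activity, not from the report: a user deleting a file from a console
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Admin\Desktop\notes.txt"},
]


def short_name_83(path):
    """Approximate the 8.3 short name Windows generates for a long file name.

    Simplification: the first six characters of the stem (spaces and embedded
    dots removed) + '~1' + the first three characters of the extension, upper-cased.
    Real generation also substitutes invalid characters and increments ~N on
    collisions, so treat a mismatch as 'not proven', not as 'benign'.
    """
    name = path.rsplit('\\', 1)[-1]
    stem, dot, ext = name.rpartition('.')
    if not dot:
        stem, ext = name, ''
    stem = stem.replace(' ', '').replace('.', '')
    short = stem[:6].upper() + '~1'
    return short + ('.' + ext[:3].upper() if ext else '')


def self_deletions(events):
    """Return (parent_pid, parent_image, cmd_pid) where cmd.exe deletes its own parent's image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith('\\cmd.exe'):
            continue
        m = DEL_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not m or parent is None:
            continue
        t_dir, _, t_name = m.group(1).rpartition('\\')
        p_dir, _, p_name = parent["image"].rpartition('\\')
        # same directory, and the target is the parent's long or 8.3 name
        if t_dir.lower() == p_dir.lower() and t_name.upper() in (p_name.upper(), short_name_83(parent["image"])):
            hits.append((parent["pid"], parent["image"], e["pid"]))
    return hits


def guid_drop_chain(events):
    """Return (pid, image, parent_image) for every GUID-named executable started from under C:\Windows."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    for e in events:
        if GUID_EXE_RE.match(e["image"]):
            parent = by_pid.get(e["ppid"])
            chain.append((e["pid"], e["image"], parent["image"] if parent else None))
    return chain


if __name__ == '__main__':
    for pid, image, parent_image in guid_drop_chain(EVENTS):
        print(f'stage pid {pid}: {image}  <- {parent_image}')
    for ppid, image, cmd_pid in self_deletions(EVENTS):
        print(f'pid {ppid} deleted its own image {image} via cmd.exe pid {cmd_pid}')
```

Two details of the tree are worth noting when writing the real rule. The cmd.exe image is `C:\Windows\SysWOW64\cmd.exe` even though the command line names `system32`: that is WOW64 file-system redirection, which tells you the dropper is a 32-bit process. And because each stage is deleted by its child, the files listed under Downloads below are what the sandbox captured at write time; on a victim host only the last stage and the Active Setup keys are likely to remain, so hunt on the process-creation telemetry, not on disk.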

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{07BB34F0-9B90-4e38-8DC4-0F9F70334829}.exe

    Filesize

    168KB

    MD5

    bd1d8f37858fc71a23896ca6b5761a9f

    SHA1

    55796f1e635e21410b5ba23871b754d0bc4e1118

    SHA256

    f8195ec0af910d3f79df39258e3750f1d3d6e347e6495f07ae7881a59e49c7d5

    SHA512

    ad71c53132259e33a519b042edc349e5a996f10db078e54c2a9cb2685fb439fe16945bb143dfb4c2d1a3385dda72e44249be5fba03dc9f4ad4f66f50c38d3ac1

  • C:\Windows\{0C718999-7658-431d-BB83-5774AA35DF61}.exe

    Filesize

    168KB

    MD5

    4e575cc0fcbff35478d875a92ff9518b

    SHA1

    d37c213e2a2390467953c280766440837ca365c6

    SHA256

    ed1e192e20dd9a86ac8b0c2820e4bc7bc6c57fb2de640d369ecf894067bf77fc

    SHA512

    bd3b4f8e30fbe18e9ec6e20d2d1ab71db33034bd8a7120d35fc2681aa12a05f5ec0b4f4dd09436a38fca9a0f225d7fd7bad9941d1de08d5adb22e03eb5f6cc25

  • C:\Windows\{2F791292-7D41-4d1f-92BE-04A8A87B1694}.exe

    Filesize

    168KB

    MD5

    df3cfb740f86539b176a1e955ac9ec6e

    SHA1

    d4d02acbe552cec28e3fa0d643fa2ede560c3b6a

    SHA256

    08a7da25a303888c822ccdedad21d18dd7c2b160427ecaffdbd3adf3bfc50444

    SHA512

    6b2a7c0d5b5e078510442ffb8da16aa238dd4a007e5d722884117219045f66964a7d1e75635b9180ecb5fb97311a2239f3528a6687e2ff85900d69f49175170b

  • C:\Windows\{37DAAE6E-374E-4fcd-A57E-99215EA20AC7}.exe

    Filesize

    168KB

    MD5

    bc529be1b01d890b2a19342fcaddfc35

    SHA1

    42021b7cfee23f4615ea26b703afb55e0b74b201

    SHA256

    90c637c38bd8cf099bb544c1a10b68406c6b636bd301770b8a91932f9788b206

    SHA512

    9c04a374feea611b7a50e962cc55881bdc9c7802f49866aad34d99239a998cdcfddbf2370615cca50363366dd6c284fd2af7d786e056a2ff466c558ec72578fa

  • C:\Windows\{53F75F25-FE42-4e1b-B501-3602721A6F2C}.exe

    Filesize

    168KB

    MD5

    5d8b2a0efb7b4a1b526b7aa590f56c3e

    SHA1

    a82ede92e9065f425a36681456b1128e3ccc4a91

    SHA256

    ef90fbf235bafa9cc537da5972d184ccdb15cca3f88f2b338c6f807db27c59c2

    SHA512

    5c74b7fc784905d2d8307c5515b6feeb19fbcb82047502c80aa6944108fc868e7eeca66f1b5d1cf30858d5306beb1036d62b90aad162374aefb82eb8953a587c

  • C:\Windows\{5852C94F-3137-4db0-A8DF-E424191D232B}.exe

    Filesize

    168KB

    MD5

    1527b8ca1d1e81ae14349cb594eabb90

    SHA1

    2e6e2a7739b9e02fdfb0036e93df9bc0b7fc7b73

    SHA256

    a4e80e32a35e6539ff2a078d1169987ae6242f5ab369806eaebb9883c258267f

    SHA512

    59059021fd13eec27e5467f673884d9c0d6b126f87433009cfcb7953fe230bb544cfeae8acbaaf19246bc6b06ed379ec4e8bb2087563fbeba8a8c42acd09009c

  • C:\Windows\{99555D8A-B87D-4b65-8EED-FB775EAA74E1}.exe

    Filesize

    168KB

    MD5

    897a8173404a8e5758eab4554730e33f

    SHA1

    75fdcc19450bf2c507adbbd41d465b3f09cd2d76

    SHA256

    d0873952a666b6525cd918821d873d8a7dbd1007841ebebfdb1fbb5f1ccbca9b

    SHA512

    aa44fe03458a3969fd9c6c1105c8bb5cf698a3e2e1ff511a8ef4ec312cecbdba42bfe450e39e98572d9f2edd30d2b2fd8de46f0ad70b2541e9465bf88b3c0d11

  • C:\Windows\{AA14B0A1-998B-43b0-8FDC-B617D1346A90}.exe

    Filesize

    168KB

    MD5

    8676e0158fc048f7166a6f2c04b69d7f

    SHA1

    b91218d0b3afb833854f2d14aa7534ebee96172c

    SHA256

    7f0eef9b5fa33b00878eee4cb876e021ba36dd239d1417c0cadc5459684f1da7

    SHA512

    8790e41bb1b8648275118d84ad7705d3c7a7b920b2a13f8dda7edc6cd98ab164707c731a019f4f8c57d38664214cbc54f1686e8775f6796cdbba2017dc7b0979

  • C:\Windows\{B3C32B4E-5F8B-4cd2-BD3A-35DEAB56D534}.exe

    Filesize

    168KB

    MD5

    1d4979bd75393be3b7b201cd4eadb879

    SHA1

    4e9e11255011bd0ca883f3dac820954125da087e

    SHA256

    358f0f9196e660c8c0fb8e3030d0e7ab3cfb8869fe6d2b1db44d815b5a2b9719

    SHA512

    85b12be561ace1f6fedb07b0773ebe8f3471109d729b9585b9543b3d7ef6c856e2170542f39640ae148cf86bb6251ea0f5251a7b7b41d7b8398577fa5f448f56

  • C:\Windows\{BEC927C3-B373-4a9d-9D7E-3B795F84BF06}.exe

    Filesize

    168KB

    MD5

    85678e897658301d7e7c29436f7798fb

    SHA1

    322aac52b68013e52936fcd5c662aef8886aa368

    SHA256

    058f78ccd9e927269efa52d7db5f5b26a20b037d20f03a5961e8ad4adb603251

    SHA512

    625b117ab456c191868de1d5c6b870c001fa25a85e665535f666c00ad9d1cc339db4249e5fc5062fe4a6787fe3054f987dc8fc290f060534d09767dab89015cd

  • C:\Windows\{CFE44A40-A382-4889-9F97-76FFDCD4D119}.exe

    Filesize

    168KB

    MD5

    1d87b5901a7404c1fffea8f8fc2f84f9

    SHA1

    289d3587d4bef1dd4e6796acd3cfdac3861e2dad

    SHA256

    23d5cedda5e6de904a3ea4a9cb237d8a3f37670f5723f0b6727e6c382dbc6aa6

    SHA512

    53b5e012c1827854d0ce629f403753ecf0d2f67e746701fa71904d1619b529780f2f1b15d29d4c41117584568667f826037c70e36a5b5ce3fd3535f5c0cf6c83

  • C:\Windows\{DA71220A-41A0-4817-AA96-90861300A2D6}.exe

    Filesize

    168KB

    MD5

    a62ebd368dca50647f48d8d6eea6278a

    SHA1

    a266ce6f2440713b397eccfbd766525666e1104f

    SHA256

    df9e554b387fc1a79e642f19fcd90ccf1a79184df5f5f966ebd7535210bfd541

    SHA512

    a37d346069a7cdc3106c16853f4f1b1aa2fd91c00bc03bdb91c0bee762efa75712c350233727fb578bae9e74f2f875823fc9a78c454c1f9188f5e722c9ec8b5d