Analysis

  • max time kernel
    149s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 16:48

General

  • Target

    2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe

  • Size

    344KB

  • MD5

    3d14ad92d1e04c5d77ec8f8a4db8a999

  • SHA1

    ab8636a84f775ef18f2cb30f66e6dfb7868c23b6

  • SHA256

    c2bc3d9e40a9c322f9d4d3330353168b5121c4ce9d2cfb78ae923370efb7e741

  • SHA512

    0f2a84cd0a3204c308468eb65bae29f06bcfe221843e66f2754eed750e1baea3944c455ea907a1bbb20e091f1ba23cb456d0f973788fa72baac00f129c15ccda

  • SSDEEP

    3072:mEGh0oylEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGElqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-13_3d14ad92d1e04c5d77ec8f8a4db8a999_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Windows\{C1722B49-3658-4c0d-8DF1-EA051E7FD7AD}.exe
      C:\Windows\{C1722B49-3658-4c0d-8DF1-EA051E7FD7AD}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\{7ADE2C58-62C6-4ac4-B8A8-5E33CFCD0A3E}.exe
        C:\Windows\{7ADE2C58-62C6-4ac4-B8A8-5E33CFCD0A3E}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\{7F0F60AC-57DF-40d4-9EFB-77DFE14570AE}.exe
          C:\Windows\{7F0F60AC-57DF-40d4-9EFB-77DFE14570AE}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3988
          • C:\Windows\{54E60DA7-00BA-438a-A5E7-E5AEBEF58F03}.exe
            C:\Windows\{54E60DA7-00BA-438a-A5E7-E5AEBEF58F03}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3132
            • C:\Windows\{B6F2A812-CFDA-48d9-B2D2-6DB85FC0A3F7}.exe
              C:\Windows\{B6F2A812-CFDA-48d9-B2D2-6DB85FC0A3F7}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1188
              • C:\Windows\{A1F999DD-9A8B-4e2d-9984-7A48CFA5F1A1}.exe
                C:\Windows\{A1F999DD-9A8B-4e2d-9984-7A48CFA5F1A1}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2356
                • C:\Windows\{A7D54909-4637-4596-A3C9-BD9E8EE22A16}.exe
                  C:\Windows\{A7D54909-4637-4596-A3C9-BD9E8EE22A16}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4440
                  • C:\Windows\{28810E96-C703-43bb-8BFD-24B07EAA2151}.exe
                    C:\Windows\{28810E96-C703-43bb-8BFD-24B07EAA2151}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:5056
                    • C:\Windows\{410CCEBE-57A5-41d2-A462-337AAC9C90BE}.exe
                      C:\Windows\{410CCEBE-57A5-41d2-A462-337AAC9C90BE}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2532
                      • C:\Windows\{965A3CCD-478D-4ed6-9DD5-44A8C5465300}.exe
                        C:\Windows\{965A3CCD-478D-4ed6-9DD5-44A8C5465300}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3280
                        • C:\Windows\{BFB9830F-8CF5-4f10-9EAF-7D9B4473FE20}.exe
                          C:\Windows\{BFB9830F-8CF5-4f10-9EAF-7D9B4473FE20}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3368
                          • C:\Windows\{0C8BA37D-22F7-41b9-8DF4-FE355FCE2AE5}.exe
                            C:\Windows\{0C8BA37D-22F7-41b9-8DF4-FE355FCE2AE5}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2956
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BFB98~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:1088
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{965A3~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4244
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{410CC~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3888
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{28810~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2092
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7D54~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1780
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{A1F99~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2276
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B6F2A~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2328
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{54E60~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2608
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7F0F6~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3244
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{7ADE2~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4108
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1722~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3488

Network

MITRE ATT&CK Enterprise v15

Downloads
