Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/09/2024, 03:38

General

  • Target

    2024-09-15_9cd2c36f8f7bb063cf9d87e417d6733c_goldeneye.exe

  • Size

    216KB

  • MD5

    9cd2c36f8f7bb063cf9d87e417d6733c

  • SHA1

    f3dc848bd2f1c99ef5caca715290fe57608058e9

  • SHA256

    7b0a319d943664637b7d620b9593823fae5f3a9a737abe494470035f9f2e1fc8

  • SHA512

    26de0a3f7bb5263c50c5556d2383ff6f7e5c2760bbd62f50e687f43494789261f151c38e8c927a3912a9e4da3b37b149af9e776d93675edd6c1a11c4e880697d

  • SSDEEP

    3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGclEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
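Active Setup runs each component's StubPath once per user at logon, whenever the matching key under HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components is missing or carries a lower Version than the HKLM entry, so a planted entry re-executes for every profile that logs on. The report records that the key was touched (24 IoCs across the stages) but not which value was written. The check below is an added illustration, not code from the report or from tria.ge: it parses a .reg export of the key and flags entries whose StubPath launches something a stock system would not. The export is constructed for the example: two entries modeled on stock Windows components, plus one hypothetical component (the invented GUID {DEADBEEF-0000-4000-8000-000000000001}) whose StubPath points at the first dropped file from the process tree.

```python
import re

# Constructed .reg export for illustration (not taken from the report). The first two
# entries are modeled on stock Windows components; the third is hypothetical and uses
# an invented component GUID, with a StubPath of the shape this dropper would need.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"
"Version"="11,0,19041,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
"StubPath"="regsvr32.exe /s /n /i:/UserInstall C:\\Windows\\system32\\themeui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DEADBEEF-0000-4000-8000-000000000001}]
"StubPath"="C:\\Windows\\{51A68C7F-5F14-48b7-9229-41BD7C8ED6A4}.exe"
"Version"="1,0,0,0"
'''

SECTION = re.compile(r'^\[(.+)\]$')            # [HKEY_...\key path]
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')        # "Name"="REG_SZ data"
EXE_TOKEN = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)   # first .exe, quoted or bare
# The pattern seen in this report: a GUID-named exe directly under C:\Windows.
GUID_EXE_IN_WINDOWS = re.compile(r'^c:\\windows\\\{[0-9a-f-]{36}\}\.exe$', re.IGNORECASE)
TRUSTED_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\',
                'c:\\program files\\', 'c:\\program files (x86)\\')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values of a .reg export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = VALUE.match(line)
        if m and current is not None:
            # .reg escapes backslashes and quotes inside string data
            data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            sections[current][m.group(1)] = data
    return sections


def audit_active_setup(reg_text):
    """List (component GUID, executable, reason) for Installed Components whose
    StubPath runs a GUID-named exe from the C:\\Windows root or any exe outside the
    trusted directories. Bare names such as regsvr32.exe resolve through the system
    path and are not flagged here."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if '\\active setup\\installed components\\' not in key.lower():
            continue
        component = key.rpartition('\\')[2]
        stub = values.get('StubPath')
        if not stub:
            continue                      # no StubPath: nothing runs at logon
        m = EXE_TOKEN.match(stub)
        if not m:
            findings.append((component, stub, 'StubPath does not start with an .exe'))
            continue
        exe = m.group(1)
        if GUID_EXE_IN_WINDOWS.match(exe):
            findings.append((component, exe, 'GUID-named executable in C:\\Windows root'))
        elif '\\' in exe and not exe.lower().startswith(TRUSTED_DIRS):
            findings.append((component, exe, 'executable outside trusted directories'))
    return findings


if __name__ == '__main__':
    for component, exe, reason in audit_active_setup(SAMPLE_REG):
        print(f'{component}: {exe}  [{reason}]')
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and the Wow6432Node copy of the key for 32-bit components); reg.exe writes UTF-16 with a BOM, so open the file with encoding='utf-16' before passing it to audit_active_setup. Comparing against the HKCU copy of the same GUIDs tells you which profiles have already run the stub.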

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-15_9cd2c36f8f7bb063cf9d87e417d6733c_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-15_9cd2c36f8f7bb063cf9d87e417d6733c_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Windows\{51A68C7F-5F14-48b7-9229-41BD7C8ED6A4}.exe
      C:\Windows\{51A68C7F-5F14-48b7-9229-41BD7C8ED6A4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Windows\{8D8B6B68-EF81-4aa9-B8F3-C851B5064681}.exe
        C:\Windows\{8D8B6B68-EF81-4aa9-B8F3-C851B5064681}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1032
        • C:\Windows\{8FFC7850-12D9-4b01-9F77-D61AFBEACF01}.exe
          C:\Windows\{8FFC7850-12D9-4b01-9F77-D61AFBEACF01}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4644
          • C:\Windows\{CAF5A26F-7E32-4f04-AEBC-CCB87987B3F5}.exe
            C:\Windows\{CAF5A26F-7E32-4f04-AEBC-CCB87987B3F5}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3568
            • C:\Windows\{EF10085A-B5CB-451f-A4E6-A4DBA547488A}.exe
              C:\Windows\{EF10085A-B5CB-451f-A4E6-A4DBA547488A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4376
              • C:\Windows\{63D96CEC-5E3F-4898-8A61-5EEF059E2D85}.exe
                C:\Windows\{63D96CEC-5E3F-4898-8A61-5EEF059E2D85}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1532
                • C:\Windows\{E42A6E7F-7EDC-48f4-9449-BD98F87DDEB5}.exe
                  C:\Windows\{E42A6E7F-7EDC-48f4-9449-BD98F87DDEB5}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4736
                  • C:\Windows\{E9677CC0-9B74-42f2-A7A8-AAF02D014327}.exe
                    C:\Windows\{E9677CC0-9B74-42f2-A7A8-AAF02D014327}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4404
                    • C:\Windows\{A06056D3-8004-4259-BAED-44439EE19862}.exe
                      C:\Windows\{A06056D3-8004-4259-BAED-44439EE19862}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:60
                      • C:\Windows\{BFBB95FE-EB1E-4c02-914F-E1BEFDADE8DF}.exe
                        C:\Windows\{BFBB95FE-EB1E-4c02-914F-E1BEFDADE8DF}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5080
                        • C:\Windows\{C19F509D-6C03-4dc1-B6DE-3022BEF71E8B}.exe
                          C:\Windows\{C19F509D-6C03-4dc1-B6DE-3022BEF71E8B}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4820
                          • C:\Windows\{C9241B80-7082-44bc-9126-37550246A25C}.exe
                            C:\Windows\{C9241B80-7082-44bc-9126-37550246A25C}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2480
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C19F5~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:672
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BFBB9~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3268
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0605~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:3988
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9677~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2260
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{E42A6~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3636
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{63D96~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3352
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{EF100~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4348
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CAF5A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1444
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{8FFC7~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4240
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{8D8B6~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1744
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51A68~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5044
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3764
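The tree reads as a relay: each stage writes a fresh GUID-named copy into C:\Windows, starts it, and then hands its own removal to cmd.exe /c del <8.3 short name> > nul, so that no stage stays on disk once it exits (del against a still-running image fails, which is why the parent starts cmd and exits rather than deleting itself directly). Two details are worth noting for detection: the del target is written as an 8.3 short name ({51A68~1.EXE for {51A68C7F-5F14-48b7-9229-41BD7C8ED6A4}.exe), so a naive string match against the long image path misses it, and cmd.exe starts from SysWOW64 although the command line names system32, which is WOW64 file-system redirection and tells you the dropper is a 32-bit process. The detector below is an added example, not code from the report or from tria.ge. It models process-creation events in the shape Sysmon Event ID 1 provides (ProcessId, ParentProcessId, Image, CommandLine) over a constructed excerpt of the tree above (the root plus the first three stages, PIDs and paths copied from the report; the root's parent PID is not in the report and is set to 0), links each del command to its parent by approximating the 8.3 short-name rule, and walks the chain of GUID-named stages.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable path that was started
    cmdline: str   # command line as logged


# Stage executable: a GUID-named .exe directly under C:\Windows, as in the tree above.
GUID_EXE = re.compile(
    r'^C:\\Windows\\\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}\.exe$')
# Cleanup command: cmd.exe /c del <path> > nul. The targets in this report carry no
# spaces, so a single \S+ token is enough; quoted paths would need quote-aware parsing.
DEL_CMD = re.compile(r'cmd\.exe\s+/c\s+del\s+(\S+)\s*>\s*nul', re.IGNORECASE)

# Constructed excerpt of the tree above: root plus the first three stages. PIDs,
# images and command lines are copied from the report; the root's parent PID is not
# in the report and is set to 0.
TMP = r'C:\Users\Admin\AppData\Local\Temp'
CMD = r'C:\Windows\SysWOW64\cmd.exe'      # 32-bit cmd: WOW64 redirected "system32"
ROOT = TMP + r'\2024-09-15_9cd2c36f8f7bb063cf9d87e417d6733c_goldeneye.exe'
S1 = r'C:\Windows\{51A68C7F-5F14-48b7-9229-41BD7C8ED6A4}.exe'
S2 = r'C:\Windows\{8D8B6B68-EF81-4aa9-B8F3-C851B5064681}.exe'
S3 = r'C:\Windows\{8FFC7850-12D9-4b01-9F77-D61AFBEACF01}.exe'
SAMPLE_EVENTS = [
    ProcEvent(1136, 0, ROOT, '"' + ROOT + '"'),
    ProcEvent(3204, 1136, S1, S1),
    ProcEvent(3764, 1136, CMD, r'C:\Windows\system32\cmd.exe /c del ' + TMP + r'\2024-0~1.EXE > nul'),
    ProcEvent(1032, 3204, S2, S2),
    ProcEvent(5044, 3204, CMD, r'C:\Windows\system32\cmd.exe /c del C:\Windows\{51A68~1.EXE > nul'),
    ProcEvent(4644, 1032, S3, S3),
    ProcEvent(1744, 1032, CMD, r'C:\Windows\system32\cmd.exe /c del C:\Windows\{8D8B6~1.EXE > nul'),
]


def short_name_matches(short_path, long_path):
    """Approximate 8.3 check: same directory, same extension, and the stem before '~'
    is a prefix of the long stem (Windows builds it from the first six characters).
    Ignores stripped spaces/dots and the hash-based names used after collisions."""
    s_dir, _, s_file = short_path.rpartition('\\')
    l_dir, _, l_file = long_path.rpartition('\\')
    if s_dir.lower() != l_dir.lower():
        return False
    s_stem, _, s_ext = s_file.rpartition('.')
    l_stem, _, l_ext = l_file.rpartition('.')
    if s_ext.lower() != l_ext.lower()[:3]:
        return False
    stem = s_stem.partition('~')[0].lower()
    return bool(stem) and l_stem.lower().startswith(stem)


def dropper_chain(events):
    """PIDs of the GUID-named stages in parent-to-child order, starting at the first
    stage whose parent is not itself a stage."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    def is_stage(e):
        return bool(GUID_EXE.match(e.image))

    heads = [e for e in events if is_stage(e)
             and not (e.ppid in by_pid and is_stage(by_pid[e.ppid]))]
    chain, cur = [], heads[0] if heads else None
    while cur is not None:
        chain.append(cur.pid)
        nxt = [c for c in children.get(cur.pid, []) if is_stage(c)]
        cur = nxt[0] if nxt else None
    return chain


def self_deletions(events):
    """(cmd_pid, parent_pid, target) for every 'cmd /c del' whose target is the
    parent's own image written as an 8.3 short name."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = DEL_CMD.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and short_name_matches(m.group(1), parent.image):
            hits.append((e.pid, parent.pid, m.group(1)))
    return hits


def verdict(events):
    """Summary: stage count, self-deletion count, and whether the relay pattern
    (at least two chained stages, each cleaning up its parent) is present."""
    chain, dels = dropper_chain(events), self_deletions(events)
    return {'stages': len(chain), 'self_deletions': len(dels),
            'pattern': len(chain) >= 2 and len(dels) >= 2}


if __name__ == '__main__':
    print(dropper_chain(SAMPLE_EVENTS))
    print(self_deletions(SAMPLE_EVENTS))
    print(verdict(SAMPLE_EVENTS))
```

For real telemetry, build ProcEvent objects from the Sysmon Event ID 1 fields named above; the pattern flag is what to alert on, and the chain length tells you how many stages were captured (twelve in the report above). The short-name approximation is deliberately loose so it keeps matching when the long name is long or contains characters 8.3 drops; tighten it only if it produces false parent links on your data.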

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{51A68C7F-5F14-48b7-9229-41BD7C8ED6A4}.exe

    Filesize

    216KB

    MD5

    ced74b0d561314c66e99c158ce0c2cc3

    SHA1

    f5e630952d0ec9501fa066397c8b5f69e4cdb71a

    SHA256

    ce40f20052140943d8c9fe06d388a264a7d89508006fc96a151051df3548ef4e

    SHA512

    1eae6d6b819f5e2723ad5dddc44c8312d7316435f48af7421c80f2b486280e847da7184abd1d49356565b9dbb24f2f910616c70229bc0eee68cd1a26fbe070f1

  • C:\Windows\{63D96CEC-5E3F-4898-8A61-5EEF059E2D85}.exe

    Filesize

    216KB

    MD5

    4a667525a513a45f90ca7b382b79118b

    SHA1

    c0812eeeb74995ce50c37f32f13f8e1fca0df276

    SHA256

    1b1f22047858197a3376fd9d5c7fa84c80d6975c7cef94e3649907a0e56a1cab

    SHA512

    8c107887683516e9a8cb0ae71f578edf8aca3f1c5a140c3fca57326d6a7b27292657397739d93fb75bbfe7da10c1e3010b876937f9121625e543e035fbfdff47

  • C:\Windows\{8D8B6B68-EF81-4aa9-B8F3-C851B5064681}.exe

    Filesize

    216KB

    MD5

    88c36e9951e2340996cfd2d0b5621c50

    SHA1

    64e0dbe619877231590f29970869075dee6e170c

    SHA256

    f0ec180444ba47006f8a862768e6185c625a738ff9f6c53cac77edce77533742

    SHA512

    295acac30303d6e708e9a5520d5602c8567f6a3d689240920adf2401a9c44f36b6fc921fa2436b0becd4a41e180ba33b87711f65d285a29477b64f34fc5a6fae

  • C:\Windows\{8FFC7850-12D9-4b01-9F77-D61AFBEACF01}.exe

    Filesize

    216KB

    MD5

    2074acdd55db59c847937bc0d66f3574

    SHA1

    e9365eb05492d57a8161aabd37b8ea572e3814f9

    SHA256

    28bf0d899a100027b4ae4f7dbff558165544617eb6f6791dab1c90923a15644e

    SHA512

    2648473b70b52110562e8a164727f36084ed6995653167d1d14fa1543cab5855002dfd45e82ab57dd2492aa7426b2ed5e5b32ec80701ea4ea1b2537ed4b3f065

  • C:\Windows\{A06056D3-8004-4259-BAED-44439EE19862}.exe

    Filesize

    216KB

    MD5

    a593fd36959f1b7c21cd64ade9024618

    SHA1

    a45fb509d6b145fbb18b629d035933bb04ff8921

    SHA256

    75be1865f5b8e3234983c56c67a848a1282ce0ef0f7968f87c88a0853fdfae2a

    SHA512

    d187e3141f4a9236bb3b7422c2d57df428fa771bc20df1863e677e9c8b9ca1301e49d231ad490e3f67de6d128857365ca2dd01e784332b64f10a693b5cbee931

  • C:\Windows\{BFBB95FE-EB1E-4c02-914F-E1BEFDADE8DF}.exe

    Filesize

    216KB

    MD5

    df3eb8c4346bf8b46b7b95bbba65e034

    SHA1

    6de93cdba31a497778646d429a31e9611c5f8e3d

    SHA256

    7a145d148bd647c1ccf5d412acbfc07458c48244b099fcd735de2af747e535f3

    SHA512

    ed5ffbcf568d9ba05fd5ddec8620fde8d2a320552303e347321b4c85d57b53f2c62218a7a463b7cdaa1730e57a899b6ba66642c1abd22fd083c37116eb465aca

  • C:\Windows\{C19F509D-6C03-4dc1-B6DE-3022BEF71E8B}.exe

    Filesize

    216KB

    MD5

    4d564ca77e0385ae744084abf4d43a8c

    SHA1

    4cb2e47ee60f2db20b01d1f47f4aed15fecc73e3

    SHA256

    e2549031a40ec089945b1d2e11349b4a1461f67a34287c31ef7dcd10feef12c0

    SHA512

    90732fc0418dee6083625fce0975d2a4c7677b6adaee71ce964a01ee7491e51b72280c12767df3eb0598bbc5c578769b34a9964ab58c252be3e1198a538aaa4e

  • C:\Windows\{C9241B80-7082-44bc-9126-37550246A25C}.exe

    Filesize

    216KB

    MD5

    e6006bebb207a0b1a84af991fb308fa2

    SHA1

    5a1d80fb704ae91cb425b231f98d44539e843c4d

    SHA256

    739a47aa7390f90c576c2a9605395de95a85d8e27072f719c0641d4374f9920f

    SHA512

    09d91f347b30635b1eb5cc90b23d67f3cce66abc3cf1ed1634f3706ac364d17051321274165c176d1a59e62505bf5e62475c947c530e564058e065eb7f6d16cc

  • C:\Windows\{CAF5A26F-7E32-4f04-AEBC-CCB87987B3F5}.exe

    Filesize

    216KB

    MD5

    b4417c27be73757080754c8fbdeb6787

    SHA1

    84d52bc37818e4cae59742544ff53911a69e9e31

    SHA256

    f36443f7a258884ea8564f081b6f33e97670dd8ca2b2a1f96236ca754f6c1669

    SHA512

    670399bf9f47f7609dfe8edc2131f3f240a7967003fdaec41eee6e9bd0f9a581ae6d001412fba6332fd67aab0e9e0e080d9d6bc117efa66580b06b304f71e1ff

  • C:\Windows\{E42A6E7F-7EDC-48f4-9449-BD98F87DDEB5}.exe

    Filesize

    216KB

    MD5

    ca19a62b9463e33b00b6b05481ad1160

    SHA1

    dee61218dfca47c50c79845917041d7a8bf433bb

    SHA256

    43db46b31269f2e079e79d7ffdcc37e36c50585d6c7b327478ff7190443b93ee

    SHA512

    c8a066b00ee55fe6700d8e1a9d9c40308ab93f97615cf3ea72943e92f81e3a304e01535830a6ae6d56d4ce396591da33b6bbe9ceeb48eb42c0ecc1be20b48b74

  • C:\Windows\{E9677CC0-9B74-42f2-A7A8-AAF02D014327}.exe

    Filesize

    216KB

    MD5

    7d902443f3947feceb6bef44f3617481

    SHA1

    e80e94110ccb0914d231a4eace2819d5d7fb9061

    SHA256

    d0a9cfb7a929780e8c3334220d118ab088d1ce81431651c509321b5a31988c55

    SHA512

    25472ab6557c2b680b96925e7aafbd4274c6e54f17af6bc6906cedaff1d7d9029a054a4cf340ec41293ac521610e2f4ff994076a46a6b473629c7437e68ad908

  • C:\Windows\{EF10085A-B5CB-451f-A4E6-A4DBA547488A}.exe

    Filesize

    216KB

    MD5

    98a8a685f7ea300534f7bd7ad3f8b5c8

    SHA1

    482762d94a5ab53b703e5092da9fde74e025b960

    SHA256

    fa9c6c05215919005dae980bfd0fcdbbfeae072e44e6bc2763af607c0d14d39b

    SHA512

    4da4ef7b972924fbf32015c92f398af754f2ffb0850082626da4105e626bca13e8c0da425fe2c5203e7941c44621d04dce93dcb73172f7e42ec18f3398ea3d61