Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 04:00

General

  • Target

    2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe

  • Size

    197KB

  • MD5

    9206b0dcae78734c7ccca68e6104babc

  • SHA1

    8f913d7abcbbbfe748f50d9bdcb163cc9a92f68b

  • SHA256

    c99dc5efdcdf7bf29b9f883e71ee392252fa7c431056c81a602ce4dd19d7f83a

  • SHA512

    624b8c85733792e92915d459d2049df66798f10821032b05723e1567cfa85522b7dff81c92016c06d116a8c4ad89177a89d8a81dfce4cf4c6e539d03816b9738

  • SSDEEP

    3072:jEGh0oDl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGJlEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\{C60E4C93-9D95-4221-945F-9D229C01E276}.exe
      C:\Windows\{C60E4C93-9D95-4221-945F-9D229C01E276}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\{E742C79B-531E-459f-B02C-582F50B67AD2}.exe
        C:\Windows\{E742C79B-531E-459f-B02C-582F50B67AD2}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\{26A2CE61-1496-468a-91F7-5CA10CDCE2BD}.exe
          C:\Windows\{26A2CE61-1496-468a-91F7-5CA10CDCE2BD}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\{10A93BC5-FE08-409a-9DD7-E3FCC0E22A2E}.exe
            C:\Windows\{10A93BC5-FE08-409a-9DD7-E3FCC0E22A2E}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2372
            • C:\Windows\{A931C154-54BB-40c8-A850-236603F230E1}.exe
              C:\Windows\{A931C154-54BB-40c8-A850-236603F230E1}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:936
              • C:\Windows\{29076C8F-3DB7-45a7-A3FD-366D1FD5361E}.exe
                C:\Windows\{29076C8F-3DB7-45a7-A3FD-366D1FD5361E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2096
                • C:\Windows\{25FFFD7A-8211-441f-9BE4-E5614DC1891B}.exe
                  C:\Windows\{25FFFD7A-8211-441f-9BE4-E5614DC1891B}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2380
                  • C:\Windows\{FC545188-DCCA-4602-9925-DC9A8EF300A5}.exe
                    C:\Windows\{FC545188-DCCA-4602-9925-DC9A8EF300A5}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:264
                    • C:\Windows\{82E61106-D18F-49df-8969-87FA99719D9F}.exe
                      C:\Windows\{82E61106-D18F-49df-8969-87FA99719D9F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1296
                      • C:\Windows\{F47A9B7C-635F-4405-AABE-164107479D05}.exe
                        C:\Windows\{F47A9B7C-635F-4405-AABE-164107479D05}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3004
                        • C:\Windows\{06BC41DC-274D-4853-A059-663FA4E3203C}.exe
                          C:\Windows\{06BC41DC-274D-4853-A059-663FA4E3203C}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:932
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F47A9~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2404
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{82E61~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1852
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{FC545~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2160
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{25FFF~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1784
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{29076~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:832
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{A931C~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1624
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{10A93~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1512
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{26A2C~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1252
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{E742C~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C60E4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads
