Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/09/2024, 11:35

General

  • Target

    2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe

  • Size

    372KB

  • MD5

    a85a60579d91f34dbe932702e61d16e6

  • SHA1

    31b36ba209a3412f00564f81840e6498ec14e5a1

  • SHA256

    79452ea75069f14b89efd4440facca77d54b7f284207b36c2149afa6f2d4fe6b

  • SHA512

    f0359115024c1a8ac31c47906791916b244402f43ec80f09b9aab41bd39498a1c02e668957f4eb9e7849d84517407d89760d77f6b5ae7b1266d649cc3a8c0788

  • SSDEEP

    3072:CEGh0oclMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGKlkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\{5A539022-07FC-4c9b-90B7-3DF2FD2E886E}.exe
      C:\Windows\{5A539022-07FC-4c9b-90B7-3DF2FD2E886E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\{93D63BC7-E685-4101-846F-621E06334CF1}.exe
        C:\Windows\{93D63BC7-E685-4101-846F-621E06334CF1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\{5CCD3C6F-070B-443b-98C5-CB76FEE7DE91}.exe
          C:\Windows\{5CCD3C6F-070B-443b-98C5-CB76FEE7DE91}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\{2738D08E-A36B-4bcf-8BD1-423E70A19542}.exe
            C:\Windows\{2738D08E-A36B-4bcf-8BD1-423E70A19542}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1656
            • C:\Windows\{314C5476-010E-4dc5-84A7-D82CBE7316BE}.exe
              C:\Windows\{314C5476-010E-4dc5-84A7-D82CBE7316BE}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:840
              • C:\Windows\{F5114623-8473-4eff-B5C5-DB464D06FA74}.exe
                C:\Windows\{F5114623-8473-4eff-B5C5-DB464D06FA74}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1984
                • C:\Windows\{06321BE4-A26D-4815-A29D-C03D61DE1ADB}.exe
                  C:\Windows\{06321BE4-A26D-4815-A29D-C03D61DE1ADB}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1428
                  • C:\Windows\{8F81A574-6BBA-4219-8AF8-A4A0750967D2}.exe
                    C:\Windows\{8F81A574-6BBA-4219-8AF8-A4A0750967D2}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2952
                    • C:\Windows\{D732FC63-05BB-4f07-A289-393B831D602F}.exe
                      C:\Windows\{D732FC63-05BB-4f07-A289-393B831D602F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2296
                      • C:\Windows\{8E7789D7-AA91-452b-9A69-5093CE3ADBD0}.exe
                        C:\Windows\{8E7789D7-AA91-452b-9A69-5093CE3ADBD0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2272
                        • C:\Windows\{ABCAF7C9-5498-4a02-B6A3-340D82D3B15D}.exe
                          C:\Windows\{ABCAF7C9-5498-4a02-B6A3-340D82D3B15D}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:408
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8E778~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2432
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{D732F~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2100
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F81A~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2956
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{06321~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1876
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F5114~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2904
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{314C5~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1852
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{2738D~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1620
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{5CCD3~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2628
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{93D63~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2700
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A539~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1684

Network

MITRE ATT&CK Enterprise v15

Downloads
