Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 08:27

General

  • Target

    2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe

  • Size

    192KB

  • MD5

    25861ea2893539cd23cb931ad9fbf92e

  • SHA1

    e573e98263a326f9bd4e558ae354c30a6a9c2c33

  • SHA256

    13c23094edd1c20bcfa7cfbf04b46598d15e4ceb62e075418f4077075f222d4f

  • SHA512

    dc723717327501e11b8aa3642cd2fbba444dcd82a9f5064df8c3ea25e7dd9df4cd1d359b6faad2ad613b5a44ba09d64be1adb05cba865247a7f717a2ed62cdab

  • SSDEEP

    1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o1l1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\{08A8ACC9-2D38-4000-90D4-A8DE05C0B7D3}.exe
      C:\Windows\{08A8ACC9-2D38-4000-90D4-A8DE05C0B7D3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\{0CBA0ACB-4B81-45db-9D10-886A1F370DD3}.exe
        C:\Windows\{0CBA0ACB-4B81-45db-9D10-886A1F370DD3}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\{DB76BC84-0FF1-4b07-9C70-0BD8996125FF}.exe
          C:\Windows\{DB76BC84-0FF1-4b07-9C70-0BD8996125FF}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\{4B988EF3-442B-494b-8660-9C93BEEA973A}.exe
            C:\Windows\{4B988EF3-442B-494b-8660-9C93BEEA973A}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3060
            • C:\Windows\{D2259B86-7EBC-4487-979B-44C1D97D4F8F}.exe
              C:\Windows\{D2259B86-7EBC-4487-979B-44C1D97D4F8F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2132
              • C:\Windows\{8FE2E61F-8747-49ae-8E83-DDC2CED01C98}.exe
                C:\Windows\{8FE2E61F-8747-49ae-8E83-DDC2CED01C98}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2772
                • C:\Windows\{435F33F6-E1FF-405e-805E-BA7F29B113F6}.exe
                  C:\Windows\{435F33F6-E1FF-405e-805E-BA7F29B113F6}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2924
                  • C:\Windows\{EEE56A97-AE11-4f3a-A9E0-6A5C86EFA80E}.exe
                    C:\Windows\{EEE56A97-AE11-4f3a-A9E0-6A5C86EFA80E}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:536
                    • C:\Windows\{232C4CAC-F601-43eb-B65E-4A1D1DC27DB2}.exe
                      C:\Windows\{232C4CAC-F601-43eb-B65E-4A1D1DC27DB2}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1636
                      • C:\Windows\{75C1D64F-9AF0-4d72-86A4-7CDFA9AD49C8}.exe
                        C:\Windows\{75C1D64F-9AF0-4d72-86A4-7CDFA9AD49C8}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3040
                        • C:\Windows\{C6785482-3CBD-42b3-B265-972BDDF7FBE9}.exe
                          C:\Windows\{C6785482-3CBD-42b3-B265-972BDDF7FBE9}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1376
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{75C1D~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1044
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{232C4~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1332
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE56~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2064
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{435F3~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2236
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8FE2E~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2652
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{D2259~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:560
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{4B988~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1172
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DB76B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3068
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{0CBA0~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2568
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08A8A~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2872
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{08A8ACC9-2D38-4000-90D4-A8DE05C0B7D3}.exe

    Filesize

    192KB

    MD5

    f0fa7693f6d752e3350b37088ae520d7

    SHA1

    b2a4fd19e9200e54cd4298d2528bf52b7dee6374

    SHA256

    f153531c3b50b5274405ee8bcc4bf7a56cb96ba8895c951acc9433f1370ee021

    SHA512

    f138df92780dee7e63abf72581f92830078d9baabc21afdb9449dd3f6cc789a4138a8f7f95e5b32adbacf10bf32c75f5e523d171f4285e82c16631800a044de7

  • C:\Windows\{0CBA0ACB-4B81-45db-9D10-886A1F370DD3}.exe

    Filesize

    192KB

    MD5

    a5b2723b0ae310d9002d05a70dfd6bbc

    SHA1

    f7bce342a81afd40c7e3413a31a0bd57ec14c15b

    SHA256

    cf07c43cbfabe3fb06ead94d0d32d0229d7defdf32e1dc5dae15d02abc81fcf8

    SHA512

    7a2e02b5a7d5474057d67eefa617a7f2cf0199bc84d7f1a56ce2c502411b93ec623c619d2088fd48c18aac80c6b91d7f8b76dac0f6da205042d519b6d76f4c9e

  • C:\Windows\{232C4CAC-F601-43eb-B65E-4A1D1DC27DB2}.exe

    Filesize

    192KB

    MD5

    f2f4c101b0c6551e3ee6ec325dd7585a

    SHA1

    1e1fc3946e20aefb03125cfa43c7346ac73eb92d

    SHA256

    ad4c6ea2b2ff45c1bd4b165373cdd80196c5722bd215d27942a613387dddc745

    SHA512

    79bc5e8409f153af9ea920a11e8df0f68057c5c254e6136d0680984286612b645a0ada10e64845da09ff94285ed798de83526381abff09e39f829a83124daf32

  • C:\Windows\{435F33F6-E1FF-405e-805E-BA7F29B113F6}.exe

    Filesize

    192KB

    MD5

    a53604db91b192a16502caa0b929004f

    SHA1

    8f0e5027044b1b2f948c1fa59ac09333874e8c4e

    SHA256

    89fd861772a64d3889e395c6395c99024ed5ce37e0a86b93acf54f3bee1bb17d

    SHA512

    741310e4d7cceb878cbe6c12138ec6d61a44c61f1d3287353897bfef2d0323ec2f091ba0dd8ef2c8740d9cf2f0d39647093fb0076c25337e032b283dde3674eb

  • C:\Windows\{4B988EF3-442B-494b-8660-9C93BEEA973A}.exe

    Filesize

    192KB

    MD5

    a189054f583b9de784f7870c23660996

    SHA1

    c00bac1cc7cb98511ca61786a4a8ae0c5f8785f5

    SHA256

    7bc3547d5cb0decce708de4c764fb820c1ccda525c0c9f04a213cc1527e7a531

    SHA512

    c198e9f0f4d08a12a55c1c734f4f88ad5986671eee0ef2c8e8b8d1ab03432786db9463c7b35af6792e497ecf628d6646403e3b114497d69657f1edb1cdcd05b5

  • C:\Windows\{75C1D64F-9AF0-4d72-86A4-7CDFA9AD49C8}.exe

    Filesize

    192KB

    MD5

    52ea7d0fe0059db6ef073df1fbd8b13d

    SHA1

    72cee373e745e7ba04ac339d213e8d145532edfe

    SHA256

    1445e1e8e69a88d54f171cf854c51da8a3c39f7c4358234c51f788825589d4aa

    SHA512

    d0a4783fd89ff94b6f73a778c16066ec604408a73efe87af0b404b1cd50f38e02edf3c1f774b2810e9ff9a50be20c4eb4f542e7f89d5ebe83d0d6d27f5d87d39

  • C:\Windows\{8FE2E61F-8747-49ae-8E83-DDC2CED01C98}.exe

    Filesize

    192KB

    MD5

    d1670f9668709c5be47f7ec91958d7fb

    SHA1

    94dcb4768ebc5070e1fa14613f0a5e91ab3985e8

    SHA256

    18599c48ed6d68877754c794b4e2bb85a23be0e794f6268e2a7cfd979baa62d4

    SHA512

    fa891453bdbaa18204e92525c1264e36b1ab281a51dbf3f4f8e939edbbff03cffb94f5e86183f90ac74cf634d28e3e09bedc92977eebc511b4f72061e526da00

  • C:\Windows\{C6785482-3CBD-42b3-B265-972BDDF7FBE9}.exe

    Filesize

    192KB

    MD5

    bbf78eef56c6b473465b234af54f29d1

    SHA1

    3e8fa03a2b02a78f9ce802a3d0b424c08b9b3911

    SHA256

    688e5eace77b492c09a2070be793840dc4d39750c571ffa6ce4a4a1c960571e4

    SHA512

    4504319c462ee0b56d0edaaca1e935372aab4b3494e765472f4f8e5f6c2c0f9bb63fb2a37ae46c6d5b54d90fa3f1914f7ed757fa145275933a55f0c49469cea3

  • C:\Windows\{D2259B86-7EBC-4487-979B-44C1D97D4F8F}.exe

    Filesize

    192KB

    MD5

    efc64e732f43d7e6212c96a2d6c2da32

    SHA1

    fa070e548df5b4a77afc371ce554392971baeadd

    SHA256

    748e299e4b89baa3467d8bc256f93847ab2b3430ae32b425d77a04bf69f202e8

    SHA512

    4e3cd41f46abb06b48a3b48439a085be0db142976cc3416d67f46971f3ac6920512cead6952b3a63215b0eac055dd1f5eed0344347681f1a02096d8a651bad59

  • C:\Windows\{DB76BC84-0FF1-4b07-9C70-0BD8996125FF}.exe

    Filesize

    192KB

    MD5

    d96624b187befa46833d13d2a0c2811d

    SHA1

    7b59c96fdab235217f7cf946dea54f59e6dfa37a

    SHA256

    561c6c7b3e899776390183f114e6f0b4a374367a542eb3c525d3ae3952f14646

    SHA512

    7924ce611d4b32d72fd03f00a671778cb4dcdf8b8f7febd76d73f64bf6f0abd2d8ddaa2248bece718b57c423f9eed427e96ee8abec117e256af4381fc479d6bb

  • C:\Windows\{EEE56A97-AE11-4f3a-A9E0-6A5C86EFA80E}.exe

    Filesize

    192KB

    MD5

    6bad7ab0d76b6ba48a94f563ae85f777

    SHA1

    23129e592dd696d941c9e05b29560ae4778b25ac

    SHA256

    ddc65fd65e57c914b1c2db92dd12359d2ae08dffb275c18808b53540ae4589cb

    SHA512

    7948564a916bcbcbc3ac9d99f1ee8335fbd022725881edfa4db3a1cf20ebadbaccc8f465e172454fda5cbaeed123c59d12ceee5b9ec60803477ebb8434506e3a