Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 08:51

General

  • Target

    2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe

  • Size

    180KB

  • MD5

    8b953551a67085ad3e3577bda919d261

  • SHA1

    33a1a4f3e8d1f4dc59062ccb90abeef4b7ca2221

  • SHA256

    491b134f035deab9259b8082eb1a263775bbbaf902581f81d534cbc67ebf759f

  • SHA512

    f56dc91223f001d756a8eaea02a3859e2663f76c8f6b70868974eacf37bcd618aa6b5204b72ba962d115e7e1de1cfe8fced6f27203a667e208772cf2b24652ba

  • SSDEEP

    3072:jEGh0oulfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG4l5eKcAEc

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
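The Active Setup signature above says only that a registry key was written. Active Setup persistence is a subkey under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} whose StubPath value Windows runs at each user's next logon until the same GUID appears under that user's HKCU copy of the key, so triage on an affected host means reading that key, not just looking for the dropped files. The following script is an added example, not tooling from tria.ge or from this sample's analysis: it parses a Regedit 5.00 export of the key and flags StubPath values that point at a GUID-named executable directly in the Windows root (the naming the dropped files in this report use) or into a user-writable Temp/AppData path. The export text is constructed; the report does not show which subkey the sample actually wrote, so the second entry merely borrows a dropped-file name to show what a hit looks like, and the third entry is invented.

```python
r"""Triage Active Setup entries from a Regedit export (added example).

Active Setup persistence: a subkey under
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} with a
StubPath value, which Windows runs at each user's next logon if the same
GUID is not yet recorded under that user's HKCU copy of the key.
The export text below is constructed for this example; the report does
not show the key the sample wrote, so the second entry only borrows the
naming of the files it dropped in C:\Windows.
"""
import ntpath
import re

ACTIVE_SETUP_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup"
                    r"\Installed Components")

# Constructed .reg export: a stock Internet Explorer entry, one entry that
# mimics the report's dropped-file naming, and one pointing into AppData.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\Windows\\system32\\ie4uinit.exe -UserConfig"
"Version"="11,0,9600,16428"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6442B4F0-DD5D-448f-954C-209FD9DEA812}]
"StubPath"="C:\\Windows\\{6442B4F0-DD5D-448f-954C-209FD9DEA812}.exe"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="\"C:\\Users\\Admin\\AppData\\Roaming\\updater.exe\" /silent"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')
GUID_EXE_RE = re.compile(
    r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Parse a Regedit 5.00 export into {key path: {value name: value}}.
    String (REG_SZ) and dword values are decoded; other types stay raw."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            entries[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = _unescape(vm.group(1)), vm.group(2)
            if data.startswith('"') and data.endswith('"'):
                entries[current][name] = _unescape(data[1:-1])
            elif data.lower().startswith("dword:"):
                entries[current][name] = int(data[6:], 16)
            else:
                entries[current][name] = data
    return entries


def executable_of(stub_path):
    """Return the executable path from a StubPath command line
    (quoted path with arguments, or bare path up to the first space)."""
    s = stub_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def triage_active_setup(entries):
    """Flag Installed Components subkeys whose StubPath runs an executable
    that looks like a dropped payload: a GUID-named .exe directly in the
    Windows root, or anything under a user-writable Temp/AppData path.
    Returns (subkey GUID, executable, reasons) per finding."""
    findings = []
    for key, values in entries.items():
        if not key.lower().startswith(ACTIVE_SETUP_KEY.lower()):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue
        exe = executable_of(stub)
        directory, base = ntpath.split(exe)
        reasons = []
        if directory.lower() == r"c:\windows" and GUID_EXE_RE.match(base):
            reasons.append("GUID-named executable in Windows root")
        if re.search(r"\\(temp|appdata)\\", exe, re.I):
            reasons.append("executable in user-writable location")
        if reasons:
            findings.append((key.split("\\")[-1], exe, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for subkey, exe, why in triage_active_setup(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{subkey}: {exe}  [{why}]")
```

On a live host the same logic runs over `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (and, on x64, the Wow6432Node copy of the key, which Active Setup also processes); a stock entry such as ie4uinit.exe points under system32 and is not flagged, while a GUID-named file in the Windows root or anything under a profile directory is.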

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\{6442B4F0-DD5D-448f-954C-209FD9DEA812}.exe
      C:\Windows\{6442B4F0-DD5D-448f-954C-209FD9DEA812}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\{AF24870F-053A-418b-BB22-E3F87E0F8DD1}.exe
        C:\Windows\{AF24870F-053A-418b-BB22-E3F87E0F8DD1}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\{A4873E50-3051-46e7-9BED-81D38BB6C23C}.exe
          C:\Windows\{A4873E50-3051-46e7-9BED-81D38BB6C23C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\Windows\{9670AB38-8667-4bac-91AF-B17E5DDF8A51}.exe
            C:\Windows\{9670AB38-8667-4bac-91AF-B17E5DDF8A51}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2208
            • C:\Windows\{4C28BD0C-3B60-4996-8DB9-B0F923BE0F70}.exe
              C:\Windows\{4C28BD0C-3B60-4996-8DB9-B0F923BE0F70}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2040
              • C:\Windows\{3F62D84B-F0AD-4bbd-9389-64844D8D8B64}.exe
                C:\Windows\{3F62D84B-F0AD-4bbd-9389-64844D8D8B64}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:576
                • C:\Windows\{A7290220-CB91-4bfb-A7EB-3E2565E0E5B9}.exe
                  C:\Windows\{A7290220-CB91-4bfb-A7EB-3E2565E0E5B9}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2532
                  • C:\Windows\{B9861CE3-758A-41ba-A879-EFA661FE7EA1}.exe
                    C:\Windows\{B9861CE3-758A-41ba-A879-EFA661FE7EA1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2168
                    • C:\Windows\{9943AE24-E695-4901-BF0E-313A4BCE6A2D}.exe
                      C:\Windows\{9943AE24-E695-4901-BF0E-313A4BCE6A2D}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2180
                      • C:\Windows\{7BBA8B24-80CD-435c-A5FA-172E8F63F25C}.exe
                        C:\Windows\{7BBA8B24-80CD-435c-A5FA-172E8F63F25C}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1192
                        • C:\Windows\{5868CF5C-5D63-4d8b-8AC1-EF253C0A175D}.exe
                          C:\Windows\{5868CF5C-5D63-4d8b-8AC1-EF253C0A175D}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2312
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7BBA8~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:336
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9943A~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2120
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{B9861~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1128
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7290~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2184
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{3F62D~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1568
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{4C28B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2276
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{9670A~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1256
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{A4873~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{AF248~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6442B~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2828
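The tree above is a fixed pattern: every stage drops a GUID-named copy of itself in C:\Windows, runs it, and then spawns cmd.exe /c del on its own image using the 8.3 short name (for example {6442B~1.EXE for {6442B4F0-DD5D-448f-954C-209FD9DEA812}.exe), which is why the report shows eleven "Executes dropped EXE" IoCs and a "Deletes itself" hit only at the root. Two details worth noting when hunting for this in endpoint telemetry: the command line names C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, because the sample is a 32-bit process on x64 (arch:x86 tag) and WOW64 file system redirection maps system32 to SysWOW64; and the deleted path only matches the parent's image once the short name is expanded. The following script is an added example, not tria.ge code: it takes process-creation records, resolves the 8.3 short name against the parent's image, and reports each cmd.exe that deletes its parent, plus the chain of GUID-named executables spawned from the root. The records are built from the PIDs and paths in the tree above; the root's parent PID (1000) and the benign log-deleting cmd.exe are constructed to show a non-match.

```python
r"""Detect the self-deletion pattern in this report's process tree (added example).

Each dropped executable spawns the next copy and then runs
`cmd.exe /c del <own path in 8.3 short form> > nul`, so the child cmd.exe
deletes its parent's image. Records below are built from the report's tree
(PIDs and paths as shown there); the root's parent PID and the final benign
cmd.exe record are constructed for the example. Not a live log export.
"""
import ntpath
import re

EVENTS = [
    {"pid": 2792, "ppid": 1000,  # parent PID constructed; not shown in the report
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe"'},
    {"pid": 2816, "ppid": 2792,
     "image": r"C:\Windows\{6442B4F0-DD5D-448f-954C-209FD9DEA812}.exe",
     "cmdline": r"C:\Windows\{6442B4F0-DD5D-448f-954C-209FD9DEA812}.exe"},
    {"pid": 2828, "ppid": 2792,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"},
    {"pid": 2540, "ppid": 2816,
     "image": r"C:\Windows\{AF24870F-053A-418b-BB22-E3F87E0F8DD1}.exe",
     "cmdline": r"C:\Windows\{AF24870F-053A-418b-BB22-E3F87E0F8DD1}.exe"},
    {"pid": 2596, "ppid": 2816,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{6442B~1.EXE > nul"},
    # Constructed benign cleanup: cmd.exe deleting a file that is not its parent.
    {"pid": 3000, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\build.log > nul"},
]

# `del` target: optional switches, then a quoted or bare path.
DEL_RE = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*("[^"]+"|\S+)', re.I)
GUID_EXE_RE = re.compile(
    r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)


def short_name_matches(short, full):
    """True if an 8.3 name such as '{6442B~1.EXE' could refer to `full`.

    Heuristic: Windows builds the short form from the first six characters
    of the long stem (upper-cased, spaces dropped), '~' plus a counter, and
    the first three characters of the extension. Directory parts are
    compared as given; a shortened directory would need the same treatment.
    """
    s_dir, s_base = ntpath.split(short)
    f_dir, f_base = ntpath.split(full)
    if s_dir.lower() != f_dir.lower():
        return False
    s_stem, _, s_ext = s_base.rpartition(".")
    f_stem, _, f_ext = f_base.rpartition(".")
    if "~" in s_stem:
        prefix = s_stem.split("~", 1)[0].upper()
        return (f_stem.replace(" ", "").upper().startswith(prefix)
                and f_ext[:3].upper() == s_ext.upper())
    return s_base.lower() == f_base.lower()


def find_self_deletions(events):
    """Return (cmd_pid, parent_pid, deleted_path) for every cmd.exe whose
    'del' target resolves to the image of its own parent process."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).strip('"')
        parent = by_pid.get(e["ppid"])
        if parent and short_name_matches(target, parent["image"]):
            hits.append((e["pid"], parent["pid"], target))
    return hits


def find_drop_chain(events, root_pid):
    """Follow the chain of GUID-named executables in the Windows root
    spawned from root_pid; returns their image paths in spawn order."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    chain, cur = [], root_pid
    while True:
        nxt = [c for c in children.get(cur, [])
               if ntpath.dirname(c["image"]).lower() == r"c:\windows"
               and GUID_EXE_RE.match(ntpath.basename(c["image"]))]
        if not nxt:
            return chain
        chain.append(nxt[0]["image"])
        cur = nxt[0]["pid"]


if __name__ == "__main__":
    for cmd_pid, parent_pid, path in find_self_deletions(EVENTS):
        print(f"cmd.exe {cmd_pid} deleted parent {parent_pid}: {path}")
    print("drop chain:", find_drop_chain(EVENTS, 2792))
```

Fed the full tree, the self-deletion check fires once per stage (the cmd.exe at depth 2 through depth 12) and the chain walk returns the eleven GUID-named files listed under Downloads; the constructed build.log deletion does not fire because its target is not its parent's image. Match on parent image rather than on the literal "~1.EXE" string, since 8.3 names also appear in plenty of legitimate installer cleanup.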

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{3F62D84B-F0AD-4bbd-9389-64844D8D8B64}.exe

    Filesize

    180KB

    MD5

    64eac20969475a572129c29779ea4d8e

    SHA1

    878bff7294e4ccba1c272cdad51b5d83ab7b2b54

    SHA256

    1dc0ef489b6205a315ae0560b21238400c21401f66669e431f37657e031d2d38

    SHA512

    f4f07ee070eab01d2025959a5de437a10654414f4c19de9003810b0623de48c7540c662edb983a75e20bbd89dd4a0ac0585a53058e52b8d30e5c26dbe08b8fd6

  • C:\Windows\{4C28BD0C-3B60-4996-8DB9-B0F923BE0F70}.exe

    Filesize

    180KB

    MD5

    4038ab54a33acfb04759f1857d794399

    SHA1

    047308c7e10ab14e3ee4bd36b95b56d5aee08212

    SHA256

    26d081e1349988effdd53cdfd975cbbcebd8d07ca115b1744334bea97a7a3c1f

    SHA512

    77d04d3e05d6cbb5732085356d1f1607ae9f740069488a9b5f73746e3edb8fd0067970b19bead3616aa19ccbd95f407f8b9c7c81e763f90d51ddcac8df8328c4

  • C:\Windows\{5868CF5C-5D63-4d8b-8AC1-EF253C0A175D}.exe

    Filesize

    180KB

    MD5

    11eba98f30bfb5a87fc95ba01c0b0a7d

    SHA1

    9db2193d47b0b1f13343cdb4641d39fe5774909c

    SHA256

    f05494f1c0240690d2210151ee4d9ffba25ba78df77c7f162264775b4e2b4d43

    SHA512

    c0e65b1eae48841ac7cf3d4884399faeb6e07c946823f5c7c6e8501a644394815218207e1438054179e043b79014636e1934262c41a70191b791bf91e190b1f5

  • C:\Windows\{6442B4F0-DD5D-448f-954C-209FD9DEA812}.exe

    Filesize

    180KB

    MD5

    8b819903b071f03ddc0ff029f3f8b509

    SHA1

    6f8317be84d117cc04a26bf58670324823dc1692

    SHA256

    47cb4e691e5e92c13fb2137973cbda790d066ea209826c8c34357b0f08591ff7

    SHA512

    47a80c2131ece9039a6ed094e593e44f71d03fa7e749755515e4b713e99b895c9cf7bc09b264b12ce9aacbebb6752c281f9f4830669ada3d09326324dcf721d8

  • C:\Windows\{7BBA8B24-80CD-435c-A5FA-172E8F63F25C}.exe

    Filesize

    180KB

    MD5

    15219e30315cd44eb7947dd46ba08980

    SHA1

    0ea7b17caea50c2ad088d2fe07e84b38aa5a6d79

    SHA256

    c2b47b11800ce201ffd721c693ab69a57975888beb2b40822e8177b2f903629a

    SHA512

    b9a9b9f8d2e9e43c1dc29f1963555bd834fe28ffb149c873e061194696f59dcbaf5c4a0334289581510374387b42a51ea20e09da882425a67f4d9d2fa36b54f0

  • C:\Windows\{9670AB38-8667-4bac-91AF-B17E5DDF8A51}.exe

    Filesize

    180KB

    MD5

    590a3bdcb2886c4052897dee3a79ab6b

    SHA1

    41555139630a6cf671b0f963ad6d735ed6fb4b5d

    SHA256

    a335fd0b0bd913832955229989da437d3b18cb083ddac59ab76e26630788c592

    SHA512

    51e808cfe5f6d14e5a9e0b87ef31618c6b64945f8bf1da117fda2a1ec921a2539e893624742968ffc3f9dad117a1d9115a1bc8963463914483e39ed4aa04243f

  • C:\Windows\{9943AE24-E695-4901-BF0E-313A4BCE6A2D}.exe

    Filesize

    180KB

    MD5

    18be922bfb6a8892adda6266849d2b06

    SHA1

    24fe253cf6c5cb994848cdf2dd67b74ee6ead93f

    SHA256

    adb35f570c7134722aab1ac37956a391a830209c3fa7de2e1f1ddeb93335f8d8

    SHA512

    5b8cd13f1fd1683867029cf1a4e94aa8acfc72884e85331f577b4617f167b16dc5dfa4cae323c3506bbc0b25885c9d251f6447e2dbc927c20fd3d45578f18ac6

  • C:\Windows\{A4873E50-3051-46e7-9BED-81D38BB6C23C}.exe

    Filesize

    180KB

    MD5

    cd805c7b578df1ec82aa0d433c728728

    SHA1

    57f8ede874650c7644564e636c9de384af5c60a7

    SHA256

    c26ebf71bc4779758d5226e95bdbf0d8b694ac5d80a9e4a328132a32ac3aef8d

    SHA512

    5b9ed8f5560588af25ccb65398d09f041cff894a6e335991e2cd6af19dc6b2c2004f2f50aa1a72ad0c6fe1c97bc840ba6a3dbcedf2dc023a225adf51bad57e12

  • C:\Windows\{A7290220-CB91-4bfb-A7EB-3E2565E0E5B9}.exe

    Filesize

    180KB

    MD5

    c707748ec01ddd1b6cd0fda53f8e6bf2

    SHA1

    49a5a4719679b4212e1f35f62d1326f02a38f76f

    SHA256

    d63f35c12e6ef2893c943dde4c98ef4e32447a82ae019767bac1b4c682b170f5

    SHA512

    4c37d20417c07408efa2fe031991b5e368508d9dfb1c0f0ca5ac79343805141d6f81a7c1872b6dcc47ee1090cca58a3857bea34c280c1edec9b871f806c4e1a6

  • C:\Windows\{AF24870F-053A-418b-BB22-E3F87E0F8DD1}.exe

    Filesize

    180KB

    MD5

    fecd453d9dadf25b82eb3f7d2e65a2bd

    SHA1

    dc86d9addecfdf7d1d9091a5ac6f219ba8238dd2

    SHA256

    f1448319eabbc2a687e760288fa721ea1b787f1f51238453147730bcce72b5f5

    SHA512

    44982c935932aa4fa66a702bbd16987675325b9a7fd8fee288d0c35f700f597151a5216e51dd889001434a18eb318802161a447a17f92b84196e33289649c851

  • C:\Windows\{B9861CE3-758A-41ba-A879-EFA661FE7EA1}.exe

    Filesize

    180KB

    MD5

    ae88a940549f4c017c4c029cbaf588bf

    SHA1

    010f364f061bd88fc9ce1ce94e0f5332b2297897

    SHA256

    abc632acaebf7002dbb8474b6af2663c3937f9ca0276baec975a440ceb70115d

    SHA512

    d2b4921e976fdb32588fe09b2989969b61e432ecfec03c6a0652ff24aba57072e77ad29e9ce9d151eeec140327ba402daf437fc18d77f6203f56f97f3c49c4a8