Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2024, 00:48

General

  • Target

    2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe

  • Size

    197KB

  • MD5

    99c30ea3210c009ee8810dff4e63cf9f

  • SHA1

    26b51f2e0de933860e38d58952a4844cfcd0eaee

  • SHA256

    7bcad27b998ac2f43d5332c7bce9ec35c8d44f0d33828c3e765b2044da6ba35c

  • SHA512

    c38c9f8d2c8b9a3157cfd4b2847b956a05bad042a7cf8e24687e871c604f39f8d357833e5cf4c1e92c500e363a500fc7682a6893b6145da6005a8de1a65d2334

  • SSDEEP

    3072:jEGh0oXl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGFlEeKcAEca

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-03_99c30ea3210c009ee8810dff4e63cf9f_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Windows\{3C12E681-D485-4359-A733-DCF7D54BA6E9}.exe
      C:\Windows\{3C12E681-D485-4359-A733-DCF7D54BA6E9}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Windows\{D0821665-1E46-48e0-B0BB-E5A8142F57F0}.exe
        C:\Windows\{D0821665-1E46-48e0-B0BB-E5A8142F57F0}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Windows\{7A5620E9-59AD-454b-BA9F-692910FBD9E8}.exe
          C:\Windows\{7A5620E9-59AD-454b-BA9F-692910FBD9E8}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1188
          • C:\Windows\{076CD7C5-1C55-4644-A084-636B3EE3A08B}.exe
            C:\Windows\{076CD7C5-1C55-4644-A084-636B3EE3A08B}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2684
            • C:\Windows\{0F9E21CF-56BB-4bdb-A4AC-6C17CC27EEFA}.exe
              C:\Windows\{0F9E21CF-56BB-4bdb-A4AC-6C17CC27EEFA}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2072
              • C:\Windows\{FD08BBA2-7E48-4d15-ADEA-3F9711269BE8}.exe
                C:\Windows\{FD08BBA2-7E48-4d15-ADEA-3F9711269BE8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1880
                • C:\Windows\{0A6A65A6-8B36-4d4b-B971-C155707B9E7A}.exe
                  C:\Windows\{0A6A65A6-8B36-4d4b-B971-C155707B9E7A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:344
                  • C:\Windows\{CACE1F96-97C2-4e5e-8B9B-787530871802}.exe
                    C:\Windows\{CACE1F96-97C2-4e5e-8B9B-787530871802}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3868
                    • C:\Windows\{57A784BD-8BFC-447e-B347-0607CF68D090}.exe
                      C:\Windows\{57A784BD-8BFC-447e-B347-0607CF68D090}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1540
                      • C:\Windows\{157E260A-0351-42ba-AFDE-A5C449044FDC}.exe
                        C:\Windows\{157E260A-0351-42ba-AFDE-A5C449044FDC}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2732
                        • C:\Windows\{7972125D-8C89-4850-94CC-5ACF0BACB077}.exe
                          C:\Windows\{7972125D-8C89-4850-94CC-5ACF0BACB077}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2692
                          • C:\Windows\{522CDFBD-A162-4de9-8BC9-BCA5E5A7EB52}.exe
                            C:\Windows\{522CDFBD-A162-4de9-8BC9-BCA5E5A7EB52}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4500
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{79721~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:3956
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{157E2~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1760
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{57A78~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2244
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{CACE1~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2808
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A6A6~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2972
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{FD08B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2000
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{0F9E2~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1388
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{076CD~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1008
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7A562~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2836
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D0821~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C12E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Downloads
