Analysis

  • max time kernel
    144s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    2024-10-03, 07:00

General

  • Target

    2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe

  • Size

    380KB

  • MD5

    fd1441d9179581a63cec50659e4b2665

  • SHA1

    14b065f52946c65bf2ac43db5990bc964bc71554

  • SHA256

    56e02b5fa11e81e31378ddb4e0b63db656b7bb647fa16b7384437ee2eaf1af39

  • SHA512

    1eedbc17afc8f31177b2096a6aaba3235fb49b5cfd5176d3e86b72c1ce2c193ab0d6fb8f9b3dbae6181565e7ec4765881c386e65b0f8aaa35a84319d314f9085

  • SSDEEP

    3072:mEGh0oDlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
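
The Active Setup signature above fires 22 times across the eleven stages, but the report does not print the registry key or StubPath the sample writes. The following is an added example, not code from tria.ge or from the sample, for checking a host afterwards: it parses the text of `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` and flags components whose StubPath points at a GUID-named executable (the C:\Windows\{GUID}.exe naming every stage here uses) or at a path outside the directories where StubPath targets normally live. The sample `reg query` output, the trusted-directory list and the choice of a dropped-file GUID as the subkey name are all assumptions made for the example.

```python
r"""Triage Active Setup entries for StubPaths that look like the droppers in this report.

Added example (not tria.ge's, and not the sample's own code). It parses the text
produced on the host by:

    reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s

Active Setup runs each component's StubPath once per user at logon when the matching
HKCU key is absent, which is why it is a persistence location. SAMPLE_REG_QUERY is
constructed for this example; its second entry reuses a GUID from the report's dropped
files, but the page does not show which key or StubPath the sample actually writes.
"""
import re

ACTIVE_SETUP_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# reg query prints the key path on its own line, then "    Name    REG_TYPE    Data" rows.
_VALUE_RE = re.compile(r"^ {4}(?P<name>\S+) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")
# C:\Windows\{GUID}.exe naming used by every stage of this sample.
_GUID_EXE_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\.exe$", re.IGNORECASE)
# Where legitimate StubPath targets normally live (assumption; tune to the environment).
_TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample output: one benign-looking component, one mirroring the report.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
    (Default)    REG_SZ    Windows Desktop Update
    StubPath    REG_SZ    regsvr32.exe /s /n /i:U shell32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8B771F05-7590-4b3a-9E46-FCCEB1442635}
    StubPath    REG_SZ    C:\Windows\{8B771F05-7590-4b3a-9E46-FCCEB1442635}.exe
"""


def parse_reg_query(text: str) -> dict[str, dict[str, str]]:
    """Return {subkey: {value_name: data}} for every key under the Active Setup root."""
    entries: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith(ACTIVE_SETUP_ROOT + "\\"):
            current = line[len(ACTIVE_SETUP_ROOT) + 1:].strip()
            entries[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                entries[current][m["name"]] = m["data"].strip()
    return entries


def stub_target(stub: str) -> str:
    """Executable part of a StubPath command line (quoted path or first token)."""
    stub = stub.strip()
    if stub.startswith('"') and stub.find('"', 1) > 0:
        return stub[1:stub.find('"', 1)]
    return stub.split(" ", 1)[0]


def suspicious_stubpaths(entries: dict[str, dict[str, str]]) -> list[dict]:
    """Flag components whose StubPath names a GUID-named exe or a target outside trusted dirs."""
    findings = []
    for subkey, values in entries.items():
        stub = next((v for k, v in values.items() if k.lower() == "stubpath"), None)
        if not stub:
            continue
        target = stub_target(stub).lower()
        reasons = []
        if _GUID_EXE_RE.search(target):
            reasons.append("GUID-named executable, the naming used by this sample's droppers")
        # Bare names such as regsvr32.exe carry no directory; only judge explicit paths.
        if "\\" in target and not target.startswith(_TRUSTED_DIRS):
            reasons.append("StubPath target outside trusted directories")
        if reasons:
            findings.append({"subkey": subkey, "stubpath": stub, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_stubpaths(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f["subkey"], "->", f["stubpath"], "|", "; ".join(f["reasons"]))
```

Only `HKLM` is queried because that is where the signature's description places the key; a real sweep should also compare against `HKCU\...\Installed Components`, since Active Setup re-runs a StubPath for any user whose HKCU copy of the subkey is missing or has an older Version value.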

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\{8B771F05-7590-4b3a-9E46-FCCEB1442635}.exe
      C:\Windows\{8B771F05-7590-4b3a-9E46-FCCEB1442635}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\{A756ED5A-41A0-4ba4-8B23-61E91C824702}.exe
        C:\Windows\{A756ED5A-41A0-4ba4-8B23-61E91C824702}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\{CB8A188B-6578-4b11-A618-C408F122D32B}.exe
          C:\Windows\{CB8A188B-6578-4b11-A618-C408F122D32B}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\{EF97B22C-9B04-4d4e-8746-80068F67C292}.exe
            C:\Windows\{EF97B22C-9B04-4d4e-8746-80068F67C292}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Windows\{1979BA36-6F75-44ec-A6BC-E5E73C35A649}.exe
              C:\Windows\{1979BA36-6F75-44ec-A6BC-E5E73C35A649}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2556
              • C:\Windows\{8021CD09-749C-4086-BB57-5B7C8B4C3BB2}.exe
                C:\Windows\{8021CD09-749C-4086-BB57-5B7C8B4C3BB2}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2900
                • C:\Windows\{2EE2E901-DFC9-403a-A4B1-0DCA18B9A6E6}.exe
                  C:\Windows\{2EE2E901-DFC9-403a-A4B1-0DCA18B9A6E6}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1480
                  • C:\Windows\{71246C07-DEA0-4a6e-B69E-DD26B1D6C5DE}.exe
                    C:\Windows\{71246C07-DEA0-4a6e-B69E-DD26B1D6C5DE}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1648
                    • C:\Windows\{52A08662-4E09-4a74-AFCD-B1799889C30F}.exe
                      C:\Windows\{52A08662-4E09-4a74-AFCD-B1799889C30F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1960
                      • C:\Windows\{D9727A12-6135-44be-B55A-5664C130A209}.exe
                        C:\Windows\{D9727A12-6135-44be-B55A-5664C130A209}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2160
                        • C:\Windows\{518D9811-977F-45df-88D1-DB3C8E9620C4}.exe
                          C:\Windows\{518D9811-977F-45df-88D1-DB3C8E9620C4}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2104
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D9727~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:972
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{52A08~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1792
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{71246~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1060
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{2EE2E~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:300
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{8021C~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3028
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{1979B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2280
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{EF97B~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2624
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{CB8A1~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{A756E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B771~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2564
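
The tree above is a fixed pattern: every stage is a C:\Windows\{GUID}.exe that spawns the next stage plus a `cmd.exe /c del ... > nul` removing the spawning stage by its 8.3 short name (`{8B771~1.EXE` for `{8B771F05-7590-4b3a-9E46-FCCEB1442635}.exe`, `2024-1~1.EXE` for the original sample). Each dropped stage is 380KB but has a different hash (see Downloads below), so hash blocking only covers this one run; the stable indicators are the naming, the parent-child chain and the self-deletion. Note also that the cmd.exe image is `SysWOW64\cmd.exe` although the command line names `system32\cmd.exe`: the sample is 32-bit (`arch:x86`) on an x64 image, so WOW64 file-system redirection rewrites the path, and a detection should match on the basename rather than the full image path. The following detector is an added example, not tria.ge's or the sample's code, run over process-creation events constructed to mirror the first levels of this tree (same PIDs, images and command lines; parent PIDs follow the nesting); the explorer.exe parent, the benign control event and the Sysmon-like field names are assumptions.

```python
r"""Detect the stage chain shown in the report's process tree from process-creation events:
each C:\Windows\{GUID}.exe spawns the next GUID-named exe and a cmd.exe that deletes
the spawning stage by its 8.3 short name (cmd.exe /c del C:\Windows\{8B771~1.EXE > nul).

Added example (not tria.ge's, and not the sample's own code). EVENTS is constructed to
mirror the first levels of the report's tree; the explorer.exe parent and the benign
cmd.exe control are invented, and field names loosely follow Sysmon Event ID 1.
"""
import re
from collections import defaultdict

GUID_EXE = re.compile(r"^c:\\windows\\\{[0-9a-f-]{36}\}\.exe$", re.IGNORECASE)
DEL_CMD = re.compile(r'/c\s+del\s+(?P<path>"[^"]+"|\S+)', re.IGNORECASE)

EVENTS = [
    {"pid": 1234, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 792, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe"'},
    {"pid": 2560, "ppid": 792, "image": r"C:\Windows\{8B771F05-7590-4b3a-9E46-FCCEB1442635}.exe",
     "cmdline": r"C:\Windows\{8B771F05-7590-4b3a-9E46-FCCEB1442635}.exe"},
    {"pid": 2564, "ppid": 792, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"},
    {"pid": 2956, "ppid": 2560, "image": r"C:\Windows\{A756ED5A-41A0-4ba4-8B23-61E91C824702}.exe",
     "cmdline": r"C:\Windows\{A756ED5A-41A0-4ba4-8B23-61E91C824702}.exe"},
    {"pid": 2804, "ppid": 2560, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{8B771~1.EXE > nul"},
    # Benign control (invented): cmd.exe deleting a scratch file, not its parent's image.
    {"pid": 3100, "ppid": 1234, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\scratch.txt > nul"},
]


def short_name(path: str) -> str:
    """Approximate the 8.3 short name of a path's last component: upper case, first six
    characters plus ~1. Assumes no collision, so the tail is ~1 as in the report; real
    generation can yield ~2.. or a hashed form, so treat this as a heuristic."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = stem.replace(" ", "").replace(".", "")
    if len(stem) > 8 or len(ext) > 3:
        base = stem[:6].upper() + "~1"
    else:
        base = stem.upper()
    return base + ("." + ext[:3].upper() if ext else "")


def _split(path: str) -> list[str]:
    return path.rsplit("\\", 1) if "\\" in path else ["", path]


def same_file(image: str, target: str) -> bool:
    """True when target names image either verbatim or by its 8.3 short name."""
    image, target = image.lower(), target.lower()
    if image == target:
        return True
    idir, iname = _split(image)
    tdir, tname = _split(target)
    return idir == tdir and tname == short_name(iname).lower()


def detect(events: list[dict]) -> list[tuple]:
    """Return (kind, pid, detail) findings:
    self_delete_via_cmd: a child cmd.exe deletes its parent's own image;
    guid_exe_chain: a process starts a chain of N >= 2 GUID-named C:\\Windows exes."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        # Basename match: under WOW64 the image is SysWOW64\cmd.exe even though the
        # 32-bit parent asked for system32\cmd.exe.
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_CMD.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if m and parent and same_file(parent["image"], m["path"].strip('"')):
            findings.append(("self_delete_via_cmd", parent["pid"], parent["image"]))

    def chain_len(e: dict) -> int:
        return max((1 + chain_len(c) for c in children[e["pid"]]
                    if GUID_EXE.match(c["image"])), default=0)

    for e in events:
        # Only report from the top of a chain: a non-GUID process, or a GUID exe whose
        # parent is not in the log (the chain started before collection began).
        if not GUID_EXE.match(e["image"]) or e["ppid"] not in by_pid:
            n = chain_len(e)
            if n >= 2:
                findings.append(("guid_exe_chain", e["pid"], n))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in detect(EVENTS):
        print(f"{kind}: pid {pid} -> {detail}")
```

On the full tree from the report the chain count for PID 792 would be 11, and every stage up to `{D9727A12-...}.exe` would be reported as deleting itself through a child cmd.exe; the final stage `{518D9811-...}.exe` (PID 2104) has no `del` child within the 144s run, so it is the one file left on disk to collect.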

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1979BA36-6F75-44ec-A6BC-E5E73C35A649}.exe

    Filesize

    380KB

    MD5

    c9abe3b339d60e9724c94e0d29a09863

    SHA1

    1ad94fdbc3ec4ccb924011992ffb8ed724400aa4

    SHA256

    bf8ced0a7e962cccb5cfdd049b9ffd1d15856ac27ee24f2f8b4968bcb8302b12

    SHA512

    528c856695e214c290a52ca794d94a3401d52d824c06594076b2bcdbbf97f97548518254088cdabfb64813579a9a099f2977fc77ed62940efb2f48f518dae112

  • C:\Windows\{2EE2E901-DFC9-403a-A4B1-0DCA18B9A6E6}.exe

    Filesize

    380KB

    MD5

    7f8351312eef2f936de3e2a0202a5414

    SHA1

    fa4a97ed55824a8f49ad87a35fd415e2e16ac6fd

    SHA256

    aec5ca21eb841bba32728786d71cc8879a7eefa5dea8502dbbc99712549d538e

    SHA512

    5eef1a2de4fd628d16981f43484184f4ed9422020148ace1b5af4c993c6f7114680190cf0d4b783f269cd499cfa19f3d0057b04324b7e49efde6f61999c6fa9c

  • C:\Windows\{518D9811-977F-45df-88D1-DB3C8E9620C4}.exe

    Filesize

    380KB

    MD5

    cd3be76230392f44481fd644ca1b7537

    SHA1

    e1939388b4fb7bf89896e6b12a018746a940a58c

    SHA256

    6df450db1f52e2ab549b060354e8376be73a004a0b61c537d097ef939694186a

    SHA512

    81b60ac140eb8c63659267102938cfdfa7adc943dd498744b55eec360b3b77c8bfc558c9fd7e43a61480aa3f3ee45e0f2409020af212a306a32ab7b3d63086e0

  • C:\Windows\{52A08662-4E09-4a74-AFCD-B1799889C30F}.exe

    Filesize

    380KB

    MD5

    b6e2d83bca0a2aa470f1afefd61f3158

    SHA1

    2c89ac786ac150a6cc1bf1c34c12f8bc83dea6a8

    SHA256

    f0b09d54acef920f53bcd7b22239d6b9bf5635f244638f0d7ed0b1473dcbdc30

    SHA512

    29dd0794bcad50ac26cf6af4e299b9b7c692e30f78cec7d5d4e720450cecaf016e4bdb44b0ec895e8007ea8beae307fd141a4c92ee65f3d6df71702837258915

  • C:\Windows\{71246C07-DEA0-4a6e-B69E-DD26B1D6C5DE}.exe

    Filesize

    380KB

    MD5

    9767dcb401d4a7edbbe87be7b3a3d794

    SHA1

    d5a3722f23289538153cf574a1e87b13b3b3eaaa

    SHA256

    a72b02c39b1ff9b4fba3e649a98e4700cf5ceb61f3c27f5aae4e9fd1e0cc4d6d

    SHA512

    70ee2f45a078378336c3fed2fa42989ace97b2b6f288decb3dad302e98ceb788d380961361f75d6c3988c24ef79a98b83871aa3f7582a3926d869f50c636983d

  • C:\Windows\{8021CD09-749C-4086-BB57-5B7C8B4C3BB2}.exe

    Filesize

    380KB

    MD5

    b414ad9dc67ae10debe2751344277599

    SHA1

    455efe3bb3a578e597196f271c2139308a5857f4

    SHA256

    aea2a939b20137165eebb9892367709a2c6a9d5c8a25a154f46d1473bf628b0e

    SHA512

    81f42ba8b4c5fab14fa37b7fbbaf6a92803f81d5c3e17decc7b8813385151d75d1873951ea87802b8fd4bf6c3b58a596c952546fa3702c7d7709d1ef1eead59b

  • C:\Windows\{8B771F05-7590-4b3a-9E46-FCCEB1442635}.exe

    Filesize

    380KB

    MD5

    16c8fea212078f0328b9126f098f4020

    SHA1

    91513839dbaf3f6c0deb9be09fdc39fac56a29c2

    SHA256

    eb5758c5ccc827fd6f3dffb102d14b876994b6257b690f8212d0e07e8ebdcad0

    SHA512

    d9dc53bf132a4809ed4001a3c7b3f546f1f997b26e631053206d623f18fa3fd3d169fba468c28644d56fcc6a5fa6ad5506aa16ab892662082d2c56f10b5f064c

  • C:\Windows\{A756ED5A-41A0-4ba4-8B23-61E91C824702}.exe

    Filesize

    380KB

    MD5

    b412b12438694f8a7900db7b550a4db3

    SHA1

    36c39b5ea2566b5c50561fac1062793270978b6e

    SHA256

    05b96a0f7f1d368c5554c1797f7c39397db5d7a7a54360468072b7da76f40ea7

    SHA512

    e8c214ab4f18bd0439ffd87378c8a1df6f68d97a50e85be11a797812879ad9735d2895e46bbe9ecd18697ab9878ef77da0aa0b3ffca87f4ee46edd0a8a871414

  • C:\Windows\{CB8A188B-6578-4b11-A618-C408F122D32B}.exe

    Filesize

    380KB

    MD5

    b22d37c0f7c0dcf807a4dcfc9f2c3767

    SHA1

    27a7df95428caa9c41e9dcaa4173e076f65070b9

    SHA256

    2d82fc108118f5908dc797d0c27277c3654bed2aca7bfdcdfc824807f0fa1355

    SHA512

    9364e6b62dc247e2021a4d5a4aeebf6e42c8a11a81c6ee81d187cb7d27074ca6d9c55bec47ace526c14fa53dad61a31a073dd4c04be4264d75211561fd2ea8a5

  • C:\Windows\{D9727A12-6135-44be-B55A-5664C130A209}.exe

    Filesize

    380KB

    MD5

    f8581b03ea7804d454b2594004098147

    SHA1

    7cd250565db64999cdca098aff52b1459bbba0e8

    SHA256

    9d3f98cea2f55a0b1f629d3c4047bc95bca52f8fd42679100d78bfcb0e4c2391

    SHA512

    60b0e651fd2d9b1374d88587c21836b2c1f7abb19ddb6aeb776c78e4fc00010937eeaf8dcadbf959c6b8785f2b03b2b24846ff2fdba37c17c57d0b3d0c4c2fc9

  • C:\Windows\{EF97B22C-9B04-4d4e-8746-80068F67C292}.exe

    Filesize

    380KB

    MD5

    f0463a017a556ef1ddda8f7da5920c60

    SHA1

    bd2d3dee361bb4f6d6c296691022d075ea643a27

    SHA256

    f92a96f7421018d9b8bfa5a25581f63ad4fac66a09439750c92201371cff4ef5

    SHA512

    72600335d42d8abf4e1a1f4aee140da2aff1481734eaf2a593374a62ebf70b5aa613135e564be00c24b99502f8bc9316d038c4abed3529ffd9a674e0fcba61fd