Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20240802-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    04/10/2024, 10:37

General

  • Target

    2024-10-04_ad96f850339386bceb93b2f2d744a9c9_goldeneye.exe

  • Size

    372KB

  • MD5

    ad96f850339386bceb93b2f2d744a9c9

  • SHA1

    42ba679a7ef9b200e97042036d2d35243c44a3c2

  • SHA256

    8a19c5d2550e57284eea3e573df7248b3ec8c13da96d1d60176fff1ccdf2e00d

  • SHA512

    69f973d30cd4d70521980dc89abd16ed3422b190e6b0e1144759b16b97450bb744cfe0dca82690a0b7067c8e36758033b24880c520e12fef2b00a536ae9ff848

  • SSDEEP

    3072:CEGh0oxlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGnlkOe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
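
The Active Setup signature above says only that a key is added under the local machine's Active Setup hive. A practitioner's next step is to enumerate HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (and the WOW6432Node view) and look at what each StubPath launches. The check below is an added example, not part of the tria.ge report or the sample; it assumes that the dropped C:\Windows\{GUID}.exe seen in the process tree is the image the StubPath points at, and the sample entries it runs on offline are constructed.

```python
"""Hunt Active Setup for StubPath values that launch a GUID-named executable
dropped directly in %WINDIR%, the drop location seen in this report.

Assumptions (labelled): the report only says a key is added under Active Setup;
this check assumes the dropped C:\\Windows\\{GUID}.exe is what the StubPath
launches. The sample entries below are constructed for the example.
"""
import re
import sys

ACTIVE_SETUP_SUBKEYS = (
    r"SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
)
# C:\Windows\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.exe, as in the process tree
GUID_EXE_IN_WINDIR = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$"
)
# Where legitimate StubPath images live (lower-case, trailing backslash)
EXPECTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def first_image(stub_path):
    """Executable a StubPath command line launches, lower-cased, %SystemRoot% expanded."""
    s = re.sub(r"%(systemroot|windir)%", r"c:\\windows", stub_path.strip(), flags=re.IGNORECASE)
    if s.startswith('"'):                      # quoted path: take up to the closing quote
        return s[1:].split('"', 1)[0].lower()
    m = re.match(r"(.*?\.(?:exe|dll|cpl))(?:\s|$)", s, re.IGNORECASE)
    return (m.group(1) if m else s.split(" ", 1)[0]).lower()


def classify_stubpath(stub_path):
    """'malicious-pattern' for the GUID-in-%WINDIR% drop, 'outside-os-dirs' for any
    other full path not under the expected directories, else 'expected'."""
    image = first_image(stub_path)
    if GUID_EXE_IN_WINDIR.match(image):
        return "malicious-pattern"
    if "\\" not in image or image.startswith(EXPECTED_DIRS):
        return "expected"                      # bare image names resolve via the system PATH
    return "outside-os-dirs"


def hunt(entries):
    """entries: iterable of (component_key_name, StubPath). Returns findings, worst first."""
    rank = {"malicious-pattern": 0, "outside-os-dirs": 1}
    findings = [(classify_stubpath(sp), name, sp) for name, sp in entries]
    findings = [f for f in findings if f[0] != "expected"]
    return sorted(findings, key=lambda f: rank[f[0]])


def read_registry():
    """Live collection on Windows: yield (key_name, StubPath) from both registry views."""
    import winreg
    for subkey in ACTIVE_SETUP_SUBKEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break                      # no more subkeys
                index += 1
                with winreg.OpenKey(root, name) as component:
                    try:
                        stub, _ = winreg.QueryValueEx(component, "StubPath")
                    except OSError:
                        continue               # no StubPath: nothing runs at logon
                    if stub:
                        yield name, stub


# Constructed sample: the first entry mirrors the report's drop path; the rest are made up.
SAMPLE_ENTRIES = [
    ("{36EB4A9F-A1A7-43ad-A851-3078C4EE68B3}", r"C:\Windows\{36EB4A9F-A1A7-43ad-A851-3078C4EE68B3}.exe"),
    ("{00000000-0000-0000-0000-000000000001}", r"%SystemRoot%\system32\regsvr32.exe /s /n /i:U shell32.dll"),
    ("{00000000-0000-0000-0000-000000000002}", r'"C:\Program Files\Vendor\setup.exe" /peruser'),
    ("{00000000-0000-0000-0000-000000000003}", r'"C:\Users\Public\updater.exe" /silent'),
]

if __name__ == "__main__":
    entries = list(read_registry()) if sys.platform == "win32" else SAMPLE_ENTRIES
    for verdict, name, stub in hunt(entries):
        print(f"{verdict:18} {name}  StubPath={stub}")
```

On a Windows host the script reads both registry views; anywhere else it runs against the constructed entries. Active Setup StubPath commands run once per user at logon, so a StubPath that launches anything outside the OS and Program Files directories deserves a look even when it does not match the GUID-in-%WINDIR% pattern of this sample.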

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-04_ad96f850339386bceb93b2f2d744a9c9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_ad96f850339386bceb93b2f2d744a9c9_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\{36EB4A9F-A1A7-43ad-A851-3078C4EE68B3}.exe
      C:\Windows\{36EB4A9F-A1A7-43ad-A851-3078C4EE68B3}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Windows\{68D1F9D6-619A-460b-AB94-0B38C9904F58}.exe
        C:\Windows\{68D1F9D6-619A-460b-AB94-0B38C9904F58}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\{F86D9F02-8F41-47ce-833A-D3510F1EE256}.exe
          C:\Windows\{F86D9F02-8F41-47ce-833A-D3510F1EE256}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4312
          • C:\Windows\{1410C0B7-8671-410e-A13A-1E058BD65876}.exe
            C:\Windows\{1410C0B7-8671-410e-A13A-1E058BD65876}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3584
            • C:\Windows\{B4317E04-2D1D-4678-8326-838661B15B83}.exe
              C:\Windows\{B4317E04-2D1D-4678-8326-838661B15B83}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2560
              • C:\Windows\{CDFF85C6-0EB7-4840-A9D2-77F70FC4B872}.exe
                C:\Windows\{CDFF85C6-0EB7-4840-A9D2-77F70FC4B872}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1624
                • C:\Windows\{93F88875-515E-4b92-9CD0-A53CFA22730A}.exe
                  C:\Windows\{93F88875-515E-4b92-9CD0-A53CFA22730A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1788
                  • C:\Windows\{00AFD5A8-2998-44d5-BD90-B875C2B1AF6C}.exe
                    C:\Windows\{00AFD5A8-2998-44d5-BD90-B875C2B1AF6C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2100
                    • C:\Windows\{032DDA6C-028A-4ef6-957C-7CBEA9C6C652}.exe
                      C:\Windows\{032DDA6C-028A-4ef6-957C-7CBEA9C6C652}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3004
                      • C:\Windows\{AE4FD2F8-4065-49de-9975-0740F4E09D69}.exe
                        C:\Windows\{AE4FD2F8-4065-49de-9975-0740F4E09D69}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:452
                        • C:\Windows\{C457E67E-7583-4fc1-9775-9636B1B8B085}.exe
                          C:\Windows\{C457E67E-7583-4fc1-9775-9636B1B8B085}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4372
                          • C:\Windows\{1A4E7188-F929-4f80-B485-50ED9A1F75BA}.exe
                            C:\Windows\{1A4E7188-F929-4f80-B485-50ED9A1F75BA}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4876
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C457E~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:432
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{AE4FD~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:4540
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{032DD~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2076
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{00AFD~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4844
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{93F88~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3820
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{CDFF8~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4512
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{B4317~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4400
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{1410C~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2632
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F86D9~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4956
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{68D1F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36EB4~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4800
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2340
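
The tree above is a thirteen-stage chain in which each stage drops the next C:\Windows\{GUID}.exe, runs it, and then has a cmd.exe child delete the stage's own image, addressing it by its 8.3 short name ({36EB4A9F-...}.exe becomes {36EB4~1.EXE). The cmd.exe image is C:\Windows\SysWOW64\cmd.exe while the command line names system32, which is WoW64 file system redirection from a 32-bit stage. Every dropped file in the Downloads section is 372KB, the same size as the original, yet has a different hash, so file hashes only identify this one run; the parent-child behaviour is the stable indicator. The detector below is an added example, not part of the report; its events are constructed from the tree in Sysmon Event ID 1 style, and the ppid of the first stage is a placeholder because the report does not show its parent.

```python
"""Detect the stage-to-stage pattern in this report's process tree from process
creation events: a stage launches the next C:\\Windows\\{GUID}.exe and a cmd.exe
child deletes the stage's own image via its 8.3 short name.

Added example, not part of the report. Events below are constructed from the
tree above; ppid 1000 for the first stage is a placeholder.
"""
import re
from collections import defaultdict

GUID_EXE_IN_WINDIR = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE
)
# "... /c del <target> > nul" as issued by every stage in the tree
DEL_TO_NUL = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$", re.IGNORECASE)


def split_path(path):
    """(directory, stem) of a Windows path, quotes stripped, directory lower-cased."""
    directory, _, name = path.strip('"').rpartition("\\")
    return directory.lower(), name.rsplit(".", 1)[0]


def short_stem(stem):
    """8.3 stem Windows assigns to a long name: first six characters plus '~1'.
    Simplification: ignores the ~2, ~3 collision counter and character substitution."""
    return stem[:6].upper() + "~1"


def is_self_delete(parent_image, child_image, child_cmdline):
    """True if the child is cmd.exe deleting the parent's own image (long or short name)."""
    if split_path(child_image)[1].lower() != "cmd":
        return False
    m = DEL_TO_NUL.search(child_cmdline)
    if not m:
        return False
    tdir, tstem = split_path(m.group("target"))
    pdir, pstem = split_path(parent_image)
    return tdir == pdir and tstem.upper() in (pstem.upper(), short_stem(pstem))


def find_chain(events):
    """Return [(pid, image)] for every process that both spawned a GUID-named exe
    from %WINDIR% and had a cmd.exe child delete its own image, ordered root first."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    def depth(pid):                 # distance to the first ancestor not in the log
        d = 0
        while pid in by_pid:
            pid = by_pid[pid]["ppid"]
            d += 1
        return d

    stages = []
    for e in events:
        kids = children[e["pid"]]
        spawned_next = any(GUID_EXE_IN_WINDIR.match(k["image"]) for k in kids)
        erased_self = any(is_self_delete(e["image"], k["image"], k["cmdline"]) for k in kids)
        if spawned_next and erased_self:
            stages.append(e)
    stages.sort(key=lambda e: depth(e["pid"]))
    return [(e["pid"], e["image"]) for e in stages]


# Constructed from the first three stages of the report's tree; ppid 1000 is a placeholder.
EVENTS = [
    {"pid": 1524, "ppid": 1000, "cmdline": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-10-04_ad96f850339386bceb93b2f2d744a9c9_goldeneye.exe"},
    {"pid": 4560, "ppid": 1524, "cmdline": "", "image": r"C:\Windows\{36EB4A9F-A1A7-43ad-A851-3078C4EE68B3}.exe"},
    {"pid": 2340, "ppid": 1524, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul"},
    {"pid": 2644, "ppid": 4560, "cmdline": "", "image": r"C:\Windows\{68D1F9D6-619A-460b-AB94-0B38C9904F58}.exe"},
    {"pid": 4800, "ppid": 4560, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{36EB4~1.EXE > nul"},
    {"pid": 4312, "ppid": 2644, "cmdline": "", "image": r"C:\Windows\{F86D9F02-8F41-47ce-833A-D3510F1EE256}.exe"},
    {"pid": 2356, "ppid": 2644, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Windows\{68D1F~1.EXE > nul"},
    # Constructed benign noise: an unrelated cmd.exe deleting a log file
    {"pid": 7000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\build.log > nul"},
]

if __name__ == "__main__":
    for pid, image in find_chain(EVENTS):
        print(f"stage pid={pid} image={image}")
```

The last stage in the constructed events (PID 4312) has no children and is therefore not reported, which matches the real tree, where the final {1A4E7188-...}.exe had no children when the run ended. Pairing the two child conditions on the same parent keeps ordinary `cmd /c del` cleanups, like the constructed PID 7000 event, out of the result.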

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{00AFD5A8-2998-44d5-BD90-B875C2B1AF6C}.exe

    Filesize

    372KB

    MD5

    6220c5288142a399b8f43885ce902648

    SHA1

    2c42e19df74c4348994ae17791476572017420fc

    SHA256

    9d0cec9652e596319af32e42caa2a879844a95f7efeeec0e28274f4580e535db

    SHA512

    03370f2adba1f22159e378dee8c4f6ae342b3ce540f2e15196599e069c07667562ae7e70ea40a279e5184abb2ea49696b60cc7dbfe5efe6665bd173c70ff7249

  • C:\Windows\{032DDA6C-028A-4ef6-957C-7CBEA9C6C652}.exe

    Filesize

    372KB

    MD5

    abd9fb0ff68e8318db20cde80ef70a20

    SHA1

    3f8e314b0b80f4df5bb11f0ee7ec66671dbe962b

    SHA256

    b8e79e0a892e95d0180e4883491d0e7a700af80d8c51ec758a57898d8d6d7163

    SHA512

    de023b5175f563cc02c15b34deed653e6b5d58c61e1ee01140520a114dd2c9b81c7ecb2171502a3cf88ccec2c1edca2e8181e6d2a7c9d91bdd9ee22b820bbf65

  • C:\Windows\{1410C0B7-8671-410e-A13A-1E058BD65876}.exe

    Filesize

    372KB

    MD5

    bfa4f69fa561bee17d81b5f2622c8a03

    SHA1

    38aef8497d0381faf4207a78854ed2025d2b72e9

    SHA256

    ec02dfbc782097a5a81db0e447a0a123ed67aaa769cc144237dc895c84e06eae

    SHA512

    4ebe176d8b2826aeab3bf9d7c714ef8af3c55048f7970ea2fcf99f67f564b7d8aaf563b7af1ad3fdbab0ea6a7d141f97bce0f0ec5a1bbd8caa093bf14b15c5f3

  • C:\Windows\{1A4E7188-F929-4f80-B485-50ED9A1F75BA}.exe

    Filesize

    372KB

    MD5

    a9728d478fa5c62e2a4ca5803fcfb49d

    SHA1

    9a3e59670cec5b2559c3d146ab0c1b156a5d052e

    SHA256

    50b7c380f9f50fb5a0f33d36253db3fe44566539efac3a759452b5bdaac56961

    SHA512

    6e7e27aae73d73620a9e0b02a0c9d3649e682a06decac1fbf3dffe3d7c301f066801821725964bb093dd28619a57d38cff7b9e7db1290d182c52e4cc098e04e0

  • C:\Windows\{36EB4A9F-A1A7-43ad-A851-3078C4EE68B3}.exe

    Filesize

    372KB

    MD5

    53cc5f422d1e881dba0dedd11819a0c6

    SHA1

    f141d8c9c70d735fbc49b16324252122e5c1c1ab

    SHA256

    8312857ce0c051ed85eb7bd03e9623fe631b315f65a0c33dbf79f3d0aa9760c8

    SHA512

    49ba235321f1eb57241eeb222add6a1529043b47cefd8171d5d6229d4f55014ccfc34e0e9fb09cec98d9ea6b36255d9f330318bade6567d0adc5d0591f74fb70

  • C:\Windows\{68D1F9D6-619A-460b-AB94-0B38C9904F58}.exe

    Filesize

    372KB

    MD5

    4bf472b0c0291f802583970efcd08506

    SHA1

    b61813e3ec5cc4e9540b4849544f337318a6a56e

    SHA256

    d5196d887e3113d3ec8a20fa36ed51131d24ea059597546d74c6fbb06d39488c

    SHA512

    b83854d1f839977731af8fdb0de3d30580ccd98b35c36a7aa33c81028aee0c938d5e336ca6b8200b166447437a2c4e8727adce58722eded75f559d7138b7a929

  • C:\Windows\{93F88875-515E-4b92-9CD0-A53CFA22730A}.exe

    Filesize

    372KB

    MD5

    103a0a90ac5a0383afa67cee35aadb6c

    SHA1

    439c8671cef865a9a2f6eefe85607327c9ff00b2

    SHA256

    bb363266fa39cab1ed40994e16f8f01914d8b41428fc36c1a4d59f6d82860bf6

    SHA512

    02fef226b8d9175597a7387a802aae7d03df018e002bb056ae3446b4a7d8aa319d345be0d6942417329a6cf26156272aa0fd41346c5911f49c0293c139a41c6b

  • C:\Windows\{AE4FD2F8-4065-49de-9975-0740F4E09D69}.exe

    Filesize

    372KB

    MD5

    e62aa4567bc54d31149431fe2bb70ef8

    SHA1

    32c4b87bb853920b25c2a0c78ce877c327333029

    SHA256

    3cb87c5b4c8b00cffff50234af009101fb546fbc509d5c9c2c6594400106e8c5

    SHA512

    5462e06e8c079cde07ec267a36ef3ef8de72166f1ecd21ea4a4e22362497427983d49aacb77a0d79ba24a412d1eab785549691bbd8b69079d104410442fe7022

  • C:\Windows\{B4317E04-2D1D-4678-8326-838661B15B83}.exe

    Filesize

    372KB

    MD5

    32ac0f7487b1ec4b129fdf0f2fd13bd2

    SHA1

    9026e7dc61ba2ef4f787b50a72cb19e2cfcb564e

    SHA256

    117cc98bc3adcc0e792e237e5950d200de9be9403377e643929da86f4103e122

    SHA512

    302ad5d27d001b65953a17b7caf18c6e33a5c5a295799eb1993da6b477f2ed98cef27f28805a87c01e4017fc572468d22553b0af243dade3d40b02b2115d6420

  • C:\Windows\{C457E67E-7583-4fc1-9775-9636B1B8B085}.exe

    Filesize

    372KB

    MD5

    d93a9b31abe0bbcf8f28a7bbc13fad4c

    SHA1

    a5eb757aa4ce6289299212074c9436f4d70264de

    SHA256

    4cde117adbecfaff5d8f6a3ce53341ca772eeec0b6f5f0e884917323350d2b79

    SHA512

    0b6b10ff2a1727c5a32cc567b304f388fc530556cd462be5636875132b206cc34e5c7545a525dd13c543d1bf5ae6dc029d5f711327f30d28ffb3fc89cb10e80a

  • C:\Windows\{CDFF85C6-0EB7-4840-A9D2-77F70FC4B872}.exe

    Filesize

    372KB

    MD5

    c99af893365c7cbc18ea5d9f72530656

    SHA1

    f69bc8508559ce84ef06a8224287e954eae32267

    SHA256

    2658e38322ab08d2ee9022777a306de6b92e4ca6c49ac6619a099144aed20ab7

    SHA512

    5438b341d82c14813970f1b63317fbb1633651183af4906f5308b9d5a745a10d5b0ec668682f141e8c0fe68d783d92de30c33848fc6ef982d1b95a1af1097dff

  • C:\Windows\{F86D9F02-8F41-47ce-833A-D3510F1EE256}.exe

    Filesize

    372KB

    MD5

    490bd501b9faf112b22a321c954f87ee

    SHA1

    10fa208b998b12f4bbb31189e44b26d360bc8b86

    SHA256

    c704c9427335e84e185e0ac02356ec799d21007fe26a999e1af7a2bc756d3cbc

    SHA512

    ed99302354d6dc33c42eac639c1153a9af48376a1c9c890f02de3053338709a1d4ccaa8ab4461cfd1bda0b6516f31c20c3ffbf816663fa5daf4e1398bda6e857