
Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/10/2024, 00:57

General

  • Target
    2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe
  • Size
    216KB
  • MD5
    f1c7b46cb8b085fb80151b3449e6f514
  • SHA1
    19909fa73a62a965cfc614b2e330f37830636cde
  • SHA256
    948bc65704a0e3c0cdf4a3f32a7b321e7b8e1b2d354d8c9bfe3d0c4b6a989840
  • SHA512
    e40d4e0889b9c6938f254eb4d77f57b5153b7260dec59049b8f720714e7de6fd6d602298c3e5d65bdca025fa33e974224ec5bd94157c592f157b407e15154a2d
  • SSDEEP
    3072:jEGh0oZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGzlEeKcAEcGy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\{5F8E5EBF-BE8B-449c-8E66-2CD2E9D94894}.exe
      C:\Windows\{5F8E5EBF-BE8B-449c-8E66-2CD2E9D94894}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\{ABF099FC-05FD-4af8-B466-128666BD7925}.exe
        C:\Windows\{ABF099FC-05FD-4af8-B466-128666BD7925}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Windows\{AC86DD19-5512-437b-8C3D-2D4F428CC9DA}.exe
          C:\Windows\{AC86DD19-5512-437b-8C3D-2D4F428CC9DA}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\{72028914-DCC9-4de9-9615-2E06F4E2E814}.exe
            C:\Windows\{72028914-DCC9-4de9-9615-2E06F4E2E814}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\{5D30B34C-37C2-4d78-9B60-766FDAE493A7}.exe
              C:\Windows\{5D30B34C-37C2-4d78-9B60-766FDAE493A7}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2060
              • C:\Windows\{D0B9413B-14B9-4343-9047-E71573A19C36}.exe
                C:\Windows\{D0B9413B-14B9-4343-9047-E71573A19C36}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1520
                • C:\Windows\{77827C52-1EAB-4709-AB0C-D68F13F8CC00}.exe
                  C:\Windows\{77827C52-1EAB-4709-AB0C-D68F13F8CC00}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2000
                  • C:\Windows\{6470B77A-1152-4670-AE84-7D16C8C6BD49}.exe
                    C:\Windows\{6470B77A-1152-4670-AE84-7D16C8C6BD49}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1864
                    • C:\Windows\{CA64B2EF-4882-4cde-9A00-3D4B06CE9DEC}.exe
                      C:\Windows\{CA64B2EF-4882-4cde-9A00-3D4B06CE9DEC}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2216
                      • C:\Windows\{7014F40C-E2CB-4024-955D-2BAD0ABD1529}.exe
                        C:\Windows\{7014F40C-E2CB-4024-955D-2BAD0ABD1529}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1772
                        • C:\Windows\{D2C6C78B-557C-423e-8076-B797CD01EF90}.exe
                          C:\Windows\{D2C6C78B-557C-423e-8076-B797CD01EF90}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2412
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7014F~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:292
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA64B~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2868
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{6470B~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2980
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{77827~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2176
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B94~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1468
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5D30B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1488
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{72028~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1360
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{AC86D~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{ABF09~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F8E5~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2680
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{5D30B34C-37C2-4d78-9B60-766FDAE493A7}.exe
    Filesize: 216KB
    MD5: 35d1db75383825406118443fbf9312c4
    SHA1: ab6067daeb7a2b3d1a5434ecd6120b7869720dfc
    SHA256: f7c94fd5121a78ba980760b51e650b4d15a95c938f0b2bce3592579268879a88
    SHA512: 7fdd25c46b810fef8f0b0fb4c28bfd5ee23e792015d7969ccf66326def2d3727dfe182fa04557f769ba089329ebc5e0d4350f8f1da98afe56ab1a29e66855f24

  • C:\Windows\{5F8E5EBF-BE8B-449c-8E66-2CD2E9D94894}.exe
    Filesize: 216KB
    MD5: 248eb973ee6c84e8f6dfdf024e03cae9
    SHA1: 1b2574496be0da51b98c5fdec670e23fc131627e
    SHA256: 95a0da8faae1ad181ba630ef78131d6f557c40b2e414b3eed92165b57fd906c9
    SHA512: c09a06bc40952cf9a51ba87706c70df16fc6626ecf145dabc2c49e246d4d7b7d3996ce6ed2b5afcadb2d81a386663700a54f31691bde756e6096e4fc42ff2cd2

  • C:\Windows\{6470B77A-1152-4670-AE84-7D16C8C6BD49}.exe
    Filesize: 216KB
    MD5: 34a20d07b29c1e32bfe882acfd511d64
    SHA1: 15c880de7f5f36f477a33f507a92927def7d6f2d
    SHA256: 4d29237d9a94358fc74dd20c4b4cbb0bfd9cef4ce26fd5ac7a68bc03d75cb952
    SHA512: 42ceb2bf8c9797d05e16c254aedd0eebd1eddf0aa6fc6d30b469a73169c59cad5a8bbada6d9c27e9803d288b71fb00a2c79f591247029fe03eaa7d0d62e4a12a

  • C:\Windows\{7014F40C-E2CB-4024-955D-2BAD0ABD1529}.exe
    Filesize: 216KB
    MD5: ca7b9e89b6df73973fa6cd45be54b760
    SHA1: f8945768728bf3d887a96b5a10691f05c946dd08
    SHA256: 1a172352a064c5a9bfe703e0ac262fb32076eda8a15a5680898f753e556f6b83
    SHA512: d3845ae8456e493d2499db440dc13ec012a41287d6a2096abe2538c66ce4a6f3e897f99c3c18d7fe8975b764420b83b35f1968e50bf44e4973e7d4e1545eca7c

  • C:\Windows\{72028914-DCC9-4de9-9615-2E06F4E2E814}.exe
    Filesize: 216KB
    MD5: 73da147678b28e6a60219553b6a9e9e0
    SHA1: d730808ae63e9bb6d4e04b4f6317917866ddc0aa
    SHA256: 163599b5bc13dbae6da09106f29b4487ecd735e3891d3827a388b774393cbe79
    SHA512: f0438c59f5074371c71fd15e199a7a2d454cea150a1698fc88a45361058571e087f9fceacda2fbbd5c4608eeb470072cf569b193d3e5b0109ae3e8593be95dc7

  • C:\Windows\{77827C52-1EAB-4709-AB0C-D68F13F8CC00}.exe
    Filesize: 216KB
    MD5: 935f72e07365964e723f41226f51de58
    SHA1: 5a3c6ac4f0dc9c1c90623a7b24b2e50017308234
    SHA256: 3d2cbe3843bbf7ab6a2b86becefb3c8fb70c402eb27407efaf9369150a16d488
    SHA512: 0f332f328d240858c2219dba529dc3c0531e209bd0fa10e0ffcec5f55800aa569054326a5d05fc0e1d0a4c1a47228f6199e6596a390afa0d62c48382ce4264a7

  • C:\Windows\{ABF099FC-05FD-4af8-B466-128666BD7925}.exe
    Filesize: 216KB
    MD5: 8e74338be2a792be40b7498e5b1bf290
    SHA1: fe9cf1d739762df2a9582d7bffc38704d711cdd2
    SHA256: 2ad9f415fd00977c649530b263916a836ac5f3eaca23b318bbff1cde8ea44487
    SHA512: d1147804f8c1ecf19af047cddef00cc883af123f59b620e9cf6727b96b9243c5a9c35ef596095591e149c8270d595ff117aabdc7bedc0d9ed9b65b0b41e161bf

  • C:\Windows\{AC86DD19-5512-437b-8C3D-2D4F428CC9DA}.exe
    Filesize: 216KB
    MD5: 5f06faaa8d72a6281b6e5fa929aa536d
    SHA1: 17a1a7df4398ab239170935b9b4f58c89b890dcb
    SHA256: 463c989c56dc6f791be6b1b8c868317469a42b1b368a4e1339c1a2cf4cd88d60
    SHA512: 171112c6b645d1914ef2b4c4ba2636949da7fdf21d898970954c7e9aed8872b557ba036c6f4880fd69abba2b55bcd2c4075ab2381062d3ab15357aa7a415761f

  • C:\Windows\{CA64B2EF-4882-4cde-9A00-3D4B06CE9DEC}.exe
    Filesize: 216KB
    MD5: 2679e91faae44e725360fef3d45b0ce9
    SHA1: ff1622677e42ad6471f4392360008079a51def8e
    SHA256: 5c6e870a4c4b198595b9319734d4d56ded3472b8dd990e99e6550e89a2b26ffb
    SHA512: cdc154d4768fe399dc8db2f877500bc1e561865c91053b27928bb6c0269b1a408f6d0625ea2229919c1d76848e6246009c0132f0d1189faaf19de5bdaf7428c3

  • C:\Windows\{D0B9413B-14B9-4343-9047-E71573A19C36}.exe
    Filesize: 216KB
    MD5: f0dd4173f01da9723ac45a0b7ef52df2
    SHA1: 2794d58da0ce8e4af2ae50885fe8ea7570bf5c8f
    SHA256: 7632daf410544d163bfea6d3d6e888e7e063dcf0a5f76628f3b3586dc5fcd602
    SHA512: 43f7327f1704513195645f73ad70e92cba1a6cb7e24a1898be7da520a903ceddcd12048f1419cf699ab2d4ca2fa152deb924911d2085ca73e7d1b74d67747a26

  • C:\Windows\{D2C6C78B-557C-423e-8076-B797CD01EF90}.exe
    Filesize: 216KB
    MD5: 5af8332c031d58367a00319635c50383
    SHA1: 2d2511e29eb754353729d5792f78ef36e2494c80
    SHA256: 1d7aeb2b5f38e9be9b8e03c46680d169b4abf547a0416ac4da7c16c29f18e2d5
    SHA512: cf9763623880a062aa9037d5d4330f402969c57f572539a0b5e0a759748332bc7f993209a43856b6ae34e1d519c734871b7c910457c4b88a4f4da943fa742d02