Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/10/2024, 14:00

General

  • Target

    2024-10-09_3d1951415d226a6b43a7a34999ea4639_goldeneye.exe

  • Size

    372KB

  • MD5

    3d1951415d226a6b43a7a34999ea4639

  • SHA1

    4d1139c421c7b198bd923d291bab0b046e13f2f1

  • SHA256

    4dd97b0935c45d0b353e5d6da3e684d26a2740fef94fcd2e645ff39d2f332794

  • SHA512

    4249c121da5361a3a8f91b09d0ba8f76c11f17c87401d2dfb7fcd708ce61582d6c342fc03a4cf42756179e3b7cd67b0a2349cf55bb958bafeb3844a106f66684

  • SSDEEP

    3072:CEGh0o+mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG1l/Oe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-09_3d1951415d226a6b43a7a34999ea4639_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-09_3d1951415d226a6b43a7a34999ea4639_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\{8C2BFCAE-8FBD-41d9-964A-2ECD6870A46F}.exe
      C:\Windows\{8C2BFCAE-8FBD-41d9-964A-2ECD6870A46F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\{063EF7BC-4AC0-45da-B856-648DD8A4A417}.exe
        C:\Windows\{063EF7BC-4AC0-45da-B856-648DD8A4A417}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\{DF8898E2-97BF-4c4c-81E1-C0513F08CB0C}.exe
          C:\Windows\{DF8898E2-97BF-4c4c-81E1-C0513F08CB0C}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\{02E190A3-E3F3-4109-BB07-5DD9E9874B26}.exe
            C:\Windows\{02E190A3-E3F3-4109-BB07-5DD9E9874B26}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2772
            • C:\Windows\{9C27F3BA-B1A8-4ecb-9C43-22508533B506}.exe
              C:\Windows\{9C27F3BA-B1A8-4ecb-9C43-22508533B506}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2240
              • C:\Windows\{2B5B4A24-A0C1-4611-9973-A182AEE0D8E7}.exe
                C:\Windows\{2B5B4A24-A0C1-4611-9973-A182AEE0D8E7}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2948
                • C:\Windows\{F58CC66E-4141-4455-8F73-C92814B6D97A}.exe
                  C:\Windows\{F58CC66E-4141-4455-8F73-C92814B6D97A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2776
                  • C:\Windows\{CD6AB03A-F173-4e73-8B84-AB24B65927EB}.exe
                    C:\Windows\{CD6AB03A-F173-4e73-8B84-AB24B65927EB}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1972
                    • C:\Windows\{5819428A-E8CD-417c-B40E-B727886585E1}.exe
                      C:\Windows\{5819428A-E8CD-417c-B40E-B727886585E1}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3004
                      • C:\Windows\{3367900C-6CDC-468a-8A2A-CBF1D659A0E3}.exe
                        C:\Windows\{3367900C-6CDC-468a-8A2A-CBF1D659A0E3}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1164
                        • C:\Windows\{4C3BF2E5-E22F-4e58-9EA3-C6EAD1D9A7FB}.exe
                          C:\Windows\{4C3BF2E5-E22F-4e58-9EA3-C6EAD1D9A7FB}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:448
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{33679~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1704
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{58194~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2328
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD6AB~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2940
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{F58CC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:908
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{2B5B4~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2128
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9C27F~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2560
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{02E19~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2464
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{DF889~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2904
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{063EF~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2912
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C2BF~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{02E190A3-E3F3-4109-BB07-5DD9E9874B26}.exe

    Filesize

    372KB

    MD5

    6065168654633d70df99dd3d40bfc2e5

    SHA1

    50f75806fd7bc9ebacd17310530daa3a24258ecc

    SHA256

    6b4c74bcee463212e4db157857e7c0463e9480db0c353fd85f22381a61003baf

    SHA512

    496ae6dfdbc86fa091218c821df5615755c0370a7c52a63156fd12e3e47f5f0a0d75bcbf93a52074f9f3212a0086a47e520647a2b751f420c1f1dad0ba434624

  • C:\Windows\{063EF7BC-4AC0-45da-B856-648DD8A4A417}.exe

    Filesize

    372KB

    MD5

    1921fb151405bfeff1002237463eda4c

    SHA1

    3977b1fb6ba5718840bff420d080003a8461ce0d

    SHA256

    8b62886e97d0155d38a7ac96d850a03e998b9155276de9e5e9b7a08cfdc2e469

    SHA512

    30505338cc0bd1e689d87f9834599933a9c4026a502a240a9a7007b8dd9478f36727fdebd6b20c60879e3afc444cdee2ea59d5e4f5768443db06837d01cc76ad

  • C:\Windows\{2B5B4A24-A0C1-4611-9973-A182AEE0D8E7}.exe

    Filesize

    372KB

    MD5

    2b78ecc62eeb0d71b212c9c45e090a7f

    SHA1

    947b5f67e92c2640567ee14f35d59e47ad960c2e

    SHA256

    4097b54a15c4e933125c24329afd433178130193e4ef4b639db552ee3c3a4658

    SHA512

    ac03c81bac0166ec7c6ef5d1cb25de7fb6adc234ba35b72d54ecba8323a200ebc250199acf48ff36ca60dcec23bd673f066705cbaba7294ca6211e8c8e571025

  • C:\Windows\{3367900C-6CDC-468a-8A2A-CBF1D659A0E3}.exe

    Filesize

    372KB

    MD5

    c2bd07254030dc9ab8b7b472050f2735

    SHA1

    c118512e2f487b88ec98b528f10faf154ba24a97

    SHA256

    4c60333a268defac38218a57034df9f99c5645852f4a06122dce19d336267619

    SHA512

    c945e4f84f35b41a591af43e941e6d83bce609b65d7f43d1e6a0bdec32b0d65b694525cd1383e13f3124c047c48a50733f3593feab6698e5f661a16750eeefcb

  • C:\Windows\{4C3BF2E5-E22F-4e58-9EA3-C6EAD1D9A7FB}.exe

    Filesize

    372KB

    MD5

    63ec7e39f377dc570c0dfb32d9bc0698

    SHA1

    61fab66f299ed34f9afb5c83151e8e8ab7beb478

    SHA256

    e6b68937c7711302c281c5bedc6334a64a5d6dc5c5956d6e06634da435ece6e1

    SHA512

    7b75367162ff508471fea1c939842e0d72fef1800f139f46187dfd61d752482bdf9df6ea26ade2c3f9ee3febef66c79000252c9dc8dad6406467ff46a356a60c

  • C:\Windows\{5819428A-E8CD-417c-B40E-B727886585E1}.exe

    Filesize

    372KB

    MD5

    84df2f018de451bd58c1be7af7b95ae5

    SHA1

    3f3a4a9c31185d057c870ecfa0a638e2127476fc

    SHA256

    4f1274ccc0fa1c87de3234368ccde9ad3275af79e7c5d6736ed731d8974e786f

    SHA512

    09fe8fd469354feb43f5f821377b23a26b0674a2c461ae9376cb223454588582202bc254b3ac7545a2306276000ee0c7ad9837811cf75dcbf046512ba929718e

  • C:\Windows\{8C2BFCAE-8FBD-41d9-964A-2ECD6870A46F}.exe

    Filesize

    372KB

    MD5

    c08a45b688eaf3be0b2320c8068b3717

    SHA1

    edebd977c6e301738f60c9c51ffba512bdb4747f

    SHA256

    3da66d5c86fba73ecab759a13dc033d4f3b4bff3acc56bbca472722514621a6b

    SHA512

    2b1c0615ec4fa3403879900904ff10cf43ff0b482092fd2e72ecde869e9253677f894531c32623fbf51b5603cef50690658790b0ed475320c48aa92ef3540af4

  • C:\Windows\{9C27F3BA-B1A8-4ecb-9C43-22508533B506}.exe

    Filesize

    372KB

    MD5

    4be721c10edfe8f66c8b9f3918ea39f9

    SHA1

    9ec2d6a9f4f0711beae10a1f44cbe037db12e4a0

    SHA256

    9b71e2fd1b24b17ef78dd1ed014eaddc9d6ceef956dd1a3bd9fa4b11134338fd

    SHA512

    82ff5c893024aa05ed12714ca1166f299b2dd5599035d30d562fc7ac5c464f5cfb5c3cedea768b7231f863118c120e797c87da9706a568bd8af542e147ded4c3

  • C:\Windows\{CD6AB03A-F173-4e73-8B84-AB24B65927EB}.exe

    Filesize

    372KB

    MD5

    11542e47c6b312f868d807afe839b682

    SHA1

    a31d081271ccdf88b37dd499570a4888be57e060

    SHA256

    b64da55997762dd7d09d488b0f950c1ccfa31fc82827cbdd3c98e79f06e857a2

    SHA512

    d748aea8a0688e449bd0d0e04e0fc94432264c608a7b20695e98a7e4179ce1f92619db6524896dc7cb67d100a9c48dc3bac8211d49ddff5d63a6fb87516e6169

  • C:\Windows\{DF8898E2-97BF-4c4c-81E1-C0513F08CB0C}.exe

    Filesize

    372KB

    MD5

    c7aad66edaf11b33708c41d572668fb6

    SHA1

    488d428086e868d5c235ba5ad26f138182bc8b7e

    SHA256

    4e3c56b5846747cdedc05172628f30cf06efaa2d45fda43b238c890e53b7bf66

    SHA512

    8cd8fd010109b83624072e01d143e07ce40ba36d09fb8dfc510dd52785120eb64c3d7d3b67ff38419cda4c180310bb3ced531632ec046488caad22dac6cc34b3

  • C:\Windows\{F58CC66E-4141-4455-8F73-C92814B6D97A}.exe

    Filesize

    372KB

    MD5

    b07ce767ee880ebed4996e8e80b27834

    SHA1

    e39d02784a8fcf65cd79e9a52d6c4b9e7d827f25

    SHA256

    c39a18d81d39dff7aa7ad39ecdf8314be47673b275719aaa83b9058c375945b4

    SHA512

    5d6972a9a87fe1ec55b9f08ea249570a0cc30eb5834ba5771cb5bf7c2a273bd26607356a39c33f10c638cd5f82cae72ec713b0ef2a406fc86e4810f790cf4ea5