Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 14:00

General

  • Target

    2024-10-09_3d1951415d226a6b43a7a34999ea4639_goldeneye.exe

  • Size

    372KB

  • MD5

    3d1951415d226a6b43a7a34999ea4639

  • SHA1

    4d1139c421c7b198bd923d291bab0b046e13f2f1

  • SHA256

    4dd97b0935c45d0b353e5d6da3e684d26a2740fef94fcd2e645ff39d2f332794

  • SHA512

    4249c121da5361a3a8f91b09d0ba8f76c11f17c87401d2dfb7fcd708ce61582d6c342fc03a4cf42756179e3b7cd67b0a2349cf55bb958bafeb3844a106f66684

  • SSDEEP

    3072:CEGh0o+mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG1l/Oe2MUVg3vTeKcAEciTBqr3

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 24 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 25 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-09_3d1951415d226a6b43a7a34999ea4639_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-09_3d1951415d226a6b43a7a34999ea4639_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Windows\{AE8B317D-A841-412b-B6D7-CB4403FCB9FE}.exe
      C:\Windows\{AE8B317D-A841-412b-B6D7-CB4403FCB9FE}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\{11B6E313-52F7-420b-91E3-E7D9319BA557}.exe
        C:\Windows\{11B6E313-52F7-420b-91E3-E7D9319BA557}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3496
        • C:\Windows\{F005B440-014F-4739-8888-6054901CDD65}.exe
          C:\Windows\{F005B440-014F-4739-8888-6054901CDD65}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4576
          • C:\Windows\{56182924-9A11-4532-96D0-2D6C4322893D}.exe
            C:\Windows\{56182924-9A11-4532-96D0-2D6C4322893D}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3720
            • C:\Windows\{1B558563-5482-4e76-8A82-5BB2EF774930}.exe
              C:\Windows\{1B558563-5482-4e76-8A82-5BB2EF774930}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:548
              • C:\Windows\{D3CA8026-A620-4578-A932-ACC6DE56474A}.exe
                C:\Windows\{D3CA8026-A620-4578-A932-ACC6DE56474A}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3208
                • C:\Windows\{EDE1202C-8562-4a7b-AD83-C249F75FB2FA}.exe
                  C:\Windows\{EDE1202C-8562-4a7b-AD83-C249F75FB2FA}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2884
                  • C:\Windows\{492D7BD8-D23C-4eb5-BBAD-44EC6C578E70}.exe
                    C:\Windows\{492D7BD8-D23C-4eb5-BBAD-44EC6C578E70}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3748
                    • C:\Windows\{F1CD251F-4CA9-4a03-9E16-C378284937C0}.exe
                      C:\Windows\{F1CD251F-4CA9-4a03-9E16-C378284937C0}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4912
                      • C:\Windows\{1D6B9469-AA30-42d9-AB6A-D76C1E211D25}.exe
                        C:\Windows\{1D6B9469-AA30-42d9-AB6A-D76C1E211D25}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4744
                        • C:\Windows\{97D7A899-DBA2-4720-A279-FFF4A591C316}.exe
                          C:\Windows\{97D7A899-DBA2-4720-A279-FFF4A591C316}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2780
                          • C:\Windows\{C6B3675E-E91B-4dfa-98D0-F4B9D46DB056}.exe
                            C:\Windows\{C6B3675E-E91B-4dfa-98D0-F4B9D46DB056}.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:2228
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{97D7A~1.EXE > nul
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:4884
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1D6B9~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:3080
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1CD2~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:988
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{492D7~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:4732
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{EDE12~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3064
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{D3CA8~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3160
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{1B558~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1288
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{56182~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1524
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{F005B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{11B6E~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1164
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE8B3~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3120
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{11B6E313-52F7-420b-91E3-E7D9319BA557}.exe

    Filesize

    372KB

    MD5

    d489a538f7320930835a2d984e147ab1

    SHA1

    2ad66fb10bc963514df409e9ebaaf932d3ce316e

    SHA256

    0cad65799952b835c2e4791f99f9fd8608ae46a4716a079022bd3f0ff86a165c

    SHA512

    c6523c5b359c3bb49227828beae994f8d561365017cbc8949957939ab731fb149c700cbf89946ddb539ff1de6dee4c97ce127ce10a2b938768785d81bb4e4121

  • C:\Windows\{1B558563-5482-4e76-8A82-5BB2EF774930}.exe

    Filesize

    372KB

    MD5

    2fd55b7229a6a1363ea8907713cfde7e

    SHA1

    7c8ab0b2fe4a449aa0119bc2064bafea2f13dbdc

    SHA256

    faef394faae89ef84715848c463661b055352669d024b4c1d71f8fdafdaa8137

    SHA512

    711f6dc9d2acd77185c27b7e876d098f028316916eb7c8763d40134db36ea975b0978b0fea774cbdb5070e1fe9b775932c4ba0395c7b98933be06fd62fe45dc7

  • C:\Windows\{1D6B9469-AA30-42d9-AB6A-D76C1E211D25}.exe

    Filesize

    372KB

    MD5

    cd2037ca82a71c336a7e72c68799936e

    SHA1

    5777e6048037e651ae7e387df406634d6e84b81b

    SHA256

    817bc5dd6506e39c7c3762f1dd328e104ac721b353cd4d4d96f0b40e370026ff

    SHA512

    a8467fcbbdd0f771c80811702424bd677f18fcf82931f3b3c9d3df74f2386e37f19a2e2b6da17ffab59217d7c1a1ac101fff7c3e2fe8815f96028f4cd8bd9822

  • C:\Windows\{492D7BD8-D23C-4eb5-BBAD-44EC6C578E70}.exe

    Filesize

    372KB

    MD5

    fd21846afa850f926089cb9279954fc6

    SHA1

    94872971b81d22479e0dbce41293434a4e52fb09

    SHA256

    556754ae8e22ec47d0ef78541013e8be7d600094a3fc6258043661b5a4c714e1

    SHA512

    b852641bc7670002e6efa8faac7f03e77ed8600a80882b3d44fc3e3df6a4c1b863780977561a40162cdcba14091a3446de444b1c6cf9c98fd1dbc38335467f7c

  • C:\Windows\{56182924-9A11-4532-96D0-2D6C4322893D}.exe

    Filesize

    372KB

    MD5

    c6cf02ab7b74a26ca5f2b8a2c3ab1177

    SHA1

    ed14a1d36a3ff06f33f54ff012fef67350a07202

    SHA256

    22210954c152908669b2955b13df28850ac59a6e06ba7745034acebb97535ab4

    SHA512

    9991de00b67231cc03eb346029d42b3088364ff57e670b1ee2c8035c9523b410cc91482692044ef019f8d857485893036c9817977fd5bf0cd70563fea5542cba

  • C:\Windows\{97D7A899-DBA2-4720-A279-FFF4A591C316}.exe

    Filesize

    372KB

    MD5

    d0ebe1705dbe1774f3471d6b2d607420

    SHA1

    4cb4168e56c1a2ef0a468a238f007698cde47a0d

    SHA256

    8995fd43ff1687bf4eb7859ec96eb3f43b9ed9995a712e2006f378ab591c0ac4

    SHA512

    85bb33b13d32d39ee2915cf0e087c958412cfdd56e5800c781acd121eaa391b7d7600f2bd75066e302184ed01ed8c421e1a1943c9cc04e468756af190422f4c9

  • C:\Windows\{AE8B317D-A841-412b-B6D7-CB4403FCB9FE}.exe

    Filesize

    372KB

    MD5

    99f6f3657e4e5740f58343c9c7bb3f0c

    SHA1

    68b3d1f35276b8e2835fcccfb19de0d745d9ec35

    SHA256

    72bd71c7587effe1778d736253068b029a396269de8bed8e5e7323d65cfff8df

    SHA512

    11426025001dc18fad00601dd55df3922b5f36331f1914bd24025e1a0d053e6a11af1099a49b254936cb8171b7038529c7ce9d57385878fe7d9efb2d4b200e65

  • C:\Windows\{C6B3675E-E91B-4dfa-98D0-F4B9D46DB056}.exe

    Filesize

    372KB

    MD5

    ae83675562b47522b07cb1ad94808449

    SHA1

    192cfd36e1aab3ebf1f8307e0e347f4498565f21

    SHA256

    edb19a1af6afa44ad707c59434a6f858883b2f3e7a1b915c2d2c3cc531d7dc0c

    SHA512

    28e295aee5cb40c0635959b94c9e18077353a00230de83621ceace69c2dc3aff266abf615609ed16636c38a213b15557e8e19477dff25cf67757757ecde77004

  • C:\Windows\{D3CA8026-A620-4578-A932-ACC6DE56474A}.exe

    Filesize

    372KB

    MD5

    3441d0dafe179bfd05e9122efa24d7d9

    SHA1

    280a8a76a16b5612b69d960ebd602abce0a2335e

    SHA256

    04dd82917e0e5ec3d9b84a47b0fd03bf1e301526648e99306fb396bf77182fff

    SHA512

    0454da90acd025a561ef815950ae8800710e0e454c3b2efce989cdae7a825ae523028e68d6a4888372efa7098dd31d7d5abb8f548207c4e0a9da545e50f55229

  • C:\Windows\{EDE1202C-8562-4a7b-AD83-C249F75FB2FA}.exe

    Filesize

    372KB

    MD5

    1e28cf2dcbfd66b23c942857be829037

    SHA1

    c1a76bf09d6160b676d4b9879b80f160aca7cd83

    SHA256

    e430eb273123fb7b5c41da1fd3188c72862fbd8ad46f5bbfe78b3be4e51f6c6f

    SHA512

    904fa91820b0dd562e2f5d3e4d734e84b83c73357119404655a6f5992c036094cdc7672db59ab2f344765bbb3c1583bdc3262d84fe46920c37a885d4e9cbf15a

  • C:\Windows\{F005B440-014F-4739-8888-6054901CDD65}.exe

    Filesize

    372KB

    MD5

    7bff9ed5ac68376b8e53557774840f48

    SHA1

    aca4933688a36b664137b29362d53ea999710329

    SHA256

    85d191f1b257ba92212516c3de6b64a79b0de9e6f317b7b2bbd617d3bbb23185

    SHA512

    b9f83e9b5c8a35cd77af674c70849cb23cfb015839163e4b799c8525b3f4315a6b7c71b0d5955fca397a1414f43652268f224b752c1c14634c38ce26588b92d7

  • C:\Windows\{F1CD251F-4CA9-4a03-9E16-C378284937C0}.exe

    Filesize

    372KB

    MD5

    46acddb73d8198e2cac41f5d233b0c40

    SHA1

    b31c9712f2c30164dc04e1c722d70efa326dedd3

    SHA256

    e9dfc735a33cc30da68e99fd37daf0a31fbae2b26ad4dd5437a60ca76b0ba7f0

    SHA512

    99b31a77e15b2f9152a91627420918f540f881bcb76b1aeeacaac378e4b07137c74ce8b67a4139530dfed26d377eb1d404d5295022aa0a8d024c49c91a48c50a