Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/10/2024, 05:42

General

  • Target

    2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe

  • Size

    168KB

  • MD5

    03a0ec4e9d736a377870b1600d5e71b6

  • SHA1

    5fe1ae9c8987468ee3d0a59aa722ba0ba64c6687

  • SHA256

    58f5af79b6f1c514db5b05d25b75d620b27fa544eb281b1f957a9f131d1c39d2

  • SHA512

    3e3558836b18fedb1d107a08aebdaf29e9aaae4fa4944449f02130b9ad75f705a7a9bdad6e38d7411b6b340c4438c068752145bf227b5b8e6222827afa66dc4e

  • SSDEEP

    1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\{963ACB5E-902D-42a3-85EC-A239EEC500F4}.exe
      C:\Windows\{963ACB5E-902D-42a3-85EC-A239EEC500F4}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\{CEDBC219-51BB-4b51-9761-6C3593F47FC5}.exe
        C:\Windows\{CEDBC219-51BB-4b51-9761-6C3593F47FC5}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\{9716BA52-BABF-47f3-8DE4-4297F468BA18}.exe
          C:\Windows\{9716BA52-BABF-47f3-8DE4-4297F468BA18}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Windows\{C792307A-BDEB-4fc5-9311-4F3B90F6D313}.exe
            C:\Windows\{C792307A-BDEB-4fc5-9311-4F3B90F6D313}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1760
            • C:\Windows\{3B5D2104-65A7-4b0d-B2F4-2808ACADC33F}.exe
              C:\Windows\{3B5D2104-65A7-4b0d-B2F4-2808ACADC33F}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1104
              • C:\Windows\{EA987CF6-1ABB-4ca2-B5C8-D609F0C342B3}.exe
                C:\Windows\{EA987CF6-1ABB-4ca2-B5C8-D609F0C342B3}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2256
                • C:\Windows\{B7FFCF0A-CEA1-4980-82EB-F924BD891D4E}.exe
                  C:\Windows\{B7FFCF0A-CEA1-4980-82EB-F924BD891D4E}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1332
                  • C:\Windows\{BEBDBC70-ED34-4c17-855C-C48DEAAC9524}.exe
                    C:\Windows\{BEBDBC70-ED34-4c17-855C-C48DEAAC9524}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1632
                    • C:\Windows\{0F8D1730-9E7A-482a-A2D6-E32B6146A19F}.exe
                      C:\Windows\{0F8D1730-9E7A-482a-A2D6-E32B6146A19F}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2220
                      • C:\Windows\{70262C85-C0F4-4c7d-97B3-7866A73325E6}.exe
                        C:\Windows\{70262C85-C0F4-4c7d-97B3-7866A73325E6}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3012
                        • C:\Windows\{C218DFF8-8C1B-4841-8717-E9543D33AA6A}.exe
                          C:\Windows\{C218DFF8-8C1B-4841-8717-E9543D33AA6A}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1924
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{70262~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:632
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F8D1~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2380
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{BEBDB~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2044
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B7FFC~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:688
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{EA987~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2060
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{3B5D2~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:296
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{C7923~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2096
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{9716B~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1560
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{CEDBC~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{963AC~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2560
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0F8D1730-9E7A-482a-A2D6-E32B6146A19F}.exe

    Filesize

    168KB

    MD5

    58b95f8bcafcd989b71077c20bb23c1f

    SHA1

    285e4299088f388b7e77c2449f5f07384b79288a

    SHA256

    8073a8828fe55049eb51a3208aca148ae10d8556dcfdcf05500c5b78a6c8bb3f

    SHA512

    daa862bb8f3a9e11681606e4f8c83361a5da2299de42d1c68d85b534d0bdf962781e10fd56afb3be72af0c6517196e5c22399a5bcd8af9740db923a69398a2fd

  • C:\Windows\{3B5D2104-65A7-4b0d-B2F4-2808ACADC33F}.exe

    Filesize

    168KB

    MD5

    e456dc156ecf3ca0335f8fb55b43956d

    SHA1

    a2f1359e74b465f9199876a5cbb25e1f226d6f1c

    SHA256

    aa1e542103d61b46e71ec6e25bbde0f16a2824c9ca56a769c60181653feb17aa

    SHA512

    a3316e6230a38f12df881f6e1136dce00f1e860abcdc83a8296df7b3b092ece4a5901b9927ad8c3276b3b7e23de6cd707e16c55e579877bad171b21bd374ba31

  • C:\Windows\{70262C85-C0F4-4c7d-97B3-7866A73325E6}.exe

    Filesize

    168KB

    MD5

    70661cd091c0fc419c86f993a3c0c198

    SHA1

    c7cf8656157c3eeec5f830f350a2574cbb463fe3

    SHA256

    79b5771f95c803f7b4dd12b58b5109d64aab52e85740d917f1b55a5911846747

    SHA512

    6b899354e00e58ae05c42b6f0443a805e036b5105abda448b62328a08bccb3d0e4d733afeb804975d49577d0be66af28509de82a66984e3211b4fce3e92ac048

  • C:\Windows\{963ACB5E-902D-42a3-85EC-A239EEC500F4}.exe

    Filesize

    168KB

    MD5

    81ee23ad30d4b7209143e0744adb6c8d

    SHA1

    2a0b06a301272bf40a03e6a73b7f87353862c8a7

    SHA256

    5cb69413fae57d1908d63e7016f3474fe18b020ff255822753b3ae04abe2a013

    SHA512

    9449b5ad20815d8925676e2e073eb919596acfdcdef2b2e6c0e2c08fe74827e77f59eed03d34ff936a42a3c4684e2149770b1a4fc7bcd975e0e087520e097e10

  • C:\Windows\{9716BA52-BABF-47f3-8DE4-4297F468BA18}.exe

    Filesize

    168KB

    MD5

    b9a5dc30d77b0280324b7f24f603def8

    SHA1

    5b2a9ab568f5ecca2304f2fde64821187c801f0f

    SHA256

    7a92f5b0348ace202d337bae4d1d4db3a47a4b1b1cfbec970f3efa9f6ef78742

    SHA512

    5bc499b0f33e4300afe78e4bf237f4c8af6ed58289cd118431985a1cf01c7535b68481aa6c558f9756d670c52ec055fb69977fea6cd6a68c539ab130c131cd53

  • C:\Windows\{B7FFCF0A-CEA1-4980-82EB-F924BD891D4E}.exe

    Filesize

    168KB

    MD5

    7ca7ddae7f512938e375efa5ae730f6f

    SHA1

    3c65319486d52172659f642dd98545ef1f1590aa

    SHA256

    e046a3485840052edd06cf7b5cd02e356a080ba31db236f0618222eeb4e486db

    SHA512

    fde960b22c31dcc9c7374240eb3dbf451cf17fb5f9bc3fffc4d4d3be063749b2720eae1ed1f705a40201e4e5041dca79d95b1cace47c86b4e8171a6363badcc8

  • C:\Windows\{BEBDBC70-ED34-4c17-855C-C48DEAAC9524}.exe

    Filesize

    168KB

    MD5

    0cceabc2994024881cfae663c3bc9daa

    SHA1

    085cec5489076fc5f7e9ebcdb0296c582172a59e

    SHA256

    a0ed654ec111a4916b9133d1441f0c81fd45be4f9634c953806634aa2aae9d87

    SHA512

    f4ad77c6ab04059205d10add02d0f20d58c4ca4130c6ba65006ca9cfb8775838452efc55d38cd654a6d1f48a2c9f9e6e7c9a1ec0a8d0cb409bb23e0119b8d6b7

  • C:\Windows\{C218DFF8-8C1B-4841-8717-E9543D33AA6A}.exe

    Filesize

    168KB

    MD5

    8c6a65b146bb1aa19d789337521245a2

    SHA1

    ca088a2a040f19c3f037228a462a3f84758254ff

    SHA256

    81ab4d7931ec233253d3595d50ae95cbcfe11602859c867e9bd4bcbab372d033

    SHA512

    c0ef717bb9d3ed302215b120c2b0f5cc9a23d389a926abdde738e6a5a0ff47054c9247d250226e29603825b4e18cc68824ec18ed3824d897bdd0f0fb7b340a96

  • C:\Windows\{C792307A-BDEB-4fc5-9311-4F3B90F6D313}.exe

    Filesize

    168KB

    MD5

    7c5a92de10284957f75124e008fcde34

    SHA1

    772d73e35b369979c369bc0d6601c5ac86a29184

    SHA256

    1378f82f38260937e57b6993292ece8262c2df8c4fbb4ed2d4bdefc255b9a01e

    SHA512

    5a6d04de4130956ebdc1438b8457c3a4cbd84540b9cf0c6fc5291c677431a2eb0b12f2899af85e274757b8053d0cad01ea557fc1bf9a9fe463f2162f6a276b1a

  • C:\Windows\{CEDBC219-51BB-4b51-9761-6C3593F47FC5}.exe

    Filesize

    168KB

    MD5

    8c207ddb52c4ec0de67ca676d9ed2d6e

    SHA1

    61f1dd8f651ccaebbea5234a55cd5e249e96429b

    SHA256

    ba7d1b392608da12969cd9dfc44b80a97837339328e1ffaf0658213567c4b40b

    SHA512

    2e5f34c55f9af1154dca4221a7dd2002a53b99ae13eaee9b10a6e8e2aaa8c17e3d4d502a214b9ed99ad2b18a33f84c08ff129711f09e34b3249d565e67699786

  • C:\Windows\{EA987CF6-1ABB-4ca2-B5C8-D609F0C342B3}.exe

    Filesize

    168KB

    MD5

    49b6e3242b0c25a325c3b66e4453c161

    SHA1

    27fe8b6ddfbf93af03d63813b91c68f1710d7a04

    SHA256

    1b7aa52e2a0751f5476a9ea78d7083de013178893ad8381d562ea2f3d88f607a

    SHA512

    698e30cf243ef719aeae3ce86ac9a2042628b53bad28d8e4d33ed596cf44aa193397c57fa96bb09d8d6c37ab9ddbe9dcc0b97f4774faaa1e79c4f2db7b6865d9