Analysis

  • max time kernel: 144s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 14/10/2024, 20:29

General

  • Target

    2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe

  • Size

    408KB

  • MD5

    a46f44d83e516aa5529d86db755e7cb9

  • SHA1

    2fd83e95faa1195d2c08831c5b1415340be09992

  • SHA256

    cc987d9a18ddedd0deb8081a0cde8127753e982ef3ed2df8674f8e6eb07f1b9b

  • SHA512

    847ab4fffb1f412b3b00a32d5233b4c22ecf80f53f11afdc65ea0704bb40ccc68fc14b38190862d45845d56171c48aec1c3ccb7b14b1e78b5eb65e237a8df6f2

  • SSDEEP

    3072:CEGh0oAl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG2ldOe2MUVg3vTeKcAEciTBqr3jy

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\{B9D2E63D-1D8F-4901-820E-BF62A77F4A6F}.exe
      C:\Windows\{B9D2E63D-1D8F-4901-820E-BF62A77F4A6F}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\{4DD61289-D26E-45df-BDED-CB027A65113D}.exe
        C:\Windows\{4DD61289-D26E-45df-BDED-CB027A65113D}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\{86FFF7E5-140B-4016-96B4-A85BF7A04629}.exe
          C:\Windows\{86FFF7E5-140B-4016-96B4-A85BF7A04629}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\{6EE82F35-9A61-4ad0-8E90-873C49F12148}.exe
            C:\Windows\{6EE82F35-9A61-4ad0-8E90-873C49F12148}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2108
            • C:\Windows\{268D7AAF-23D4-4d11-AB2C-2B8EBDB4865C}.exe
              C:\Windows\{268D7AAF-23D4-4d11-AB2C-2B8EBDB4865C}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2540
              • C:\Windows\{B8E9DDCB-D65D-484b-BC64-47C419C411C8}.exe
                C:\Windows\{B8E9DDCB-D65D-484b-BC64-47C419C411C8}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2852
                • C:\Windows\{0F1CEC8B-586D-4012-9297-8FF64FB0EE17}.exe
                  C:\Windows\{0F1CEC8B-586D-4012-9297-8FF64FB0EE17}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2340
                  • C:\Windows\{0AEF2849-89B6-48f8-B9C3-4904B422F4A1}.exe
                    C:\Windows\{0AEF2849-89B6-48f8-B9C3-4904B422F4A1}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:572
                    • C:\Windows\{CE479362-76EE-4f12-BB86-7FC135161ED9}.exe
                      C:\Windows\{CE479362-76EE-4f12-BB86-7FC135161ED9}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3016
                      • C:\Windows\{7A1E132A-8ED1-4ebe-A82B-E31AA68FFA4E}.exe
                        C:\Windows\{7A1E132A-8ED1-4ebe-A82B-E31AA68FFA4E}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1924
                        • C:\Windows\{F8523412-4CB9-4f32-B07A-F1CDE3D89274}.exe
                          C:\Windows\{F8523412-4CB9-4f32-B07A-F1CDE3D89274}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2920
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{7A1E1~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2504
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE479~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:828
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{0AEF2~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2428
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F1CE~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1564
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E9D~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2132
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{268D7~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1860
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6EE82~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2896
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{86FFF~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2312
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4DD61~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D2E~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2552
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{0AEF2849-89B6-48f8-B9C3-4904B422F4A1}.exe

    Filesize

    408KB

    MD5

    1af70841004e6758dee94d50e5fc7800

    SHA1

    bff17fa6e482f7662d4d5aefb26e425985c6d745

    SHA256

    6438ad515c616742e5f06ca3b60e5346e0999bb12a9c6e406f2596428146997e

    SHA512

    bfedf2add53c4fea41098a9c953001c89cc0c09c33f25d7e9883edef7be2bacead80e876f48f976d8645bc69a0194b9447cb0a3180e2d3cb4e83ad6942d1e4e2

  • C:\Windows\{0F1CEC8B-586D-4012-9297-8FF64FB0EE17}.exe

    Filesize

    408KB

    MD5

    d1fc93d27f625be5f194ea35fdf21482

    SHA1

    e598fd73ab5932379d6495f9e81e795b68916f34

    SHA256

    fd91a86e475cf37f6e3434b49cfa4a91fe854c74735fa4892cee6553925fb357

    SHA512

    2e525fa237dce2b34bcc40895547bedfc96fc7322d84518ae03492e55bc2068c67b6a64d88e23650e3ccf7092337fae9cff78a5fc9aa26fdeccb4a588396460c

  • C:\Windows\{268D7AAF-23D4-4d11-AB2C-2B8EBDB4865C}.exe

    Filesize

    408KB

    MD5

    30a5df425fa11bfec09be3b3540acb3b

    SHA1

    46db7cb059be7a1f34e85d879be68dc6c1fd6be6

    SHA256

    c81a59bf1f067015b595d04a625d8ebd102a23de7776f3538a907d3d4bfaea15

    SHA512

    7819c02bdbd6ced791668de2db9dc0265ba23374a9d1706773f328440bea5708ee0ad95dadfa6a44bd7f34cfbe9e86bc2fa2d0f7b4ccd97f7404f106eb161039

  • C:\Windows\{4DD61289-D26E-45df-BDED-CB027A65113D}.exe

    Filesize

    408KB

    MD5

    a3ad2652feafa12b0fb3f42e798c6257

    SHA1

    832e447b326243e4b6d197da8359a1f83a6e007d

    SHA256

    e5ae51fd54e32ff7fb9f209afb86c5e80db7553af0ef2814f7232902ead3047f

    SHA512

    8caed69aa63719fb66bc529921f306f51f47d3493409c4a3edcbfdb210632d6c406c5452d4172a9637a69a1e3711b8e3b26b8ab181e4b17d8fad25666e0922d1

  • C:\Windows\{6EE82F35-9A61-4ad0-8E90-873C49F12148}.exe

    Filesize

    408KB

    MD5

    cab47f975ca5ba9fbd9d6284159eda7b

    SHA1

    be4a37cf613bee78dddb8f1bc03d060fd69b746e

    SHA256

    c0ea17dd0f7fc4f09377b26fc7f05c20f07b646ea5774baee5429a95e78e00a5

    SHA512

    349dd57eaaa66ff1ccf1ac50b62b9e5be4a4fe23e2a5b7fe392af5fc9d3c8e7e4f2e9ec067491e16dbed5f9ba8aea1e5a4286c66e4bba95ddef5c70d6a289f2a

  • C:\Windows\{7A1E132A-8ED1-4ebe-A82B-E31AA68FFA4E}.exe

    Filesize

    408KB

    MD5

    e560d53623b61decf79c214c7c2d582c

    SHA1

    af3dfd1b57af8b7b4196b88a3d72e40d05432539

    SHA256

    c0a84cac211f71fe57729671398251a22b98c06b2c74e122b44f6c07dd23f31d

    SHA512

    5c1e8d18a72e367642a5487c534b843de62c0306f10ed8fb56e21395b52fc0d52e5450faa4967be0578b134510afc281bbd1d99d34ba9b2503a00c0f5c2d2077

  • C:\Windows\{86FFF7E5-140B-4016-96B4-A85BF7A04629}.exe

    Filesize

    408KB

    MD5

    67e3a9a3af2d0c92ef03d357dccbe4a2

    SHA1

    f9399d983e9f9f53a7ed8db10ca3beeb4040749f

    SHA256

    85f88f04f1e69f1b7c14950d5f897f744b42c5dbffb41895792a3cfd359b7475

    SHA512

    f59ef9f07ab1ae8dbe76c8c1ad05570981fdde3c1b7a59470fd3a9513352707fb4462e043bb519fee1225a140f33eb8a343ea64b408ad5e9983918f601feb644

  • C:\Windows\{B8E9DDCB-D65D-484b-BC64-47C419C411C8}.exe

    Filesize

    408KB

    MD5

    b9d612eafca11a9fa299fc1e7287819e

    SHA1

    114870d04d2dbb9ba8ee990edb120f1e06b5edfb

    SHA256

    11480794a787e5fda5f03b7816b5d3fd0ed7d7754235fd563f2dbbc0584432e6

    SHA512

    23f01cb71f350f934c51ec77e981ceb81f9e63a4b13c3d989f963ae31c5ebf8c7a4bab68a3ae95a178715b8bc16d3256f2670cf4c0a700448b6e489fc720dcb6

  • C:\Windows\{B9D2E63D-1D8F-4901-820E-BF62A77F4A6F}.exe

    Filesize

    408KB

    MD5

    e04a9a2603e1ee1c2f8f633d39605b91

    SHA1

    6202d4037db0888b1081f693d63b1e4f9dc50db1

    SHA256

    1dcb7b3cb8a0afb7ea0cfe9f035a4a3748d6f79153a2ef47f25fca1d89e867bf

    SHA512

    e42c991e805dcdac315fb2e6ad21982176dbec238c33815c8f4f4a7c99f82e14103a4d13df614dfde3893326628f9f8667aa413f5d2e16bf6d65e7caa9b38ba8

  • C:\Windows\{CE479362-76EE-4f12-BB86-7FC135161ED9}.exe

    Filesize

    408KB

    MD5

    5c48d2f2b419c3aa571571fca7877938

    SHA1

    ebafeadf89ee675253b2d70387e48c934340960b

    SHA256

    17844ad0d0e38a1e707e09c2897ae5c8a79d683c828f499cd04357f0c2029f77

    SHA512

    5f6fdd3b9ec68f2f95312680dd316422dae4e076573e940a78e579f9072702a180367a741b7c75de448eac5b5732161d937685d341ba36ff13a17c54278e9de6

  • C:\Windows\{F8523412-4CB9-4f32-B07A-F1CDE3D89274}.exe

    Filesize

    408KB

    MD5

    dd4136c25ae999738a34901ac431750d

    SHA1

    46bc003f22043a9a781dcee737dc8129e160c68f

    SHA256

    f6b17f80b7830a48c1124ad2733c319bae17319a56e59c0092b74275df36a476

    SHA512

    b6e7c3c0dba7401cb0e8118e1d02ed7d55f88568f8a6425d1314124cc37d418f711543f832d4fb2f139edfb740475b68f029646d37d58c677110ab0d9d228d25