
Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/10/2024, 20:40 UTC

General

  • Target

    2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe

  • Size

    192KB

  • MD5

    e05a4709520074f18c63fe96c5b8db31

  • SHA1

    76e3de89f7640038f909ab7597d373e02032f158

  • SHA256

    bde35e900bdb9a168941fdb113b07115012f27765e9f995bf7d868823d115e8c

  • SHA512

    3d476ba16c768c1f5c3599c74b83a5e9da8ec033618df2f2b2c60bd5a0115304c6e2f33b763878ef07385fac4ffb9f15599724721b84e6ede07acb5b3c874a0b

  • SSDEEP

    1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oXl1OPOe2MUVg3Ve+rXfMUa

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe
      C:\Windows\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\{868F9530-6AEC-4932-8066-1739843FEB8A}.exe
        C:\Windows\{868F9530-6AEC-4932-8066-1739843FEB8A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe
          C:\Windows\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\{362682AC-233A-41ce-88AF-80593442EB20}.exe
            C:\Windows\{362682AC-233A-41ce-88AF-80593442EB20}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2296
            • C:\Windows\{F9870DAE-F972-4d98-800D-5373A335090A}.exe
              C:\Windows\{F9870DAE-F972-4d98-800D-5373A335090A}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2740
              • C:\Windows\{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe
                C:\Windows\{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2816
                • C:\Windows\{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe
                  C:\Windows\{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:344
                  • C:\Windows\{CB8726E6-003A-4044-BB97-F86A6648A661}.exe
                    C:\Windows\{CB8726E6-003A-4044-BB97-F86A6648A661}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1696
                    • C:\Windows\{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe
                      C:\Windows\{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1440
                      • C:\Windows\{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe
                        C:\Windows\{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2996
                        • C:\Windows\{824977BB-ED3C-485c-B455-1EF8842EA003}.exe
                          C:\Windows\{824977BB-ED3C-485c-B455-1EF8842EA003}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1628
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EF574~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:1128
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A8B7~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2452
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{CB872~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1284
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B8A2B~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1956
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{F321B~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2332
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{F9870~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2592
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{36268~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2812
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{7CB0D~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2844
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{868F9~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A33AD~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2288
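The tree above shows one pattern repeated twelve times: each stage writes a GUID-named copy into C:\Windows, launches it, and then spawns `cmd.exe /c del <8.3 short name> > nul` to erase its own image, which is what the "Deletes itself" and "Executes dropped EXE" signatures are counting. The following triage helper is an added example, not tria.ge code and not part of the sample; it reproduces the first three stages of this tree as constructed process rows, pairs every self-deleting `cmd` with the parent whose image it removes by resolving the 8.3 short name back to the long GUID file name, measures how deep the GUID-stage chain runs, and flags Active Setup `StubPath` writes that point at a GUID-named executable in C:\Windows. The parent PID of the root process, the Active Setup key names and the benign-looking registry entry are assumptions for illustration; the report does not show the registry values the sample wrote.

```python
# Added triage example for the GUID-named dropper chain; constructed data, see lead-in.
import re
from dataclasses import dataclass

# C:\Windows\{GUID}.exe, the naming used by every dropped stage in the tree.
GUID_EXE = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\.exe$", re.I)
# "cmd.exe /c del <path> > nul", the self-deletion command used by every stage.
SELF_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul", re.I)
# Active Setup StubPath values run once per user at logon (T1547.014).
ACTIVE_SETUP = re.compile(
    r"^HKLM\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Active Setup\\"
    r"Installed Components\\[^\\]+\\StubPath$", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def short_name_matches(short_path: str, long_path: str) -> bool:
    """True if an 8.3 path like C:\\Windows\\{EF574~1.EXE plausibly names long_path.
    Windows derives the short name from the first six characters of the long base name
    (spaces and extra dots removed), a ~N collision counter (directory dependent, so not
    compared) and the first three characters of the extension."""
    s_dir, _, s_name = short_path.rpartition("\\")
    l_dir, _, l_name = long_path.rpartition("\\")
    if s_dir.lower() != l_dir.lower():
        return False
    m = re.fullmatch(r"(?P<base>[^~.]{1,6})~\d+(?:\.(?P<ext>[^.]{1,3}))?", s_name)
    if not m:
        return False
    l_base, dot, l_ext = l_name.rpartition(".")
    if not dot:
        l_base, l_ext = l_name, ""
    l_base = l_base.replace(" ", "").replace(".", "").upper()
    return (l_base.startswith(m["base"].upper())
            and l_ext[:3].upper() == (m["ext"] or "").upper())


def find_self_deletes(procs):
    """Pair each 'cmd /c del <8.3 name> > nul' child with the parent image it erases."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        m = SELF_DEL.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and short_name_matches(m["target"], parent.image):
            hits.append((p.pid, parent.pid, parent.image))
    return hits


def guid_chain_depth(procs):
    """Longest parent-to-child run of C:\\Windows\\{GUID}.exe stages."""
    by_pid = {p.pid: p for p in procs}
    best = 0
    for p in procs:
        depth, cur = 0, p
        while cur is not None and GUID_EXE.match(cur.image):
            depth += 1
            cur = by_pid.get(cur.ppid)
        best = max(best, depth)
    return best


def suspicious_active_setup(reg_sets):
    """Flag StubPath writes whose launch target is a GUID-named exe in C:\\Windows."""
    hits = []
    for pid, key, value in reg_sets:
        target = value.split()[0].strip('"') if value.strip() else ""
        if ACTIVE_SETUP.match(key) and GUID_EXE.match(target):
            hits.append((pid, value))
    return hits


CMD = r"C:\Windows\SysWOW64\cmd.exe"
ROOT = r"C:\Users\Admin\AppData\Local\Temp\2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe"
S1 = r"C:\Windows\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe"
S2 = r"C:\Windows\{868F9530-6AEC-4932-8066-1739843FEB8A}.exe"
S3 = r"C:\Windows\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe"
DEL = r"C:\Windows\system32\cmd.exe /c del {} > nul"

# First three stages of the report's tree; the root's ppid 1000 is assumed.
PROCS = [
    Proc(2236, 1000, ROOT, f'"{ROOT}"'),
    Proc(2660, 2236, S1, S1),
    Proc(2288, 2236, CMD, DEL.format(r"C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE")),
    Proc(2348, 2660, S2, S2),
    Proc(2224, 2660, CMD, DEL.format(r"C:\Windows\{A33AD~1.EXE")),
    Proc(2776, 2348, S3, S3),
    Proc(2808, 2348, CMD, DEL.format(r"C:\Windows\{868F9~1.EXE")),
]

# Constructed registry-set events (pid, key, value); key names are assumptions.
REG_SETS = [
    (2236, r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
           r"\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}\StubPath", S1),
    (4, r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
        r"\{00000000-0000-0000-0000-000000000001}\StubPath",
     r"C:\Windows\System32\example_setup.exe /silent"),  # constructed benign-looking entry
]

if __name__ == "__main__":
    for deleter, victim, image in find_self_deletes(PROCS):
        print(f"pid {deleter} deleted its parent pid {victim}: {image}")
    print("GUID-named stage depth:", guid_chain_depth(PROCS))
    for pid, value in suspicious_active_setup(REG_SETS):
        print(f"pid {pid} set Active Setup StubPath -> {value}")
```

Matching the short name rather than the literal string matters in practice: the `del` argument never contains the GUID, so a rule that keys on the dropped file name alone misses the deletion, while the dropped-file write, the child launch and the `~1` deletion together are what distinguish this chain from an installer cleaning up after itself. The same `StubPath` check applies to a live host by reading the Installed Components subkeys from the registry instead of the constructed `REG_SETS` list.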

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{362682AC-233A-41ce-88AF-80593442EB20}.exe

    Filesize

    192KB

    MD5

    812e76d59750792e99e48c4770c6ed4d

    SHA1

    cee3dcbe36aab6d110acac66f0beb6889edf72f0

    SHA256

    c06613c989c97d6a86e7368cc9da5bb9ebdeb377d5b1aed147daffc3052511b0

    SHA512

    b675e157feda54709ff99243d67f43f2a53672c9739560e4e5d19047e2eeee2506b08493720e5f56ca454e968c9364bc391f47a2488a677c8fe4c8a7d89fc97d

  • C:\Windows\{7CB0DE63-0884-4035-B29F-57DD7296C1CC}.exe

    Filesize

    192KB

    MD5

    b60bd5ef9bdaff582ad10881a3733eeb

    SHA1

    7027cc31906bdf07b4c565be95885bf90c14ffe0

    SHA256

    06346f1ed57ad37d7fbb7515e9f38f97bb2c22882d98a6c87ab81d2bb810bcde

    SHA512

    9387aa82a3636a384f54bb9147072980792ae73480d850edf5974457c59f0c4a158fd5dc86c225db2562028438d30fa8111ea017d048e88af714920ab50e811d

  • C:\Windows\{824977BB-ED3C-485c-B455-1EF8842EA003}.exe

    Filesize

    192KB

    MD5

    70f5ccab06b46182a8e1f0259baf4560

    SHA1

    1c92d159cba1d4788b8576988d473694a096f629

    SHA256

    131cf5bfdb318a7abd76158fd5a1723d0fd82d62aea8d6dc6017258ffe00306b

    SHA512

    63dc7195a5e55ba345643fadc7401689f1b0c719379bdd8a415c5c6952661b1c6952ec783b73583b2f61c5d19196fc0f1fedd83705ffc003035d07e22f36708b

  • C:\Windows\{868F9530-6AEC-4932-8066-1739843FEB8A}.exe

    Filesize

    192KB

    MD5

    18c1941f8c767d3ac8a43e8d7c8d683d

    SHA1

    739b192da7f891e73ae480065ce8be85e32cbf8b

    SHA256

    b4c3c529ca4b710ae73896c9d7fcbb095a849e1010a9493d7620aee9d48a29c8

    SHA512

    a4a43f7bdd667cbba23d812387d388661fa6d4bac7f1206b5aca393efb16e608d65c32bba310f8d03da776e0b53f0dd4505dc0d7bb72aaf5ba52c378f7365369

  • C:\Windows\{9A8B749A-8A2D-4243-81F1-7638862E60BF}.exe

    Filesize

    192KB

    MD5

    5408ae69a676cd21499fddc90ff72560

    SHA1

    2aed22b3f7e269c1eacd7ed89dea838caa238aff

    SHA256

    e7627e31577d73049b96c3aff9347feba26c9a85bcd1385d45ce94677737086e

    SHA512

    597c98dbd76571638a9bfe84510d2ebe3b202c0bad8ec236a12a57a3f093281dc29371efa8c2320cd943ce83fd29b53cf6ee833c71f457b31c5498878bb6213c

  • C:\Windows\{A33AD5AF-FBF1-4045-82FF-0FF3B6E7A31E}.exe

    Filesize

    192KB

    MD5

    d83675e1aad4fcf320a893eb26f727e7

    SHA1

    d97dffea52cbbe0cee49084decd40611b47fa859

    SHA256

    b15c00abc1bfbc40679fee9403707f3f94a1ca3e790f06f0c727bbd280b93bb9

    SHA512

    fb6dede347918b1b9df07040d3e91c3b5d50d2b2c5260db72fddc5d9de66ef9bc043840480251f3b111c2a9b1028df73159f7f059ff7096abf6b76e7f4645121

  • C:\Windows\{B8A2BFD6-F8CE-4d86-BDF8-72FD818B68F6}.exe

    Filesize

    192KB

    MD5

    a54c5ced4175828fc380f5c6345d52bd

    SHA1

    471bd5787eeef4264eef9c689ed54c0a75d30bd7

    SHA256

    96ab131fadc72e46e3d645707b6c3b8031e3a911d5865be7a5dc9406d3a671bf

    SHA512

    ae5cc1ea1fd8b7b4bee25c5b6a1a0e07543a3c27140b25e80877264c1beb114ef4fdadb58aaf97d00977a223daabac60a0719b4832adaa33a3f515d048352a61

  • C:\Windows\{CB8726E6-003A-4044-BB97-F86A6648A661}.exe

    Filesize

    192KB

    MD5

    a94ff587b2ece1237f01209d685ca959

    SHA1

    6c1d7f425e0abf1ca3d7381b865c0ab248f3c7c7

    SHA256

    c6d9abf2b46268f54a6f487f3f17b488bcf1c8ba709688f49e6270f03607d0ce

    SHA512

    e14f58c7ef61e7853273e30086876ad7cd47e54bc5ca47b53fba06e100ed830d9d7676389ba61b1b356cf507dfa0f1a92ded75f974e78e9413e4bf5f58fe6c5e

  • C:\Windows\{EF57439F-D459-48fd-9E7E-1D99DB2DFA74}.exe

    Filesize

    192KB

    MD5

    b3e928d608ac12854cce13d49be6fab8

    SHA1

    16caf4ed35e7893a07e2bdfc8d4ecda32191bcc6

    SHA256

    b52e33f80786234c9976f90cfd3434e98431e8b251987e5670d1d85abf559b24

    SHA512

    96efdb2c935bb8fc8f2543f6d94a9cadebc82619958c9780f3e2424a757c7e70f56920aef9128e0e0b9641428f02602d865b83f1b7036ade9616234063180094

  • C:\Windows\{F321B4E9-2022-4791-8DA5-8B4461763B3E}.exe

    Filesize

    192KB

    MD5

    7398acf0f0d78e1479cf9b76aefb3b49

    SHA1

    c2b852b328e48a3d2b07bb23ac6b9ca47472ed96

    SHA256

    f3f6ad7fabde62f4b7560466430f61696f0f0234b4d955bc5d66664ffff5c025

    SHA512

    5799be31b4620301d1090ddfff8f08c70c65f7091da8558afdf073233479d7ea3143515108494e3eb2285a246982f1deb540953b1579e40a22d15b473ae91b7d

  • C:\Windows\{F9870DAE-F972-4d98-800D-5373A335090A}.exe

    Filesize

    192KB

    MD5

    b0b667777eec586ac349c50c866a815a

    SHA1

    05059cbd6a7459691b6ab2a9e0be55352724e02e

    SHA256

    9a9ff02e60933d6692e651b620a7572fe2d8a349cda18e0a7b93e836cb70d85e

    SHA512

    d0e7ff07e6533993f6ab545f9c804de9a820db18a453de4ec9679e7682b8ca0f8badb7751bd1b6a9240b61724952683d22561cd62ef78116c3657dfd1af4e4ea
