Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 09:31

General

  • Target

    2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe

  • Size

    344KB

  • MD5

    426316c95b133a7d838ef64aba9491ea

  • SHA1

    9f572e18549967acedf4fb3edb2059024a50d793

  • SHA256

    4ccd2b8f150b501e556c8fb6a88414b5085d6e8b2686b52bfc188f6ea710c38e

  • SHA512

    ad215540698474fec6d122d2c03f6142318f495a31b9c9d27558b3d93e7b0d7d674ea7ff90b3378e873e956d8de7efbf706efbb2196c186c599cc1a6bbad8042

  • SSDEEP

    3072:mEGh0oIlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGGlqOe2MUVg3v2IneKcAEcA

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 22 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 23 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-18_426316c95b133a7d838ef64aba9491ea_goldeneye.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\{30C1F8D4-9E62-4cf5-A5B2-AC10DD6718BA}.exe
      C:\Windows\{30C1F8D4-9E62-4cf5-A5B2-AC10DD6718BA}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\{5B41FAF5-3CAC-48f5-91F1-C1CCE81FD4C4}.exe
        C:\Windows\{5B41FAF5-3CAC-48f5-91F1-C1CCE81FD4C4}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\{837E2C07-CC57-42b1-B5F5-B6A5EB2E036E}.exe
          C:\Windows\{837E2C07-CC57-42b1-B5F5-B6A5EB2E036E}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2992
          • C:\Windows\{28509B3B-5712-4912-8749-7831A45F52AC}.exe
            C:\Windows\{28509B3B-5712-4912-8749-7831A45F52AC}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2872
            • C:\Windows\{5583BD04-84F4-4185-B11D-37AB6BEEB21E}.exe
              C:\Windows\{5583BD04-84F4-4185-B11D-37AB6BEEB21E}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2348
              • C:\Windows\{15F580A3-F2A9-43bd-8C4A-8ABCE091F827}.exe
                C:\Windows\{15F580A3-F2A9-43bd-8C4A-8ABCE091F827}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:752
                • C:\Windows\{B5FFDA7E-5124-4de5-BB0D-C8529F93BFAC}.exe
                  C:\Windows\{B5FFDA7E-5124-4de5-BB0D-C8529F93BFAC}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1784
                  • C:\Windows\{84ACAB4C-1619-4391-AD1A-6BED9CB15B13}.exe
                    C:\Windows\{84ACAB4C-1619-4391-AD1A-6BED9CB15B13}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:856
                    • C:\Windows\{A2910FD8-95AE-45ae-92EB-DCD5E5058589}.exe
                      C:\Windows\{A2910FD8-95AE-45ae-92EB-DCD5E5058589}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3052
                      • C:\Windows\{594DFCE9-9AE9-46e8-BD14-D9EC72C3DB58}.exe
                        C:\Windows\{594DFCE9-9AE9-46e8-BD14-D9EC72C3DB58}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2240
                        • C:\Windows\{1304AB0C-13EF-4bf3-9E1B-8A1FB2BB663D}.exe
                          C:\Windows\{1304AB0C-13EF-4bf3-9E1B-8A1FB2BB663D}.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:448
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{594DF~1.EXE > nul
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2292
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2910~1.EXE > nul
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1152
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{84ACA~1.EXE > nul
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2876
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{B5FFD~1.EXE > nul
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:2032
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{15F58~1.EXE > nul
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1900
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{5583B~1.EXE > nul
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2100
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{28509~1.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2268
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{837E2~1.EXE > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{5B41F~1.EXE > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30C1F~1.EXE > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3012
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{1304AB0C-13EF-4bf3-9E1B-8A1FB2BB663D}.exe

    Filesize

    344KB

    MD5

    7a5152dac06408bfe9761b2cc1f430df

    SHA1

    0ad1f21de543158a899838d0877a56b1ba2f0e08

    SHA256

    7cb21904584c5a4afc5d4932e42009f44c461db4bf4db4ecf5020c24455b187a

    SHA512

    3daf542336b8d66f649a77dd47e8b103fc47da3b1f543c73920c82357a341df031210fa3cd987a32e560d4e5f0c06d7002d06fd3c199892bce2be77907ed84a5

  • C:\Windows\{15F580A3-F2A9-43bd-8C4A-8ABCE091F827}.exe

    Filesize

    344KB

    MD5

    9f7a4829501be3439e66cb863d2a6427

    SHA1

    ee4ef7286f22dadb4d087f20a31551d0ed7c56f8

    SHA256

    323eee0eb11081edbdb88ce488cdcc8ece68e2427428d854b3d551f738bb306e

    SHA512

    a54f2975b4281a85d5c1a6826b839daee10ec9f9832d23d3869de0ada29f0d3d227e4dc847f970a980d76a58789d18a20570b6dc174c5e2fc452fe1da70bcda9

  • C:\Windows\{28509B3B-5712-4912-8749-7831A45F52AC}.exe

    Filesize

    344KB

    MD5

    7a251d8ccfeef061d92dcef1d1dd60af

    SHA1

    f77f8a066da0ef489c04904b3716ea00d40a4213

    SHA256

    b2d7010ec5674bd1a6e25b9dd735d99b7958d2a33d036f5a2c1b84db56fda7c6

    SHA512

    4fed94e8f72ffa2f08c53e55597c936e998a82731ebb0c76e51e05a6298394ea88839c4713d1dcbfe6247464af221e8ccdf24117e5b83d25e0916474d311b853

  • C:\Windows\{30C1F8D4-9E62-4cf5-A5B2-AC10DD6718BA}.exe

    Filesize

    344KB

    MD5

    39c25aebc2600fefa4352238bbed81b1

    SHA1

    b2fbe2bee4e687d537de1d4c4dda7c66a818787b

    SHA256

    0a838c4993af53a3da2c64e9c5ddb565d081568a1c54951001c36dc894989620

    SHA512

    44ec51688b08be859fe7a6691e2acc9d66e67ba0712bc7e76ad551ddd65e37d99239eb78efe0ad75e02d6358cdda91e1558be75c6850d4c51e81028478e167de

  • C:\Windows\{5583BD04-84F4-4185-B11D-37AB6BEEB21E}.exe

    Filesize

    344KB

    MD5

    6c1bdf39e1a1860526f0d421ca9260f7

    SHA1

    52cfbcb2302836bdf820dd288539e34e6cb3be1d

    SHA256

    563c66b82ba2668193d30e91b4e5d1e24cd0951762796a14469b8d64248f2237

    SHA512

    9e949df0a2db9f0b75a2f04a1ce04e237bb2cab0535c31d4d756daa6034a67ac41c1fce82dabfde53f66c850e6b5dbebd0aad9d918c5561900162cce0736c273

  • C:\Windows\{594DFCE9-9AE9-46e8-BD14-D9EC72C3DB58}.exe

    Filesize

    344KB

    MD5

    6618c8c045bc2d999c196d142a1583ed

    SHA1

    1eee6d2510fb01c39462866b8876fd70cfc3e832

    SHA256

    ad4f59dc07f82fc44e8e56c82a453f0ba05030212df35c8d4a35a9555fedeb4b

    SHA512

    691f10680d7ad4aa0080cbc39b18554273fbd7ebe6fb25fcdd981cbbf50abef62b7c7ff30e5c740e1d6bbf79b4324f7092f07a79eff42c987d21830c594bd6d3

  • C:\Windows\{5B41FAF5-3CAC-48f5-91F1-C1CCE81FD4C4}.exe

    Filesize

    344KB

    MD5

    c6b0c8f80373ddac0a96281d94fd823f

    SHA1

    d333d41b70fe207cdec0fbba18868ff8f0db63d6

    SHA256

    899906537757d0ae872035213ad6176d2f6ecb5f905339ec689f6b0a27e1ff75

    SHA512

    f5a6f432418a920d680f64b63b7d4032c53c5cae4b9a2a6e73452d6dcb9b09abfe9d4c57d07d208bc2ad304ce39a104dcacca08a0c606e18619b402534b52caf

  • C:\Windows\{837E2C07-CC57-42b1-B5F5-B6A5EB2E036E}.exe

    Filesize

    344KB

    MD5

    e7a996e9ce32da1411dc2780afb1b18f

    SHA1

    8d2619a71a0eec8955d66ffb2d728d83f347df15

    SHA256

    87c68355ad81b29411ab8e947ecf6253b00faab0203c61c345d76d3587faf3cd

    SHA512

    b37d31ee25bbd1149b6ec9ae5671160c53427c9110b289e5d302e94fce95ddfa3b2ed3d5aff66b55123a846398cdd85ff45eaa7c2b2b7b438d4d24a76e25c9d7

  • C:\Windows\{84ACAB4C-1619-4391-AD1A-6BED9CB15B13}.exe

    Filesize

    344KB

    MD5

    2862524309108e98ab2188a9125b8f88

    SHA1

    47d2368573189ba7bde3e45de827260f4e2c4ba3

    SHA256

    6c1d7fc16504b2f991d5b3ce23c8c5c0382ea783a3d7bc397b8888cb442fc995

    SHA512

    b82b41f87551bdf73e799a793c646f4127adca628bd67570f3616e3e734587361e2ba5e52291ad224eaa95b4eaea7ff87eb861c209e5b18bc1069735e5c11f54

  • C:\Windows\{A2910FD8-95AE-45ae-92EB-DCD5E5058589}.exe

    Filesize

    344KB

    MD5

    c28f5b1636aa45d4e8c234a66dde1038

    SHA1

    02fc3991289632b17aae7963359a426c6b619665

    SHA256

    7473ea367741cbef0b6382494f5d733b3b2f2f478235bd22be6c3ae2fd5e5aeb

    SHA512

    90b33e129a8d6d78db089e4ce4bfe6b775fb99b54eea880229f0299571aa5f1054af893a276030eefbe172a380b08e4d54962b250e00474b21e4badcea424523

  • C:\Windows\{B5FFDA7E-5124-4de5-BB0D-C8529F93BFAC}.exe

    Filesize

    344KB

    MD5

    1f092f38a1f1784fb03c55c8ea837187

    SHA1

    62c40dfc1e0a9b301e46523db6c3b581fe3f0bc3

    SHA256

    d9fc23049275718e611adfad1f2114b1a425c370b6ae63fd080b2f2d393d65cd

    SHA512

    c1a0a66c5bdd9e7b58e19410dd2f79dede2053358c26b9b2a55a5573343cf6e36cc6467cb82bdbce15046db2e00bd9f1d2f2e6c4bb025c9de73d3b9750dd9061