Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 22:09

General

  • Target

    6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe

  • Size

    20KB

  • MD5

    593fafd60704f67f9d6f4be8f8a52c10

  • SHA1

    69d215cb189028a48dda7aaa4afb32c4ad881eb0

  • SHA256

    6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261

  • SHA512

    614583bba4618b6bfce19070618979df3f6860a404b6c4d5bbe6753f555c049e0d00410572403ee04911daa5048ccdb33a3f5693904861471e4bc4d36c80258f

  • SSDEEP

    192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBLp:1M3PnQoHDCpHf4I4Qwdc0G5KDJJp

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops autorun.inf file 1 TTPs 27 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
    "C:\Users\Admin\AppData\Local\Temp\6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4892 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4844
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Checks computer location settings
      • Drops autorun.inf file
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\AE 0124 BE.exe
        "C:\Windows\AE 0124 BE.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\drivers\winlogon.exe
          "C:\Windows\System32\drivers\winlogon.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:176
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4216

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\AE 0124 BE.exe

    Filesize

    40KB

    MD5

    d79b4677c74ea52d5db0831671184116

    SHA1

    f1d52155518c69a8b444c9636973a43ff9e7ff79

    SHA256

    f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

    SHA512

    308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

  • C:\Windows\AE 0124 BE.exe

    Filesize

    40KB

    MD5

    d79b4677c74ea52d5db0831671184116

    SHA1

    f1d52155518c69a8b444c9636973a43ff9e7ff79

    SHA256

    f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

    SHA512

    308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

  • C:\Windows\AE 0124 BE.gif

    Filesize

    20KB

    MD5

    7a79fc528f652f2c45bb660c26426f88

    SHA1

    6dcf77cd96bec0d8dbe8a9a78d18640952acc884

    SHA256

    d2a8b042dd1bf75f647668a56f34e6c8047e67cdb9bb092f9b40ca8dd8227320

    SHA512

    bb5f4e7a42f7cdc26d3111b7fe5dbf7c52d3bc8c3e03c5136d077ef0022264d920200fe576546a4da292747b209e16ddb7441f0c5da134c0644403b06d2a4289

  • C:\Windows\AE 0124 BE.gif

    Filesize

    40KB

    MD5

    7531962914333aa799f10e4cccf1e7ef

    SHA1

    79fab20289ff5bde3af018ddc2ad11fcd217d293

    SHA256

    a514fb3c3cce037be76b06544e2b8f1f20ab0ab265c960593ae8d90d07ced868

    SHA512

    0d4fc55b3c444dcdb49c5b53cb6090f9ca02273d88428afc01bcbafbee79b90ecd3245d36c5b4e49e3a5ffc121824b4f5b3ddda8df733889efbe71fed789d22f

  • C:\Windows\Msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\Msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\SysWOW64\drivers\winlogon.exe

    Filesize

    40KB

    MD5

    d79b4677c74ea52d5db0831671184116

    SHA1

    f1d52155518c69a8b444c9636973a43ff9e7ff79

    SHA256

    f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

    SHA512

    308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

  • C:\Windows\SysWOW64\drivers\winlogon.exe

    Filesize

    40KB

    MD5

    d79b4677c74ea52d5db0831671184116

    SHA1

    f1d52155518c69a8b444c9636973a43ff9e7ff79

    SHA256

    f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

    SHA512

    308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

  • C:\Windows\SysWOW64\drivers\winlogon.exe

    Filesize

    40KB

    MD5

    d79b4677c74ea52d5db0831671184116

    SHA1

    f1d52155518c69a8b444c9636973a43ff9e7ff79

    SHA256

    f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

    SHA512

    308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

  • C:\Windows\SysWOW64\drivers\winlogon.exe

    Filesize

    40KB

    MD5

    d79b4677c74ea52d5db0831671184116

    SHA1

    f1d52155518c69a8b444c9636973a43ff9e7ff79

    SHA256

    f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

    SHA512

    308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

  • \??\c:\B1uv3nth3x1.diz

    Filesize

    25B

    MD5

    589b6886a49054d03b739309a1de9fcc

    SHA1

    0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

    SHA256

    564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

    SHA512

    4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb