Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/10/2022, 22:35 UTC

General

  • Target: 0dee8e57ffe75067ba28753b0d00703254d3b08513ea2b96ac421b94b2668ddc.exe
  • Size: 503KB
  • MD5: 0abbf2d3cc9ee550fd17c49e40316170
  • SHA1: be1a50fd8971defd5cb9477b8f5ec31dff7e210b
  • SHA256: 0dee8e57ffe75067ba28753b0d00703254d3b08513ea2b96ac421b94b2668ddc
  • SHA512: 800b3ba6bdb7172324e669e0540f13e1f87b41229f56c4dc909b36ad163ef5f924b4ee70505d18992610697653d2d36e08dfb02cfe0e766a62a4afc1f0c6882c
  • SSDEEP: 12288:Sh1Lk70TnvjcXt2ksLayYZbrgK5JkHM/radQA7QwPnBHBZgzc:mk70TrcXgksLfkrgKbAM/rarr/

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dee8e57ffe75067ba28753b0d00703254d3b08513ea2b96ac421b94b2668ddc.exe
    "C:\Users\Admin\AppData\Local\Temp\0dee8e57ffe75067ba28753b0d00703254d3b08513ea2b96ac421b94b2668ddc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Local\Temp\IEMonitor.exe
      "C:\Users\Admin\AppData\Local\Temp\IEMonitor.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\IEMonitor.exe" "IEMonitor.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:32
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:5000

Network

  • US
    DNS
    moon2009us.linkpc.net
    IEMonitor.exe
    Remote address:
    8.8.8.8:53
    Request
    moon2009us.linkpc.net
    IN A
    Response
    moon2009us.linkpc.net
    IN CNAME
    linkpc.net
    linkpc.net
    IN A
    38.79.142.66
  • 38.79.142.66:5353
    moon2009us.linkpc.net
    IEMonitor.exe
    260 B
    5
  • 38.79.142.66:5353
    moon2009us.linkpc.net
    IEMonitor.exe
    260 B
    5
  • 38.79.142.66:5353
    moon2009us.linkpc.net
    IEMonitor.exe
    260 B
    5
  • 38.79.142.66:5353
    moon2009us.linkpc.net
    IEMonitor.exe
    260 B
    5
  • 38.79.142.66:5353
    moon2009us.linkpc.net
    IEMonitor.exe
    208 B
    4
  • 8.8.8.8:53
    moon2009us.linkpc.net
    dns
    IEMonitor.exe
    67 B
    97 B
    1
    1

    DNS Request

    moon2009us.linkpc.net

    DNS Response

    38.79.142.66

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IEMonitor.exe
    Filesize: 503KB
    MD5: 0abbf2d3cc9ee550fd17c49e40316170
    SHA1: be1a50fd8971defd5cb9477b8f5ec31dff7e210b
    SHA256: 0dee8e57ffe75067ba28753b0d00703254d3b08513ea2b96ac421b94b2668ddc
    SHA512: 800b3ba6bdb7172324e669e0540f13e1f87b41229f56c4dc909b36ad163ef5f924b4ee70505d18992610697653d2d36e08dfb02cfe0e766a62a4afc1f0c6882c

  • memory/2980-132-0x0000000004BD0000-0x0000000004C6C000-memory.dmp
    Filesize: 624KB
  • memory/2980-133-0x0000000004CD0000-0x0000000005274000-memory.dmp
    Filesize: 5.6MB
  • memory/2980-134-0x0000000005280000-0x0000000005312000-memory.dmp
    Filesize: 584KB
  • memory/2980-135-0x00000000053A0000-0x00000000053AA000-memory.dmp
    Filesize: 40KB
  • memory/2980-136-0x0000000005500000-0x0000000005556000-memory.dmp
    Filesize: 344KB