Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 06:09 UTC

General

  • Target

    fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe

  • Size

    20KB

  • MD5

    933ac6a2234ba205f00d21ec54a21910

  • SHA1

    9148eeed74728ce159651816d0e408fe619f6c12

  • SHA256

    fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691

  • SHA512

    913af589c2bab9fcd423d3f636abd99152794a7671eaf7b68dd31f5c65dacaa321bdb3c68a802ecba30e59125368f071500dcf260eec60dd1580e6911db9f579

  • SSDEEP

    192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJB23z:1M3PnQoHDCpHf4I4Qwdc0G5KDJU

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Drops desktop.ini file(s) 24 IoCs
  • Drops autorun.inf file 1 TTPs 27 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
    "C:\Users\Admin\AppData\Local\Temp\fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1948
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Checks computer location settings
      • Drops autorun.inf file
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\AE 0124 BE.exe
        "C:\Windows\AE 0124 BE.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Windows\SysWOW64\drivers\winlogon.exe
          "C:\Windows\System32\drivers\winlogon.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2000
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4256

Network

  • 93.184.221.240:80
    260 B
    5
  • 93.184.221.240:80
    260 B
    5
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    260 B
    5
  • 93.184.220.29:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 93.184.221.240:80
    iexplore.exe
    260 B
    5
  • 93.184.220.29:80
    IEXPLORE.EXE
    260 B
    5
  • 13.69.239.73:443
    322 B
    7
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls, http2
    iexplore.exe
    1.2kB
    8.0kB
    15
    13

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C

    Filesize

    779B

    MD5

    004e1f9f2b4726e5564e16c49fb4a831

    SHA1

    b57e588e3371a7fee13eaa737aefdf4e126dcf51

    SHA256

    bad8f107566ae2c13676df6b3c67da0642b6c850a6705acac03f460a6adb8dab

    SHA512

    5971b426d98c2f4e66708d490f513d66f85b89aa31479ec8e60e6b54b2afe32b77cf8d853d367f5ee173685129d0ba179739be5cf72a11a641d1cee6a28c75c4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

    Filesize

    246B

    MD5

    99b4fe2c9a30df563dc2fe3ed00cf459

    SHA1

    2d67b7a9f208e04fbe708207e00b1a2208d9da0e

    SHA256

    bd6202a63f62e66266321a02bf05b065a5a12d2d41b166ef5c52bce7b627af62

    SHA512

    da36b4cd57181d090f8eeddfc8e39c811e14775cdb71e50cff4889a82a058a811702bef8be5fc4f383fad5c42153e664e976fd69f1e1d332b078d8b1f3d41cd4

  • C:\Windows\AE 0124 BE.exe

    Filesize

    40KB

    MD5

    e6b55890a38db58bd43dbbe9feea6b76

    SHA1

    b1de84cdb248ffe9aa527c969867239bd1f5a40e

    SHA256

    acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

    SHA512

    d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

  • C:\Windows\AE 0124 BE.gif

    Filesize

    20KB

    MD5

    22c4647e82ee43a9b0761e1fa17df729

    SHA1

    588e23b8029f561faa725c09ddf2cae7e7b250b4

    SHA256

    afc4e53eacdb5ae70a9ab19d43a8eae4f94da76ebfb8e665f7b4a8e6e2d5ec02

    SHA512

    789e0ba765b38e3e2ea6fa0095c97e90f49ee710d4fd26e7995ef9207ce73bf6353e8b8d10daaeba51998ebde8ebe94b0a313b1cd48571526b767791fb565058

  • C:\Windows\AE 0124 BE.gif

    Filesize

    40KB

    MD5

    bb105504964fb508903d163ba92834c7

    SHA1

    09f0bc7d3f16830e6fcf538cac63b292ebcafdd2

    SHA256

    e8a12e7f519707ef382f9ee2bf17437c7fb446246849b16c74bd634ea5b286b6

    SHA512

    7c4a35bab1f8c0bf88be8f9697ee79892bbd842c806b40bf0551874ab83beae2e485bd7a17755df239e9a200073a784d5a03b6adf49b2a1bccc3bc5648a06a33

  • C:\Windows\Msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\SysWOW64\drivers\MSVBVM60.DLL

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\SysWOW64\drivers\Msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\SysWOW64\drivers\winlogon.exe

    Filesize

    40KB

    MD5

    e6b55890a38db58bd43dbbe9feea6b76

    SHA1

    b1de84cdb248ffe9aa527c969867239bd1f5a40e

    SHA256

    acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

    SHA512

    d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

  • \??\c:\B1uv3nth3x1.diz

    Filesize

    25B

    MD5

    589b6886a49054d03b739309a1de9fcc

    SHA1

    0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

    SHA256

    564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

    SHA512

    4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb
