Analysis

  • max time kernel
    190s
  • max time network
    214s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 16:25 UTC

General

  • Target

    cee9c8a4e07d9fb8a1da22a174919c8ed81e860a83a0770d970d36888f9422e5.exe

  • Size

    6.4MB

  • MD5

    32addb5c1de3baea0e625813d88ae34d

  • SHA1

    caee3665e93b45375460e81d45aa903af820ee2c

  • SHA256

    cee9c8a4e07d9fb8a1da22a174919c8ed81e860a83a0770d970d36888f9422e5

  • SHA512

    72a0d1f7ba2d28629da8754939beff27d63979c7e989bfbf99793a82b307c54e77370c4d0698e62bf5aeaf3d242a94605760b7d28f6aa056c695089c3c843f6d

  • SSDEEP

    196608:B4HJryvp10aEvcRVcdaNaqH+ex+PdQ3iVci1zwXA3:BiNyb1fcsNaqN+PZfNww3

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cee9c8a4e07d9fb8a1da22a174919c8ed81e860a83a0770d970d36888f9422e5.exe
    "C:\Users\Admin\AppData\Local\Temp\cee9c8a4e07d9fb8a1da22a174919c8ed81e860a83a0770d970d36888f9422e5.exe"
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4272

Network

  • DNS
    15.89.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.89.54.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • 8.238.111.126:80
    322 B
    7
  • 20.189.173.11:443
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 8.248.3.254:80
    322 B
    7
  • 96.16.53.148:80
    322 B
    7
  • 96.16.53.148:80
    322 B
    7
  • 85.93.14.155:81
    cee9c8a4e07d9fb8a1da22a174919c8ed81e860a83a0770d970d36888f9422e5.exe
    260 B
    5
  • 8.8.8.8:53
    15.89.54.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    15.89.54.20.in-addr.arpa

  • 8.8.8.8:53
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hordwgaj.uye\7z.dll

    Filesize

    893KB

    MD5

    04ad4b80880b32c94be8d0886482c774

    SHA1

    344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

    SHA256

    a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

    SHA512

    3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

  • memory/4272-132-0x0000000075230000-0x00000000757E1000-memory.dmp

    Filesize

    5.7MB

  • memory/4272-133-0x0000000075230000-0x00000000757E1000-memory.dmp

    Filesize

    5.7MB
