Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2023, 14:50

General

  • Target

    cce33f881b5d4fc308e2cfdaf6e196c8.exe

  • Size

    320KB

  • MD5

    cce33f881b5d4fc308e2cfdaf6e196c8

  • SHA1

    409e145727c4b08e285a5f56c1ea4d787e0b86f1

  • SHA256

    e9eaecb452ac6a633d38f5d5e1872df95e53d3273d72e63425d9a40408c47fff

  • SHA512

    b3b68b1b5222e9aed2b7f1d3781074397f8bf97b5f2eb2d32ddc10047715e18da3fb8b82d57116f459fe9171943c8b444351257792e46af57705defb15fa32b8

  • SSDEEP

    3072:QRpbB19av4ITa1YncX6JIeZc2tQAp3dC2Zj/AZXk4jX4tFLk86gP9pWe0:Q7IMydrZc2yA7ZjwX8tW

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks for the presence of the QEMU guest agent file, most likely to detect that it is running in a virtual machine.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cce33f881b5d4fc308e2cfdaf6e196c8.exe
    "C:\Users\Admin\AppData\Local\Temp\cce33f881b5d4fc308e2cfdaf6e196c8.exe"
    1⤵
    • Checks QEMU agent file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Users\Admin\AppData\Local\Temp\cce33f881b5d4fc308e2cfdaf6e196c8.exe"
      2⤵
      • Checks QEMU agent file
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2552
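
The process tree above is the part of the report worth reading closely: ieinstal.exe (PID 2552) is started with the command line of the original sample, and its parent used SetThreadContext and WriteProcessMemory, which is the classic shape of process hollowing. The following is an added example, not tria.ge code and not part of the report, that transcribes the two process records above and flags that mismatch; the "image path differs from the executable named in its own command line" heuristic and the signature groupings are assumptions of this example.

```python
"""Added example (not tria.ge code): flag a process-hollowing indicator in the
process tree above. The records below are transcribed from the "Processes"
section of the report; the heuristic that a child whose image path differs from
the executable named in its own command line, spawned by a parent that used
SetThreadContext and WriteProcessMemory, is a hollowed process is an assumption
of this example, not something the report states."""
import ntpath
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str               # image path the sandbox observed on disk
    cmdline: str             # command line the process was created with
    parent: Optional[int]    # parent PID, None for the root of the tree
    signatures: list = field(default_factory=list)


# Transcribed from the report's "Processes" section.
PROCS = [
    Proc(560,
         r"C:\Users\Admin\AppData\Local\Temp\cce33f881b5d4fc308e2cfdaf6e196c8.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\cce33f881b5d4fc308e2cfdaf6e196c8.exe"',
         None,
         ["Checks QEMU agent file",
          "Suspicious use of NtSetInformationThreadHideFromDebugger",
          "Suspicious use of SetThreadContext",
          "Suspicious behavior: MapViewOfSection",
          "Suspicious use of SetWindowsHookEx",
          "Suspicious use of WriteProcessMemory"]),
    Proc(2552,
         r"C:\Program Files (x86)\internet explorer\ieinstal.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\cce33f881b5d4fc308e2cfdaf6e196c8.exe"',
         560,
         ["Checks QEMU agent file",
          "Adds Run key to start application",
          "Suspicious use of NtSetInformationThreadHideFromDebugger"]),
]

# Signatures on the parent showing it wrote code into, and redirected, another process.
INJECTION_SIGS = {"Suspicious use of SetThreadContext",
                  "Suspicious use of WriteProcessMemory"}
# Signatures indicating sandbox / debugger evasion (grouping is this example's choice).
EVASION_SIGS = {"Checks QEMU agent file",
                "Suspicious use of NtSetInformationThreadHideFromDebugger"}


def cmdline_image(cmdline: str) -> str:
    """Return the executable path named by a Windows command line.

    A quoted first argument ends at the closing quote; an unquoted one ends at
    the first space. shlex is deliberately not used: in POSIX mode it treats
    backslashes as escapes and mangles Windows paths."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def hollowing_candidates(procs: list) -> list:
    """Processes whose on-disk image does not match their own command line."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        claimed = cmdline_image(p.cmdline)
        if ntpath.normcase(claimed) == ntpath.normcase(p.image):
            continue
        parent = by_pid.get(p.parent)
        hits.append({
            "pid": p.pid,
            "image": p.image,
            "claimed_image": claimed,
            "parent_pid": p.parent,
            # Parent used the APIs needed to replace the child's code: strong signal.
            "parent_injects": bool(parent and INJECTION_SIGS & set(parent.signatures)),
            # Persistence set from inside the hollowed host, as in this report.
            "persists": any(s.startswith("Adds Run key") for s in p.signatures),
        })
    return hits


def evasion_seen(procs: list) -> set:
    """Evasion signatures observed anywhere in the tree."""
    return {s for p in procs for s in p.signatures if s in EVASION_SIGS}


if __name__ == "__main__":
    for hit in hollowing_candidates(PROCS):
        print(f"PID {hit['pid']}: image {hit['image']} but command line names "
              f"{hit['claimed_image']} (parent {hit['parent_pid']} injects: "
              f"{hit['parent_injects']}, persists: {hit['persists']})")
    print("evasion:", sorted(evasion_seen(PROCS)))
```

Run against the transcribed tree it reports PID 2552 as the hollowed host with an injecting parent and Run-key persistence, and lists both evasion signatures; the same check applies to any sandbox or EDR process tree that records both the image path and the original command line.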

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/560-2-0x0000000002210000-0x0000000002222000-memory.dmp

    Filesize

    72KB

  • memory/560-5-0x0000000077681000-0x00000000777A1000-memory.dmp

    Filesize

    1.1MB

  • memory/560-3-0x0000000077681000-0x00000000777A1000-memory.dmp

    Filesize

    1.1MB

  • memory/560-7-0x0000000002210000-0x0000000002222000-memory.dmp

    Filesize

    72KB

  • memory/560-10-0x0000000002210000-0x0000000002222000-memory.dmp

    Filesize

    72KB

  • memory/2552-6-0x0000000000E00000-0x0000000000F00000-memory.dmp

    Filesize

    1024KB

  • memory/2552-4-0x0000000000E00000-0x0000000000F00000-memory.dmp

    Filesize

    1024KB

  • memory/2552-9-0x0000000000E00000-0x0000000000F00000-memory.dmp

    Filesize

    1024KB
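
The dump names above encode the PID, a snapshot sequence number and the address range, so the listed sizes can be cross-checked and the right snapshot chosen before carving. The following is an added example, not tria.ge code and not part of the report, that transcribes the Downloads list above; the selection rule (take the latest snapshot of a region that appears only in the spawned child) is a heuristic of this example.

```python
"""Added example (not tria.ge code): parse the memory-dump file names in the
Downloads list above, check the listed sizes against the address ranges, and
pick the dump to carve for the unpacked payload. File names and sizes are
transcribed from the report. The selection rule (take the latest snapshot of a
region that exists only in the spawned child) is a heuristic of this example."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# (file name, listed size) pairs transcribed from the Downloads section.
DUMPS = [
    ("memory/560-2-0x0000000002210000-0x0000000002222000-memory.dmp", "72KB"),
    ("memory/560-5-0x0000000077681000-0x00000000777A1000-memory.dmp", "1.1MB"),
    ("memory/560-3-0x0000000077681000-0x00000000777A1000-memory.dmp", "1.1MB"),
    ("memory/560-7-0x0000000002210000-0x0000000002222000-memory.dmp", "72KB"),
    ("memory/560-10-0x0000000002210000-0x0000000002222000-memory.dmp", "72KB"),
    ("memory/2552-6-0x0000000000E00000-0x0000000000F00000-memory.dmp", "1024KB"),
    ("memory/2552-4-0x0000000000E00000-0x0000000000F00000-memory.dmp", "1024KB"),
    ("memory/2552-9-0x0000000000E00000-0x0000000000F00000-memory.dmp", "1024KB"),
]


def parse_dump(name: str) -> dict:
    """Split a dump name into pid, snapshot sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a tria.ge memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def listed_size_bytes(text: str) -> float:
    """'72KB' / '1.1MB' as bytes; the listing rounds MB to one decimal."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return float(m[1]) * (1024 if m[2] == "KB" else 1024 * 1024)


def size_mismatches(dumps, tolerance: float = 0.05) -> list:
    """Names whose listed size disagrees with end - start by more than tolerance."""
    bad = []
    for name, listed in dumps:
        d = parse_dump(name)
        expected = listed_size_bytes(listed)
        if abs(d["size"] - expected) > tolerance * expected:
            bad.append(name)
    return bad


def regions_by_pid(dumps) -> dict:
    """Map pid -> set of (start, end) regions that were dumped for it."""
    out = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def child_only_regions(dumps, parent_pid: int, child_pid: int) -> list:
    """Regions dumped from the child that were never dumped from the parent."""
    r = regions_by_pid(dumps)
    return sorted(r.get(child_pid, set()) - r.get(parent_pid, set()))


def latest_dump(dumps, pid: int, start: int) -> str:
    """Highest-sequence snapshot of a region: the most fully unpacked state."""
    cands = [parse_dump(n) for n, _ in dumps]
    cands = [d for d in cands if d["pid"] == pid and d["start"] == start]
    return max(cands, key=lambda d: d["seq"])["name"]


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    for start, end in child_only_regions(DUMPS, 560, 2552):
        print(f"carve {latest_dump(DUMPS, 2552, start)} ({end - start} bytes)")
```

For this report the sizes all reconcile (0x12000 bytes is 72KB, 0x120000 bytes rounds to 1.1MB, 0x100000 bytes is 1024KB), and the region present only in PID 2552 is 0xE00000-0xF00000, whose latest snapshot is sequence 9; that is the dump to open first when looking for what the hollowed ieinstal.exe was made to run.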