
Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/07/2024, 05:54

General

  • Target

    dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe

  • Size

    24KB

  • MD5

    5514470f8edb4733f119fbb6d441e002

  • SHA1

    406eb68234149df1aac1c9d611f3bf14231f0e5f

  • SHA256

    dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0

  • SHA512

    84df5103f760a317d8c5de0527e65cab673fcae9ec1f03977ab1f772895fb761c54e9b04c07d82c3a9011fc3867ba975a1bf7f3cef17c72ae9eab615e4e6cb65

  • SSDEEP

    384:CxL+q5r+PpHfXhUkKvI4QwjQ/vFJhheJ06oZrj/vBKDJZ4:ua4r+PpHfXGLOnNh8noR+K

Score
8/10

Tags
upx

Malware Config

Signatures

  • Drops file in Drivers directory 39 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can tamper with signature verification, for example by redirecting the DLL exports Windows uses to validate Authenticode signatures (SIP/trust-provider hijacking), so that an unsigned or altered binary appears validly signed.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry (the user's Control Panel\International\Geo\Nation setting), most likely a geofence so the payload only runs, or refuses to run, in particular regions.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build (renamed sections or a patched stub, which defeats a plain `upx -d`).

  • Drops desktop.ini file(s) 57 IoCs
  • Drops autorun.inf file 1 TTPs 25 IoCs

    Malware can write an autorun.inf to attached volumes (removable drives, mapped shares) so that Windows AutoRun launches it when the volume is mounted, spreading to other hosts. Current Windows versions ignore autorun.inf on removable drives by default and only honour it on optical media, so this mainly affects legacy or misconfigured hosts.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
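The "UPX packed file" signature above says what was detected but not how packer detection works in practice. The script below is an added example, not tria.ge's rule or code: it builds minimal PE images in memory (constructed for the example, not the sample from this report) and applies three heuristics an analyst uses to spot UPX, including modified builds that rename the sections: UPX section names, the stock layout in which the first section has no data on disk and is only the decompression destination, and high entropy in the second section that holds the compressed payload. The section sizes and the 7.0 bits/byte entropy threshold are assumptions.

```python
"""Heuristic UPX detection from the PE section table.

Added example (not tria.ge's rule).  Stock UPX leaves a recognisable
layout: a first section (UPX0) with no data on disk that the stub
decompresses into, a second section (UPX1) holding the compressed
payload and stub, and usually .rsrc.  A "modified UPX" build renames
the sections, so the layout and entropy checks matter more than the
names.  The PE images below are constructed in memory."""
import math
import struct

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000


def build_pe(sections):
    """Build a minimal 32-bit PE image (constructed for this example).

    sections: list of (name, virtual_size, raw_bytes); raw_bytes may be
    empty to model a section that exists only in memory."""
    num = len(sections)
    opt_size = 0xE0                      # PE32 optional header size
    pe_off = 0x40                        # e_lfanew: PE header right after DOS header
    table_off = pe_off + 4 + 20 + opt_size
    raw_start = (table_off + 40 * num + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)

    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic

    table, blobs, va = b"", b"", SECTION_ALIGN
    for name, vsize, raw in sections:
        ptr = raw_start + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, va, len(raw), ptr, 0, 0, 0, 0, 0xE0000060)
        blobs += raw
        va += (max(vsize, len(raw)) + SECTION_ALIGN - 1) & ~(SECTION_ALIGN - 1)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (raw_start - len(image)) + blobs


def parse_sections(image):
    """Walk the section table of a PE image and return name/size/data."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num = struct.unpack_from("<H", image, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    off = pe_off + 24 + opt_size                                 # start of section table
    out = []
    for i in range(num):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, off + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("latin-1"),
                    "vsize": vsize, "rsize": rsize,
                    "data": image[rptr:rptr + rsize] if rsize else b""})
    return out


def entropy(data):
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(image):
    """Return the list of UPX indicators found; an empty list means none."""
    secs = parse_sections(image)
    hits = []
    if any(s["name"].upper().startswith("UPX") for s in secs):
        hits.append("section names start with UPX")
    if (len(secs) >= 2 and secs[0]["rsize"] == 0 and secs[0]["vsize"] > 0
            and secs[1]["rsize"] > 0):
        hits.append("first section has no raw data (unpack destination)")
        e = entropy(secs[1]["data"])
        if e > 7.0:                       # assumed threshold for compressed data
            hits.append(f"second section entropy {e:.2f} (compressed payload)")
    return hits


# Constructed samples: stock UPX, UPX with renamed sections, and a plain binary.
PAYLOAD = bytes(range(256)) * 4           # stands in for compressed data (entropy 8.0)
STOCK_UPX = build_pe([("UPX0", 0x8000, b""), ("UPX1", 0x3000, PAYLOAD),
                      (".rsrc", 0x1000, b"\0" * 0x200)])
RENAMED_UPX = build_pe([(".text", 0x8000, b""), (".data", 0x3000, PAYLOAD),
                        (".rsrc", 0x1000, b"\0" * 0x200)])
PLAIN = build_pe([(".text", 0x1000, b"\x90" * 0x200), (".data", 0x1000, b"\0" * 0x200)])

if __name__ == "__main__":
    for label, img in (("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        print(label, upx_indicators(img) or "no UPX indicators")
```

The renamed build still trips the layout and entropy checks, which is the point: a name match alone is the weakest of the three signals, and a zero-raw-size first section followed by a near-random second section is what a sandbox rule for "modified UPX" has to key on.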

Processes

  • C:\Users\Admin\AppData\Local\Temp\dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe
    "C:\Users\Admin\AppData\Local\Temp\dee0fe99bf53a404bf162cfd239d22425390ea6eeee16faf2bf3457e467743d0.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5092 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4620
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Executes dropped EXE
      • Drops autorun.inf file
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\AE 0124 BE.exe
        "C:\Windows\AE 0124 BE.exe"
        3⤵
        • Drops file in Drivers directory
        • Manipulates Digital Signatures
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5072
        • C:\Windows\SysWOW64\drivers\winlogon.exe
          "C:\Windows\System32\drivers\winlogon.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:4240
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2660
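The process tree shows the sample writing a winlogon.exe into a drivers directory (image path SysWOW64\drivers, command line naming System32\drivers), and the signatures record autorun.inf drops. The script below is an added example, not tria.ge code: it triages dropped-file paths for exactly these patterns (system-binary names outside their home directory, user-mode executables in the kernel-driver directory, autorun.inf on a volume root) after folding WOW64 path redirection, and parses an autorun.inf the way Explorer reads it to recover what it would launch. The path list mixes entries from this report with constructed ones (marked in the code); the autorun.inf text and the SYSTEM_BINARIES table are assumptions.

```python
"""Offline triage of file-system IoCs from a sandbox report.

Added example (not tria.ge code).  REPORT_PATHS mixes paths copied from the
report with constructed entries, marked below, so the checks have both
positive and negative cases."""
import ntpath
import re

# Where the genuine copies of these Windows binaries live (assumption: a
# default-layout install on C:).  The same name anywhere else is a masquerade.
SYSTEM_BINARIES = {
    "winlogon.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}


def canonicalize(path):
    """Normalise a path for comparison."""
    p = path[4:] if path.startswith("\\??\\") else path   # strip NT object prefix
    p = p.lower().replace("/", "\\")
    # Fold WOW64 file-system redirection.  A 32-bit process (this sample loads
    # the VB6 runtime Msvbvm60.dll, so it is 32-bit) that writes to System32 is
    # redirected to SysWOW64, which is consistent with the report showing an
    # image path under SysWOW64\drivers for a command line naming System32\drivers.
    return p.replace("\\syswow64\\", "\\system32\\")


def check_path(path):
    """Return triage findings for one dropped-file path (empty list = nothing odd)."""
    p = canonicalize(path)
    directory, name = ntpath.split(p)
    findings = []
    home = SYSTEM_BINARIES.get(name)
    if home and directory != home:
        findings.append(f"{name} outside its home {home} (masquerading)")
    if name == "autorun.inf" and re.fullmatch(r"[a-z]:\\", directory):
        findings.append(f"autorun.inf on volume root {directory}")
    if directory.endswith("\\drivers") and name.endswith((".exe", ".dll")):
        findings.append("user-mode executable in the kernel-driver directory")
    return findings


def triage(paths):
    """Map each flagged path to its findings; unflagged paths are omitted."""
    result = {}
    for p in paths:
        found = check_path(p)
        if found:
            result[p] = found
    return result


def parse_autorun(text):
    """Return the commands an autorun.inf would make Explorer run: the
    open= and shellexecute= keys plus any shell\\<verb>\\command= entries."""
    targets, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            targets[k] = value
    return targets


REPORT_PATHS = [
    # taken from the report's Processes / Downloads sections
    "C:\\Windows\\SysWOW64\\drivers\\winlogon.exe",
    "C:\\Windows\\System32\\drivers\\winlogon.exe",
    "C:\\Windows\\AE 0124 BE.exe",
    "C:\\Windows\\AE 0124 BE.gif",
    "\\??\\c:\\B1uv3nth3x1.diz",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\Msvbvm60.dll",
    # constructed: the report counts autorun.inf drops but lists no path for them
    "\\??\\c:\\autorun.inf",
    # constructed negative control: the genuine winlogon
    "C:\\Windows\\System32\\winlogon.exe",
]

# Constructed autorun.inf in the style worms write to removable volumes.
AUTORUN_INF = """[autorun]
; constructed sample, not recovered from this report
open=winlogon.exe
shell\\open\\command=winlogon.exe
shell\\open\\default=1
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for path, found in triage(REPORT_PATHS).items():
        print(path, "->", "; ".join(found))
    print("autorun.inf would launch:", parse_autorun(AUTORUN_INF))
```

Both report paths for the dropped winlogon.exe canonicalize to the same string, so a hunt keyed on the command-line path and one keyed on the on-disk path agree; the genuine C:\Windows\System32\winlogon.exe produces no findings.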

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCRJMNF7\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\Msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\AE 0124 BE.gif

    Filesize

    24KB

    MD5

    4c420efb5050d85147cdf9e19fb09269

    SHA1

    1ceb3f87939ee2b7c2972b524101a64830a34040

    SHA256

    d2813c5770b95a90239267e472aa1f0f8274474d75b4d5f768ad6177d2c017bb

    SHA512

    36c5e48a2dd28742f326e72ee264f7cd6872a56e2f0d2e0459a48d95fff9d98b88e55944186433677c0f4d9e2259400dc8f0821b2116686342a3234c2b778a18

  • C:\Windows\SysWOW64\drivers\winlogon.exe

    Filesize

    48KB

    MD5

    7dc8becf5c877be2df5b6ab3d8e06cdc

    SHA1

    d220501f203b654e4f72ded21997a8f0a42e4435

    SHA256

    4ccb4888118f2fe7b889e3c33c28f7011d6c5bfc806e5bde1b991eb16eea87b3

    SHA512

    4c488ead12d12c1f5ae0637aec76beb8cc64f0d4daeb18a6914236c90aef33653aa97dec0e79c7cff8abb6afd9ca6cd32c513017f5c77b27841e02e96434163b

  • \??\c:\B1uv3nth3x1.diz

    Filesize

    21B

    MD5

    9cceaa243c5d161e1ce41c7dad1903dd

    SHA1

    e3da72675df53fffa781d4377d1d62116eafb35b

    SHA256

    814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

    SHA512

    af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

  • memory/2032-450-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2660-88-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/3956-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/3956-70-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4240-91-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/5072-451-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB