Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

BE-LS.exe

windows7-x64

8

BE-LS.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 17:51 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BE-LS.exe

  • Size

    64.4MB

  • MD5

    17225dd0181b9daecb53a5f514b42c33

  • SHA1

    cb254d82f9fa4c852015492eced179e50ea7927a

  • SHA256

    1c6eaa150b49c636b4b64321fb92be9d4a431c89db471d32e5dc2444a6f54c61

  • SHA512

    3e2d104fb7cf83dae2c6293d70b6da1800330373f0986c295cf84a4ff6be1ac7ab1f8336672a7cd1ffd73c0f31412952218b5b5912f4bb869981fbb403a1889f

  • SSDEEP

    393216:pjaZgP8kQCoo53we9r9OJ/sbA9ZhGInxtnWxvdiQ2OUNpCEp7kN3VkQGQPNLFu4v:hkghQCk49Otsbyx1DOUNoER7g5

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BE-LS.exe
    "C:\Users\Admin\AppData\Local\Temp\BE-LS.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
      "C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe" C:\Users\Admin\AppData\Local\Temp\BattleEye.sys
      2⤵
      • Executes dropped EXE
      PID:1808

Network

  • flag-us
    DNS
    cdnimmortal.xyz
    BE-LS.exe
    Remote address:
    8.8.8.8:53
    Request
    cdnimmortal.xyz
    IN A
    Response
    cdnimmortal.xyz
    IN A
    185.199.109.153
    cdnimmortal.xyz
    IN A
    185.199.111.153
    cdnimmortal.xyz
    IN A
    185.199.110.153
    cdnimmortal.xyz
    IN A
    185.199.108.153
  • flag-us
    GET
    https://cdnimmortal.xyz/LOADER_HERE.exe
    BE-LS.exe
    Remote address:
    185.199.109.153:443
    Request
    GET /LOADER_HERE.exe HTTP/1.1
    Host: cdnimmortal.xyz
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 547328
    Server: GitHub.com
    Content-Type: application/octet-stream
    Last-Modified: Wed, 04 Sep 2024 21:13:32 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "66d8cd7c-85a00"
    expires: Fri, 06 Sep 2024 18:02:29 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: B05B:2BA494:394A9ED:39D349D:66DB415D
    Accept-Ranges: bytes
    Age: 0
    Date: Fri, 06 Sep 2024 17:52:29 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600048-LCY
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1725645149.328191,VS0,VE93
    Vary: Accept-Encoding
    X-Fastly-Request-ID: c42d147582bea71fcc4743f9317a6401862bb10d
  • flag-us
    GET
    https://cdnimmortal.xyz/BattleEye.sys
    BE-LS.exe
    Remote address:
    185.199.109.153:443
    Request
    GET /BattleEye.sys HTTP/1.1
    Host: cdnimmortal.xyz
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 11695
    Server: GitHub.com
    Content-Type: application/octet-stream
    Last-Modified: Wed, 04 Sep 2024 21:13:32 GMT
    Access-Control-Allow-Origin: *
    Strict-Transport-Security: max-age=31556952
    ETag: "66d8cd7c-2daf"
    expires: Fri, 06 Sep 2024 18:02:29 GMT
    Cache-Control: max-age=600
    x-proxy-cache: MISS
    X-GitHub-Request-Id: D673:30A21E:3281ED4:32F3B39:66DB4159
    Accept-Ranges: bytes
    Age: 0
    Date: Fri, 06 Sep 2024 17:52:29 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600048-LCY
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1725645150.616374,VS0,VE99
    Vary: Accept-Encoding
    X-Fastly-Request-ID: 2d8db09e8e458d4f30386919fe84ec989d71d519
  • 185.199.109.153:443
    https://cdnimmortal.xyz/BattleEye.sys
    tls, http
    BE-LS.exe
    10.8kB
     585.9kB
     222
    435

    HTTP Request

    GET https://cdnimmortal.xyz/LOADER_HERE.exe

    HTTP Response

    200

    HTTP Request

    GET https://cdnimmortal.xyz/BattleEye.sys

    HTTP Response

    200
  • 8.8.8.8:53
    cdnimmortal.xyz
    dns
    BE-LS.exe
    61 B
     125 B
     1
    1

    DNS Request

    cdnimmortal.xyz

    DNS Response

    185.199.109.153
    185.199.111.153
    185.199.110.153
    185.199.108.153

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
    Filesize

    534KB

    MD5

    cd4d08af76e7614f46bc853cf82cebc6

    SHA1

    94e75dac14976227c1c33ae48866e820db52aa1a

    SHA256

    f03d6b156974af96b66b3913bbcdf49609720f37f2e69c4222c2d0920f442f58

    SHA512

    b24396f3973156d8aef58203a0bcf1d542362e8591509e054488d6562fcf60e3cd628db0252a45ead220b4c7e82f065092e8a6145fcbfc399b4ca86f17084d99

    Download Submit

  • memory/1808-108-0x000000013F480000-0x000000013F533000-memory.dmp

    Filesize

    716KB

    Download

  • memory/1808-107-0x000000013F480000-0x000000013F533000-memory.dmp

    Filesize

    716KB

    Download

  • memory/2128-37-0x0000000004760000-0x00000000047A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2128-29-0x0000000004610000-0x0000000004650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2128-17-0x00000000025E0000-0x0000000002610000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2128-41-0x00000000047F0000-0x0000000004830000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2128-49-0x0000000004880000-0x00000000048A0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2128-53-0x0000000004A50000-0x0000000004C00000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2128-45-0x00000000020D0000-0x00000000020E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2128-2-0x0000000003440000-0x00000000040D0000-memory.dmp

    Filesize

    12.6MB

    Download

  • memory/2128-33-0x00000000046B0000-0x0000000004710000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2128-4-0x0000000001E60000-0x0000000001E90000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2128-25-0x0000000004570000-0x00000000045C0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2128-21-0x00000000044F0000-0x0000000004510000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2128-57-0x0000000004F50000-0x0000000004FA0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2128-65-0x0000000005010000-0x0000000005020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2128-61-0x0000000004FD0000-0x0000000005000000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2128-8-0x0000000002020000-0x0000000002040000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2128-16-0x000000013FE6D000-0x000000013FE6E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2128-105-0x000000013F480000-0x000000013F533000-memory.dmp

    Filesize

    716KB

    Download

  • memory/2128-12-0x0000000002060000-0x0000000002080000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2128-111-0x000000013F480000-0x000000013F533000-memory.dmp

    Filesize

    716KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.