Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0904efe9f6...18.exe

windows7-x64

7

0904efe9f6...18.exe

windows10-2004-x64

7

$PLUGINSDI...nu.dll

windows7-x64

3

$PLUGINSDI...nu.dll

windows10-2004-x64

3

$TEMP/netddee.exe

windows7-x64

7

$TEMP/netddee.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$SYSDIR/$S...1_.exe

windows7-x64

7

$SYSDIR/$S...1_.exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$SYSDIR/$_5_.dll

windows7-x64

6

$SYSDIR/$_5_.dll

windows10-2004-x64

6

$TEMP/setup.exe

windows7-x64

7

$TEMP/setup.exe

windows10-2004-x64

7

$PLUGINSDI...ol.dll

windows7-x64

3

$PLUGINSDI...ol.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    142s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 05:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $TEMP/netddee.exe

  • Size

    507KB

  • MD5

    ad4b2243c131ada12b25cb0334690a62

  • SHA1

    811da77cfd2021738196ee13cae9ec9f239b9118

  • SHA256

    ac7891555a255a9b7fe04b78ecfb035507414a6a8598422dab771214d1410a46

  • SHA512

    ee207f92b0d45dab82b486fda7e5baf7e3a476a2418b866f4e00a15152e0a95284916c04137b19e30e078544c391a84840f6a88efe5558e78058e24b7501d049

  • SSDEEP

    12288:mUyg5Z03FxbKz7Vj4X1f6oXXCF9uEYN9k71RqXaJnnb:mUZ5O3F9EpjEfQzI9kBRqKJnnb

Score
7/10
adwarediscoverypersistencestealer

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\netddee.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\netddee.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer Protected Mode
    • Modifies Internet Explorer Protected Mode Banner
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\abevanwlxj.dll"
      2⤵
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2264
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8de56b6d40cdef15b75364af05554f01

    SHA1

    515ac5346631232cd94108f25ff2cd8ab48ff2eb

    SHA256

    5f5b91f97023b3cccd8f936e11c5aa5fde8762fdf9f3bd93e0eab3cb903d1aad

    SHA512

    391b7390d04065cddb4295a01197ac15458564ab217fc4db6021e36e02f02ebcbb9cd20975a7bd146528405f401671ac93f6372eef63cb31d4a0c3e8124edb9f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6dac82c9ed70dec194c673940e86010c

    SHA1

    8d4478b1bbd95c02999889bbdcb84a8a071124a3

    SHA256

    9c14cb251bb3b5132554ff99b9f77039c0715ad27e73909917fe4bc3f0fabc93

    SHA512

    b340448493b457d08631b1226d801662dd061bcdc5ef3eb3085711fb4ffe6e08a35a208c6ae3ce8ae6d6dac22636ed3ee7f39522b8273f0b9a2bd654022b292a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ff406aae66e556a2350fbe40faef855f

    SHA1

    86282a99012142592f8cb95885e0cb07beb35269

    SHA256

    e0e693480bbc2db78c613cfe7f14c82a4f7e367fe44bcc5e41b0176be88e4317

    SHA512

    76fc1be8b3d5ba12ed37f7067bd5bdcdc9e05a7fb4890f99a9f910f197943058be389affac45782b48d0259477d5fc465c145eb27202185cf5b5be67b2d729ac

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    70532be76afa87acb4bbfa5bc2ba41a0

    SHA1

    59dc7f5aca0e9a495add6aa8e6cc3942d1462053

    SHA256

    3f66e81a8514d623611e6af6159d9dd0e14e676d857215279df0256676d25c2d

    SHA512

    1d12794803f871047a7c14dbfa2a20fc25f049984ae523187870915927365cec4242ec1da382edd96be4cfdb3fea97399a125cd473a4be04ff363a4e4e73926e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    613f360f51aab9a33bf554e8034353b4

    SHA1

    72aa41fd713b359aa11659a2022a57cb75f24e66

    SHA256

    576e7c4b0c498aa346d2dd5e64f4bc04620ee17cb1816a91e77a4be97634e91c

    SHA512

    038c61c7e28478afd708db21499269860ef7e915b8920e97dce8b0f7aaf20ab5e4bdbee59a9679e0554115c87a605580883e7a0c466509e5bd930635618b12c2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9b2f005eb63556c024dfac7d7d5f8aac

    SHA1

    84e9a828406c20480266e01cb167f8943770f0c4

    SHA256

    49878d02ea7a9b74bcb69befde9d116a426f05d5bf6a688fff8c2e120ed63c4d

    SHA512

    416fe3001db94f77b177dea1135b7299772abbd0d75bed7e76057b8205b757d80b7499b19a86156ffc74bb1c6e28566598cc48db6a21e7b8ba85f12515f1972d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9895282f9563308a6a40dc9a53c7315e

    SHA1

    5cfffd22e966e9c1cf165b3df8bc311ef0786641

    SHA256

    c063cddda468e6a4caac37f82b3c0936449b3647e564067abe85013fd53bfeef

    SHA512

    8825f3e0c13689e6017b498aafc7ad3956a708f99d05f7ba5bd391470787ef9c489de7e18e05ba6cbba990dd93db82bd3b90f294d1491e6007ca4172c8a032cf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3f925cc911e1e3b74368f7d812dcd66d

    SHA1

    d5360c216d87167b335236416d2c1ec2e2cae14a

    SHA256

    449d6613853b7cc14864b83bb0cc0c00e0cd04d00a493bd9ec202024214f0277

    SHA512

    943926b59cae34b77084afc821c77fbd88583d799f13f2882cb0d0abfa346d21264e67f329aab7998922a2683494e505f5c1db296d8a0891ee0af71131212efe

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c229f188b0c09117cf46df45286dc590

    SHA1

    cc0ab7494b98dd3d7e144e0d8f884ff497015e55

    SHA256

    1720b7d2774ee46f301a9143dd81f5281e59ab94d3229e4fabe740f9e8789906

    SHA512

    0590e54cb12cc5065431270b691f15872bd3c4c7a26e44e2b110c2eb410abe304b66917e210330b9c8ddeacd1641862a92384827c67116f8bc013f153bb3beb9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab930E.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar936E.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst91F5.tmp.dll
    Filesize

    877KB

    MD5

    20a9c78acf901dd4328881cc067e336c

    SHA1

    e39e2011c8504dbea9356a0dee4770ea30d95509

    SHA256

    5dc895ed2436461a93e3faf2e89332ad78507608d8249c58b4c093e2d2d3b71e

    SHA512

    7e8483e19bcd1b03099eb7290e4fe32d1b232162da3da67cf29142c33fead4f82e3e6c26094ccb0aadcb7949d8cbb07db5bd56df8e9069a6c67fa2a8c4d51b72

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy89D9.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • memory/2264-23-0x0000000018C40000-0x0000000018D22000-memory.dmp

    Filesize

    904KB

    Download

  • memory/2264-22-0x0000000018C40000-0x0000000018D22000-memory.dmp

    Filesize

    904KB

    Download

  • memory/2264-19-0x0000000018C40000-0x0000000018D22000-memory.dmp

    Filesize

    904KB

    Download

  • memory/2264-18-0x00000000002E0000-0x00000000002E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2264-457-0x0000000018C40000-0x0000000018D22000-memory.dmp

    Filesize

    904KB

    Download

  • memory/2264-458-0x0000000018C40000-0x0000000018D22000-memory.dmp

    Filesize

    904KB

    Download

  • memory/2264-462-0x0000000018C40000-0x0000000018D22000-memory.dmp

    Filesize

    904KB

    Download

  • memory/2788-16-0x0000000018C40000-0x0000000018D22000-memory.dmp

    Filesize

    904KB

    Download