Analysis
  max time kernel:   118s
  max time network:  151s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         14/10/2022, 12:08
Static task
  static1

Behavioral task
  behavioral1
  Sample:    tmp.exe
  Resource:  win7-20220812-en

Behavioral task
  behavioral2
  Sample:    tmp.exe
  Resource:  win10v2004-20220812-en
General
  Target:  tmp.exe
  Size:    797KB
  MD5:     774934501fa2c6c6ec22f6989b1543f4
  SHA1:    34a787999c1d1ca742a92099aa083babc39a9da4
  SHA256:  303bd4a9a4f522900dcb9af3030f9683b64cb904e12e75ed06723c43215ef438
  SHA512:  9359eea59f36f6a4cbdbba57a97336100798d338f979c8bd7c81f6f48e3a75f055043f2c0eda548ff95e8a8097993c4847e47cdf3f541fbe4f8ff0912e6516a6
  SSDEEP:  24576:9F02K/c+HpNeL72e/QzC2X4LJSOKl696D:X0Z/c+mPQmtgmI
Malware Config
Signatures
Detects LgoogLoader payload (1 IoC)
  resource                                                                      yara_rule
  behavioral2/memory/2196-161-0x0000000001230000-0x000000000123D000-memory.dmp  family_lgoogloader

  LgoogLoader: a downloader capable of dropping and executing other malware families.

Executes dropped EXE (2 IoCs)
  pid   Process
  3416  Lesson.exe.pif
  2196  Lesson.exe.pif

Loads dropped DLL (6 IoCs)
  pid   Process
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                Process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce    tmp.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    tmp.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 3416 set thread context of 2196  3416  Lesson.exe.pif  95

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   Process
  4312  tasklist.exe
  4260  tasklist.exe

Runs ping.exe (1 TTP, 2 IoCs)
  pid   Process
  2304  PING.EXE
  4092  PING.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4312  tasklist.exe
  Token: SeDebugPrivilege  4260  tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif
  3416  Lesson.exe.pif

Suspicious use of WriteProcessMemory (38 IoCs)
  description                      pid   Process         procid_target
  PID 4964 wrote to memory of 2628  4964  tmp.exe         81
  PID 4964 wrote to memory of 2628  4964  tmp.exe         81
  PID 4964 wrote to memory of 2628  4964  tmp.exe         81
  PID 4964 wrote to memory of 1524  4964  tmp.exe         83
  PID 4964 wrote to memory of 1524  4964  tmp.exe         83
  PID 4964 wrote to memory of 1524  4964  tmp.exe         83
  PID 1524 wrote to memory of 4576  1524  cmd.exe         85
  PID 1524 wrote to memory of 4576  1524  cmd.exe         85
  PID 1524 wrote to memory of 4576  1524  cmd.exe         85
  PID 4576 wrote to memory of 4312  4576  cmd.exe         87
  PID 4576 wrote to memory of 4312  4576  cmd.exe         87
  PID 4576 wrote to memory of 4312  4576  cmd.exe         87
  PID 4576 wrote to memory of 1000  4576  cmd.exe         88
  PID 4576 wrote to memory of 1000  4576  cmd.exe         88
  PID 4576 wrote to memory of 1000  4576  cmd.exe         88
  PID 4576 wrote to memory of 4260  4576  cmd.exe         89
  PID 4576 wrote to memory of 4260  4576  cmd.exe         89
  PID 4576 wrote to memory of 4260  4576  cmd.exe         89
  PID 4576 wrote to memory of 4720  4576  cmd.exe         90
  PID 4576 wrote to memory of 4720  4576  cmd.exe         90
  PID 4576 wrote to memory of 4720  4576  cmd.exe         90
  PID 4576 wrote to memory of 1560  4576  cmd.exe         91
  PID 4576 wrote to memory of 1560  4576  cmd.exe         91
  PID 4576 wrote to memory of 1560  4576  cmd.exe         91
  PID 4576 wrote to memory of 3416  4576  cmd.exe         92
  PID 4576 wrote to memory of 3416  4576  cmd.exe         92
  PID 4576 wrote to memory of 3416  4576  cmd.exe         92
  PID 4576 wrote to memory of 4092  4576  cmd.exe         93
  PID 4576 wrote to memory of 4092  4576  cmd.exe         93
  PID 4576 wrote to memory of 4092  4576  cmd.exe         93
  PID 1524 wrote to memory of 2304  1524  cmd.exe         94
  PID 1524 wrote to memory of 2304  1524  cmd.exe         94
  PID 1524 wrote to memory of 2304  1524  cmd.exe         94
  PID 3416 wrote to memory of 2196  3416  Lesson.exe.pif  95
  PID 3416 wrote to memory of 2196  3416  Lesson.exe.pif  95
  PID 3416 wrote to memory of 2196  3416  Lesson.exe.pif  95
  PID 3416 wrote to memory of 2196  3416  Lesson.exe.pif  95
  PID 3416 wrote to memory of 2196  3416  Lesson.exe.pif  95
Processes (indentation shows parent/child depth; the bracketed number is the depth level from the report)

[1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    PID: 4964
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\ftp.exe
        cmdline: ftp /?
        PID: 2628

    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c cmd < Rooms.ppt & ping -n 5 localhost
        PID: 1524
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd
            PID: 4576
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\tasklist.exe
                cmdline: tasklist /FI "imagename eq AvastUI.exe"
                PID: 4312
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\find.exe
                cmdline: find /I /N "avastui.exe"
                PID: 1000

            [4] C:\Windows\SysWOW64\tasklist.exe
                cmdline: tasklist /FI "imagename eq AVGUI.exe"
                PID: 4260
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\find.exe
                cmdline: find /I /N "avgui.exe"
                PID: 4720

            [4] C:\Windows\SysWOW64\findstr.exe
                cmdline: findstr /V /R "^qkvETill$" Grocery.ppt
                PID: 1560

            [4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lesson.exe.pif
                cmdline: Lesson.exe.pif L
                PID: 3416
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lesson.exe.pif
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lesson.exe.pif
                    PID: 2196
                    - Executes dropped EXE

            [4] C:\Windows\SysWOW64\PING.EXE
                cmdline: ping localhost -n 5
                PID: 4092
                - Runs ping.exe

        [3] C:\Windows\SysWOW64\PING.EXE
            cmdline: ping -n 5 localhost
            PID: 2304
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads