Analysis

- max time kernel: 149s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29/10/2022, 23:51
Behavioral task behavioral1

- Sample: 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
- Resource: win7-20220901-en

Behavioral task behavioral2

- Sample: 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
- Resource: win10v2004-20220812-en
General

- Target: 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
- Size: 131KB
- MD5: a31b01b6707db1543d654586bceccfb0
- SHA1: 17d4cb00c3acac356c02e87177614066ac9e869e
- SHA256: 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f
- SHA512: 838801d8179953c401ecfb98a814f423d8609ef918ad0368b816dc4817654a6905ada195a365d74761ed6d2f518b694f2e8a63a3ac31642ee9b38803ea730d65
- SSDEEP: 3072:IyrN/sVywaEj1UsEOBYJwyrN/sVywaEj1Usqd5PjJ5Sr5n:Nh9wv1Ut3nh9wv1U1L5Sr5n
Malware Config
Signatures

Executes dropped EXE (1 IoC)

| pid | Process |
| --- | --- |
| 1240 | lcss.exe |

YARA matches (7 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x00090000000122dc-54.dat | upx |
| behavioral1/files/0x00090000000122dc-55.dat | upx |
| behavioral1/files/0x000500000000b2d2-58.dat | upx |
| behavioral1/files/0x000b0000000122d6-57.dat | upx |
| behavioral1/files/0x00080000000122dd-56.dat | upx |
| behavioral1/memory/832-59-0x0000000000400000-0x0000000000420000-memory.dmp | upx |
| behavioral1/memory/1240-60-0x0000000000400000-0x0000000000420000-memory.dmp | upx |

Modifies WinLogon (2 TTPs, 15 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon" | lcss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon | lcss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1" | lcss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |

Drops file in System32 directory (4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\wlogon.dll | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| File opened for modification | C:\Windows\SysWOW64\net.cpl | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| File opened for modification | C:\Windows\SysWOW64\lcss.exe | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| File opened for modification | C:\Windows\SysWOW64\crypto.dll | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |

Modifies registry class (38 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography" | lcss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB} | lcss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32 | lcss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer | lcss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID | lcss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB} | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32 | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}" | lcss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both" | lcss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}" | lcss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1 | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID | lcss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1 | lcss.exe |

Suspicious use of AdjustPrivilegeToken (4 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | 832 | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Token: SeDebugPrivilege | 832 | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe |
| Token: SeTakeOwnershipPrivilege | 1240 | lcss.exe |
| Token: SeDebugPrivilege | 1240 | lcss.exe |
Processes

- C:\Users\Admin\AppData\Local\Temp\0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe"
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 832

- C:\Windows\SysWOW64\lcss.exe
  Command line: C:\Windows\SysWOW64\lcss.exe
  - Executes dropped EXE
  - Modifies WinLogon
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 1240
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 138KB
  MD5: 6bf4e87007b6f2c672c4d0277bf2367a
  SHA1: f2d575da4eb12ff9698793b8bfe8299e1142ee8f
  SHA256: b83294f82bd6f3618d974eb63a889d18557a1e219061449a0577aa9579d987d4
  SHA512: 1f0928b70e0b3a789a245f4243f8179997b87be7e6a05b2ebccaaefbf486f9c00182e981f66012ac126dc98da61811b5b858c90e78f25aba55ee8a77faa28172

- Filesize: 170KB
  MD5: 1aee391d492c9fc7cd741d523d14a0f4
  SHA1: 5c789ecdfb310045db8b0a9cf07ce2f3df7d2622
  SHA256: 1d14540ef29308331104c2b5827a6d3d8e2eea7f7d32ec10cfd614b3d3f7ee29
  SHA512: 0276bee883c89549d23df269c7c8afea5618ecb0eddd84239f6a72e59395e3155cf9c2680706000f3a645d477092f6f017a35f0f918c514bd7c3073f349acf28

- Filesize: 170KB
  MD5: 1aee391d492c9fc7cd741d523d14a0f4
  SHA1: 5c789ecdfb310045db8b0a9cf07ce2f3df7d2622
  SHA256: 1d14540ef29308331104c2b5827a6d3d8e2eea7f7d32ec10cfd614b3d3f7ee29
  SHA512: 0276bee883c89549d23df269c7c8afea5618ecb0eddd84239f6a72e59395e3155cf9c2680706000f3a645d477092f6f017a35f0f918c514bd7c3073f349acf28

- Filesize: 188KB
  MD5: 9aeef58994cfd85f5768bb537eda3de1
  SHA1: bbbbfbdcfb5a48bb688be09656ce925e28276489
  SHA256: a6a1bfe553175b6de37367ac0cede3c6b843eb25518c159cefbfb868a7e73c26
  SHA512: 866bbe7a9e6f29849b0cde8ef6c005fa9538fda7c9aed22c065a6009da8f09a933db891aa59f820730f7280577f3012ba12e1af81965fd939166965c94d2e5bc

- Filesize: 186KB
  MD5: d2f87a7a8da69756dcd36ca3cd9b6144
  SHA1: c60fae6615ce3123702c5290f84ade95d4fd5923
  SHA256: 9468058c3818356fc326e6fc8124d856df95ba7acab989707a8975b60eab11af
  SHA512: 1bc0532b4d8f47f58a7099029d7b9bcb1e03a8340197f902393583694ee71ae7771a98aa008eea710978f603435dd5572bb8e5dcc2d8d1d0ef8e799dff811712