Analysis
max time kernel: 151s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 23:51
Behavioral task: behavioral1
Sample: 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Resource: win10v2004-20220812-en
General
Target: 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Size: 131KB
MD5: a31b01b6707db1543d654586bceccfb0
SHA1: 17d4cb00c3acac356c02e87177614066ac9e869e
SHA256: 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f
SHA512: 838801d8179953c401ecfb98a814f423d8609ef918ad0368b816dc4817654a6905ada195a365d74761ed6d2f518b694f2e8a63a3ac31642ee9b38803ea730d65
SSDEEP: 3072:IyrN/sVywaEj1UsEOBYJwyrN/sVywaEj1Usqd5PjJ5Sr5n:Nh9wv1Ut3nh9wv1U1L5Sr5n
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
pid | Process
4108 | lcss.exe
resource | yara_rule
behavioral2/files/0x0006000000022e37-132.dat | upx
behavioral2/files/0x0006000000022e37-133.dat | upx
behavioral2/files/0x0007000000022e2f-136.dat | upx
behavioral2/files/0x0007000000022e32-135.dat | upx
behavioral2/files/0x0006000000022e38-134.dat | upx
behavioral2/memory/4560-137-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/4108-138-0x0000000000400000-0x0000000000420000-memory.dmp | upx
Modifies WinLogon (2 TTPs, 15 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon" | lcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon" | lcss.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wlogon.dll | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
File opened for modification | C:\Windows\SysWOW64\net.cpl | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
File opened for modification | C:\Windows\SysWOW64\lcss.exe | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
File opened for modification | C:\Windows\SysWOW64\crypto.dll | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Modifies registry class (38 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography" | lcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID | lcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID | lcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32 | lcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1 | lcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB} | lcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB} | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1 | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1" | lcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32 | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}" | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID | lcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography" | lcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt" | lcss.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 4560 | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Token: SeDebugPrivilege | 4560 | 0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
Token: SeTakeOwnershipPrivilege | 4108 | lcss.exe
Token: SeDebugPrivilege | 4108 | lcss.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b86da924751b0cf7f52badacb2e6fdf54bffd2b140facb16dbcb6410535015f.exe"
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 4560

C:\Windows\SysWOW64\lcss.exe
  Command line: C:\Windows\SysWOW64\lcss.exe
  - Executes dropped EXE
  - Modifies WinLogon
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 4108
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 182KB
MD5: 46f56da73fee598a0fc161a09f8ef190
SHA1: bf4ff701f4f545f9c4a6faee803ecd5759863aef
SHA256: 65271a7a7b0a4b38514af41fb162bcbb32ebd02b2cfc416619f7567a066dd3e3
SHA512: e391b2ed54391b7a88881cf3801ae4bceb6cd6dabba403e52b095dfc5db480eae9687e89adb5e0b221a958a4ed323231851d9acd357e9e2a9b85b2467fba2f41

Filesize: 145KB
MD5: 88fbe34de3599ce0d8c3f7b7af657863
SHA1: 6a70f7da5ec2f17d0a65b47132ba5e30fdfcefbc
SHA256: 6b7864784253cae53377a05530532fbdf14c35505c9a09533fe8883bb390187d
SHA512: 9320d09de917cb2670d96162e6e19afc375873d435ce13a546e3cb83e8c9175a28be2a32105e1b33ede96927ef1079e363823236bcae25812cdf71e26ba0950d

Filesize: 145KB
MD5: 88fbe34de3599ce0d8c3f7b7af657863
SHA1: 6a70f7da5ec2f17d0a65b47132ba5e30fdfcefbc
SHA256: 6b7864784253cae53377a05530532fbdf14c35505c9a09533fe8883bb390187d
SHA512: 9320d09de917cb2670d96162e6e19afc375873d435ce13a546e3cb83e8c9175a28be2a32105e1b33ede96927ef1079e363823236bcae25812cdf71e26ba0950d

Filesize: 216KB
MD5: 21cdd9ca63946ed5c7857941da9609d0
SHA1: 373226e91811d6d203bfff64e4fe9ae03a292d18
SHA256: de0aa80a1d8cd98b3bc7f6783528478370a95f0b37f5b123b49486489ad2a058
SHA512: cb6ddde9a454123e8cdfa3c77d499482196f4c988ec7094624816fd4ebce68ba5f4bd338013e009724387b2bf7d808e0b4ebb6ea1c165d78bb3985c138d85a8b

Filesize: 211KB
MD5: 6669b99ffddc26f899d5893ff84c92d6
SHA1: 43b9b44fb0948940fdeffef4e0578c5943c331b3
SHA256: 45c851fbcbcf2e151cb13f5d3094416ac3d42bf998939d5c6a1e37665a432d86
SHA512: bc1bf7066c7b91c6f0bed71bc2a200a020497c9c09804c32f549ca7c3ea0194bc6a44073b6ecbbe3bd27a7851d87453c96fb83109e88ef9492123fdbfd4d0a44