Analysis
  max time kernel:   134s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         03/11/2022, 21:39
Static task:      static1
Behavioral task:  behavioral1 (sample file.exe, resource win7-20220812-en)
Behavioral task:  behavioral2 (sample file.exe, resource win10v2004-20220812-en; the signatures and process tree below are from this task)
General
  Target:  file.exe
  Size:    811KB
  MD5:     cc25b34fae0fab4310a268da338a6fca
  SHA1:    54ae3e4451557295cefc0cad7685ba223a66ef29
  SHA256:  1c4b01e1cc2b754ed518f940a1ac36d0b41a6b2ef0699679d970ebaadcc42446
  SHA512:  39a52578f9e21cf78b7be5bf5447a677110c407b4e8b05aec17fd43c8ad1afc15f1c0c4825bd5e82abae9ec1859ccdf4ef47290feb2189085848142454dc519b
  SSDEEP:  12288:5zOf/G5jWDiMB00nwVzMmd9CRnm1cNj9KHhShnKjxazKes7H:5yXIjaFLwRMmWm1cNh6hShKjxaq
Malware Config
Signatures
Detects LgoogLoader payload (1 IoC)
  resource                                                                     yara_rule
  behavioral2/memory/5108-161-0x0000000000CF0000-0x0000000000CFD000-memory.dmp  family_lgoogloader
  The match is in a memory dump of PID 5108, the second Actively.exe.pif instance, not in any file on disk. The payload exists only after the injection recorded under "Suspicious use of SetThreadContext" below.

LgoogLoader
  A downloader capable of dropping and executing other malware families.

Executes dropped EXE (2 IoCs)
  pid   Process
  1748  Actively.exe.pif
  5108  Actively.exe.pif

Loads dropped DLL (6 IoCs)
  pid   Process
  1748  Actively.exe.pif  (6 loads)

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                Process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce    file.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    file.exe
  Caveat: wextract_cleanup0 is the cleanup entry that the Windows self-extractor stub (wextract/IExpress, which file.exe is packaged with) writes for itself; advpack.dll's DelNodeRunDLL32 deletes the IXP000.TMP extraction directory at the next logon. It does not relaunch anything, so this signature is evidence of the packaging, not of persistence for the dropped loader.

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process           procid_target
  PID 1748 set thread context of 5108  1748  Actively.exe.pif  97
  Both processes run the same dropped image: the first instance spawns a copy of itself, writes into it (see WriteProcessMemory below) and redirects its thread. That is the process-hollowing / self-injection pattern, and the LgoogLoader YARA hit lands in the child's memory.

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   Process
  2240  tasklist.exe
  4848  tasklist.exe

Runs ping.exe (1 TTP, 2 IoCs)
  pid   Process
  4348  PING.EXE
  2004  PING.EXE
  "ping -n 5 localhost" is the batch-script idiom for a sleep; no remote host is contacted.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  1748  Actively.exe.pif  (6 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2240  tasklist.exe
  Token: SeDebugPrivilege  4848  tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  1748  Actively.exe.pif  (3 events)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  1748  Actively.exe.pif  (3 events)

Suspicious use of WriteProcessMemory (38 IoCs)
  description                       pid   Process           procid_target  count
  PID 5000 wrote to memory of 3956  5000  file.exe          79             3
  PID 5000 wrote to memory of 4944  5000  file.exe          81             3
  PID 4944 wrote to memory of 4304  4944  cmd.exe           83             3
  PID 4304 wrote to memory of 2240  4304  cmd.exe           84             3
  PID 4304 wrote to memory of 3160  4304  cmd.exe           85             3
  PID 4304 wrote to memory of 4848  4304  cmd.exe           86             3
  PID 4304 wrote to memory of 4756  4304  cmd.exe           87             3
  PID 4304 wrote to memory of 3320  4304  cmd.exe           88             3
  PID 4304 wrote to memory of 1748  4304  cmd.exe           89             3
  PID 4304 wrote to memory of 4348  4304  cmd.exe           90             3
  PID 4944 wrote to memory of 2004  4944  cmd.exe           91             3
  PID 1748 wrote to memory of 5108  1748  Actively.exe.pif  97             5
  The rows with three writes mirror the process tree one-to-one: they are the writes a parent makes into a child it has just created, and the sandbox records them for every CreateProcess. The row that matters is 1748 -> 5108, where the first Actively.exe.pif writes the payload into its own copy before calling SetThreadContext.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 5000)
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    Adds Run key to start application; Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\bitsadmin.exe  (PID 3956)
      bitsadmin bitsadmin bitsadmin bitsadmin bitsadmin bitsadmin bitsadmin
  [2] C:\Windows\SysWOW64\cmd.exe  (PID 4944)
      cmd /c cmd < Hazard.mdb & ping -n 5 localhost
      Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 4304)
        cmd
        Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\tasklist.exe  (PID 2240)
          tasklist /FI "imagename eq AvastUI.exe"
          Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\find.exe  (PID 3160)
          find /I /N "avastui.exe"
      [4] C:\Windows\SysWOW64\tasklist.exe  (PID 4848)
          tasklist /FI "imagename eq AVGUI.exe"
          Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\find.exe  (PID 4756)
          find /I /N "avgui.exe"
      [4] C:\Windows\SysWOW64\findstr.exe  (PID 3320)
          findstr /V /R "^zTPUrZ$" Lamps.mdb
      [4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Actively.exe.pif  (PID 1748)
          Actively.exe.pif o
          Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Actively.exe.pif  (PID 5108)
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Actively.exe.pif
            Executes dropped EXE
      [4] C:\Windows\SysWOW64\PING.EXE  (PID 4348)
          ping localhost -n 5
          Runs ping.exe
    [3] C:\Windows\SysWOW64\PING.EXE  (PID 2004)
        ping -n 5 localhost
        Runs ping.exe

Reading the tree: file.exe is a self-extracting archive (the IXP000.TMP directory and the wextract_cleanup0 RunOnce entry are both artifacts of the Windows self-extractor stub). Its post-extraction command runs a batch script that is stored under the name Hazard.mdb and fed to cmd.exe on standard input, so no .bat or .cmd file ever appears on disk. The script probes for Avast and AVG by piping tasklist into find, uses findstr /V to emit every line of Lamps.mdb except the marker line "zTPUrZ" (the redirect that would show where the result is written is not part of the captured command line), sleeps with ping, and then launches the dropped Actively.exe.pif with the argument "o". That process starts a second copy of itself, writes into it and sets its thread context, and the LgoogLoader payload is found in the child's memory. The bitsadmin invocation carries no valid switches and transfers nothing; treat it as noise.
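Every stage of the chain above is visible as a command line or a parent/child relationship, which makes it a good target for behavioural rules rather than hashes. The following Python is an added example, not part of the tria.ge report: it encodes those stages as rules and runs them over an event list constructed from the report's own PIDs, images and command lines. The rule names, the AV process list and the chain threshold are the example's own choices, not sandbox identifiers.

```python
"""Behavioural rules for the self-extractor -> batch -> .pif chain in the report
above. Added example over constructed events; not tria.ge output."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import NamedTuple


class Event(NamedTuple):
    pid: int
    ppid: int        # 0 = parent not in the capture
    image: str
    cmdline: str

    @property
    def name(self):
        return PureWindowsPath(self.image).name.lower()


TMP, SYS = r"C:\Users\Admin\AppData\Local\Temp", r"C:\Windows\SysWOW64"
# Constructed from the report's process tree: (pid, ppid, image, command line).
EVENTS = [Event(*e) for e in [
    (5000, 0, rf"{TMP}\file.exe", f'"{TMP}\\file.exe"'),
    (3956, 5000, rf"{SYS}\bitsadmin.exe", "bitsadmin " * 6 + "bitsadmin"),
    (4944, 5000, rf"{SYS}\cmd.exe", "cmd /c cmd < Hazard.mdb & ping -n 5 localhost"),
    (4304, 4944, rf"{SYS}\cmd.exe", "cmd"),
    (2240, 4304, rf"{SYS}\tasklist.exe", 'tasklist /FI "imagename eq AvastUI.exe"'),
    (3160, 4304, rf"{SYS}\find.exe", 'find /I /N "avastui.exe"'),
    (4848, 4304, rf"{SYS}\tasklist.exe", 'tasklist /FI "imagename eq AVGUI.exe"'),
    (4756, 4304, rf"{SYS}\find.exe", 'find /I /N "avgui.exe"'),
    (3320, 4304, rf"{SYS}\findstr.exe", 'findstr /V /R "^zTPUrZ$" Lamps.mdb'),
    (1748, 4304, rf"{TMP}\IXP000.TMP\Actively.exe.pif", "Actively.exe.pif o"),
    (5108, 1748, rf"{TMP}\IXP000.TMP\Actively.exe.pif", rf"{TMP}\IXP000.TMP\Actively.exe.pif"),
    (4348, 4304, rf"{SYS}\PING.EXE", "ping localhost -n 5"),
    (2004, 4944, rf"{SYS}\PING.EXE", "ping -n 5 localhost"),
]]

SCRIPT_EXTS = {".bat", ".cmd"}
AV_PROCESSES = {"avastui.exe", "avgui.exe"}          # the two names probed in this report
REDIRECT_RE = re.compile(r'<\s*"?([^\s"&|<>]+)')
IMAGENAME_RE = re.compile(r'imagename\s+eq\s+"?([\w.\-]+)', re.I)
MARKER_RE = re.compile(r'/V\b.*?"\^([^"$]+)\$"\s+"?([^\s"]+)', re.I)
SFX_TEMP_RE = re.compile(r'\\IXP\d{3}\.TMP\\', re.I)


def stdin_script_redirect(ev, parent):
    """cmd.exe fed a script on stdin from a file that is not a .bat/.cmd."""
    m = REDIRECT_RE.search(ev.cmdline) if ev.name == "cmd.exe" else None
    if m and PureWindowsPath(m.group(1)).suffix.lower() not in SCRIPT_EXTS:
        return f"script read from {m.group(1)}"


def av_process_discovery(ev, parent):
    """tasklist /FI "imagename eq <AV process>" probing for a security product."""
    m = IMAGENAME_RE.search(ev.cmdline) if ev.name == "tasklist.exe" else None
    if m and m.group(1).lower() in AV_PROCESSES:
        return f"probes for {m.group(1)}"


def findstr_marker_strip(ev, parent):
    """findstr /V /R "^marker$" <file>: drops marker lines to rebuild an embedded file."""
    m = MARKER_RE.search(ev.cmdline) if ev.name == "findstr.exe" else None
    if m:
        return f"strips marker {m.group(1)} from {m.group(2)}"


def pif_from_sfx_temp(ev, parent):
    """A .pif launched from an IXP###.TMP directory (Windows self-extractor temp dir)."""
    if ev.name.endswith(".pif") and SFX_TEMP_RE.search(ev.image):
        return "dropped .pif run from self-extractor temp dir"


def self_spawn_outside_windows(ev, parent):
    """Child image identical to its parent's, outside C:\\Windows: hollowing candidate."""
    if parent and ev.image.lower() == parent.image.lower() \
            and not ev.image.lower().startswith("c:\\windows\\"):
        return f"is a copy of its parent {parent.pid}"


RULES = (stdin_script_redirect, av_process_discovery, findstr_marker_strip,
         pif_from_sfx_temp, self_spawn_outside_windows)


def detect(events):
    """[(pid, rule name, detail)] for every rule that fires on every event."""
    by_pid = {e.pid: e for e in events}
    return [(ev.pid, rule.__name__, d) for ev in events for rule in RULES
            if (d := rule(ev, by_pid.get(ev.ppid)))]


def chains(events, threshold=4):
    """Distinct rules fired under each root process; >= threshold marks a chain."""
    by_pid = {e.pid: e for e in events}
    rules_by_root = defaultdict(set)
    for pid, rule, _ in detect(events):
        while by_pid[pid].ppid in by_pid:          # climb to the submitted sample
            pid = by_pid[pid].ppid
        rules_by_root[pid].add(rule)
    return {r: sorted(s) for r, s in rules_by_root.items() if len(s) >= threshold}
```

On real telemetry the Event fields map onto Sysmon event 1 or any EDR process-creation record (ProcessId, ParentProcessId, Image, CommandLine). Two design points: the self-spawn rule ignores images under C:\Windows so that the cmd.exe -> cmd.exe step does not fire, leaving only the Actively.exe.pif -> Actively.exe.pif hollowing; and the findstr rule keys on the /V plus anchored-marker shape rather than on an output redirect, because the redirect is not visible in the child's own command line here either. Grouping hits by root process is what turns five low-confidence single events into one high-confidence chain.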
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize  924KB  (listed 3 times)
  MD5     6987e4cd3f256462f422326a7ef115b9
  SHA1    71672a495b4603ecfec40a65254cb3ba8766bbe0
  SHA256  3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
  SHA512  4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Filesize  1.6MB  (listed 6 times)
  MD5     4f3387277ccbd6d1f21ac5c07fe4ca68
  SHA1    e16506f662dc92023bf82def1d621497c8ab5890
  SHA256  767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
  SHA512  9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Filesize  11KB
  MD5     5d0469a1e816e965cd346d8ba30b28f5
  SHA1    a2f79b197da7abe6a917928a9557de7e5a6f1796
  SHA256  463a10b81a8f5c4af516d625532482fc104aa8beb8c89a688e21ba8e4d00d97f
  SHA512  08850e22a9ba9479f6f8e727421feff68d5dcebb80c58f77ba5ae607e8e2a2ae4050de40f81f9c58fbb67c40a4f9c6b4c665c2d42206823dc0ee84db9b666d32

Filesize  924KB
  MD5     545276413a197c589079736c0ef600de
  SHA1    123bf26466ca4e9a7455d062d879e59767f988ea
  SHA256  ef65bc00ca7ed7edb46131cebaa59b70ca2126d1ddfe45953e711553b4813b93
  SHA512  3190b0c6e81c98ad2d14fb5966c6fe63e7f1ed1b821ea0e1ee3d692d9dbe664ee45dbc4caf4695a3495ede137cbde976afd5a7e17749a664eda5504a4d9327b1

Filesize  816KB
  MD5     4ffd563ff148d0e4a73e2eb5e1e9fd70
  SHA1    19d14c6887810ee41fbdcd5c264439901f987d53
  SHA256  3a4ecc310ee4a9019145e92fce4efbe1f80031c645768255247e9a7c6046cf46
  SHA512  1ca14857567e6878a455d5d6f5429dcada7c9f2fc095ca9bcd9fc0cf17462fe1bd99cc1cb041f3bea7f5473945e51846b426c301638e3882d10357e1cbce003c