Analysis

  • max time kernel
    145s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2022, 01:48

General

  • Target

    862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe

  • Size

    81KB

  • MD5

    0ebe7ac38810d5c97d9906ce8932bf2c

  • SHA1

    1a82bc74026e8e97103ead39fb4199b981140779

  • SHA256

    862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6

  • SHA512

    3020310d2ac0275c8f5545b861773948ead039335e4943bc221c462a8111aaa71c0ec468c4a199ed2252313a556e7a585ea173697b21c614d005dcfdd8ae44fd

  • SSDEEP

    1536:q1DIsjedzv1GNJf9iYCOMYw1csRTytngW1NCCAN4z+t0CFfLz:q1DI8M4NpyYwmemn2Tp

Malware Config

Signatures

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe
    "C:\Users\Admin\AppData\Local\Temp\862fe2efe19fb6fcb90f1eb3c01b30cece654acf3adcbbdc711165a08a18cdf6.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\lskyqon.dll,htbsxcf
      2⤵
      • Loads dropped DLL
      PID:4980

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\evqkzue.dll

    Filesize

    56KB

    MD5

    d484ac0844a15c92cd58a39133732998

    SHA1

    e28f9d5c1e659d28d5c0c9d72df65790dcfb9573

    SHA256

    735299938b7a61f40b1b254b7f4ca39c9896c613f5da7639b49a089dc2f5f73b

    SHA512

    6d67bf50910155d55e414072843db4cd31b97a3cc6f0ab47298c673885dce0d8a54e836dcab4306c8b70f2b045b82021f9d0595678ece9002b2d3f27f0f9d441

  • C:\Windows\SysWOW64\lskyqon.dll

    Filesize

    48KB

    MD5

    d7c5f0ebb46d417f909d7f31885b0311

    SHA1

    29cca02c7033ae876f077146eaa673d784b13fe3

    SHA256

    755ca5979f28c1d7c8e6994211682e17f7da9c0f206a5141d839cb8fb3641052

    SHA512

    260970f6d6ccf9d0550bed7a31380a8891bca0dd96385d1a8597d40299a919c19deb70cad42c778c170435fd1e8b32ef7cbcd6d6580fdef0d73313cd4cffae76

  • memory/4964-136-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4964-137-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

  • memory/4964-142-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4964-143-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4964-144-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

  • memory/4980-141-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB