Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 137s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 24/11/2022, 03:56
Behavioral task behavioral1
  Sample: d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
  Resource: win7-20220901-en
Behavioral task behavioral2
  Sample: d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
  Resource: win10v2004-20220812-en
(The signatures, PIDs and process tree below are from behavioral1, the Windows 7 run.)
General
Target: d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
Size: 1.1MB
MD5: 137319b57917990ab6f6194ce1e1bddb
SHA1: 81bf8fa08378780f518daebc73d0d75131551d59
SHA256: d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9
SHA512: 92ddf23265a9c631ee421590d44fc19483cda59c7c93d055c434aad41a14d394797d5dd0765fb5baf67cf512ae336d7115215dfec9754e8d4ace7b514c8b335e
SSDEEP: 24576:tY3l3nbWmJVJFwSddIXvfhqbiaxvRxq9DmS+s+:tYxamdZdcBYJs+
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"  (process: LocalLzafYSOLLn.exe)
  Winlogon runs every comma-separated entry of Userinit at interactive logon, so the appended msdcsc.exe path is started for any user who logs on, not only the account that ran the sample. The key lives under HKLM, which standard users cannot write; the write succeeding means the dropper ran with administrative rights in the sandbox.
Executes dropped EXE (2 IoCs)
  PID 1292 LocalLzafYSOLLn.exe
  PID 568 msdcsc.exe
Loads dropped DLL (2 IoCs)
  PID 1292 LocalLzafYSOLLn.exe (two loads)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"  (process: LocalLzafYSOLLn.exe)
  This is the per-user Run key (HKCU of the logged-on account, SID ...-1000), a second persistence path for the same msdcsc.exe binary that survives even if the Userinit entry is cleaned up on its own.
Suspicious use of SetThreadContext (1 IoC)
  PID 568 msdcsc.exe set thread context of PID 1524 iexplore.exe (procid_target 30)
  Together with the six WriteProcessMemory calls from PID 568 into PID 1524 listed below, this is consistent with process hollowing: a legitimate host (here Internet Explorer) is started, the payload is written into it, and SetThreadContext redirects its main thread into the written code.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; nothing else in this report shows file encryption.)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1292 LocalLzafYSOLLn.exe (23 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 568 msdcsc.exe (23 tokens): the same 23 privileges, in the same order
  PID 1524 iexplore.exe (18 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
  The numeric entries are privilege LUIDs the sandbox could not name: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege and 35 SeCreateSymbolicLinkPrivilege. Enabling the entire set in one pass, rather than the one or two a program needs, is the footprint of an "enable all privileges" routine; that the same walk happens inside iexplore.exe, which has no reason to do this, is a further sign that the code running in PID 1524 is the injected payload rather than Internet Explorer.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1524 iexplore.exe (the injection target, not one of the dropped binaries)
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1416 d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe wrote to memory of PID 1292 LocalLzafYSOLLn.exe: 4 writes (procid_target 27)
  PID 1292 LocalLzafYSOLLn.exe wrote to memory of PID 568 msdcsc.exe: 4 writes (procid_target 29)
  PID 568 msdcsc.exe wrote to memory of PID 1524 iexplore.exe: 6 writes (procid_target 30)
  The first two pairs are parent-to-child writes recorded while each process is being created; the pair to act on is msdcsc.exe into iexplore.exe, which is also the target of the SetThreadContext call above.
Processes
1. C:\Users\Admin\AppData\Local\Temp\d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe"
   PID: 1416
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\LocalLzafYSOLLn.exe
      command line: "C:\Users\Admin\AppData\LocalLzafYSOLLn.exe"
      PID: 1292
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
         command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
         PID: 568
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            PID: 1524
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
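The tree above is a four-stage chain in which only the last hop (msdcsc.exe into iexplore.exe) carries both memory writes and a SetThreadContext call. The script below is an added example, not part of the Triage report: it rebuilds the tree from a pid-to-parent map and correlates a constructed event stream (the same write and thread-context counts as this report) into hollowing candidates, deliberately ignoring parent-to-child writes that have no thread-context change, since those occur on every process creation.

```python
"""Correlate WriteProcessMemory and SetThreadContext events from a sandbox
run into process-hollowing candidates.  Added example modelled on this
report's process tree; it is not part of the Triage page."""
from collections import defaultdict

SAMPLE = "d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe"

# Process tree from the report: pid -> (image name, parent pid).
PROCESS_TREE = {
    1416: (SAMPLE, None),
    1292: ("LocalLzafYSOLLn.exe", 1416),
    568: ("msdcsc.exe", 1292),
    1524: ("iexplore.exe", 568),
}

# Constructed event stream, (action, source pid, target pid), with the same
# counts as the report's "wrote to memory of" / "set thread context of" IoCs.
CONSTRUCTED_EVENTS = (
    [("write", 1416, 1292)] * 4
    + [("write", 1292, 568)] * 4
    + [("write", 568, 1524)] * 6
    + [("set_thread_context", 568, 1524)]
)


def hollowing_candidates(events, tree):
    """Pairs where one process both wrote into another and replaced its thread
    context.  Writes alone are never reported: a parent writes into a child it
    has just created on every CreateProcess."""
    writes = defaultdict(int)
    context_sets = set()
    for action, src, dst in events:
        if action == "write":
            writes[(src, dst)] += 1
        elif action == "set_thread_context":
            context_sets.add((src, dst))

    findings = []
    for src, dst in sorted(context_sets):
        if writes[(src, dst)] == 0:
            continue  # context change without a prior write: out of scope here
        findings.append({
            "injector": src,
            "injector_image": tree[src][0],
            "target": dst,
            "target_image": tree[dst][0],
            "target_is_child": tree[dst][1] == src,  # classic hollowing spawns its host
            "write_count": writes[(src, dst)],
        })
    return findings


def render_tree(tree, indent="  "):
    """Render the process tree as indented lines, one per process."""
    children = defaultdict(list)
    roots = []
    for pid, (_image, parent) in tree.items():
        (roots if parent is None else children[parent]).append(pid)

    lines = []

    def walk(pid, depth):
        lines.append(f"{indent * depth}{tree[pid][0]} (PID {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESS_TREE)))
    for f in hollowing_candidates(CONSTRUCTED_EVENTS, PROCESS_TREE):
        print(f"{f['injector_image']} ({f['injector']}) -> "
              f"{f['target_image']} ({f['target']}): "
              f"{f['write_count']} writes, thread context replaced")
```

On real telemetry (Sysmon event 8 or 10 plus an EDR thread-context event) the same join works; the useful extra filter is that the target image is a signed system binary whose parent is not its usual launcher, which is exactly the case for iexplore.exe started by a file under ProgramData\...\Start Menu.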
Network
MITRE ATT&CK Enterprise v6
Downloads
The Downloads list holds six entries with identical hashes, i.e. one 723KB dropped artefact recorded six times. Its hash differs from the submitted 1.1MB sample, so it is a distinct dropped stage; pivot on this SHA256 as well as on the submission hash.
  Filesize: 723KB
  MD5: f302d36bd8d7f3f84fe74ed6fdafaf0a
  SHA1: 634bf8474a6c38772190ade14a8e6a56451d3fe6
  SHA256: a463d36d76190c6b4b2a21aeb1a30e1d647f70cfaa33718dd4c55d3076754468
  SHA512: d329d3c1f8524c411917e838e45c22b04097eab8feb46c40136233703726a5e81a8fcd7113776db0cc9fff70dd81c5b89ab70b7714f3a03cf9c9a8fde87be483