Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/11/2022, 03:56
Behavioral task behavioral1
Sample: d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
Resource: win10v2004-20220812-en
General
Target: d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
Size: 1.1MB
MD5: 137319b57917990ab6f6194ce1e1bddb
SHA1: 81bf8fa08378780f518daebc73d0d75131551d59
SHA256: d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9
SHA512: 92ddf23265a9c631ee421590d44fc19483cda59c7c93d055c434aad41a14d394797d5dd0765fb5baf67cf512ae336d7115215dfec9754e8d4ace7b514c8b335e
SSDEEP: 24576:tY3l3nbWmJVJFwSddIXvfhqbiaxvRxq9DmS+s+:tYxamdZdcBYJs+
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | LocalLzafYSOLLn.exe

Executes dropped EXE (2 IoCs)
pid | Process
4944 | LocalLzafYSOLLn.exe
620 | msdcsc.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | LocalLzafYSOLLn.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | LocalLzafYSOLLn.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
pid | Process | Tokens
4944 | LocalLzafYSOLLn.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
620 | msdcsc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
620 | msdcsc.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2836 wrote to memory of 4944 | 2836 | d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe | 80
PID 2836 wrote to memory of 4944 | 2836 | d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe | 80
PID 2836 wrote to memory of 4944 | 2836 | d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe | 80
PID 4944 wrote to memory of 620 | 4944 | LocalLzafYSOLLn.exe | 81
PID 4944 wrote to memory of 620 | 4944 | LocalLzafYSOLLn.exe | 81
PID 4944 wrote to memory of 620 | 4944 | LocalLzafYSOLLn.exe | 81
PID 620 wrote to memory of 4956 | 620 | msdcsc.exe | 82
PID 620 wrote to memory of 4956 | 620 | msdcsc.exe | 82
PID 620 wrote to memory of 4956 | 620 | msdcsc.exe | 82
PID 620 wrote to memory of 4504 | 620 | msdcsc.exe | 83
PID 620 wrote to memory of 4504 | 620 | msdcsc.exe | 83
Processes (tree; indentation shows parent/child)

1. C:\Users\Admin\AppData\Local\Temp\d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe"
   PID: 2836
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\LocalLzafYSOLLn.exe
      command line: "C:\Users\Admin\AppData\LocalLzafYSOLLn.exe"
      PID: 4944
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
         command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
         PID: 620
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            PID: 4956

         4. C:\Windows\explorer.exe
            command line: "C:\Windows\explorer.exe"
            PID: 4504
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 723KB
MD5: f302d36bd8d7f3f84fe74ed6fdafaf0a
SHA1: 634bf8474a6c38772190ade14a8e6a56451d3fe6
SHA256: a463d36d76190c6b4b2a21aeb1a30e1d647f70cfaa33718dd4c55d3076754468
SHA512: d329d3c1f8524c411917e838e45c22b04097eab8feb46c40136233703726a5e81a8fcd7113776db0cc9fff70dd81c5b89ab70b7714f3a03cf9c9a8fde87be483