Analysis
max time kernel: 142s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/12/2022, 20:14
Static task: static1
Behavioral task: behavioral1
  Sample: d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe
  Resource: win10v2004-20220812-en
General
Target: d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe
Size: 16KB
MD5: ce9deff846866c2ae98450377b60c038
SHA1: 5b7158706142c10fb8166bdc178adb655391f8fa
SHA256: d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00
SHA512: ca2142eab1d9d198cbc57494902445c11b3faf93d4489e0554dfc5b7cedf33c9818d47772f627aff292544c8ea9152694f1acdeda5cb8e3be746ef1e19797bc3
SSDEEP: 384:kU/soECZv8fA8w6leg3MxuMkEb/erdjrEo7Zhqv/VVU:HEaQvogWKWv/U
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  (process: LYLOADER.EXE)
  Entries under Policies\Explorer\Run are started by Explorer at logon just like the ordinary CurrentVersion\Run key, but the location is audited far less often; when hunting for this persistence, check it alongside the Run and RunOnce keys.
Executes dropped EXE (1 IoC)
  PID 3776  LYLOADER.EXE
Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\LYMANGR.DLL  (process: LYLOADER.EXE)
  File created: C:\Windows\SysWOW64\MSDEG32.DLL  (process: LYLOADER.EXE)
  File created: C:\Windows\SysWOW64\REGKEY.hiv  (process: LYLOADER.EXE)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 3776  LYLOADER.EXE  (4 occurrences)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeRestorePrivilege  PID 3776  LYLOADER.EXE
  Token: SeDebugPrivilege  PID 3776  LYLOADER.EXE
  SeDebugPrivilege is what a process needs to open processes it does not own, which fits the write into Explorer.EXE recorded below. SeRestorePrivilege is the privilege RegRestoreKey and RegLoadKey require; together with a dropped file named REGKEY.hiv, the registry activity of PID 3776 is the next thing to check in the full trace.
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   process                                                                 procid_target
  PID 4532 wrote to memory of 3776   4532  d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe   78
  PID 4532 wrote to memory of 3776   4532  d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe   78
  PID 4532 wrote to memory of 3776   4532  d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe   78
  PID 3776 wrote to memory of 372    3776  LYLOADER.EXE                                                            39
  The first three rows are the submitted sample (4532) writing into LYLOADER.EXE (3776), the child it launched (see the process tree). The last row is LYLOADER.EXE writing into Explorer.EXE (372), a process it did not create; that cross-process write is the one to follow up.
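The signatures above translate directly into host-telemetry detection rules. The following is an added example, not part of the tria.ge report or of the sample: it encodes each signature as a rule and runs the rules over constructed Sysmon-style events that mirror the report's IoCs. The event schema (the type, image, target, pid and parent_pid fields) is an assumption made for this illustration, not a real sensor format, and the file_create of LYLOADER.EXE by the sample is constructed from the "Executes dropped EXE" signature rather than taken from a recorded event.

```python
"""Detection rules for the behaviours in the Signatures section.

Added example, not part of the tria.ge report. Event records are constructed
to resemble Sysmon-style telemetry; the field names are an assumed schema.
"""
import ntpath
import re

# Hashes taken from the report: the submitted sample and the 12KB dropped file.
KNOWN_BAD_SHA256 = {
    "d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00": "submitted sample",
    "aa49b3263cc648c88ed1e855913a1fb3b97794785d86e5531d11cdb9c9e88858": "dropped 12KB file",
}

# HKLM\...\Policies\Explorer\Run in the kernel (\REGISTRY\MACHINE) or hive-root spelling.
POLICY_RUN_KEY = re.compile(
    r"(?:REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Policies\\Explorer\\Run",
    re.IGNORECASE,
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# SeDebugPrivilege opens other users' processes; SeRestorePrivilege is what
# RegRestoreKey / RegLoadKey require.
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeRestorePrivilege"}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE"
EXPLORER = r"C:\Windows\Explorer.EXE"


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def scan(events):
    """Apply every rule to the event stream; returns {rule_name: [detail, ...]}."""
    hits = {}
    dropped = set()   # files written earlier in this trace (for "executes dropped EXE")
    parents = {}      # pid -> parent pid, from process_create events

    def hit(rule, detail):
        hits.setdefault(rule, []).append(detail)

    for ev in events:
        kind, image = ev["type"], ev.get("image", "")
        if kind == "file_create":
            target = ev["target"]
            dropped.add(target.lower())
            # A write into System32/SysWOW64 by a process that does not itself live there.
            if in_system_dir(target) and not in_system_dir(image):
                hit("drops_file_in_system_dir", target)
        elif kind == "process_create":
            parents[ev["pid"]] = ev.get("parent_pid")
            sha = ev.get("sha256", "").lower()
            if sha in KNOWN_BAD_SHA256:
                hit("known_hash", KNOWN_BAD_SHA256[sha])
            if image.lower() in dropped:
                hit("executes_dropped_exe", image)
        elif kind == "registry_create" and POLICY_RUN_KEY.search(ev["key"]):
            hit("policy_run_key", ev["key"])
        elif kind == "privilege_adjust":
            enabled = SENSITIVE_PRIVS & set(ev.get("enabled", ()))
            if enabled:
                hit("sensitive_privilege", ",".join(sorted(enabled)))
        elif kind == "process_access":
            # A parent writing into the child it just created is routine; a write
            # into any other process is the injection-shaped case.
            if parents.get(ev["target_pid"]) != ev["pid"]:
                hit("cross_process_write", f"{ev['pid']} -> {ev['target_pid']} ({ev['target_image']})")
    return hits


# Constructed events mirroring the report (not real sensor output).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4532, "parent_pid": 372, "image": DROPPER,
     "sha256": "d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00"},
    {"type": "file_create", "pid": 4532, "image": DROPPER, "target": LOADER},
    {"type": "process_create", "pid": 3776, "parent_pid": 4532, "image": LOADER},
    {"type": "process_access", "pid": 4532, "image": DROPPER, "target_pid": 3776, "target_image": LOADER},
    {"type": "process_access", "pid": 4532, "image": DROPPER, "target_pid": 3776, "target_image": LOADER},
    {"type": "process_access", "pid": 4532, "image": DROPPER, "target_pid": 3776, "target_image": LOADER},
    {"type": "registry_create", "pid": 3776, "image": LOADER,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"},
    {"type": "file_create", "pid": 3776, "image": LOADER, "target": r"C:\Windows\SysWOW64\LYMANGR.DLL"},
    {"type": "file_create", "pid": 3776, "image": LOADER, "target": r"C:\Windows\SysWOW64\MSDEG32.DLL"},
    {"type": "file_create", "pid": 3776, "image": LOADER, "target": r"C:\Windows\SysWOW64\REGKEY.hiv"},
    {"type": "privilege_adjust", "pid": 3776, "image": LOADER, "enabled": ["SeRestorePrivilege", "SeDebugPrivilege"]},
    {"type": "process_access", "pid": 3776, "image": LOADER, "target_pid": 372, "target_image": EXPLORER},
    # Benign noise that must not fire: a system binary writing under System32,
    # and a per-user Run key (not the Policies key).
    {"type": "file_create", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\LogFiles\service.log"},
    {"type": "registry_create", "pid": 1200, "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for rule, details in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {details}")
```

The cross_process_write rule uses the parent map rather than a fixed "into explorer.exe" match so that it flags the one write the report singles out (3776 into 372) and stays quiet on the three parent-to-child writes from 4532, which every process launch produces.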
Processes
C:\Windows\Explorer.EXE  (PID 372)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe  (PID 4532)
    command line: "C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE  (PID 3776)
      command line: C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE "C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe"
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 12KB
MD5: 438bd710f35da05dab5f74a5c1eaadc8
SHA1: e2e16112fe04df81d37b6aa0524bfb6cde0330ad
SHA256: aa49b3263cc648c88ed1e855913a1fb3b97794785d86e5531d11cdb9c9e88858
SHA512: cb98c5552b77c24547c70e938ba01ecfc01a7d3002b7bd801d420f61428faccff5949ae2ff055963485f2b80f4b8f4fc77864c71161b57380a823cf2e6d81229