Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2022, 20:14

General

  • Target

    d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe

  • Size

    16KB

  • MD5

    ce9deff846866c2ae98450377b60c038

  • SHA1

    5b7158706142c10fb8166bdc178adb655391f8fa

  • SHA256

    d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00

  • SHA512

    ca2142eab1d9d198cbc57494902445c11b3faf93d4489e0554dfc5b7cedf33c9818d47772f627aff292544c8ea9152694f1acdeda5cb8e3be746ef1e19797bc3

  • SSDEEP

    384:kU/soECZv8fA8w6leg3MxuMkEb/erdjrEo7Zhqv/VVU:HEaQvogWKWv/U

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:372
      • C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe
        "C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE
          C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE "C:\Users\Admin\AppData\Local\Temp\d0d4d88be47927bedf0f73c06c398cb06bef95d98d78d6930e26f2c3c30e6c00.exe"
          3⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3776

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE

      Filesize

      12KB

      MD5

      438bd710f35da05dab5f74a5c1eaadc8

      SHA1

      e2e16112fe04df81d37b6aa0524bfb6cde0330ad

      SHA256

      aa49b3263cc648c88ed1e855913a1fb3b97794785d86e5531d11cdb9c9e88858

      SHA512

      cb98c5552b77c24547c70e938ba01ecfc01a7d3002b7bd801d420f61428faccff5949ae2ff055963485f2b80f4b8f4fc77864c71161b57380a823cf2e6d81229

    • C:\Users\Admin\AppData\Local\Temp\LYLOADER.EXE

      Filesize

      12KB

      MD5

      438bd710f35da05dab5f74a5c1eaadc8

      SHA1

      e2e16112fe04df81d37b6aa0524bfb6cde0330ad

      SHA256

      aa49b3263cc648c88ed1e855913a1fb3b97794785d86e5531d11cdb9c9e88858

      SHA512

      cb98c5552b77c24547c70e938ba01ecfc01a7d3002b7bd801d420f61428faccff5949ae2ff055963485f2b80f4b8f4fc77864c71161b57380a823cf2e6d81229