Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

LCALPC.exe

windows10-2004-x64

7

Resubmissions

18/09/2023, 11:22

230918-ngklgsgh6w 8

18/09/2023, 11:20

230918-nfx57agh51 7

18/09/2023, 04:17

230918-ewdbaaeh8s 3

Analysis

  • max time kernel
    33s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/09/2023, 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LCALPC.exe

  • Size

    3.3MB

  • MD5

    4c268a0c963b7809565ce22c296a8c79

  • SHA1

    8c218f1d34d56a4feae367e019c958175286c993

  • SHA256

    112a0ff26e12fdd7fd499eec86d2050fa12eb5d9a74ec9f5cfc820c676f88409

  • SHA512

    1e6372a932832e4df14adb7d584fce6d594571354d753af597a46f60936d4d492543d07f3158c3c4b85dd8303300095d090b28b08426415c0305bd06b095f851

  • SSDEEP

    49152:XX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85QB:XlRsZ47/QXoHUOfAoj1x6B

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LCALPC.exe
    "C:\Users\Admin\AppData\Local\Temp\LCALPC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4280
    • C:\Users\Admin\AppData\Local\Temp\LCALPC.exe
      "C:\Users\Admin\AppData\Local\Temp\LCALPC.exe" connect --disableUpdate=1 --hideConsole=1 --exitPID=4940
      2⤵
      • Modifies data under HKEY_USERS
      PID:1124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\746CC6E6608D0187EA705E1DB5203EF1E13324FC
    Filesize

    1KB

    MD5

    945b4e542349bfc2ce8d9ee83e792b64

    SHA1

    06bff638c1ca9f400b08b38d568645340e95416f

    SHA256

    da65060b556b2789a5e3b8ae0ac2cf2edcc43dc8c79273dc27832d4f87677852

    SHA512

    67b2d70fa9ebf6a1863edeb74df491657067bd051e845150afa8d74d72d1f8e10da39e225d56dee43045698eeebf9a0a10d788799f4917f2d41cf155a614b102

    Download Submit