Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/09/2023, 11:22
230918-ngklgsgh6w 818/09/2023, 11:20
230918-nfx57agh51 718/09/2023, 04:17
230918-ewdbaaeh8s 3Analysis
-
max time kernel
138s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
18/09/2023, 11:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
LCALPC.exe
Resource
win7-20230831-en
windows7-x64
7 signatures
600 seconds
Behavioral task
behavioral2
Sample
LCALPC.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
19 signatures
600 seconds
General
-
Target
LCALPC.exe
-
Size
3.3MB
-
MD5
4c268a0c963b7809565ce22c296a8c79
-
SHA1
8c218f1d34d56a4feae367e019c958175286c993
-
SHA256
112a0ff26e12fdd7fd499eec86d2050fa12eb5d9a74ec9f5cfc820c676f88409
-
SHA512
1e6372a932832e4df14adb7d584fce6d594571354d753af597a46f60936d4d492543d07f3158c3c4b85dd8303300095d090b28b08426415c0305bd06b095f851
-
SSDEEP
49152:XX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85QB:XlRsZ47/QXoHUOfAoj1x6B
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2612 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1172 wmic.exe Token: SeSecurityPrivilege 1172 wmic.exe Token: SeTakeOwnershipPrivilege 1172 wmic.exe Token: SeLoadDriverPrivilege 1172 wmic.exe Token: SeSystemProfilePrivilege 1172 wmic.exe Token: SeSystemtimePrivilege 1172 wmic.exe Token: SeProfSingleProcessPrivilege 1172 wmic.exe Token: SeIncBasePriorityPrivilege 1172 wmic.exe Token: SeCreatePagefilePrivilege 1172 wmic.exe Token: SeBackupPrivilege 1172 wmic.exe Token: SeRestorePrivilege 1172 wmic.exe Token: SeShutdownPrivilege 1172 wmic.exe Token: SeDebugPrivilege 1172 wmic.exe Token: SeSystemEnvironmentPrivilege 1172 wmic.exe Token: SeRemoteShutdownPrivilege 1172 wmic.exe Token: SeUndockPrivilege 1172 wmic.exe Token: SeManageVolumePrivilege 1172 wmic.exe Token: 33 1172 wmic.exe Token: 34 1172 wmic.exe Token: 35 1172 wmic.exe Token: SeIncreaseQuotaPrivilege 1172 wmic.exe Token: SeSecurityPrivilege 1172 wmic.exe Token: SeTakeOwnershipPrivilege 1172 wmic.exe Token: SeLoadDriverPrivilege 1172 wmic.exe Token: SeSystemProfilePrivilege 1172 wmic.exe Token: SeSystemtimePrivilege 1172 wmic.exe Token: SeProfSingleProcessPrivilege 1172 wmic.exe Token: SeIncBasePriorityPrivilege 1172 wmic.exe Token: SeCreatePagefilePrivilege 1172 wmic.exe Token: SeBackupPrivilege 1172 wmic.exe Token: SeRestorePrivilege 1172 wmic.exe Token: SeShutdownPrivilege 1172 wmic.exe Token: SeDebugPrivilege 1172 wmic.exe Token: SeSystemEnvironmentPrivilege 1172 wmic.exe Token: SeRemoteShutdownPrivilege 1172 wmic.exe Token: SeUndockPrivilege 1172 wmic.exe Token: SeManageVolumePrivilege 1172 wmic.exe Token: 33 1172 wmic.exe Token: 34 1172 wmic.exe Token: 35 1172 wmic.exe Token: SeDebugPrivilege 2612 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe 2612 taskmgr.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1172 2220 LCALPC.exe 30 PID 2220 wrote to memory of 1172 2220 LCALPC.exe 30 PID 2220 wrote to memory of 1172 2220 LCALPC.exe 30 PID 2220 wrote to memory of 2736 2220 LCALPC.exe 32 PID 2220 wrote to memory of 2736 2220 LCALPC.exe 32 PID 2220 wrote to memory of 2736 2220 LCALPC.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\LCALPC.exe"C:\Users\Admin\AppData\Local\Temp\LCALPC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Users\Admin\AppData\Local\Temp\LCALPC.exe"C:\Users\Admin\AppData\Local\Temp\LCALPC.exe" connect --disableUpdate=1 --hideConsole=1 --exitPID=22202⤵PID:2736
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2612