Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 148s
max time network: 131s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2023, 06:13
Behavioral task behavioral1: sample 9a2206d003d9d376706d886d987773f6_JC.exe, resource win7-20230831-en
Behavioral task behavioral2: sample 9a2206d003d9d376706d886d987773f6_JC.exe, resource win10v2004-20230915-en
General
Target: 9a2206d003d9d376706d886d987773f6_JC.exe
Size: 132KB
MD5: 9a2206d003d9d376706d886d987773f6
SHA1: 22215da078d6a8ea5ca7d84a23c38bcadd0513ef
SHA256: 71e842200ac81b7d9d05992724e80618f8cf38b935b056dc741c08d187c0d013
SHA512: 0f8729d01296e6725ac0fe349dd4714f1788b7793d0ef73eddc261c5fb2d7376fada6a89167d5b5d31d3fc3a753c85fcd3c183b94dcf8dd8ffbbaa3d9300baf2
SSDEEP: 1536:B3aacz2htqkUla/NGVcJ/gAqcX0JMseuiGSeNVvDi0tMuUJJny3GM+90:Ua/qc9rqzMseNoVv9EJFnM80
Malware Config
Signatures
- Blocklisted process makes network request (9 IoCs)
  flow  pid   process
  3     1516  rundll32.exe
  7     1516  rundll32.exe
  8     1516  rundll32.exe
  9     1516  rundll32.exe
  10    1516  rundll32.exe
  13    1516  rundll32.exe
  14    1516  rundll32.exe
  15    1516  rundll32.exe
  17    1516  rundll32.exe
- Deletes itself (1 IoC)
  pid   process
  2292  lgainr.exe
- Executes dropped EXE (1 IoC)
  pid   process
  2292  lgainr.exe
- Loads dropped DLL (4 IoCs)
  pid   process
  1516  rundll32.exe (4 loads)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- UPX packed file (yara rule upx, 5 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2480-0-0x0000000000400000-0x0000000000423000-memory.dmp  upx
  behavioral1/memory/2480-2-0x0000000000400000-0x0000000000423000-memory.dmp  upx
  behavioral1/files/0x00060000000120e4-3.dat                                  upx
  behavioral1/files/0x00060000000120e4-4.dat                                  upx
  behavioral1/memory/2292-6-0x0000000000400000-0x0000000000423000-memory.dmp  upx
  The same packed image is seen in the original process (2480), in the dropped file and in the dropped copy's process (2292).
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\mxlnz\\bnjvg.dll\",init"
  process: rundll32.exe
  This is the same rundll32 command line that PID 1516 is already running, so the dropped DLL is re-launched at every logon of this user.
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     process
  File opened (read-only)  \??\a:  rundll32.exe
  File opened (read-only)  \??\b:  rundll32.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                 process
  File opened for modification   \??\PHYSICALDRIVE0  rundll32.exe
  The trigger is the write-capable handle on the raw disk; the report records the open, not the bytes written, so confirm the actual MBR change from a disk image before treating this as a bootkit.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid   process
  2044  PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  1516  rundll32.exe (2 enumerations)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1516  rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  2480  9a2206d003d9d376706d886d987773f6_JC.exe
  2292  lgainr.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  writer pid  writer process                           target pid  target process  procid_target  writes
  2480        9a2206d003d9d376706d886d987773f6_JC.exe  2460        cmd.exe         28             4
  2460        cmd.exe                                  2044        PING.EXE        30             4
  2460        cmd.exe                                  2292        lgainr.exe      31             4
  2292        lgainr.exe                               1516        rundll32.exe    32             7
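The Run key recorded above is the classic proxy-execution persistence shape: a trusted system binary (rundll32.exe) is the autostart image, and the payload is a DLL in a directory the malware created. A check for that shape, written here as an added example (not part of the report or of tria.ge's tooling), parses Run value data the way the shell does and flags rundll32/regsvr32 values whose module lives outside the Windows or Program Files roots. The EvtMgr value is the one from the report with its escaping removed; the other sample values and the TRUSTED_ROOTS list are assumptions for the example.

```python
"""Flag Run-key values that launch a DLL through rundll32/regsvr32 from an
untrusted path, the persistence pattern recorded in this report.
Added example, not part of the report or of tria.ge; the EvtMgr value is
copied from the report, the other samples are constructed."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumption: default install roots on a Windows image; extend for your estate.
TRUSTED_ROOTS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)
PROXY_EXECUTABLES = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class RunValueVerdict:
    name: str
    image: str                  # program the value launches
    dll: Optional[str]          # module handed to rundll32/regsvr32, if any
    export: Optional[str]       # rundll32 entry point after the comma
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def tokenize(command: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def under_trusted_root(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def assess_run_value(name: str, command: str) -> RunValueVerdict:
    tokens = tokenize(command)
    image = tokens[0] if tokens else ""
    exe = PureWindowsPath(image).name.lower()
    dll: Optional[str] = None
    export: Optional[str] = None
    reasons: List[str] = []

    if exe in PROXY_EXECUTABLES:
        # Drop switches such as regsvr32's /s; what remains starts with the module.
        args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
        if args:
            # rundll32 syntax is <dll>,<export> [args]. When the DLL path is
            # quoted, the ",export" suffix lands in the next token (as in the report).
            dll, _, export = args[0].partition(",")
            if not export and len(args) > 1 and args[1].startswith(","):
                export = args[1][1:]
            if not under_trusted_root(dll):
                reasons.append(f"{exe} loads {dll} from outside the trusted roots")
    elif image and not under_trusted_root(image):
        reasons.append(f"autostart image outside the trusted roots: {image}")

    return RunValueVerdict(name, image, dll, export or None, bool(reasons), reasons)


def scan_run_values(entries: List[Tuple[str, str]]) -> List[RunValueVerdict]:
    """Return only the suspicious verdicts for a list of (value name, data) pairs."""
    return [v for v in (assess_run_value(n, c) for n, c in entries) if v.suspicious]


# Value data as stored in the registry (the report shows it with escaped
# backslashes). The first entry is from the report; the rest are constructed.
SAMPLE_RUN_VALUES = [
    ("EvtMgr", 'c:\\windows\\SysWOW64\\rundll32.exe "c:\\mxlnz\\bnjvg.dll",init'),
    ("VendorAgent", '"C:\\Program Files\\Vendor\\agent.exe" /background'),
    ("Display", "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for v in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"{v.name}: {'; '.join(v.reasons)} (export={v.export})")
```

On a live host the (name, data) pairs come straight from `Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'` (and the HKLM and Wow6432Node equivalents); the path check deliberately ignores the export name, since `init` here is arbitrary and a real campaign will rename it.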
Processes
- C:\Users\Admin\AppData\Local\Temp\9a2206d003d9d376706d886d987773f6_JC.exe (PID 2480)
  command line: "C:\Users\Admin\AppData\Local\Temp\9a2206d003d9d376706d886d987773f6_JC.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2460)
    command line: cmd.exe /c ping 127.0.0.1 -n 2&c:\lgainr.exe "C:\Users\Admin\AppData\Local\Temp\9a2206d003d9d376706d886d987773f6_JC.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2044)
      command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
    - \??\c:\lgainr.exe (PID 2292)
      command line: c:\lgainr.exe "C:\Users\Admin\AppData\Local\Temp\9a2206d003d9d376706d886d987773f6_JC.exe"
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\SysWOW64\rundll32.exe (PID 1516)
        command line: c:\windows\system32\rundll32.exe "c:\mxlnz\bnjvg.dll",init c:\lgainr.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

Reading the chain: the sample's only direct child is cmd.exe, whose command line uses a loopback ping as a short delay and then starts the dropped c:\lgainr.exe with the original file's path as its argument; that copy (PID 2292) is the process credited with "Deletes itself", and it in turn launches rundll32.exe on the dropped c:\mxlnz\bnjvg.dll through the export init, the same command the EvtMgr Run key re-executes at logon. All of the network, disk and registry activity is attributed to that rundll32.exe instance (PID 1516). Its command line names system32 but the recorded image is under SysWOW64: the caller is a 32-bit process, so WOW64 file system redirection resolves the path.
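The cmd.exe line in the tree is the whole self-relocation trick in one string: a loopback ping as a sleep, a command separator, then the dropped copy started with the original file's path so the copy can remove it. The following added example (not part of the report or of tria.ge) rebuilds the process tree from parent/child records and flags that pattern: the event tuples are constructed here from the Processes section, not a sandbox export format, and the PING_DELAY regular expression is an assumption about how the delay is usually written (it also accepts localhost and &&).

```python
"""Rebuild the process chain from this report and flag the delay-then-run
self-relocation pattern in it (loopback ping as a sleep, then a dropped copy
started with the original file's path as its argument).
Added example, not part of the report or of tria.ge; the event tuples below
are constructed from the report's process tree, not a sandbox export format."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


ORIG = r"C:\Users\Admin\AppData\Local\Temp\9a2206d003d9d376706d886d987773f6_JC.exe"

# (pid, parent pid, image path, command line), taken from the Processes section.
EVENTS: List[Tuple[int, int, str, str]] = [
    (2480, 0, ORIG, f'"{ORIG}"'),
    (2460, 2480, r"C:\Windows\SysWOW64\cmd.exe",
     f'cmd.exe /c ping 127.0.0.1 -n 2&c:\\lgainr.exe "{ORIG}"'),
    (2044, 2460, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 2"),
    (2292, 2460, r"c:\lgainr.exe", f'c:\\lgainr.exe "{ORIG}"'),
    (1516, 2292, r"c:\windows\SysWOW64\rundll32.exe",
     r'c:\windows\system32\rundll32.exe "c:\mxlnz\bnjvg.dll",init c:\lgainr.exe'),
]


def build_tree(events) -> Dict[int, Proc]:
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def render(procs: Dict[int, Proc]) -> str:
    """Indented tree, one process per line, for reading the chain top-down."""
    lines: List[str] = []

    def walk(p: Proc, depth: int) -> None:
        lines.append(f"{'  ' * depth}{p.pid} {p.image}  [{p.cmdline}]")
        for c in p.children:
            walk(c, depth + 1)

    for p in procs.values():
        if p.ppid not in procs:      # roots: parent not in the event set
            walk(p, 0)
    return "\n".join(lines)


# Loopback ping used as a sleep, followed by a command separator (& or &&).
PING_DELAY = re.compile(r"ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+[^&]*&&?\s*", re.I)


def tokenize(command: str) -> List[str]:
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def relocation_chains(procs: Dict[int, Proc]) -> List[dict]:
    findings = []
    for p in procs.values():
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = PING_DELAY.search(p.cmdline)
        if not m:
            continue
        tokens = tokenize(p.cmdline[m.end():])     # what runs after the delay
        if not tokens:
            continue
        copy, args = tokens[0], tokens[1:]
        parent = procs.get(p.ppid)
        # Handing the original path to the copy is what lets the copy delete
        # the original once it runs ("Deletes itself" is credited to the copy).
        gets_original = parent is not None and any(a.lower() == parent.image.lower() for a in args)
        spawned = next((c for c in p.children if c.image.lower() == copy.lower()), None)
        findings.append({
            "cmd_pid": p.pid,
            "original": parent.image if parent else None,
            "copy": copy,
            "copy_pid": spawned.pid if spawned else None,
            "copy_gets_original_path": gets_original,
        })
    return findings


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    print(render(tree))
    for finding in relocation_chains(tree):
        print(finding)
```

Fed Sysmon event ID 1 records (ProcessId, ParentProcessId, Image, CommandLine) instead of the constructed tuples, the same two functions give a hunting query for this chain across a fleet; the rundll32 stage is deliberately left to the Run-key check above so the two checks stay independent.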
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- Filesize 132KB (listed twice)
  MD5 d6e605be27b7e013c8383163705f4e26
  SHA1 5b556cc9942a78e7961bd71709cb7c071580ff15
  SHA256 9bc4bebf289c922bd4b9f8bd10fc09d92c212bb09afe47bc46f88b3fcc0c74ca
  SHA512 34e5f2750f3d285ea292293129e5af7112f72b085c1b532ea7dbc0216372fa77e991288fb9493c58a264e47faec837cd2eb6dfaf30fca9adb998f2df22f04564
- Filesize 50KB (listed five times)
  MD5 ab32c5bfd7ecfbe9ed733dfb81210933
  SHA1 4d5c6e7a0031691f12e78b096ff928b0d55bdfab
  SHA256 a632527bcd457c9a4cfce83e7a9a675baff790b0279de5d8ea3192dfb2dd888a
  SHA512 59b971146292074d76d23d5f26889108f4d6e33804332449f4c589bf8a8d53e37ac8dfea47e9d3c5ae0f382ae1acf25c4968bea87b3f5ff9d51f2274229c1ab5