Analysis
- max time kernel: 139s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/11/2023, 22:21
Static task: static1
- 1 signature

Behavioral task: behavioral1
- Sample: Logon_overwriter.exe
- Resource: win7-20231020-en
- 6 signatures
- 150 seconds
General
- Target: Logon_overwriter.exe
- Size: 266KB
- MD5: 08d52877fd68e4de576b54515330a900
- SHA1: 2404b3245e591b3e55badd8addf78f18ae8ff3b7
- SHA256: 1f934e5ee7286e177226e282041c445cd88060032edb4f2ff0cd9a10c26b0722
- SHA512: 3164c40f644a6bd4c955a66e83ac0dc84780963c97aa7001dc734b8e2e0579bb768de0820465ca6fed6b89ce19897b44dc30d072663ac9bdda59d35ea14b2cf1
- SSDEEP: 6144:pbpdyCIzMEZ4DQ0SsG4+7WO7WfdyCIzMEZ4DQ0SsG4Nq:glzMKwKaOaIlzMKwQ
Malware Config

Signatures

Possible privilege escalation attempt (2 IoCs)
  pid   Process
  5032  takeown.exe
  720   icacls.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                       Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation  Logon_overwriter.exe

Modifies file permissions (1 TTP, 2 IoCs)
  pid   Process
  5032  takeown.exe
  720   icacls.exe

Drops file in System32 directory (1 IoC)
  description                   ioc                              Process
  File opened for modification  C:\Windows\System32\LogonUI.exe  Logon_overwriter.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                      pid   Process
  Token: SeTakeOwnershipPrivilege  5032  takeown.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process               procid_target
  PID 3908 wrote to memory of 3548  3908  Logon_overwriter.exe  91
  PID 3908 wrote to memory of 3548  3908  Logon_overwriter.exe  91
  PID 3548 wrote to memory of 5032  3548  cmd.exe               93
  PID 3548 wrote to memory of 5032  3548  cmd.exe               93
  PID 3548 wrote to memory of 720   3548  cmd.exe               94
  PID 3548 wrote to memory of 720   3548  cmd.exe               94
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Logon_overwriter.exe"
  PID: 3908
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    PID: 3548
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown /f C:\Windows\System32
      PID: 5032
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32 /grant "Admin:F"
      PID: 720
      - Possible privilege escalation attempt
      - Modifies file permissions