Analysis
max time kernel: 150s
max time network: 135s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 07:01

Static task: static1

Behavioral task: behavioral1
Sample: 0d55c3e47ab628c2cd9908d868715f7f.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 0d55c3e47ab628c2cd9908d868715f7f.exe
Resource: win10v2004-20231222-en
General
Target: 0d55c3e47ab628c2cd9908d868715f7f.exe
Size: 86KB
MD5: 0d55c3e47ab628c2cd9908d868715f7f
SHA1: c6c983efba89aa61dcd2247c8771630ec00e9bcf
SHA256: 710a3d73ea64dde20329a66cdc1c1267c380b501407924d2872ba8e1bbce3ef0
SHA512: 6b42838930f09e7f4d1792f9c73afa8d948f82ddd593931966ee1f0125d54f5df15a36ee2d0d75e243bd8060ade7fbf96876a40d6fbaf678c2420b1a25adb7d4
SSDEEP: 1536:XYueX5YXNGQafXCbHRFEm88L2zYGp3JlMT4a26KLaDz:o2FgLm88LaY6Tg4a26KLaDz
Malware Config
Signatures
Creates new service(s) (1 TTP)

Sets DLL path for service in the registry (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "C:\\Progra~1\\%Program Files%\\109.URL" by rundll32.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "C:\\Progra~1\\%Program Files%\\109.URL" by laass.exe

ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource behavioral1/files/0x000a0000000133b1-9.dat, yara_rule acprotect

Deletes itself (1 IoC)
  pid 2292 cmd.exe

Executes dropped EXE (1 IoC)
  pid 2744 laass.exe

Loads dropped DLL (7 IoCs)
  pid 840 rundll32.exe
  pid 2872 cmd.exe (5 entries)
  pid 2744 laass.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "file:C:\\Progra~1\\%Progr~1\\DEST.BAT" by laass.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "file:C:\\Progra~1\\%Progr~1\\DEST.BAT" by rundll32.exe

Drops file in Program Files directory (8 IoCs), all by 0d55c3e47ab628c2cd9908d868715f7f.exe
  File created C:\Progra~1\%Program Files%\109.URL
  File opened for modification C:\Progra~1\%Program Files%\109.URL
  File created C:\Progra~1\%Program Files%\111.URL
  File opened for modification C:\Progra~1\%Program Files%\111.URL
  File created C:\Progra~1\%Program Files%\Dest.BAt
  File created C:\Progra~1\%Program Files%\laass.exe
  File created C:\Progra~1\%Program Files%\Cest.bat
  File created C:\Progra~1\%Program Files%\~

Launches sc.exe (2 IoCs)
  sc.exe is the Windows utility used to control services on the system.
  pid 2224 sc.exe
  pid 2272 sc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  repeated entries for pid 2744 laass.exe and pid 840 rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 840 rundll32.exe
  pid 2744 laass.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 2932 0d55c3e47ab628c2cd9908d868715f7f.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  source pid  source process                            target pid  procid_target  entries
  2932        0d55c3e47ab628c2cd9908d868715f7f.exe      2872        28             4
  2872        cmd.exe                                   2272        30             4
  2932        0d55c3e47ab628c2cd9908d868715f7f.exe      840         31             7
  2932        0d55c3e47ab628c2cd9908d868715f7f.exe      2292        32             4
  2872        cmd.exe                                   2224        33             4
  2872        cmd.exe                                   2744        34             4
Processes
C:\Users\Admin\AppData\Local\Temp\0d55c3e47ab628c2cd9908d868715f7f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d55c3e47ab628c2cd9908d868715f7f.exe"
  PID: 2932
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Progra~1\%Program Files%\Dest.bat""
    PID: 2872
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe
      Command line: sc \\10.127.0.84 create "WinAudio" binpath= "cmd.exe /c C:\PROGRA~1\%PROGR~1\Cest.bat" start= auto type= interact type= own displayname= "WinAudio"
      PID: 2272
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      Command line: sc \\10.127.0.84 config "WinAudio" binpath= "cmd.exe /c C:\PROGRA~1\%PROGR~1\Cest.bat" start= auto type= interact type= own obj= localsystem password= ""
      PID: 2224
      - Launches sc.exe

    C:\Program Files\%Program Files%\laass.exe
      Command line: "C:\Program Files\%Program Files%\laass.exe" 111.URL main
      PID: 2744
      - Sets DLL path for service in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" 111.URL main
    PID: 840
    - Sets DLL path for service in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0D55C3~1.EXE > nul & rd c:\%Progr~1 > nul
    PID: 2292
    - Deletes itself
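The behaviour recorded above reduces to three detectable patterns: the AppMgmt service's ServiceDll repointed at a file that is not a .dll (109.URL), a Run value with an empty name whose data is a file: URL to a batch file, and sc.exe create/config invocations that address a remote host (\\10.127.0.84) with an interpreter in binpath= and type= interact. Note that because both sc.exe calls name a remote host, the WinAudio service would be created there rather than in the sandbox, which is consistent with the report listing no local service-creation IoC. The following Python is an added example written for this page, not tria.ge's own code: it applies those three checks to constructed Sysmon-style registry and process events modelled on the IoCs above, and the allowlist of processes that legitimately write ServiceDll values is an assumption.

```python
"""Added example: detection logic for the persistence behaviours in this report.
Not tria.ge code. Inputs are constructed Sysmon-style events (registry value
set; process command line); SERVICEDLL_WRITERS is an assumed allowlist."""
import re
from typing import Dict, List

# Assumption: processes expected to write a service's ServiceDll value.
SERVICEDLL_WRITERS = {"services.exe", "svchost.exe", "msiexec.exe", "trustedinstaller.exe"}

SERVICEDLL_RE = re.compile(r"\\services\\(?P<svc>[^\\]+)\\parameters\\servicedll$", re.I)
RUNKEY_RE = re.compile(r"\\currentversion\\run\\(?P<name>[^\\]*)$", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|js)$", re.I)
SC_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted token or bare token
INTERPRETER_RE = re.compile(r"\b(cmd|powershell|rundll32|regsvr32|mshta)(\.exe)?\b", re.I)


def check_registry_event(ev: Dict[str, str]) -> List[str]:
    """Findings for one registry value-set event: TargetObject (key path plus
    value name), Details (string written) and Image (writing process)."""
    findings: List[str] = []
    target, details = ev["TargetObject"], ev["Details"]
    writer = ev["Image"].rsplit("\\", 1)[-1].lower()
    m = SERVICEDLL_RE.search(target)
    if m:
        if not details.lower().endswith(".dll"):
            findings.append(f"ServiceDll of {m['svc']} points at a non-DLL file: {details}")
        if writer not in SERVICEDLL_WRITERS:
            findings.append(f"ServiceDll of {m['svc']} written by {writer}")
    m = RUNKEY_RE.search(target)
    if m:
        if m["name"] == "":
            findings.append("Run value with an empty name")
        if details.lower().startswith("file:"):
            findings.append(f"Run value is a file: URL: {details}")
        if SCRIPT_EXT_RE.search(details):
            findings.append(f"Run value launches a script: {details}")
    return findings


def parse_sc_command(cmdline: str) -> Dict[str, object]:
    """Split an sc.exe command line into host, verb, service and options.
    sc takes 'option= value' pairs; repeated keys (type= interact type= own)
    are kept as a list in the order given."""
    toks = [quoted or bare for quoted, bare in SC_TOKEN_RE.findall(cmdline)]
    opts: Dict[str, List[str]] = {}
    out: Dict[str, object] = {"host": None, "verb": None, "service": None, "options": opts}
    i = 1  # toks[0] is sc, sc.exe or a full path to it
    if i < len(toks) and toks[i].startswith("\\\\"):
        out["host"] = toks[i][2:]
        i += 1
    if i < len(toks):
        out["verb"] = toks[i].lower()
        i += 1
    if i < len(toks) and not toks[i].endswith("="):
        out["service"] = toks[i]
        i += 1
    while i + 1 < len(toks):
        key, val = toks[i], toks[i + 1]
        if key.endswith("="):
            opts.setdefault(key[:-1].lower(), []).append(val)
            i += 2
        else:
            i += 1
    return out


def check_sc_command(cmdline: str) -> List[str]:
    """Findings for an sc.exe create/config invocation; other verbs are ignored."""
    sc = parse_sc_command(cmdline)
    if sc["verb"] not in ("create", "config"):
        return []
    opts = sc["options"]
    findings: List[str] = []
    if sc["host"]:
        findings.append(f"sc {sc['verb']} addressed to remote host {sc['host']}")
    binpath = " ".join(opts.get("binpath", []))
    if INTERPRETER_RE.search(binpath):
        findings.append(f"service {sc['service']} binpath runs an interpreter: {binpath}")
    if "interact" in [t.lower() for t in opts.get("type", [])]:
        findings.append(f"service {sc['service']} requests an interactive service type")
    return findings


def scan(registry_events, command_lines) -> List[str]:
    """Run both checks over collected events and return every finding."""
    findings: List[str] = []
    for ev in registry_events:
        findings.extend(check_registry_event(ev))
    for cl in command_lines:
        findings.extend(check_sc_command(cl))
    return findings


# Constructed sample input modelled on this report's IoCs (not captured telemetry).
SAMPLE_REGISTRY_EVENTS = [
    {"TargetObject": "HKLM\\SYSTEM\\ControlSet001\\services\\AppMgmt\\Parameters\\ServiceDll",
     "Details": "C:\\Progra~1\\%Program Files%\\109.URL",
     "Image": "C:\\Windows\\SysWOW64\\rundll32.exe"},
    {"TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
     "Details": "file:C:\\Progra~1\\%Progr~1\\DEST.BAT",
     "Image": "C:\\Program Files\\%Program Files%\\laass.exe"},
    # benign control: a real DLL path written by an allowlisted installer process
    {"TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Schedule\\Parameters\\ServiceDll",
     "Details": "%SystemRoot%\\system32\\schedsvc.dll",
     "Image": "C:\\Windows\\System32\\msiexec.exe"},
]
SAMPLE_COMMAND_LINES = [
    r'sc \\10.127.0.84 create "WinAudio" binpath= "cmd.exe /c C:\PROGRA~1\%PROGR~1\Cest.bat" start= auto type= interact type= own displayname= "WinAudio"',
    r'sc \\10.127.0.84 config "WinAudio" binpath= "cmd.exe /c C:\PROGRA~1\%PROGR~1\Cest.bat" start= auto type= interact type= own obj= localsystem password= ""',
    r'sc query wuauserv',  # benign control: not create/config
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REGISTRY_EVENTS, SAMPLE_COMMAND_LINES):
        print(line)
```

Run as a script it prints one line per finding; in a pipeline, feed check_registry_event the registry value-set events and check_sc_command the command lines of sc.exe process-creation events. The ServiceDll writer allowlist is deliberately short and will need tuning per environment; the non-.dll extension check is the stronger signal and has no such dependency.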
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 63KB
MD5: 04db368b8459cdf3f2295f216ae565cd
SHA1: 6a1b47d24b46c15cfdd2f898aa9b5460d184798c
SHA256: b2f1d0bde21b848f813d36e6508ac6bd5c2717a41d161a37648a010e36cc5fc7
SHA512: efb806339228458cf48d6872780ded0eae0dc99851be959e6d6a2d56f4e70b5ebf0ab3d68b48716ae9fd0cf41946e688b1031291dca243b12bd1a047a149ab45

Filesize: 2KB
MD5: 53f7860f3118f5fd1607767cda0773a5
SHA1: 424b43bc8e4c9019f6616ea61bbfdf3c58df30a9
SHA256: 2ca836f7a6b872cc70f845f96b1d9a8dd46fe96080e5e0219318c19507fb54dd
SHA512: dc948ec57b291c42d07c35b35f99b2886e74d418c2236fce95dae4325a1d3e6240ee28b1cd0abf2586a39b3bbea9ba30771480887585ddefee3e5861be6809e9

Filesize: 9KB
MD5: 359c541c07a39ab11bb45aad29b2d2ce
SHA1: 3c4f277f184ae306a4d0efe1bcb9e03ecabbb9b7
SHA256: 6e2378348ebebf5b301744fedb0be396ef4e7e92ad94877da79eed9eb46850d5
SHA512: 768050272dd4875a4c2a6a96f6337334c05d1512dfc0cc9ceee883a7c701de5e2e90872a6f9029de5b528b74c07cb8aa61c10f9f9e834f8021e9759136fcfbff

Filesize: 73B
MD5: d48e2c2f2ccbd4b6d7e7c0e113227513
SHA1: 422604808c8a8fe52708b1786366bb388fb8636f
SHA256: 401dad9a900b2fc5af77c3d64567f31cc4953d97e14b2b95a9677b4c0159ea49
SHA512: 34acead308f248141946f3a19ebc47494c019b3c5048b0a3882c7d5dd89cbd9395873abd642d9a7eddfee841f31e10cc7ebf6aa261f0305f7751fe2ec7c29032