Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
0s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2023, 23:08
Static task
static1
Behavioral task
behavioral1
Sample
0684613a082fa7636caac7449c5afabb.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
0684613a082fa7636caac7449c5afabb.exe
Resource
win10v2004-20231215-en
General
-
Target
0684613a082fa7636caac7449c5afabb.exe
-
Size
65KB
-
MD5
0684613a082fa7636caac7449c5afabb
-
SHA1
976613ae9ae9633c58d7601eed46c258c9076be0
-
SHA256
8ac7f77740ec910195b24b77d1aa1f0a1fcb7c92de73657d081cd6f53ac824ac
-
SHA512
f8c01db7e1c7ad2ad77d6e5b3fe78afa1c44a602c341c92adb105070544e3a7f0f1251c7268c6e88bd60a87e95717eb228c78a9f1c3a48a0e90c6d9e2fa517f4
-
SSDEEP
1536:+HVFj01flhJGXDHyddtERFC7oHGyzqT6uwXX9Xyyx3YO/x:gl0193sw7SD+2hXo23
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation 0684613a082fa7636caac7449c5afabb.exe -
Executes dropped EXE 1 IoCs
pid Process 2460 lcmoa.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 2 IoCs
description ioc Process File created \??\c:\program files (x86)\common files\system\lcmoa.exe 0684613a082fa7636caac7449c5afabb.exe File opened for modification \??\c:\program files (x86)\common files\system\lcmoa.exe 0684613a082fa7636caac7449c5afabb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 3544 0684613a082fa7636caac7449c5afabb.exe Token: SeIncBasePriorityPrivilege 3544 0684613a082fa7636caac7449c5afabb.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3544 wrote to memory of 2460 3544 0684613a082fa7636caac7449c5afabb.exe 22 PID 3544 wrote to memory of 2460 3544 0684613a082fa7636caac7449c5afabb.exe 22 PID 3544 wrote to memory of 2460 3544 0684613a082fa7636caac7449c5afabb.exe 22
Processes
-
C:\Users\Admin\AppData\Local\Temp\0684613a082fa7636caac7449c5afabb.exe"C:\Users\Admin\AppData\Local\Temp\0684613a082fa7636caac7449c5afabb.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵PID:1616
-
-
C:\program files (x86)\common files\system\lcmoa.exe"C:\program files (x86)\common files\system\lcmoa.exe"2⤵
- Executes dropped EXE
PID:2460
-