Analysis

  • max time kernel
    0s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/12/2023, 23:08

General

  • Target

    0684613a082fa7636caac7449c5afabb.exe

  • Size

    65KB

  • MD5

    0684613a082fa7636caac7449c5afabb

  • SHA1

    976613ae9ae9633c58d7601eed46c258c9076be0

  • SHA256

    8ac7f77740ec910195b24b77d1aa1f0a1fcb7c92de73657d081cd6f53ac824ac

  • SHA512

    f8c01db7e1c7ad2ad77d6e5b3fe78afa1c44a602c341c92adb105070544e3a7f0f1251c7268c6e88bd60a87e95717eb228c78a9f1c3a48a0e90c6d9e2fa517f4

  • SSDEEP

    1536:+HVFj01flhJGXDHyddtERFC7oHGyzqT6uwXX9Xyyx3YO/x:gl0193sw7SD+2hXo23

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0684613a082fa7636caac7449c5afabb.exe
    "C:\Users\Admin\AppData\Local\Temp\0684613a082fa7636caac7449c5afabb.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
        PID:1616
      • C:\program files (x86)\common files\system\lcmoa.exe
        "C:\program files (x86)\common files\system\lcmoa.exe"
        2⤵
        • Executes dropped EXE
        PID:2460
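As an added illustration (example code written for this page, not tria.ge's own signature engine), the following Python replays the behaviours in the signature list and process tree above over a set of constructed Sysmon-style event records. The PIDs and file paths are taken from the report; the registry paths (Control Panel\International\Geo for the country code, CurrentVersion\Uninstall for installed software), the device path and the API names are assumptions about what the sandbox observed, and the events themselves are constructed.

```python
"""Toy behaviour-signature pass over constructed Sysmon-style events.

Example code written for this page; it is not tria.ge's signature engine.
The event records below are constructed to mirror the process tree and
signatures in the report (PIDs 3544, 1616, 2460); the registry paths and
API names are assumptions about what the sandbox observed.
"""
import ntpath


def norm(path):
    """Windows paths are case-insensitive. The report prints the dropped file
    in two different cases, so normalize before comparing paths."""
    return ntpath.normcase(ntpath.normpath(path))


# Constructed events, in the order a sandbox would log them.
EVENTS = [
    {"type": "process_create", "pid": 3544, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0684613a082fa7636caac7449c5afabb.exe"},
    # Assumed location of the country-code lookup behind the geofence signature.
    {"type": "registry_read", "pid": 3544,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "api_call", "pid": 3544, "api": "AdjustTokenPrivileges", "target_pid": 3544},
    {"type": "file_write", "pid": 3544,
     "path": r"C:\Program Files (x86)\Common Files\System\lcmoa.exe"},
    {"type": "process_create", "pid": 1616, "ppid": 3544,
     "image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"type": "api_call", "pid": 3544, "api": "WriteProcessMemory", "target_pid": 1616},
    {"type": "process_create", "pid": 2460, "ppid": 3544,
     "image": r"C:\program files (x86)\common files\system\lcmoa.exe"},
    {"type": "registry_read", "pid": 2460,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp"},
    {"type": "file_open", "pid": 2460, "path": r"\\.\PhysicalDrive0"},
]

PROGRAM_FILES = (norm(r"C:\Program Files"), norm(r"C:\Program Files (x86)"))


def dropped_executables(events):
    """'Executes dropped EXE': a path written by one process is later the
    image of a new process. Returns (writer_pid, new_pid, image)."""
    writes, hits = {}, []
    for e in events:
        if e["type"] == "file_write":
            writes.setdefault(norm(e["path"]), e["pid"])
        elif e["type"] == "process_create" and norm(e["image"]) in writes:
            hits.append((writes[norm(e["image"])], e["pid"], e["image"]))
    return hits


def program_files_drops(events):
    """'Drops file in Program Files directory'."""
    return [e["path"] for e in events
            if e["type"] == "file_write" and norm(e["path"]).startswith(PROGRAM_FILES)]


def cross_process_writes(events):
    """WriteProcessMemory into a child that is a Windows system binary: the
    shape of process injection. Writes into the caller's own process are ignored."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    hits = []
    for e in events:
        if e["type"] != "api_call" or e["api"] != "WriteProcessMemory":
            continue
        tgt = e["target_pid"]
        if tgt != e["pid"] and parents.get(tgt) == e["pid"] \
                and norm(images.get(tgt, "")).startswith(norm(r"C:\Windows")):
            hits.append((e["pid"], tgt, images[tgt]))
    return hits


def triage(events):
    """Map events to the signature names used in the report above."""
    sigs = {}

    def add(name, item):
        sigs.setdefault(name, []).append(item)

    for e in events:
        if e["type"] == "registry_read":
            k = e["key"].lower()
            if r"\international\geo" in k:
                add("Checks computer location settings", e["key"])
            if r"\currentversion\uninstall" in k:
                add("Checks installed software on the system", e["key"])
        elif e["type"] == "file_open" and \
                e["path"].lower().startswith((r"\\.\physicaldrive", r"\\.\cdrom")):
            add("Enumerates physical storage devices", e["path"])
        elif e["type"] == "api_call" and e["api"] == "AdjustTokenPrivileges":
            add("Suspicious use of AdjustPrivilegeToken", e["pid"])
    for item in dropped_executables(events):
        add("Executes dropped EXE", item)
    for item in program_files_drops(events):
        add("Drops file in Program Files directory", item)
    for item in cross_process_writes(events):
        add("Suspicious use of WriteProcessMemory", item)
    return sigs


if __name__ == "__main__":
    for name, evidence in triage(EVENTS).items():
        print(f"{name}: {evidence}")
```

Two points the example makes that the raw report does not: the dropped path must be compared case-insensitively (the report itself lists it as `C:\program files (x86)\...` in the tree and the signature engine treats it as a Program Files drop), and a WriteProcessMemory call from a Temp-resident executable into an explorer.exe it just spawned is only suspicious because the target is a child it created. The explorer.exe appearing under SysWOW64 rather than System32 is consistent with the sample being 32-bit (the `arch:x86` tag): file-system redirection resolves a 32-bit process's launch of a system binary to the WOW64 copy.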

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2460-15-0x00000000005A0000-0x00000000005A2000-memory.dmp (Filesize 8KB)
  • memory/2460-14-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2460-25-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3544-0-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3544-1-0x00000000004B0000-0x00000000004B2000-memory.dmp (Filesize 8KB)
  • memory/3544-18-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)