Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 08/01/2024, 12:06
Static task: static1
Behavioral task: behavioral1
- Sample: 4b642633a36a25817bd10003d5d4dea0.exe
- Resource: win7-20231129-en
General
- Target: 4b642633a36a25817bd10003d5d4dea0.exe
- Size: 100KB
- MD5: 4b642633a36a25817bd10003d5d4dea0
- SHA1: 66e64cc788ae62e354596207bf670be4a6882c49
- SHA256: db2224fd25fb45150d7033001ff2ea90da3fd56d8a3f1d99f1f3fab14705fe09
- SHA512: cc47e3e65fa5aca36a092af0f489574ec157fbae3f6fa06dbb4de4c0e794dc8ce2c4e6286d48d8b32c8b0d457b6ca8e22442e34ef79322a3aa960d30ca8fff94
- SSDEEP: 3072:gi9cmKEV+l7/qlNPQ6Qpmj2dDqSGVk8jwaaHw7Koj4rDMN0:gicUWrqfPnumjkDqSk
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\lromjllx\\txgytluo.exe" | process: svchost.exe
  description: Set value (int) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | process: svchost.exe
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: svchost.exe
- Drops startup file (2 IoCs)
  description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\txgytluo.exe | process: svchost.exe
  description: File opened for modification | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\txgytluo.exe | process: svchost.exe
- Executes dropped EXE (1 IoC)
  pid: 2536 | process: ldetvnwufpyrmcgb.exe
- Loads dropped DLL (5 IoCs)
  pid: 2244 | process: 4b642633a36a25817bd10003d5d4dea0.exe (all 5 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\TxgYtluo = "C:\\Users\\Admin\\AppData\\Local\\lromjllx\\txgytluo.exe" | process: svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2732 | process: svchost.exe (all 64 entries)
- Suspicious behavior: LoadsDriver (1 IoC)
  pid: 484 | process: Process not Found
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeSecurityPrivilege | pid: 2244 | process: 4b642633a36a25817bd10003d5d4dea0.exe
  Token: SeDebugPrivilege | pid: 2244 | process: 4b642633a36a25817bd10003d5d4dea0.exe
  Token: SeSecurityPrivilege | pid: 2252 | process: svchost.exe
  Token: SeSecurityPrivilege | pid: 2732 | process: svchost.exe
  Token: SeDebugPrivilege | pid: 2732 | process: svchost.exe
  Token: SeRestorePrivilege / SeBackupPrivilege | pid: 2732 | process: svchost.exe (the remaining entries alternate between these two privileges, interrupted once by the two pid 2536 entries below)
  Token: SeSecurityPrivilege | pid: 2536 | process: ldetvnwufpyrmcgb.exe
  Token: SeLoadDriverPrivilege | pid: 2536 | process: ldetvnwufpyrmcgb.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  PID 2244 (4b642633a36a25817bd10003d5d4dea0.exe) wrote to memory of 2252 | procid_target: 15 (10 entries)
  PID 2244 (4b642633a36a25817bd10003d5d4dea0.exe) wrote to memory of 2732 | procid_target: 14 (10 entries)
  PID 2244 (4b642633a36a25817bd10003d5d4dea0.exe) wrote to memory of 2536 | procid_target: 30 (4 entries)
Processes
- C:\Windows\SysWOW64\svchost.exe (command line: C:\Windows\system32\svchost.exe), depth 1
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks BIOS information in registry
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2732
- C:\Windows\SysWOW64\svchost.exe (command line: C:\Windows\system32\svchost.exe), depth 1
  - Suspicious use of AdjustPrivilegeToken
  PID: 2252
- C:\Users\Admin\AppData\Local\Temp\4b642633a36a25817bd10003d5d4dea0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\4b642633a36a25817bd10003d5d4dea0.exe"), depth 1
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2244
  - C:\Users\Admin\AppData\Local\Temp\ldetvnwufpyrmcgb.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ldetvnwufpyrmcgb.exe"), depth 2
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2536
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 100KB
  MD5: 4b642633a36a25817bd10003d5d4dea0
  SHA1: 66e64cc788ae62e354596207bf670be4a6882c49
  SHA256: db2224fd25fb45150d7033001ff2ea90da3fd56d8a3f1d99f1f3fab14705fe09
  SHA512: cc47e3e65fa5aca36a092af0f489574ec157fbae3f6fa06dbb4de4c0e794dc8ce2c4e6286d48d8b32c8b0d457b6ca8e22442e34ef79322a3aa960d30ca8fff94
- Filesize: 92KB
  MD5: 8073e92f00b42fc3de60f010e6b4ff0c
  SHA1: 0004d848bb7d725c2a68516f17943be0bfcfb02f
  SHA256: 77a435f9eac296f2e5164f5e76342dfa723ebef4958215259451b0f6811de751
  SHA512: 725d6544655d023bef493f2536443c54486c6ef1dacf47765dc43b76559d1cc599980d93293a4c699ed6f96ad514f8b1b610beae89574f6d5bc6e1fb81306c5e