Analysis
max time kernel: 132s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29/01/2024, 19:26
Behavioral task: behavioral1
Sample: 80aabd5337136686aefe2ff1e6da8d5a.exe
Resource: win7-20231215-en
General
Target: 80aabd5337136686aefe2ff1e6da8d5a.exe
Size: 563KB
MD5: 80aabd5337136686aefe2ff1e6da8d5a
SHA1: a749d303f5a928cff0d66ac23a704b90837ea0f9
SHA256: afd7b91be42e614fa8f3488f8cf2024b1a5b364c4b66c514fa86940b06c93515
SHA512: 5472e503c6e18297efcac3cb0b78dd1c4798f6d60695bf738aba8cfdf42902a2b9d5fb0bf35503750efd6a31ea1cb0144fa07f3f31aeaaee8bd492c0a501fe5a
SSDEEP: 12288:6V6zPygCa+DZjF1/A/ZMvGTsv+wD1IRJ+ZN1JBCGoOdnq1T:c6zPXCa+DZj3/SOvPGkZ13ox
Malware Config
Extracted
limerat
False
aes_key: admin12345$
antivm: false
c2_url: https://pastebin.com/raw/dd1yrjpH
download_payload: false
install: false
install_name: settings.exe
main_folder: False
payload_url: True
pin_spread: false
sub_folder: True
usb_spread: false
Signatures

Contains code to disable Windows Defender (3 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource | yara_rule
  behavioral1/memory/2572-0-0x00000000010E0000-0x0000000001172000-memory.dmp | disable_win_def
  behavioral1/files/0x00070000000162a6-5.dat | disable_win_def
  behavioral1/memory/3028-8-0x0000000000BE0000-0x0000000000C72000-memory.dmp | disable_win_def

Drops file in Drivers directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | settings.exe

Executes dropped EXE (1 IoC)
  pid | Process
  3028 | settings.exe

Drops desktop.ini file(s) (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini | 80aabd5337136686aefe2ff1e6da8d5a.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini | 80aabd5337136686aefe2ff1e6da8d5a.exe
  File created | C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini | settings.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  5 | pastebin.com
  6 | pastebin.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2448 | schtasks.exe
  2688 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe
  2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe
  2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe
  3028 | settings.exe
  3028 | settings.exe
  3028 | settings.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe
  Token: SeDebugPrivilege | 3028 | settings.exe
  Token: SeDebugPrivilege | 3028 | settings.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  description | pid | Process | procid_target
  PID 2572 wrote to memory of 2448 | 2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe | 28
  PID 2572 wrote to memory of 2448 | 2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe | 28
  PID 2572 wrote to memory of 2448 | 2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe | 28
  PID 2572 wrote to memory of 2864 | 2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe | 31
  PID 2572 wrote to memory of 2864 | 2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe | 31
  PID 2572 wrote to memory of 2864 | 2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe | 31
  PID 2864 wrote to memory of 2840 | 2864 | cmd.exe | 33
  PID 2864 wrote to memory of 2840 | 2864 | cmd.exe | 33
  PID 2864 wrote to memory of 2840 | 2864 | cmd.exe | 33
  PID 2864 wrote to memory of 2640 | 2864 | cmd.exe | 34
  PID 2864 wrote to memory of 2640 | 2864 | cmd.exe | 34
  PID 2864 wrote to memory of 2640 | 2864 | cmd.exe | 34
  PID 2572 wrote to memory of 3028 | 2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe | 35
  PID 2572 wrote to memory of 3028 | 2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe | 35
  PID 2572 wrote to memory of 3028 | 2572 | 80aabd5337136686aefe2ff1e6da8d5a.exe | 35
  PID 3028 wrote to memory of 2688 | 3028 | settings.exe | 36
  PID 3028 wrote to memory of 2688 | 3028 | settings.exe | 36
  PID 3028 wrote to memory of 2688 | 3028 | settings.exe | 36
  PID 3028 wrote to memory of 1580 | 3028 | settings.exe | 38
  PID 3028 wrote to memory of 1580 | 3028 | settings.exe | 38
  PID 3028 wrote to memory of 1580 | 3028 | settings.exe | 38
  PID 1580 wrote to memory of 668 | 1580 | cmd.exe | 40
  PID 1580 wrote to memory of 668 | 1580 | cmd.exe | 40
  PID 1580 wrote to memory of 668 | 1580 | cmd.exe | 40
  PID 1580 wrote to memory of 512 | 1580 | cmd.exe | 41
  PID 1580 wrote to memory of 512 | 1580 | cmd.exe | 41
  PID 1580 wrote to memory of 512 | 1580 | cmd.exe | 41

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 4 IoCs)
  pid | Process
  2840 | attrib.exe
  2640 | attrib.exe
  668 | attrib.exe
  512 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\80aabd5337136686aefe2ff1e6da8d5a.exe (PID 2572, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\80aabd5337136686aefe2ff1e6da8d5a.exe"
  Signatures: Drops desktop.ini file(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (PID 2448, depth 2)
    Command line: schtasks /create /f /sc MINUTE /mo 5 /RL LIMITED /tn UDMR /tr "'C:\ProgramData\Provisioning\settings.exe'"
    Signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe (PID 2864, depth 2)
    Command line: cmd /c attrib +H +S "C:\ProgramData\\Provisioning" & attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\attrib.exe (PID 2840, depth 3)
      Command line: attrib +H +S "C:\ProgramData\\Provisioning"
      Signatures: Views/modifies file attributes
    - C:\Windows\system32\attrib.exe (PID 2640, depth 3)
      Command line: attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
      Signatures: Views/modifies file attributes
  - C:\ProgramData\Provisioning\settings.exe (PID 3028, depth 2)
    Command line: "C:\ProgramData\Provisioning\settings.exe"
    Signatures: Drops file in Drivers directory; Executes dropped EXE; Drops desktop.ini file(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2688, depth 3)
      Command line: schtasks /create /f /sc MINUTE /mo 5 /RL LIMITED /tn UDMR /tr "'C:\ProgramData\Provisioning\settings.exe'"
      Signatures: Creates scheduled task(s)
    - C:\Windows\system32\cmd.exe (PID 1580, depth 3)
      Command line: cmd /c attrib +H +S "C:\ProgramData\\Provisioning" & attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\attrib.exe (PID 668, depth 4)
        Command line: attrib +H +S "C:\ProgramData\\Provisioning"
        Signatures: Views/modifies file attributes
      - C:\Windows\system32\attrib.exe (PID 512, depth 4)
        Command line: attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
        Signatures: Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 563KB
MD5: 80aabd5337136686aefe2ff1e6da8d5a
SHA1: a749d303f5a928cff0d66ac23a704b90837ea0f9
SHA256: afd7b91be42e614fa8f3488f8cf2024b1a5b364c4b66c514fa86940b06c93515
SHA512: 5472e503c6e18297efcac3cb0b78dd1c4798f6d60695bf738aba8cfdf42902a2b9d5fb0bf35503750efd6a31ea1cb0144fa07f3f31aeaaee8bd492c0a501fe5a

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Filesize: 818B
MD5: 3798d4cc9ccec9f631b976031436b9d7
SHA1: 48e749f1fecc9b320349712e69e5d14304f0a820
SHA256: d2739833e78366320c6078534632856e7d9c53367ef2122a691f0edc285d0755
SHA512: f0780bb80f47a759c2fa20a192eef65ee52045689cd1826349556f1491cd85d1b35ab2a712c7c0f2834f87354d7bd9ea12aa0adbe0fb7134c5ce1c05761641d5