Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/01/2024, 13:27
Static task: static1
Behavioral task: behavioral1
Sample: 84890393814f5b5f09d7f41d6f0a90d6.exe
Resource: win7-20231215-en
General
Target: 84890393814f5b5f09d7f41d6f0a90d6.exe
Size: 276KB
MD5: 84890393814f5b5f09d7f41d6f0a90d6
SHA1: 9718f38173cb56d3ea7b2bf5893c61bc77810efd
SHA256: b8bd1f2001371580a5d4ec4ede4878a2fd564a349e0cf66422bba7f0870e4f22
SHA512: 2d5e149035f731af62b9a7cc69a039a4b620e639e994b027e1b90e74a65cd5adc4a6fa0e8e351c09257b09d619d9523a9833925bbf929f2d4e2bfa748d96d50e
SSDEEP: 3072:x+CCSpjGZodtSu2XkePqH1A0feINRDpepu/VeprFUU5jpPPxhkjXlj:QbYjGCSuykaoXfKsVepaUVnfYX
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation
  Process: 84890393814f5b5f09d7f41d6f0a90d6.exe

Executes dropped EXE (1 IoC)
  pid: 3748
  Process: Wservices.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 220
  Process: schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 3748 | Process: Wservices.exe
  description: Token: SeDebugPrivilege | pid: 3748 | Process: Wservices.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2148 wrote to memory of 220 | pid: 2148 | Process: 84890393814f5b5f09d7f41d6f0a90d6.exe | procid_target: 88
  description: PID 2148 wrote to memory of 220 | pid: 2148 | Process: 84890393814f5b5f09d7f41d6f0a90d6.exe | procid_target: 88
  description: PID 2148 wrote to memory of 220 | pid: 2148 | Process: 84890393814f5b5f09d7f41d6f0a90d6.exe | procid_target: 88
  description: PID 2148 wrote to memory of 3748 | pid: 2148 | Process: 84890393814f5b5f09d7f41d6f0a90d6.exe | procid_target: 90
  description: PID 2148 wrote to memory of 3748 | pid: 2148 | Process: 84890393814f5b5f09d7f41d6f0a90d6.exe | procid_target: 90
  description: PID 2148 wrote to memory of 3748 | pid: 2148 | Process: 84890393814f5b5f09d7f41d6f0a90d6.exe | procid_target: 90
Processes
C:\Users\Admin\AppData\Local\Temp\84890393814f5b5f09d7f41d6f0a90d6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\84890393814f5b5f09d7f41d6f0a90d6.exe"
  PID: 2148
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Wservices.exe'"
      PID: 220
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\Wservices.exe
      command line: "C:\Users\Admin\AppData\Roaming\Wservices.exe"
      PID: 3748
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 276KB
MD5: 84890393814f5b5f09d7f41d6f0a90d6
SHA1: 9718f38173cb56d3ea7b2bf5893c61bc77810efd
SHA256: b8bd1f2001371580a5d4ec4ede4878a2fd564a349e0cf66422bba7f0870e4f22
SHA512: 2d5e149035f731af62b9a7cc69a039a4b620e639e994b027e1b90e74a65cd5adc4a6fa0e8e351c09257b09d619d9523a9833925bbf929f2d4e2bfa748d96d50e