Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01/02/2024, 03:30
Static task: static1
Behavioral task: behavioral1
  Sample: 93a5f8883087b30a2bfbb41aa530bb28.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 93a5f8883087b30a2bfbb41aa530bb28.exe
  Resource: win10v2004-20231215-en
General
Target: 93a5f8883087b30a2bfbb41aa530bb28.exe
Size: 86KB
MD5: 93a5f8883087b30a2bfbb41aa530bb28
SHA1: cba8389fc7a814885c19931a26fd0c3aec5285be
SHA256: 8850c10c46383bafebe6053d7cbaca3625b5ab73c9b267edd574c90aaaa7bed6
SHA512: 1947b8ca414b7efc35aa79707de94c24fb6636a4fd26ba1a1702d02dd37d7957fa72b68ae70a41b747dd057f7e2bfaf8738daf8a899f5925c9c41c0ff1f03c79
SSDEEP: 1536:rD8Vu7vOjG3aPGzJG9GrxwHzcTkdqSHjDnsdyoNrzu0CvmVow5jxeiY:38VubOj2aPOM0xuwkd5HjDnsdyoNrzut
Malware Config
Signatures

Detects LgoogLoader payload (1 IoC)
resource | yara_rule
behavioral1/memory/2744-12-0x0000000000160000-0x000000000016D000-memory.dmp | family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 93a5f8883087b30a2bfbb41aa530bb28.exe

Windows security bypass
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | 93a5f8883087b30a2bfbb41aa530bb28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\93a5f8883087b30a2bfbb41aa530bb28.exe = "0" | 93a5f8883087b30a2bfbb41aa530bb28.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | 93a5f8883087b30a2bfbb41aa530bb28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\93a5f8883087b30a2bfbb41aa530bb28.exe = "0" | 93a5f8883087b30a2bfbb41aa530bb28.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | 93a5f8883087b30a2bfbb41aa530bb28.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 93a5f8883087b30a2bfbb41aa530bb28.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 93a5f8883087b30a2bfbb41aa530bb28.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2196 set thread context of 2744 | 2196 | 93a5f8883087b30a2bfbb41aa530bb28.exe | 30

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
2164 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2196 | 93a5f8883087b30a2bfbb41aa530bb28.exe
Token: SeDebugPrivilege | 2164 | powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 2196 wrote to memory of 2164 (4 entries) | 2196 | 93a5f8883087b30a2bfbb41aa530bb28.exe | 28
PID 2196 wrote to memory of 2744 (12 entries) | 2196 | 93a5f8883087b30a2bfbb41aa530bb28.exe | 30

System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 93a5f8883087b30a2bfbb41aa530bb28.exe
Processes

C:\Users\Admin\AppData\Local\Temp\93a5f8883087b30a2bfbb41aa530bb28.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\93a5f8883087b30a2bfbb41aa530bb28.exe"
  PID: 2196
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\93a5f8883087b30a2bfbb41aa530bb28.exe" -Force
    PID: 2164
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SYSWOW64\calc.exe (depth 2)
    Command line: "C:\Windows\SYSWOW64\calc.exe"
    PID: 2744