Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

lol.exe

windows7-x64

7

lol.exe

windows10-1703-x64

7

lol.exe

windows10-2004-x64

7

lol.exe

windows11-21h2-x64

7

Resubmissions

23/02/2024, 15:00

240223-sdjx1ace7v 10

23/02/2024, 14:44

240223-r4hbesbc58 10

Analysis

  • max time kernel
    571s
  • max time network
    725s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23/02/2024, 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lol.exe

  • Size

    214KB

  • MD5

    bd367e4170e17df14b5a6a15cdfd79b0

  • SHA1

    206cb6b1336d890e2bb8f4f36cf27b9d78ca8b1a

  • SHA256

    1b0fb3b5cd0ff954ab04c5502d0be2270181da75cca92f84ab91e4142745ed56

  • SHA512

    c62163ea1be9652862112116200ca0153737b7af6b1439b820687c4bbaf52fb616c70bbd3ca55dfe3d24a178a99d831ef6819e685de5e838473b26ea6281b5f6

  • SSDEEP

    6144:DXP9zPvM92B+64kQ2EJam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTTo6:DX5s2B+64kQHam2dNREz9FdOZMJwGuEu

Score
7/10
persistence

Malware Config

Signatures

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lol.exe
    "C:\Users\Admin\AppData\Local\Temp\lol.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:316
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:168
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
      PID:4632
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1540
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4248
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4696

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri
        Filesize

        162KB

        MD5

        0d02b03a068d671348931cc20c048422

        SHA1

        67b6deacf1303acfcbab0b158157fdc03a02c8d5

        SHA256

        44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0

        SHA512

        805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.pri
        Filesize

        2KB

        MD5

        a2942665b12ed000cd2ac95adef8e0cc

        SHA1

        ac194f8d30f659131d1c73af8d44e81eccab7fde

        SHA256

        bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374

        SHA512

        4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9

        Download Submit

      • memory/2332-0-0x00000000735E0000-0x0000000073B90000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2332-1-0x00000000735E0000-0x0000000073B90000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2332-2-0x0000000001170000-0x0000000001180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2332-8-0x00000000735E0000-0x0000000073B90000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2332-9-0x00000000735E0000-0x0000000073B90000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2332-10-0x0000000001170000-0x0000000001180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2332-11-0x0000000001170000-0x0000000001180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2332-12-0x0000000001170000-0x0000000001180000-memory.dmp

        Filesize

        64KB

        Download