Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22/07/2024, 15:37
Static task: static1
Behavioral task behavioral1: sample "Process Lasso 14.2.0.32.exe", resource win7-20240704-en
Behavioral task behavioral2: sample "Process Lasso 14.2.0.32.exe", resource win10v2004-20240709-en
Behavioral task behavioral3: sample "_Silent Install.cmd", resource win7-20240704-en
Behavioral task behavioral4: sample "_Silent Install.cmd", resource win10v2004-20240709-en
Behavioral task behavioral5: sample "_Unpack Portable.cmd", resource win7-20240704-en
Behavioral task behavioral6: sample "_Unpack Portable.cmd", resource win10v2004-20240709-en
General
Target: _Unpack Portable.cmd
Size: 1KB
MD5: 11bb19b34ae3d7efb2f2896416bdecfd
SHA1: 76749fa742a58c585c7a9e6044d798776fc35d00
SHA256: 7256488f34caa5538294556b0b728e291cbe635f8d3cc6cd8195ad4bef1f782d
SHA512: 8ced83bb80ca73c583890bacee3c2306c347e84c33bf883dd4589139b8d830d01131f6d8e3c6ea7a29b9bea59c40be447d5d2968a3d78bee2fb11d4116996377
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 3060  Process Lasso 14.2.0.32.tmp
Loads dropped DLL (5 IoCs)
  PID 1248  Process Lasso 14.2.0.32.exe  (1 event)
  PID 3060  Process Lasso 14.2.0.32.tmp  (4 events)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID 1248  Process Lasso 14.2.0.32.exe
Suspicious behavior: EnumeratesProcesses (41 IoCs)
  PID 3060  Process Lasso 14.2.0.32.tmp  (41 events)
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 3060  Process Lasso 14.2.0.32.tmp
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 3060  Process Lasso 14.2.0.32.tmp  (3 events)
Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process                       procid_target
  PID 1876 wrote to memory of 1248   1876  cmd.exe                       32  (7 events)
  PID 1248 wrote to memory of 3060   1248  Process Lasso 14.2.0.32.exe   33  (7 events)
Processes
1. C:\Windows\system32\cmd.exe
   command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\_Unpack Portable.cmd"
   PID: 1876
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Process Lasso 14.2.0.32.exe
      command line: "Process Lasso 14.2.0.32.exe" /SILENT /PORTABLE=1
      PID: 1248
      - Loads dropped DLL
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\is-M8VTO.tmp\Process Lasso 14.2.0.32.tmp
         command line: "C:\Users\Admin\AppData\Local\Temp\is-M8VTO.tmp\Process Lasso 14.2.0.32.tmp" /SL5="$6022C,4754140,60928,C:\Users\Admin\AppData\Local\Temp\Process Lasso 14.2.0.32.exe" /SILENT /PORTABLE=1
         PID: 3060
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
File 1
  Filesize: 66KB
  MD5: 86a1311d51c00b278cb7f27796ea442e
  SHA1: ac08ac9d08f8f5380e2a9a65f4117862aa861a19
  SHA256: e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
  SHA512: 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec
File 2
  Filesize: 3.0MB
  MD5: b0ca93ceb050a2feff0b19e65072bbb5
  SHA1: 7ebbbbe2d2acd8fd516f824338d254a33b69f08d
  SHA256: 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
  SHA512: 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2
File 3
  Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
File 4
  Filesize: 907KB
  MD5: 3754a5eb2b26e9b6a89bd0690718351a
  SHA1: 5356815f88cbcc512c74b401c5b1c89f8e950944
  SHA256: 2006b2b4d5eb64722f0bba35380057c9556a7e8bd4bf95b92cd68d84ba255be6
  SHA512: 9ad991d58a60924650523f3e59a02389a7e729fbf73a0b20479c590375f40f041e0a7101604d7305ef8d7a8d57ba53e8823a75aa27441757881c604236ab0bec