Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b245810954...0N.exe

windows7-x64

7

b245810954...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/07/2024, 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2458109543e5db6179b4658f03854f0N.exe

  • Size

    455KB

  • MD5

    b2458109543e5db6179b4658f03854f0

  • SHA1

    4584c509f78d102ddf35924fbdb539cc8dcb0099

  • SHA256

    79d1ea072de1d36ca909179496d8a8cfba5c16106882e0e92da6b83a52b780e5

  • SHA512

    08247f92fa5f8874c7dacf5a709290cba86ef72fcd3569119bb755285437b63c5cb3cda685b05cb2f42b8e89d45ca43051c8a58446b72c1db5e80b6565ed8307

  • SSDEEP

    6144:aBapC9DUIYmO5Kv5Q7X/l/rYvkW1VxxfnzrV9UAH0ctkPfc92F8ALpIh9jil:VpQD+mO5KWy/zrVbt4fcYr9U9jI

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 46 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2458109543e5db6179b4658f03854f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\b2458109543e5db6179b4658f03854f0N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Windows\LSASS.exe
      "C:\Windows\LSASS.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:556
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2188
      • C:\Users\Admin\LSASS.exe
        "C:\Users\Admin\LSASS.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2672
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4808
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4648
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:228
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4460
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3656
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:64
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4244
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:224
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3828
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:404
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4644
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3860
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:856
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1972
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:728
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3672
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4248
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4180
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4500
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3076
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3304
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2620
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2704
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1072
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4412
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1164
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:952
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1716
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3720
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3264
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:876
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4996
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2888
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3960
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:5072
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2328
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3896
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4184
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:452
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3436
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4732
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2024
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1060
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\LSASS.exe
    Filesize

    455KB

    MD5

    7ce012f77440a159b405d102088e1e28

    SHA1

    1c89ade3f0915b5962408806a89f220fdbbab69a

    SHA256

    95d13b0023e9783fa1e216ab853a3463a7f97d65080723bfe44df6478359f01d

    SHA512

    319d451aa1b14bf54eb057954dfd6d15252519024c7217824e4a9ab0e52f56f06ebeb639083e572c35dd4d24e2e7a62d8960db11eb8b80ea6d292d7ae05ea964

    Download Submit

  • C:\Windows\LSASS.exe
    Filesize

    455KB

    MD5

    a141b848e788218875cb5dde381d1d2a

    SHA1

    e7dd90150460e2cfe5d1e425dee76cada93b4505

    SHA256

    0b542939480eb149270d04188fdd94dbcb3f04870e3c188e07cc4b711887fab4

    SHA512

    190b519ad50eca1db1c290218bd900576191bfcc1367ec274ff380fa19259119261703014dd8e79ee3b319d95c73ccdb8f20b6592a8801a24126d178dd81c35c

    Download Submit

  • C:\autorun.inf
    Filesize

    190B

    MD5

    b1445c7f646c6ca9a7597791af38d575

    SHA1

    91efaf63fa1f7a51ee2f9b1c3b0f8932f15439ce

    SHA256

    220517d50470c86d94020cebcd03af286898e65338f468dc5f860dc04af2c88e

    SHA512

    533349278b6d186f0f3947681e90dcc7f617e146736798e6fc23e79d61610f1f7b2e4b4241b296884622fbd6b1cf73dc694a852e05bf4235da8ed40b70c5683f

    Download Submit

  • memory/456-0-0x0000000006020000-0x0000000006021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/456-35-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2672-108-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-128-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-109-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-34-0x00000000041D0000-0x00000000041D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3880-133-0x00000000041D0000-0x00000000041D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3880-146-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-163-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-180-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-198-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-215-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-232-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-249-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-266-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/3880-283-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download