Analysis
- max time kernel: 111s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/09/2024, 06:52
Behavioral task: behavioral1
- Sample: 53fd48d989c02c4cfd7d7cdbc9540940N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 53fd48d989c02c4cfd7d7cdbc9540940N.exe
- Resource: win10v2004-20240802-en
General
- Target: 53fd48d989c02c4cfd7d7cdbc9540940N.exe
- Size: 15KB
- MD5: 53fd48d989c02c4cfd7d7cdbc9540940
- SHA1: ba8ebe275b24c823366ba4f06ccf2a0b6d126f72
- SHA256: 2ee071579da35565f77a2dc017d1d86f82a08bb1922e3f2e0e9507e292b39e15
- SHA512: 8d61cb60c33df2eba0a92f7d9282e129e8989a2e619e6d247c0befd44d9c91d417a4111715d1d6a1551c6899efff3e043686c7ae35f74fb4a6c2b06342d9dead
- SSDEEP: 384:IO3qdXlIQV0YXd45xuYiMcRWnPbeVGWLwbbbVHHHH4fff+:IO3EVdV0YXd4DuicNV3Ffff+
Malware Config
Signatures
- Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 4772, Process attrib.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (Process: 53fd48d989c02c4cfd7d7cdbc9540940N.exe)
- Executes dropped EXE (1 IoCs)
  PID 4324, Process lyghost.exe
- resource / yara_rule
  behavioral2/memory/3352-0-0x0000000000400000-0x0000000000414000-memory.dmp upx
  behavioral2/files/0x0008000000023452-4.dat upx
  behavioral2/memory/3352-6-0x0000000000400000-0x0000000000414000-memory.dmp upx
  behavioral2/memory/4324-7-0x0000000000400000-0x0000000000414000-memory.dmp upx
  behavioral2/memory/4324-10-0x0000000000400000-0x0000000000414000-memory.dmp upx
  behavioral2/memory/4324-13-0x0000000000400000-0x0000000000414000-memory.dmp upx
  behavioral2/memory/4324-16-0x0000000000400000-0x0000000000414000-memory.dmp upx
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\Debug\lyghost.exe (Process: 53fd48d989c02c4cfd7d7cdbc9540940N.exe)
  File opened for modification: C:\Windows\Debug\lyghost.exe (Process: attrib.exe)
  File created: C:\Windows\Debug\lyghost.exe (Process: 53fd48d989c02c4cfd7d7cdbc9540940N.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: lyghost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: attrib.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 53fd48d989c02c4cfd7d7cdbc9540940N.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeIncBasePriorityPrivilege, PID 3352, Process 53fd48d989c02c4cfd7d7cdbc9540940N.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3352 wrote to memory of 4772 | 3352 | 53fd48d989c02c4cfd7d7cdbc9540940N.exe | 85
  PID 3352 wrote to memory of 4772 | 3352 | 53fd48d989c02c4cfd7d7cdbc9540940N.exe | 85
  PID 3352 wrote to memory of 4772 | 3352 | 53fd48d989c02c4cfd7d7cdbc9540940N.exe | 85
  PID 3352 wrote to memory of 4376 | 3352 | 53fd48d989c02c4cfd7d7cdbc9540940N.exe | 91
  PID 3352 wrote to memory of 4376 | 3352 | 53fd48d989c02c4cfd7d7cdbc9540940N.exe | 91
  PID 3352 wrote to memory of 4376 | 3352 | 53fd48d989c02c4cfd7d7cdbc9540940N.exe | 91
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  PID 4772, Process attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\53fd48d989c02c4cfd7d7cdbc9540940N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\53fd48d989c02c4cfd7d7cdbc9540940N.exe"
  PID: 3352
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +a +s +h +r C:\Windows\Debug\lyghost.exe
    PID: 4772
    - Sets file to hidden
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\53FD48~1.EXE > nul
    PID: 4376
    - System Location Discovery: System Language Discovery
- C:\Windows\Debug\lyghost.exe
  Command line: C:\Windows\Debug\lyghost.exe
  PID: 4324
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 15KB
  MD5: 3287fc6d3ba06d803ee9882aa2358f78
  SHA1: f40a6bcc07a60d8371a930b76860706740259d1c
  SHA256: 27296b60ff832acd712e0b4d3ffe13a8ff20deb1f853ad44f91101fbdec47294
  SHA512: c8c5818136558dbd58c297499bc3fbd5cc44df55214f2a74706446c9d425f48cbf7041a37a5036fbd1694febcc116e111aac026e9fd4e0f937202891f70ae5c2