Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    91s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21/09/2024, 19:58

General

  • Target

    Lobotomz.exe

  • Size

    438KB

  • MD5

    f713bc9b842e94a0712a0dc0f3a58cce

  • SHA1

    d5c2dc86593248eac098a27e9c3ba6350f46a6fb

  • SHA256

    337839269a3be5d60e52de93be53f93cab86a88cb6b331ab0d1322b32e17d83b

  • SHA512

    c4cef32f25527a984ac613b174bcba2996795526c328e00003977e090551f0accb2aef37838e75a474d92f760b97223324bab8bb0bf177d856d4d3b449d3099b

  • SSDEEP

    1536:N1PbVOwHQGMoivnfOv7SzMFEIePmtu/Et7v1tEYMHGWpUrrWoOTJfuVmyLUQ7wVY:N1PbVvxeeMstW4rqDu7qY

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Modifies system executable filetype association 2 TTPs 47 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lobotomz.exe
    "C:\Users\Admin\AppData\Local\Temp\Lobotomz.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k reg delete HKCR /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKCR /f
        3⤵
        • Modifies system executable filetype association
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:3520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1664
      2⤵
      • Program crash
      PID:1040
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3736 -ip 3736
    1⤵
      PID:3032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3736-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

      Filesize

      4KB

    • memory/3736-1-0x0000000000E00000-0x0000000000E74000-memory.dmp

      Filesize

      464KB

    • memory/3736-2-0x0000000005E50000-0x00000000063F6000-memory.dmp

      Filesize

      5.6MB

    • memory/3736-3-0x0000000005940000-0x00000000059D2000-memory.dmp

      Filesize

      584KB

    • memory/3736-4-0x00000000749C0000-0x0000000075171000-memory.dmp

      Filesize

      7.7MB

    • memory/3736-5-0x00000000749C0000-0x0000000075171000-memory.dmp

      Filesize

      7.7MB