Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2024-10-13...it.exe

windows7-x64

7

2024-10-13...it.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/10/2024, 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-13_57425cc19001960043854c1e143aced4_lockbit.exe

  • Size

    52KB

  • MD5

    57425cc19001960043854c1e143aced4

  • SHA1

    60f09c93a2da1cded719c7da6d006b38bcddff82

  • SHA256

    023334cc47ec29c06fd90e3a43acf9436e5d9e0662d9db13132f9427987ce3f2

  • SHA512

    2506957a4f342362c297e6231cf3a5f866e94476c5be24f05a2bfa15921bf449e5356fc2959b476551d8a283a07646f98ffcb10514ed24bc1bf4b4a547371f98

  • SSDEEP

    1536:EGWpAjHIHcO+UNS8GBx3xb6x4l8QcaeWSDBPrxZaGL:Gp3HiU4PBx3xb6x4l8QcaXSRxZbL

Score
7/10
defense_evasiondiscovery

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
    defense_evasion
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • NTFS ADS 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-13_57425cc19001960043854c1e143aced4_lockbit.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-13_57425cc19001960043854c1e143aced4_lockbit.exe"
    1⤵
    • Impair Defenses: Safe Mode Boot
    • Subvert Trust Controls: Mark-of-the-Web Bypass
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-13_57425cc19001960043854c1e143aced4_lockbit.exe" & del "C:\Users\Admin\AppData\Local\Temp\2024-10-13_57425cc19001960043854c1e143aced4_lockbit.exe" > NUL & exit
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2632
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\2024-10-13_57425cc19001960043854c1e143aced4_lockbit.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2092
  • C:\ProgramData\Microsoft\v2.0_2.0.0.0__47bb3554681e635c\fltMC.exe
    C:\ProgramData\Microsoft\v2.0_2.0.0.0__47bb3554681e635c\fltMC.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\v2.0_2.0.0.0__47bb3554681e635c\fltMC.exe
    Filesize

    52KB

    MD5

    aeaf41d3c800297184e2febdf6aba891

    SHA1

    65cef012208985701bc57f40696667cf2580dd4f

    SHA256

    e66c7b2346632abd3064b3555b6371b2d34a64d166e3c485f9007b942446b6f0

    SHA512

    680d6a185111800937cff7711226b407d413998700bfe1ee74ccbc9e70234a14f2b8ea26130407ad66eca1067faab8ec9582576fe42b328f122222300488a976

    Download Submit

  • C:\ProgramData\Microsoft\v2.0_2.0.0.0__47bb3554681e635c\fltMC.exe
    Filesize

    52KB

    MD5

    57425cc19001960043854c1e143aced4

    SHA1

    60f09c93a2da1cded719c7da6d006b38bcddff82

    SHA256

    023334cc47ec29c06fd90e3a43acf9436e5d9e0662d9db13132f9427987ce3f2

    SHA512

    2506957a4f342362c297e6231cf3a5f866e94476c5be24f05a2bfa15921bf449e5356fc2959b476551d8a283a07646f98ffcb10514ed24bc1bf4b4a547371f98

    Download Submit