Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 31/01/2025, 20:43
Behavioral task behavioral1
Sample: lGxCmyo.exe
Resource: win7-20241023-en
Behavioral task behavioral2
Sample: lGxCmyo.exe
Resource: win10v2004-20250129-en
General
Target: lGxCmyo.exe
Size: 6.3MB
MD5: 8b566fdf77f5acf29c6c5bd2d52eacab
SHA1: 19842502be7711f7e4d303c71184dc0b2ac05798
SHA256: 4dcab4dff066a113b9f2cea94b1b21837cf92f0874eb3c4fc166824546ff5271
SHA512: d3e12e3a8f5593a8e7eb7c78c0b27e1a2b9ba229a2ab4ff14675589617a43185a9bea8ffa4b26586e9744b39b657d143645f76bcac21f20fbab45509998c1ff6
SSDEEP: 98304:ijcIruEVC6IEq9Vyn//5gcllxt3bzBoUv6aQ/BDyZeut1BDjRhh:WDCjTA//5gcllfrNJ6jBGwutlhh
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource                                       yara_rule
behavioral1/files/0x0005000000019509-21.dat    acprotect

Loads dropped DLL (1 IoC)
pid     Process
1028    lGxCmyo.exe

resource                                                                       yara_rule
behavioral1/files/0x0005000000019509-21.dat                                    upx
behavioral1/memory/1028-23-0x0000000074B30000-0x0000000075043000-memory.dmp    upx

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description    ioc                                                            Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    lGxCmyo.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    lGxCmyo.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid    Process        procid_target
PID 588 wrote to memory of 1028    588    lGxCmyo.exe    31
PID 588 wrote to memory of 1028    588    lGxCmyo.exe    31
PID 588 wrote to memory of 1028    588    lGxCmyo.exe    31
PID 588 wrote to memory of 1028    588    lGxCmyo.exe    31
Processes
C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe"
  PID: 588
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\lGxCmyo.exe"
      PID: 1028
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.4MB
MD5: c2d7c1219852ebef562663248393591d
SHA1: 56d54e195ca36dd8239ed2b2d826d03584f0b372
SHA256: ff71be682dd009694bb52cad1aff027a4605f213ec42682c08a37bf0105653b5
SHA512: 4284f02ece7c2e6f2bee253255f58319c5c4a1333a54e6c9676d47f66a2f5d860ac963640b550ee8ec3246fda5223306d022ef4e6a57f5f7ef5132b0aecf6fd3