Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
06/07/2023, 22:10
Static task
static1
Behavioral task
behavioral1
Sample
MaritasGame.rar
Resource
win7-20230703-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
MaritasGame.rar
Resource
win10v2004-20230703-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
MaritasGame.rar
-
Size
46.9MB
-
MD5
2be360b964a23bdb077791fc0b95e5e3
-
SHA1
8b9e207bdfb1307f3f53b52a7a4abb4c6af74f3e
-
SHA256
a9ac9bec8258026d4a82c4bbc46bbf5e7fbdc95acef7619185051a50f8b9a702
-
SHA512
0787c14ae2af4c588984120d1bae32b4010ae788a50e8f37521b5ee544390519f970f90e7f1ac4738e30fd776dd9a7d3033703e8ebbd41ca48f63aa1ee80e03e
-
SSDEEP
786432:a4DKYy7zy3Nz2mM26w6+iMPibavUz9PQABKGNlOJvVoiEKPLYk/f3zNZ4:aMYzc5h57tGBKGNIJOiDD/f3zN2
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000e656e935110050524f4752417e310000740009000400efbe874fdb49e656e9352e0000003f0000000000010000000000000000004a000000000000223c00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Applications OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Applications\7z.exe OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\rar_auto_file OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000e35666651000372d5a6970003c0009000400efbee3566665e35666652e000000e324020000000f0000000000000000000000000000002ff2dc0037002d005a0069007000000014000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.rar OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Applications\7z.exe\shell\open OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\rar_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\"" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Applications\7z.exe\shell\open\command OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\rar_auto_file\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\rar_auto_file\shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\붾lj\ = "rar_auto_file" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Applications\7z.exe\shell OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff OpenWith.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4244 OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 3868 7z.exe Token: 35 3868 7z.exe -
Suspicious use of SetWindowsHookEx 28 IoCs
pid Process 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe 4244 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4244 wrote to memory of 3868 4244 OpenWith.exe 86 PID 4244 wrote to memory of 3868 4244 OpenWith.exe 86
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\MaritasGame.rar1⤵PID:5048
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\MaritasGame.rar"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3868
-