Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
7ItsOnFire.apk
android-9-x86
ItsOnFire.apk
android-10-x64
ItsOnFire.apk
android-11-x64
1baseline.prof
windows7-x64
3baseline.prof
windows10-2004-x64
3baseline.profm
windows7-x64
3baseline.profm
windows10-2004-x64
3damageshelter.ogg
windows7-x64
1damageshelter.ogg
windows10-2004-x64
7invaderexplode.ogg
windows7-x64
1invaderexplode.ogg
windows10-2004-x64
7oh.ogg
windows7-x64
1oh.ogg
windows10-2004-x64
7playerexplode.ogg
windows7-x64
1playerexplode.ogg
windows10-2004-x64
7shoot.ogg
windows7-x64
1shoot.ogg
windows10-2004-x64
7uh.ogg
windows7-x64
1uh.ogg
windows10-2004-x64
7Resubmissions
03/10/2023, 14:56
231003-sbdm7scb8z 703/10/2023, 14:35
231003-rx4abadf82 702/10/2023, 22:39
231002-2k417afa8s 702/10/2023, 21:20
231002-z68v6aeg3z 7Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
02/10/2023, 22:39
Static task
static1
Behavioral task
behavioral1
Sample
ItsOnFire.apk
Resource
android-x86-arm-20230831-en
Behavioral task
behavioral2
Sample
ItsOnFire.apk
Resource
android-x64-20230831-en
Behavioral task
behavioral3
Sample
ItsOnFire.apk
Resource
android-x64-arm64-20230831-en
Behavioral task
behavioral4
Sample
baseline.prof
Resource
win7-20230831-en
Behavioral task
behavioral5
Sample
baseline.prof
Resource
win10v2004-20230915-en
Behavioral task
behavioral6
Sample
baseline.profm
Resource
win7-20230831-en
Behavioral task
behavioral7
Sample
baseline.profm
Resource
win10v2004-20230915-en
Behavioral task
behavioral8
Sample
damageshelter.ogg
Resource
win7-20230831-en
Behavioral task
behavioral9
Sample
damageshelter.ogg
Resource
win10v2004-20230915-en
Behavioral task
behavioral10
Sample
invaderexplode.ogg
Resource
win7-20230831-en
Behavioral task
behavioral11
Sample
invaderexplode.ogg
Resource
win10v2004-20230915-en
Behavioral task
behavioral12
Sample
oh.ogg
Resource
win7-20230831-en
Behavioral task
behavioral13
Sample
oh.ogg
Resource
win10v2004-20230915-en
Behavioral task
behavioral14
Sample
playerexplode.ogg
Resource
win7-20230831-en
Behavioral task
behavioral15
Sample
playerexplode.ogg
Resource
win10v2004-20230915-en
Behavioral task
behavioral16
Sample
shoot.ogg
Resource
win7-20230831-en
Behavioral task
behavioral17
Sample
shoot.ogg
Resource
win10v2004-20230915-en
Behavioral task
behavioral18
Sample
uh.ogg
Resource
win7-20230831-en
Behavioral task
behavioral19
Sample
uh.ogg
Resource
win10v2004-20230915-en
General
-
Target
damageshelter.ogg
-
Size
16KB
-
MD5
26df32d00fe1e5a754c43590eca08b8a
-
SHA1
e2061ea74213ee1fa73e62f4cb00e5ca2d498b17
-
SHA256
49eff40d58068528f8a4aeaef67027fa308f3d4b75a8e5e1c572d1fbfa5f710d
-
SHA512
94e9859be87afd04b7eb4347530f00d54cd9e7f6e80d545fbc374374dbfb100a39997ecd4f4af09bfda5e4a4635f48dcac85abc833724728df3a4f04d0bfe899
-
SSDEEP
192:XKv+FWxZknNi8XWWwbMIbkrk7lQ719rm663DIIIIIxyIIIII+ZF2HU39n8HUqUTa:XKqWQUCMb6k7iBZ634SIw9nrYvws
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4948 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4948 vlc.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: 33 1028 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1028 AUDIODG.EXE Token: 33 4948 vlc.exe Token: SeIncBasePriorityPrivilege 4948 vlc.exe -
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe -
Suspicious use of SendNotifyMessage 7 IoCs
pid Process 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe 4948 vlc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4948 vlc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3336 wrote to memory of 4948 3336 cmd.exe 86 PID 3336 wrote to memory of 4948 3336 cmd.exe 86
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\damageshelter.ogg1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\damageshelter.ogg"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4948
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3d4 0x4ec1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028