Task scores
Score  Task                   Platform
3      Static                 -
1      GTA 5 Rex ...on.rar    windows7-x64
3      GTA 5 Rex ...on.rar    windows10-2004-x64
3      GTA 5 - St...ne.txt    windows7-x64
1      GTA 5 - St...ne.txt    windows10-2004-x64
1      GTA 5 - St...or.fkr    windows7-x64
3      GTA 5 - St...or.fkr    windows10-2004-x64
3      GTA 5 - St...gs.xml    windows7-x64
1      GTA 5 - St...gs.xml    windows10-2004-x64
1      GTA 5 - St...gs.xml    windows7-x64
1      GTA 5 - St...gs.xml    windows10-2004-x64
Analysis (score 1)
max time kernel:  150s
max time network: 126s
platform:         windows7_x64
resource:         win7-20231023-en
resource tags:    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted:        25/11/2023, 06:58
Static task
  static1

Behavioral tasks
  behavioral1
    Sample:   GTA 5 Rex Optimization.rar
    Resource: win7-20231025-en
  behavioral2
    Sample:   GTA 5 Rex Optimization.rar
    Resource: win10v2004-20231020-en
  behavioral3
    Sample:   GTA 5 - Stutter Fix/Copy All These into Game Directory/commandline.txt
    Resource: win7-20231025-en
  behavioral4
    Sample:   GTA 5 - Stutter Fix/Copy All These into Game Directory/commandline.txt
    Resource: win10v2004-20231020-en
  behavioral5
    Sample:   GTA 5 - Stutter Fix/Copy All These into Game Directory/gpu_simulator.fkr
    Resource: win7-20231023-en
  behavioral6
    Sample:   GTA 5 - Stutter Fix/Copy All These into Game Directory/gpu_simulator.fkr
    Resource: win10v2004-20231020-en
  behavioral7
    Sample:   GTA 5 - Stutter Fix/Low Settings/settings.xml
    Resource: win7-20231020-en
  behavioral8
    Sample:   GTA 5 - Stutter Fix/Low Settings/settings.xml
    Resource: win10v2004-20231025-en
  behavioral9
    Sample:   GTA 5 - Stutter Fix/Medium Settings/settings.xml
    Resource: win7-20231020-en
  behavioral10
    Sample:   GTA 5 - Stutter Fix/Medium Settings/settings.xml
    Resource: win10v2004-20231023-en
General
Target: GTA 5 - Stutter Fix/Copy All These into Game Directory/gpu_simulator.fkr
Size:   314KB
MD5:    683a0378279bfd010ace4b79176d59b8
SHA1:   c67f0a4807417dc8f9eb00269990f7277802416d
SHA256: 35a74516c3a33ed44a0131e5eb75c5c180a24e3157f386cc8b611090f7c63f18
SHA512: 351e3dde797839cc06b86cc887e566d682cdd566dfdb993307380efdc3e37954e877f4fefceba73622a34dc39060f0dfd154ea3e5b7ace1a22a93aba8ede4c52
SSDEEP: 6144:Ucxawg0klBbyoKz9Fg98KwxYozV3jVjV+b2F23GjnWyINlkZTfOA:UcxawJ2BuoKpqdwxvz/YyFdjnWLv0TfT
Malware Config
(none extracted)

Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
  Description      IoC                                                                                                   Process
  Key created      \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_Classes\Local Settings                 rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\fkr_auto_file\                 rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.fkr\ = "fkr_auto_file"        rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\fkr_auto_file\shell            rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\fkr_auto_file\shell\Read\command  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\fkr_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\fkr_auto_file                  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.fkr                           rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\fkr_auto_file\shell\Read       rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID   Process
  2728  AcroRd32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID   Process
  2728  AcroRd32.exe
  2728  AcroRd32.exe
  2728  AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Description                         PID   Process       procid_target
  PID 2572 wrote to memory of 2888    2572  cmd.exe       29
  PID 2572 wrote to memory of 2888    2572  cmd.exe       29
  PID 2572 wrote to memory of 2888    2572  cmd.exe       29
  PID 2888 wrote to memory of 2728    2888  rundll32.exe  30
  PID 2888 wrote to memory of 2728    2888  rundll32.exe  30
  PID 2888 wrote to memory of 2728    2888  rundll32.exe  30
  PID 2888 wrote to memory of 2728    2888  rundll32.exe  30
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\GTA 5 - Stutter Fix\Copy All These into Game Directory\gpu_simulator.fkr"
  PID: 2572
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\GTA 5 - Stutter Fix\Copy All These into Game Directory\gpu_simulator.fkr
    PID: 2888
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GTA 5 - Stutter Fix\Copy All These into Game Directory\gpu_simulator.fkr"
      PID: 2728
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5:      04e6e1c36f884c33dd44209e855c97ea
SHA1:     d4824dfff477d7c5bde1137f7410f1ed33669d8d
SHA256:   46eae385c37acb9c4f856f997e6f00e8160528b73c0856c19ba9ad6f86263a35
SHA512:   fdd2fb6557f4b1f36975d7b3b558adf2506c226c97fef71e8c1bf86bb978a68842e9be7e4bf3e446481f5a96a0ecc6cffcfeb00017ff66754f7f7920b1fb4208