Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 14:03
Behavioral tasks
behavioral1: Xotic_Activator.exe on win7-20231129-en
behavioral2: Xotic_Activator.exe on win10v2004-20231215-en
behavioral3: main.pyc on win7-20231215-en
behavioral4: main.pyc on win10v2004-20231215-en
General
Target: main.pyc
Size: 4KB
MD5: 78044e0945749775910ce61a3a0c8f74
SHA1: 72ed0e3180c2f62b1e70c08dda96dc083f2a0074
SHA256: 391cda8393509999ba2bc99c764de7ddb6b5b03a70a29af87bf50a1d5e09a17e
SHA512: a77820098223d5ff35f93da1876556b1dcda5f14837a155b9db73140dfb2e792e7137decfa342e9321ff96e06330ac48d392b35512b0e7f8145db6da664a06ab
SSDEEP: 96:QEHXKag/on8jIIVTfHAlVPflDji+kgZjPlsx9SHfUh:d6agwIVTfJgZy3Nh
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\pyc_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.pyc | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\pyc_auto_file | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
2400 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
2400 | AcroRd32.exe
2400 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | process | procid_target
PID 2356 wrote to memory of 2820 | 2356 | cmd.exe | 29
PID 2356 wrote to memory of 2820 | 2356 | cmd.exe | 29
PID 2356 wrote to memory of 2820 | 2356 | cmd.exe | 29
PID 2820 wrote to memory of 2400 | 2820 | rundll32.exe | 30
PID 2820 wrote to memory of 2400 | 2820 | rundll32.exe | 30
PID 2820 wrote to memory of 2400 | 2820 | rundll32.exe | 30
PID 2820 wrote to memory of 2400 | 2820 | rundll32.exe | 30
Processes
1. C:\Windows\system32\cmd.exe (PID 2356)
   cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (PID 2820)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2400)
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx

Note on reading this tree: shell32.dll,OpenAs_RunDLL is the Windows "Open with" handler, invoked because .pyc had no registered file class on the image. The registry-class entries and the AcroRd32.exe launch are the result of that handler choosing Adobe Reader; no Python interpreter appears in the tree, so main.pyc was never executed as bytecode in this task.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: cc11514481b2d8dcdd61e082a6e208ff
SHA1: b1d1b84b53f4c3e8298b950a2ac3693f03256f5e
SHA256: 891a2e3002f7ba65268006fb6bd950d457ddbd434b4d7396c0da803735f8a77d
SHA512: 491dd909e26911b10f4521486da03a3894b163ef0d82fcac6fa0df83caf2ffb2186e6e847c68dc23a64dfebe85e02e76094db032c87c379a139dcd5c9bca7b5c