Analysis
max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 19/02/2024, 20:04
Static task: static1

Behavioral tasks (task | sample | resource)
behavioral1 | afkconsoleclient.exe | win7-20231215-en
behavioral2 | afkconsoleclient.exe | win10v2004-20231215-en
behavioral3 | $PLUGINSDIR/StdUtils.dll | win7-20231215-en
behavioral4 | $PLUGINSDIR/StdUtils.dll | win10v2004-20231215-en
behavioral5 | $PLUGINSDIR/System.dll | win7-20231215-en
behavioral6 | $PLUGINSDIR/System.dll | win10v2004-20231222-en
behavioral7 | $PLUGINSDIR/UAC.dll | win7-20231215-en
behavioral8 | $PLUGINSDIR/UAC.dll | win10v2004-20231215-en
behavioral9 | $PLUGINSDIR/WinShell.dll | win7-20231215-en
behavioral10 | $PLUGINSDIR/WinShell.dll | win10v2004-20231222-en
behavioral11 | $PLUGINSDIR/app-64.7z | win7-20231215-en
behavioral12 | $PLUGINSDIR/app-64.7z | win10v2004-20231215-en
behavioral13 | LICENSE.electron.txt | win7-20231215-en
behavioral14 | LICENSE.electron.txt | win10v2004-20231215-en
behavioral15 | chrome_100_percent.pak | win7-20231215-en
behavioral16 | chrome_100_percent.pak | win10v2004-20231222-en
behavioral17 | chrome_200_percent.pak | win7-20240215-en
behavioral18 | chrome_200_percent.pak | win10v2004-20231215-en
behavioral19 | icudtl.dat | win7-20231129-en
behavioral20 | icudtl.dat | win10v2004-20231215-en
behavioral21 | locales/af.pak | win7-20231215-en
behavioral22 | locales/af.pak | win10v2004-20231215-en
behavioral23 | locales/am.pak | win7-20231215-en
behavioral24 | locales/am.pak | win10v2004-20231215-en
behavioral25 | locales/ar.pak | win7-20231215-en
behavioral26 | locales/ar.pak | win10v2004-20231222-en
behavioral27 | locales/bg.pak | win7-20231129-en
behavioral28 | locales/bg.pak | win10v2004-20231222-en
behavioral29 | locales/bn.pak | win7-20231215-en
behavioral30 | locales/bn.pak | win10v2004-20231215-en
behavioral31 | resources/elevate.exe | win7-20231215-en
behavioral32 | resources/elevate.exe | win10v2004-20231215-en
General
Target: icudtl.dat
Size: 10.1MB
MD5: 2c367970ac87a9275eeec5629bb6fc3d
SHA1: 399324d1aeee5e74747a6873501a1ee5aac005ee
SHA256: 17d57b17d12dc5cfbf06413d68a06f45ccf245f4abdf5429f30256977c4ed6de
SHA512: f788a0d35f9e4bebe641ee67fff14968b62891f52d05bf638cd2c845df87f2e107c42a32bbe62f389f05e5673fe55cbdb85258571e698325400705cd7b16db01
SSDEEP: 98304:TfPBQYOo+ddlymYf2LfPQCvliXUxiG9Ha93Whla6ZENSs285:TfPBhORjYAHliXUxiG9Ha93Whla6ZEV7
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.dat | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.dat\ = "dat_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file\shell\Read\command | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file\shell | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2688 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2688 | AcroRd32.exe
2688 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2376 wrote to memory of 2300 | 2376 | cmd.exe | 29
PID 2376 wrote to memory of 2300 | 2376 | cmd.exe | 29
PID 2376 wrote to memory of 2300 | 2376 | cmd.exe | 29
PID 2300 wrote to memory of 2688 | 2300 | rundll32.exe | 30
PID 2300 wrote to memory of 2688 | 2300 | rundll32.exe | 30
PID 2300 wrote to memory of 2688 | 2300 | rundll32.exe | 30
PID 2300 wrote to memory of 2688 | 2300 | rundll32.exe | 30
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat
   PID: 2376
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe (child of PID 2376)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\icudtl.dat
      PID: 2300
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of PID 2300)
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\icudtl.dat"
         PID: 2688
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Downloads

Filesize: 3KB
MD5: 744fef6450281fd87bfba702c1aa22ef
SHA1: c9c9202f401a2e6025b3bc98b20ed551335a794d
SHA256: 0a3250f14bf2f3febbfe63b19fe6a405c37da711d63b974c1e051d19050f0e7a
SHA512: 4a9b605a6c4169608fbeb26a6f8c3143f8820b83aca841fd2107cc494833a6b802366483a4c77a227393d61b19b67c48825077c7b7dcdf44a435a28896a2037f