Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

c2e896-rrpy.rar

windows7-x64

3

c2e896-rrpy.rar

windows10-2004-x64

7

rrpy/DZSB/...lc.rpf

windows7-x64

3

rrpy/DZSB/...lc.rpf

windows10-2004-x64

3

rrpy/DZSB/...or.yft

windows7-x64

3

rrpy/DZSB/...or.yft

windows10-2004-x64

3

rrpy/DZSB/...or.ytd

windows7-x64

3

rrpy/DZSB/...or.ytd

windows10-2004-x64

3

rrpy/DZSB/...hi.yft

windows7-x64

3

rrpy/DZSB/...hi.yft

windows10-2004-x64

3

rrpy/DZSB/...��.txt

windows7-x64

1

rrpy/DZSB/...��.txt

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20/02/2024, 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rrpy/DZSB/Replace/emperor.ytd

  • Size

    2.6MB

  • MD5

    0519c606e6cc72e0cbbbf3234f044c98

  • SHA1

    1cf171cd4b200e6e74934ad178b51917c7e6fa66

  • SHA256

    ec4d347e04c0b692a9bb0ae3467bd60612df6b8c8c1cfaeb450077f43897b04d

  • SHA512

    091751c4eb37507d25f7fe4d404b92bccced7762034a7adf13dab279bfcef32f986016227bd1152fa48ad5cb9c98a32bda2f251a98785211ed2d8eef28120257

  • SSDEEP

    49152:W11NOhBzVlJea6V38wGf2yPRNe8hdGBNLLXUTqKbM8ovWWq6TMieCI7IUtHC2:W11NOhBzVPf6xy/xhwnEJbM8oeq9eCZy

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\rrpy\DZSB\Replace\emperor.ytd
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\rrpy\DZSB\Replace\emperor.ytd
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\rrpy\DZSB\Replace\emperor.ytd"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    ae3e627379d99660a31d14ce789c4637

    SHA1

    ea592899e41ec4fc259cb1a19c1733cc1ac6860b

    SHA256

    73cc0b6e3e289121149eba7035255527bc5d9abd3eb5116c7ec125e6ede83ed2

    SHA512

    559469eda84a5ad1ec00beebb67324d08bd8719f5b719fcd2069d4d3fbf64ad1a88e7e0749575389a372e0cb9b428d097dcb984d53c49967844e959b88c2342f

    Download Submit