Overview

Static task: score 3

Behavioral tasks as listed in the overview (score, sample name as displayed there, platform). The names are truncated in the overview exactly as shown; the full sample paths are in the task list further down.

  3  R3Air.2.0....IR.dll   windows7-x64
  1  R3Air.2.0....IR.dll   windows10-2004-x64
  1  R3Air.2.0....ry.exe   windows7-x64
  1  R3Air.2.0....ry.exe   windows10-2004-x64
  1  R3Air.2.0....32.dll   windows7-x64
  1  R3Air.2.0....32.dll   windows10-2004-x64
  3  R3Air.2.0....64.dll   windows7-x64
  1  R3Air.2.0....64.dll   windows10-2004-x64
  1  R3Air.2.0....it.dll   windows7-x64
  1  R3Air.2.0....it.dll   windows10-2004-x64
  1  R3Air.2.0....R3.exe   windows7-x64
  1  R3Air.2.0....R3.exe   windows10-2004-x64
  1  R3Air.2.0....ir.swf   windows7-x64
  3  R3Air.2.0....ir.swf   windows10-2004-x64
Analysis (score 3)

  max time kernel:   149s
  max time network:  151s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240226-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         08/04/2024, 23:29
Tasks

Static task: static1

Behavioral tasks (task, sample, resource):

  behavioral1   R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Adobe AIR.dll                    win7-20240221-en
  behavioral2   R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Adobe AIR.dll                    win10v2004-20240226-en
  behavioral3   R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/CaptiveAppEntry.exe    win7-20240221-en
  behavioral4   R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/CaptiveAppEntry.exe    win10v2004-20240226-en
  behavioral5   R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/NPSWF32.dll            win7-20240221-en
  behavioral6   R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/NPSWF32.dll            win10v2004-20240226-en
  behavioral7   R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/NPSWF64.dll            win7-20240319-en
  behavioral8   R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/NPSWF64.dll            win10v2004-20240226-en
  behavioral9   R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/WebKit.dll             win7-20240215-en
  behavioral10  R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/WebKit.dll             win10v2004-20240226-en
  behavioral11  R3Air.2.0.0.Release.64/R3.exe                                                  win7-20231129-en
  behavioral12  R3Air.2.0.0.Release.64/R3.exe                                                  win10v2004-20240226-en
  behavioral13  R3Air.2.0.0.Release.64/R3Air.swf                                               win7-20240221-en
  behavioral14  R3Air.2.0.0.Release.64/R3Air.swf                                               win10v2004-20240226-en
General

  Target:  R3Air.2.0.0.Release.64/R3.exe
  Size:    108KB
  MD5:     c8973d954de8bdfbc8eaf142ddad467a
  SHA1:    75c9af2e68035c3b6a582bbf133edb2be85091db
  SHA256:  343f4bca3c8006251bcb4aec1efc2f61d2263418cea6660f1763240af821d6c1
  SHA512:  bd1d89818c4879ac52ca5e66826d4539fd5b47d27a1e46fcb8339092e8d55af266b70480e567975cdd206aaac9700fcb3da33f7325939699b4610700ee45690b
  SSDEEP:  3072:/569XWkwazEmk+a/k+DewA3U1MIvbxVSK6NxCwxw:8RwaIJ+glDsUvD8xCb
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

  description        ioc                                                                      process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0         R3.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz    R3.exe

Note: the two rows name the same key in different letter cases (the native \REGISTRY\MACHINE\HARDWARE path is what HKLM\HARDWARE maps to). The registry is case-insensitive, so any rule written against these paths has to match case-insensitively or it will miss one of the two events.

Suspicious use of AdjustPrivilegeToken (2 IoCs)

  description                        pid   process
  Token: 33                          1180  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1180  AUDIODG.EXE

Note: both IoCs belong to AUDIODG.EXE (the Windows Audio Device Graph Isolation process), which the process tree below lists as a separate top-level process rather than a child of R3.exe; the hit reflects that system service's own privilege handling, not an action taken by the sample. "Token: 33" is a privilege the report left as its numeric LUID; 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h.

Suspicious use of SetWindowsHookEx (2 IoCs)

  pid   process
  4484  R3.exe
  4484  R3.exe
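The registry IoCs above are the raw material for a sandbox-evasion rule, and the case mismatch between the two rows is the usual trap. The following is an added example, not code from the report or from Hatching Triage: a small post-processor for rows in the layout of the signature table (description, IoC, process). It maps native \REGISTRY\MACHINE and \REGISTRY\USER paths to the hklm/hku form, matches case-insensitively against the per-CPU key, splits the value name off "Key value queried" rows, and reports which known fingerprint values the submitted sample read. The input rows are constructed (the first two mirror the table, the third is a made-up benign control), and the list of fingerprint value names is an assumption, not something the report states.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input in the layout of the "Checks processor information in
# registry" table: (description, IoC, process). The third row is a benign
# control that must not match.
REGISTRY_IOCS: List[Tuple[str, str, str]] = [
    ("Key opened",
     r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0",
     "R3.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz",
     "R3.exe"),
    ("Key opened",
     r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Adobe",
     "R3.exe"),
]

# Native object-manager hive prefixes and the abbreviations analysts use.
HIVE_MAP = {
    r"\registry\machine": "hklm",
    r"\registry\user": "hku",
}

# Per-CPU key that sandbox-detection code reads, and value names commonly
# used as fingerprints (assumed list, not taken from the report).
PROCESSOR_KEY_PREFIX = r"hklm\hardware\description\system\centralprocessor"
FINGERPRINT_VALUES = {"~mhz", "processornamestring", "identifier", "vendoridentifier"}


@dataclass
class Hit:
    description: str
    key: str              # normalized, lowercased key path
    value: Optional[str]  # value name for "Key value queried" rows, else None
    process: str


def normalize(path: str) -> str:
    """Map a native \\REGISTRY\\... path to hklm/hku form, lowercased.

    The report shows the same key as "Hardware\\Description" and
    "HARDWARE\\DESCRIPTION"; the registry is case-insensitive, so the
    comparison must be too.
    """
    low = path.lower()
    for native, hive in HIVE_MAP.items():
        if low.startswith(native):
            return hive + low[len(native):]
    return low


def classify(iocs: List[Tuple[str, str, str]]) -> List[Hit]:
    """Return the rows that touch per-processor keys, splitting off value names."""
    hits: List[Hit] = []
    for description, ioc, process in iocs:
        norm = normalize(ioc)
        if not norm.startswith(PROCESSOR_KEY_PREFIX):
            continue
        key, value = norm, None
        if description.lower().startswith("key value"):
            # For a value query the last path component is the value name.
            key, _, value = norm.rpartition("\\")
        hits.append(Hit(description, key, value, process))
    return hits


def fingerprint_values(hits: List[Hit], sample_process: str) -> List[str]:
    """Known CPU-fingerprint value names read by the submitted sample itself."""
    return sorted(
        h.value for h in hits
        if h.process.lower() == sample_process.lower()
        and h.value in FINGERPRINT_VALUES
    )


if __name__ == "__main__":
    found = classify(REGISTRY_IOCS)
    for h in found:
        print(h)
    print("fingerprint values read by R3.exe:", fingerprint_values(found, "R3.exe"))
```

Filtering on the sample's process name is deliberate: as the AdjustPrivilegeToken hit on AUDIODG.EXE shows, a signature row is not necessarily attributable to the submitted binary, so attribution has to be part of the rule rather than assumed from the report heading.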
Processes

Top-level process: C:\Users\Admin\AppData\Local\Temp\R3Air.2.0.0.Release.64\R3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\R3Air.2.0.0.Release.64\R3.exe"
  PID: 4484
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx

Top-level process: C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x518 0x51c
  PID: 1180
  - Suspicious use of AdjustPrivilegeToken