Analysis
- max time kernel: 143s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08/04/2024, 23:29
Tasks
- static1 (static task)
- behavioral1: R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Adobe AIR.dll on win7-20240221-en
- behavioral2: R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Adobe AIR.dll on win10v2004-20240226-en
- behavioral3: R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/CaptiveAppEntry.exe on win7-20240221-en
- behavioral4: R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/CaptiveAppEntry.exe on win10v2004-20240226-en
- behavioral5: R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/NPSWF32.dll on win7-20240221-en
- behavioral6: R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/NPSWF32.dll on win10v2004-20240226-en
- behavioral7: R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/NPSWF64.dll on win7-20240319-en
- behavioral8: R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/NPSWF64.dll on win10v2004-20240226-en
- behavioral9: R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/WebKit.dll on win7-20240215-en
- behavioral10: R3Air.2.0.0.Release.64/Adobe AIR/Versions/1.0/Resources/WebKit.dll on win10v2004-20240226-en
- behavioral11: R3Air.2.0.0.Release.64/R3.exe on win7-20231129-en
- behavioral12: R3Air.2.0.0.Release.64/R3.exe on win10v2004-20240226-en
- behavioral13: R3Air.2.0.0.Release.64/R3Air.swf on win7-20240221-en
- behavioral14: R3Air.2.0.0.Release.64/R3Air.swf on win10v2004-20240226-en
General
- Target: R3Air.2.0.0.Release.64/R3Air.swf
- Size: 12.0MB
- MD5: 10049e4b660bb0814e2d929f17a99262
- SHA1: e0d4f10d6fe1c12d48ababe4b8a6ac74576b91e5
- SHA256: bd7ba2530b9fc1f16d2784aba9ea89ac7b1b3623ab68bd2d0009b151fcc85d85
- SHA512: 4cde7fcfb59bac137477643c959348999657f1514a7cd94346f49b81e80dc1213778c9d4bc139763200cf8258d0ce92f809c2a982b565ea265ceb97df48ae79d
- SSDEEP: 393216:5oHFpL0Cwpg4ydLrQ6ePC9/VhFpA0CRW6XQw48:8FFVwW4ydDIC91+0CRn48
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  - Set value (data): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 5080e5bd0c8ada01 (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
- Modifies Internet Explorer settings
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418780896" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup (iexplore.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom (iexplore.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FAE1E571-F5FF-11EE-8859-DE62917EBCA6} = "0" (iexplore.exe)
- Modifies registry class (11 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\swf_auto_file (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.swf (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\swf_auto_file\shell\open (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\swf_auto_file\shell\open\command (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\swf_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\swf_auto_file\shell\open\CommandId = "IE.File" (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\swf_auto_file\ (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.swf\ = "swf_auto_file" (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\swf_auto_file\shell (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\swf_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" (rundll32.exe)
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 2720 iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  - PID 2720 iexplore.exe (2 hits)
  - PID 2440 IEXPLORE.EXE (2 hits)
- Suspicious use of WriteProcessMemory (10 IoCs)
  - PID 2784 (cmd.exe) wrote to memory of PID 2996, procid_target 29 (3 hits)
  - PID 2996 (rundll32.exe) wrote to memory of PID 2720, procid_target 30 (3 hits)
  - PID 2720 (iexplore.exe) wrote to memory of PID 2440, procid_target 33 (4 hits)
Processes
1. C:\Windows\system32\cmd.exe (PID 2784)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\R3Air.2.0.0.Release.64\R3Air.swf
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (PID 2996)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\R3Air.2.0.0.Release.64\R3Air.swf
      Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
      3. C:\Program Files\Internet Explorer\iexplore.exe (PID 2720)
         Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\R3Air.2.0.0.Release.64\R3Air.swf
         Signatures: Modifies Internet Explorer Phishing Filter; Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2440)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
            Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads