Analysis
- max time kernel: 96s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/04/2024, 12:49 UTC
Behavioral tasks (sample on resource)
- behavioral1: D0puslunar12.33-de.rar on win7-20240221-en
- behavioral2: D0puslunar12.33-de.rar on win10v2004-20240226-en
- behavioral3: 32bit/Language/chs.dll on win7-20240221-en
- behavioral4: 32bit/Language/chs.dll on win10v2004-20240226-en
- behavioral5: 32bit/Language/cht.dll on win7-20240215-en
- behavioral6: 32bit/Language/cht.dll on win10v2004-20240226-en
- behavioral7: 32bit/Language/czech.dll on win7-20240221-en
- behavioral8: 32bit/Language/czech.dll on win10v2004-20240226-en
- behavioral9: 32bit/Language/dansk.dll on win7-20240221-en
- behavioral10: 32bit/Language/dansk.dll on win10v2004-20231215-en
- behavioral11: 32bit/Language/deutsch.dll on win7-20240221-en
- behavioral12: 32bit/Language/deutsch.dll on win10v2004-20240226-en
- behavioral13: 32bit/Language/dutch.dll on win7-20240221-en
- behavioral14: 32bit/Language/dutch.dll on win10v2004-20240226-en
- behavioral15: 32bit/Language/ell.dll on win7-20240221-en
- behavioral16: 32bit/Language/ell.dll on win10v2004-20240226-en
- behavioral17: 32bit/Language/english.dll on win7-20240221-en
- behavioral18: 32bit/Language/english.dll on win10v2004-20240226-en
- behavioral19: 32bit/Language/esm.dll on win7-20231129-en
- behavioral20: 32bit/Language/esm.dll on win10v2004-20240226-en
- behavioral21: 32bit/Language/espanol.dll on win7-20240215-en
- behavioral22: 32bit/Language/espanol.dll on win10v2004-20240226-en
- behavioral23: 32bit/Language/francais.dll on win7-20240221-en
- behavioral24: 32bit/Language/francais.dll on win10v2004-20240226-en
- behavioral25: 32bit/Language/italiano.dll on win7-20240221-en
- behavioral26: 32bit/Language/italiano.dll on win10v2004-20240226-en
- behavioral27: 32bit/Language/jpn.dll on win7-20240221-en
- behavioral28: 32bit/Language/jpn.dll on win10v2004-20240319-en
- behavioral29: 32bit/Language/kor.dll on win7-20240221-en
- behavioral30: 32bit/Language/kor.dll on win10v2004-20240226-en
- behavioral31: 32bit/Language/magyar.dll on win7-20240221-en
- behavioral32: 32bit/Language/magyar.dll on win10v2004-20240226-en
General
- Target: D0puslunar12.33-de.rar
- Size: 65.7MB
- MD5: 0c4bbf23849fa553ce1dd668dc5d0341
- SHA1: 3d403740b24da559212928ca77e454ace41039fb
- SHA256: 8166e9f4dde03649255b9fea4a9920ed2f55e18f05bb8cb68194bb9636e935a4
- SHA512: 9f77b58afe46bb3565b9279090c6cd7848f2bf54d18c4e47f556b8a0f8bc596ab7d22b2ec4f481bd59ad7beb6838a515024a25397564d5a0280c674909fb416d
- SSDEEP: 1572864:kXm5hMulWZMvRpggqEfakm2P6mwz4R/RdZVXNwEO+:kXmMC8MpmgqKpWzoRD9LO+
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings (process: cmd.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeRestorePrivilege (pid 4620, 7zFM.exe)
  Token: 35 (pid 4620, 7zFM.exe)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 4620, 7zFM.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 448 wrote to memory of 4620 (pid 448, cmd.exe, procid_target 89)
  PID 448 wrote to memory of 4620 (pid 448, cmd.exe, procid_target 89)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\D0puslunar12.33-de.rar
  PID: 448
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7zFM.exe (child of PID 448)
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\D0puslunar12.33-de.rar"
    PID: 4620
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
Network
All flows are DNS PTR lookups sent to 8.8.8.8:53 (IN PTR). Columns: query name, answer returned, bytes sent, bytes received, requests, responses.

Query                          Answer                                              Sent  Received  Req  Resp
150.1.37.23.in-addr.arpa       a23-37-1-150.deploy.static.akamaitechnologies.com   70 B  133 B     1    1
209.205.72.20.in-addr.arpa     (no answer)                                         72 B  158 B     1    1
172.210.232.199.in-addr.arpa   (no answer)                                         74 B  128 B     1    1
81.171.91.138.in-addr.arpa     (no answer)                                         72 B  146 B     1    1
75.159.190.20.in-addr.arpa     (no answer)                                         72 B  158 B     1    1
11.227.111.52.in-addr.arpa     (no answer)                                         72 B  158 B     1    1
232.168.11.51.in-addr.arpa     (no answer)                                         72 B  158 B     1    1
97.17.167.52.in-addr.arpa      (no answer)                                         71 B  145 B     1    1
26.165.165.52.in-addr.arpa     (no answer)                                         72 B  146 B     1    1
18.31.95.13.in-addr.arpa       (no answer)                                         70 B  144 B     1    1
25.14.97.104.in-addr.arpa      a104-97-14-25.deploy.static.akamaitechnologies.com  71 B  135 B     1    1
249.197.17.2.in-addr.arpa      a2-17-197-249.deploy.static.akamaitechnologies.com  71 B  135 B     1    1
240.197.17.2.in-addr.arpa      a2-17-197-240.deploy.static.akamaitechnologies.com  71 B  135 B     1    1