Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
6Static
static
3oofile_1.4...ll.dll
windows7-x64
1oofile_1.4...ll.dll
windows10-2004-x64
1oofile_1.4...ll.dll
windows7-x64
3oofile_1.4...ll.dll
windows10-2004-x64
3oofile_1.4...en.exe
windows7-x64
1oofile_1.4...en.exe
windows10-2004-x64
1oofile_1.4...le.exe
windows7-x64
6oofile_1.4...le.exe
windows10-2004-x64
3oofile_1.4.../1.asp
windows7-x64
3oofile_1.4.../1.asp
windows10-2004-x64
3oofile_1.4...g.html
windows7-x64
1oofile_1.4...g.html
windows10-2004-x64
1oofile_1.4...rid.js
windows7-x64
1oofile_1.4...rid.js
windows10-2004-x64
1oofile_1.4...ase.js
windows7-x64
1oofile_1.4...ase.js
windows10-2004-x64
1oofile_1.4...all.js
windows7-x64
1oofile_1.4...all.js
windows10-2004-x64
1oofile_1.4...ore.js
windows7-x64
1oofile_1.4...ore.js
windows10-2004-x64
1oofile_1.4...w.html
windows7-x64
1oofile_1.4...w.html
windows10-2004-x64
1oofile_1.4...veX.js
windows7-x64
1oofile_1.4...veX.js
windows10-2004-x64
1oofile_1.4...Int.js
windows7-x64
1oofile_1.4...Int.js
windows10-2004-x64
1oofile_1.4...nt2.js
windows7-x64
1oofile_1.4...nt2.js
windows10-2004-x64
1oofile_1.4...der.js
windows7-x64
1oofile_1.4...der.js
windows10-2004-x64
1oofile_1.4...enu.js
windows7-x64
1oofile_1.4...enu.js
windows10-2004-x64
1Analysis
-
max time kernel
113s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
15/04/2024, 10:31
Static task
static1
Behavioral task
behavioral1
Sample
oofile_1.47/FileTranDll.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
oofile_1.47/FileTranDll.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
oofile_1.47/JpgDll.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
oofile_1.47/JpgDll.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
oofile_1.47/ooScreen.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
oofile_1.47/ooScreen.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
oofile_1.47/oofile.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
oofile_1.47/oofile.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
oofile_1.47/viewer/1.asp
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
oofile_1.47/viewer/1.asp
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
oofile_1.47/viewer/ViewLog.html
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral12
Sample
oofile_1.47/viewer/ViewLog.html
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
oofile_1.47/viewer/XmlGrid.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
oofile_1.47/viewer/XmlGrid.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
oofile_1.47/viewer/ext-2.2.1/adapter/ext/ext-base.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
oofile_1.47/viewer/ext-2.2.1/adapter/ext/ext-base.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
oofile_1.47/viewer/ext-2.2.1/ext-all.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
oofile_1.47/viewer/ext-2.2.1/ext-all.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
oofile_1.47/viewer/ext-2.2.1/ext-core.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
oofile_1.47/viewer/ext-2.2.1/ext-core.js
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
oofile_1.47/viewer/htwin/p_OpenMoreWindow.html
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral22
Sample
oofile_1.47/viewer/htwin/p_OpenMoreWindow.html
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
oofile_1.47/viewer/js/ActiveX.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
oofile_1.47/viewer/js/ActiveX.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
oofile_1.47/viewer/js/BigInt.js
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral26
Sample
oofile_1.47/viewer/js/BigInt.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
oofile_1.47/viewer/js/BigInt2.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
oofile_1.47/viewer/js/BigInt2.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
oofile_1.47/viewer/js/SessionProvider.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
oofile_1.47/viewer/js/SessionProvider.js
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
oofile_1.47/viewer/js/TabCloseMenu.js
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
oofile_1.47/viewer/js/TabCloseMenu.js
Resource
win10v2004-20240412-en
windows10-2004-x64
General
-
Target
oofile_1.47/oofile.exe
-
Size
256KB
-
MD5
c914296daf71a04ef114271500d8315b
-
SHA1
5046cddbd10683d478b70721ee472cc9ee70066a
-
SHA256
530075b0aa1716c3782b26ebaeb5d45735c6e7e97931a44a798510a5c47e0221
-
SHA512
7f9cf37deb570eb839c2d81a32828762e4884f6dd2d783582e82ef62dda9688ead765918fdae725a5b63dc1c0dc0072b37b4ed393a451248ecf1231aeaf6e3d5
-
SSDEEP
3072:cRCTg1Y3ZaYhuXAmgRp9ZFd5d2YGdpxHdXSKJLUQNLdZXARuLlnrzlLiVl:oqZ5ufcFFd5d2FIU5WuZnli
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4448 2996 WerFault.exe 85 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Connection.1\CLSID oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.RcSend\CLSID oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C09B0011-6B92-4FFB-BCC3-5AE3716B09CB} oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\ = "Connection Class" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BB67838-EEC5-4798-9716-848954DF9AA2}\TypeLib oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.YSysTray.1 oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E66F9030-D86D-471D-A68B-4743E94FD681}\TypeLib\Version = "1.0" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E66F9030-D86D-471D-A68B-4743E94FD681}\ = "IYSysTray" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client\CurVer\ = "FileTranDll.Client.1" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\InprocServer32 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80AECCA8-6A06-4BDF-8803-624E7CE96F56}\1.0\FLAGS oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.RcSend\CurVer oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.YSysTray oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07D1FA7A-925A-478C-B771-321852587289}\ProxyStubClsid32 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client.1 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\ProxyStubClsid32 oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.HostInfo.1\CLSID\ = "{4DC442BB-F3F5-4D6D-ACDC-2B8A312F1F64}" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DC442BB-F3F5-4D6D-ACDC-2B8A312F1F64}\TypeLib oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{604087EE-5D13-491A-AACA-C12CFC40E6C7}\TypeLib oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\ProgID oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.HostInfo.1\CLSID oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.HostInfo oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.HostInfo\ = "HostInfo Class" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BB67838-EEC5-4798-9716-848954DF9AA2}\Programmable oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF0F0C25-BA24-47BA-AEC7-4968A4112D1C}\1.0\HELPDIR oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E66F9030-D86D-471D-A68B-4743E94FD681}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Server.1\CLSID\ = "{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Connection\CLSID\ = "{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\ = "IServer" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\TypeLib\ = "{80AECCA8-6A06-4BDF-8803-624E7CE96F56}" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\oofile\ = "{9BB67838-EEC5-4798-9716-848954DF9AA2}" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{604087EE-5D13-491A-AACA-C12CFC40E6C7}\ = "IRcSend" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\InprocServer32\ThreadingModel = "Apartment" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client\CurVer oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\VersionIndependentProgID oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C09B0011-6B92-4FFB-BCC3-5AE3716B09CB}\VersionIndependentProgID oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Connection\ = "Connection Class" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BB67838-EEC5-4798-9716-848954DF9AA2}\ProgID oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{604087EE-5D13-491A-AACA-C12CFC40E6C7}\ = "IRcSend" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{604087EE-5D13-491A-AACA-C12CFC40E6C7}\TypeLib\Version = "1.0" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.RcSend.1 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\Programmable oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\TypeLib oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.HostInfo\CurVer\ = "w_exployer.HostInfo.1" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{07D1FA7A-925A-478C-B771-321852587289}\ProxyStubClsid32 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E66F9030-D86D-471D-A68B-4743E94FD681}\TypeLib oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Server oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\InprocServer32 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\ProgID\ = "FileTranDll.Client.1" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.HostInfo\CLSID\ = "{4DC442BB-F3F5-4D6D-ACDC-2B8A312F1F64}" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D227FE-B8D8-493D-B15C-A28DA094FDA2}\ProxyStubClsid32 oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C09B0011-6B92-4FFB-BCC3-5AE3716B09CB}\ = "YSysTray Class" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF0F0C25-BA24-47BA-AEC7-4968A4112D1C}\1.0\FLAGS oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{604087EE-5D13-491A-AACA-C12CFC40E6C7}\ProxyStubClsid32 oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DC442BB-F3F5-4D6D-ACDC-2B8A312F1F64}\InprocServer32 oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF0F0C25-BA24-47BA-AEC7-4968A4112D1C}\1.0\HELPDIR\ oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\VersionIndependentProgID\ = "FileTranDll.Client" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\TypeLib\ = "{80AECCA8-6A06-4BDF-8803-624E7CE96F56}" oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80AECCA8-6A06-4BDF-8803-624E7CE96F56}\1.0\HELPDIR oofile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\ProxyStubClsid32 oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.RcSend.1\CLSID\ = "{9BB67838-EEC5-4798-9716-848954DF9AA2}" oofile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\w_exployer.RcSend\CurVer\ = "w_exployer.RcSend.1" oofile.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 2996 oofile.exe 2996 oofile.exe 2996 oofile.exe 2996 oofile.exe 2996 oofile.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 2996 oofile.exe 2996 oofile.exe 2996 oofile.exe 2996 oofile.exe 2996 oofile.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2996 oofile.exe 2996 oofile.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\oofile_1.47\oofile.exe"C:\Users\Admin\AppData\Local\Temp\oofile_1.47\oofile.exe"1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2996 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 20842⤵
- Program crash
PID:4448
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2996 -ip 29961⤵PID:1588