Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11/05/2024, 17:50
Behavioral task
behavioral1
Sample
cracked_lunar.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
cracked_lunar.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
cracked_lunar.pyc
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
cracked_lunar.pyc
Resource
win10v2004-20240508-en
General
-
Target
cracked_lunar.pyc
-
Size
4KB
-
MD5
12a93c3ee2b59411a9887a18560b8df5
-
SHA1
b9ad55bbacd12a061fd5130e4254a375e9e2344f
-
SHA256
bf271fe46ded5677beb44f398a3e22d867cd1b935682d59a806ae02eaf121b24
-
SHA512
4b7f968bd045e63cff5994092438598018344f2023e6b96a27805030a909d725ccd456b8b9e1fd053e1f0ec45a7ec631e117cfc14334c328151dd6bfdc69e45b
-
SSDEEP
96:VbjDfGyG3+bbQ6OOssflo+UKBccccc3ccGd+o1gScHw:It3+baOssfl7vccccc3ccGd+CEw
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pyc rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pyc_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2704 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2704 AcroRd32.exe 2704 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1432 wrote to memory of 2532 1432 cmd.exe 29 PID 1432 wrote to memory of 2532 1432 cmd.exe 29 PID 1432 wrote to memory of 2532 1432 cmd.exe 29 PID 2532 wrote to memory of 2704 2532 rundll32.exe 30 PID 2532 wrote to memory of 2704 2532 rundll32.exe 30 PID 2532 wrote to memory of 2704 2532 rundll32.exe 30 PID 2532 wrote to memory of 2704 2532 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\cracked_lunar.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cracked_lunar.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cracked_lunar.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2704
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD50ed453cbcf64891825e12dec6f4f93f1
SHA13b33b5f70fe0d680902e1e9aac263faf5d3e7756
SHA256538e725da304cd14670b49316b1828583887411b3d16aa4c6c0ee23c91668d7b
SHA5122259719816ceb397601b1cb5e97adcd2e911abf7bd6c280702002b9424fce63b4b64dc770bc82414dfaed45421bbc954af6f53c27db3ec30b9fbca981f5dd508