Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3Osu.7z
windows7-x64
3Osu.7z
windows10-2004-x64
3Osu/Launcher.exe
windows7-x64
10Osu/Launcher.exe
windows10-2004-x64
10Osu/optimi...al.dll
windows7-x64
1Osu/optimi...al.dll
windows10-2004-x64
1Osu/vk_swi...er.dll
windows7-x64
1Osu/vk_swi...er.dll
windows10-2004-x64
1Osu/vulkan-1.dll
windows7-x64
1Osu/vulkan-1.dll
windows10-2004-x64
1Analysis
-
max time kernel
1561s -
max time network
1562s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
21/05/2024, 14:49
Static task
static1
Behavioral task
behavioral1
Sample
Osu.7z
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Osu.7z
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
Osu/Launcher.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
Osu/Launcher.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Osu/optimization_guide_internal.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Osu/optimization_guide_internal.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
Osu/vk_swiftshader.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Osu/vk_swiftshader.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
Osu/vulkan-1.dll
Resource
win7-20231129-en
Behavioral task
behavioral10
Sample
Osu/vulkan-1.dll
Resource
win10v2004-20240508-en
General
-
Target
Osu.7z
-
Size
3.7MB
-
MD5
925d19382afe84113af3255a66d024d8
-
SHA1
dae8a69db43980e2335503a4a0a7d30576bed181
-
SHA256
9d0eef3560fd3b6f9207a21206c4f4337b07bff2cf082869c87bdc1ddd6d2e89
-
SHA512
1a6cf9bdc5666a4a9b0b4e4fc9d46eaecabf572a757fa9abb4faf24413abde504fef829660a0dd3a6681ab6c28f9032875c3c22a653f66939412ed853175ca45
-
SSDEEP
98304:00xdEVRkgh/ZxjuutKhnM5IYpu99zvp8sPhy//oSuks:00fq/mhnMqYp6B8sJ4Ts
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.7z rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.7z\ = "7z_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1764 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1764 AcroRd32.exe 1764 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2924 wrote to memory of 2660 2924 cmd.exe 29 PID 2924 wrote to memory of 2660 2924 cmd.exe 29 PID 2924 wrote to memory of 2660 2924 cmd.exe 29 PID 2660 wrote to memory of 1764 2660 rundll32.exe 30 PID 2660 wrote to memory of 1764 2660 rundll32.exe 30 PID 2660 wrote to memory of 1764 2660 rundll32.exe 30 PID 2660 wrote to memory of 1764 2660 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Osu.7z1⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Osu.7z2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Osu.7z"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1764
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5b5152f7dc1808dda82fe43fb2c49df8b
SHA1c96a0dc1e0814948317559f2c778b48b92f49eb8
SHA25603e1c67ad758d24516eaf561c2699661be0c61c573f62c9ecf2c208933f4e190
SHA5123888e76b20b40f77a6908247d5e59ea0efe6bcf5ba9399f9242ff83f124e519be36d9f1b83ae8a405df38d5ed8157f7897f6cedced06924aa309d64ca0a950dd