Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
371adc882c0...74.exe
windows7-x64
771adc882c0...74.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3App_Encryp...ty.exe
windows7-x64
3App_Encryp...ty.exe
windows10-2004-x64
3File/Crypt...86.dll
windows7-x64
1File/Crypt...86.dll
windows10-2004-x64
1File/runRe...it.bat
windows7-x64
3File/runRe...it.bat
windows10-2004-x64
7GXT.HttpWe...ls.dll
windows7-x64
1GXT.HttpWe...ls.dll
windows10-2004-x64
1Newtonsoft.Json.dll
windows7-x64
1Newtonsoft.Json.dll
windows10-2004-x64
1log4net.dll
windows7-x64
1log4net.dll
windows10-2004-x64
1zxing.dll
windows7-x64
1zxing.dll
windows10-2004-x64
1Analysis
-
max time kernel
51s -
max time network
57s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11/06/2024, 16:29
Static task
static1
Behavioral task
behavioral1
Sample
71adc882c04d3971db6186a8630db425c571b8db6403036745e86b53bf1d3474.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
71adc882c04d3971db6186a8630db425c571b8db6403036745e86b53bf1d3474.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
App_EncryptUtility.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
App_EncryptUtility.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
File/CryptoKit.SDEG.x86.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
File/CryptoKit.SDEG.x86.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
File/runReg_admin_CryptoKit.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
File/runReg_admin_CryptoKit.bat
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
GXT.HttpWebRequestUtils.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
GXT.HttpWebRequestUtils.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Newtonsoft.Json.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
Newtonsoft.Json.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
log4net.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
log4net.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
zxing.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral20
Sample
zxing.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
General
-
Target
File/runReg_admin_CryptoKit.bat
-
Size
358B
-
MD5
b813c9f650bc28f8062a640788d589c7
-
SHA1
99959bb6d7b00b9255d3ff7145be22669e5e92bd
-
SHA256
0054e30f1d7d46f510cf2d91d0cbbb6d966c6e39af3fbdf90a40badee85349b3
-
SHA512
344e0b1f986596b450613624b5e72384568a7246e77d995f85dd3dee6a7d0fab574ee8ab880fb3540703df68f7d2d6bf0b52afe899c0abb991bb4434b7ec4b34
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation mshta.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 46 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID\ = "{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\ = "CryptoAgent Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE17CEE1-C1EE-41B1-99ED-63416061190F}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE17CEE1-C1EE-41B1-99ED-63416061190F}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE17CEE1-C1EE-41B1-99ED-63416061190F} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE17CEE1-C1EE-41B1-99ED-63416061190F}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE17CEE1-C1EE-41B1-99ED-63416061190F}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID\ = "{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\ProgID\ = "CryptoKit.CryptoAgent.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\VersionIndependentProgID\ = "CryptoKit.CryptoAgent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE17CEE1-C1EE-41B1-99ED-63416061190F}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\File" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\ = "ICryptoAgent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\ = "CryptoAgent Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\TypeLib\ = "{FE17CEE1-C1EE-41B1-99ED-63416061190F}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE17CEE1-C1EE-41B1-99ED-63416061190F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\File\\CryptoKit.SDEG.x86.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\TypeLib\ = "{FE17CEE1-C1EE-41B1-99ED-63416061190F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\ = "ICryptoAgent" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\TypeLib\ = "{FE17CEE1-C1EE-41B1-99ED-63416061190F}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\ = "CryptoAgent Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer\ = "CryptoKit.CryptoAgent.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\File\\CryptoKit.SDEG.x86.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE17CEE1-C1EE-41B1-99ED-63416061190F}\1.0\ = "CryptoKit.SDEG.x86 3.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE5E54C-021A-49CB-830E-3C3159CCE2EF}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE17CEE1-C1EE-41B1-99ED-63416061190F}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE17CEE1-C1EE-41B1-99ED-63416061190F}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E64AF12-53D0-467E-99D5-2BAFBE9F85F0}\TypeLib\Version = "1.0" regsvr32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5004 PING.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3108 wrote to memory of 3012 3108 cmd.exe 82 PID 3108 wrote to memory of 3012 3108 cmd.exe 82 PID 3012 wrote to memory of 316 3012 mshta.exe 84 PID 3012 wrote to memory of 316 3012 mshta.exe 84 PID 316 wrote to memory of 3452 316 cmd.exe 86 PID 316 wrote to memory of 3452 316 cmd.exe 86 PID 3452 wrote to memory of 3116 3452 regsvr32.exe 87 PID 3452 wrote to memory of 3116 3452 regsvr32.exe 87 PID 3452 wrote to memory of 3116 3452 regsvr32.exe 87 PID 316 wrote to memory of 5004 316 cmd.exe 89 PID 316 wrote to memory of 5004 316 cmd.exe 89
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\File\runReg_admin_CryptoKit.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\system32\mshta.exemshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\Admin\AppData\Local\Temp\File\RUNREG~1.BAT ::","","runas",1)(window.close)2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\File\RUNREG~1.BAT ::3⤵
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32 /s CryptoKit.SDEG.x86.dll4⤵
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\regsvr32.exe/s CryptoKit.SDEG.x86.dll5⤵
- Modifies registry class
PID:3116
-
-
-
C:\Windows\system32\PING.EXEping -n 1 127.14⤵
- Runs ping.exe
PID:5004
-
-
-