Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
3Static
static
1cinerotiqu...__.pyc
windows7-x64
3cinerotiqu...__.pyc
windows10-2004-x64
3cinerotiqu...ts.pyc
windows7-x64
3cinerotiqu...ts.pyc
windows10-2004-x64
3cinerotiqu...on.pyc
windows7-x64
3cinerotiqu...on.pyc
windows10-2004-x64
3cinerotiqu...ts.pyc
windows7-x64
3cinerotiqu...ts.pyc
windows10-2004-x64
3cinerotiqu...ns.pyc
windows7-x64
3cinerotiqu...ns.pyc
windows10-2004-x64
3cinerotiqu...on.pyc
windows7-x64
3cinerotiqu...on.pyc
windows10-2004-x64
3cinerotiqu...ns.pyc
windows7-x64
3cinerotiqu...ns.pyc
windows10-2004-x64
3cinerotiqu...ng.pyc
windows7-x64
3cinerotiqu...ng.pyc
windows10-2004-x64
3cinerotiqu...ns.pyc
windows7-x64
3cinerotiqu...ns.pyc
windows10-2004-x64
3cinerotiqu...ls.pyc
windows7-x64
3cinerotiqu...ls.pyc
windows10-2004-x64
3Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
14/06/2024, 07:44
Static task
static1
Behavioral task
behavioral1
Sample
cinerotique_mod_scripts/__init__.pyc
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
cinerotique_mod_scripts/__init__.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
cinerotique_mod_scripts/add_tag_elements.pyc
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
cinerotique_mod_scripts/add_tag_elements.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
cinerotique_mod_scripts/display_mod_version.pyc
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
cinerotique_mod_scripts/display_mod_version.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
cinerotique_mod_scripts/dlc_pack_tests.pyc
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
cinerotique_mod_scripts/dlc_pack_tests.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
cinerotique_mod_scripts/inject_testsets_into_interactions.pyc
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
cinerotique_mod_scripts/inject_testsets_into_interactions.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
cinerotique_mod_scripts/notification.pyc
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
cinerotique_mod_scripts/notification.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
cinerotique_mod_scripts/object_injections.pyc
Resource
win7-20240611-en
Behavioral task
behavioral14
Sample
cinerotique_mod_scripts/object_injections.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
cinerotique_mod_scripts/objects_handling.pyc
Resource
win7-20240220-en
Behavioral task
behavioral16
Sample
cinerotique_mod_scripts/objects_handling.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral17
Sample
cinerotique_mod_scripts/tuning_injections.pyc
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
cinerotique_mod_scripts/tuning_injections.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
cinerotique_mod_scripts/utils.pyc
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
cinerotique_mod_scripts/utils.pyc
Resource
win10v2004-20240611-en
General
-
Target
cinerotique_mod_scripts/add_tag_elements.pyc
-
Size
3KB
-
MD5
8ba0af0008484613b971a4abf5778858
-
SHA1
92031a8c306e84dcfeb09e48679780091ae8c449
-
SHA256
adaaccd543379b93a7b48729ef3fa9675c4e4a5f0aa6f7b059e84059552b5112
-
SHA512
a7d16d60a02bcc0744e8ec411a7b168937ef6c864e9de3b93fa9719f7fbeb8da33a9c25c77278523da2bdf2ade3ae2f3f5ae978e13bb61d2c0e8841eb9493506
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyc_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyc rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2644 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2644 AcroRd32.exe 2644 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2848 wrote to memory of 2648 2848 cmd.exe 29 PID 2848 wrote to memory of 2648 2848 cmd.exe 29 PID 2848 wrote to memory of 2648 2848 cmd.exe 29 PID 2648 wrote to memory of 2644 2648 rundll32.exe 30 PID 2648 wrote to memory of 2644 2648 rundll32.exe 30 PID 2648 wrote to memory of 2644 2648 rundll32.exe 30 PID 2648 wrote to memory of 2644 2648 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\cinerotique_mod_scripts\add_tag_elements.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cinerotique_mod_scripts\add_tag_elements.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cinerotique_mod_scripts\add_tag_elements.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2644
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD50406a72c4b31b201dedbd1dc4387571b
SHA17ad4209548f3ab01b874286b2a9cb41deff82622
SHA256fc61556712896fdeb6fccbda0f764f36e69c71dbe9fa014f08596d693c7993f1
SHA512b7e23a536e71e3922f8431dff95f887ad5c5d36e7e48fda37cda4fa0e2dc29e01476d126624d9d46eb8584694b8ca7e2a0fa0d299ba5bc0410037a5fb8a395bb