Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
3Static
static
1cinerotiqu...__.pyc
windows7-x64
3cinerotiqu...__.pyc
windows10-2004-x64
3cinerotiqu...ts.pyc
windows7-x64
3cinerotiqu...ts.pyc
windows10-2004-x64
3cinerotiqu...on.pyc
windows7-x64
3cinerotiqu...on.pyc
windows10-2004-x64
3cinerotiqu...ts.pyc
windows7-x64
3cinerotiqu...ts.pyc
windows10-2004-x64
3cinerotiqu...ns.pyc
windows7-x64
3cinerotiqu...ns.pyc
windows10-2004-x64
3cinerotiqu...on.pyc
windows7-x64
3cinerotiqu...on.pyc
windows10-2004-x64
3cinerotiqu...ns.pyc
windows7-x64
3cinerotiqu...ns.pyc
windows10-2004-x64
3cinerotiqu...ng.pyc
windows7-x64
3cinerotiqu...ng.pyc
windows10-2004-x64
3cinerotiqu...ns.pyc
windows7-x64
3cinerotiqu...ns.pyc
windows10-2004-x64
3cinerotiqu...ls.pyc
windows7-x64
3cinerotiqu...ls.pyc
windows10-2004-x64
3Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14/06/2024, 07:44
Static task
static1
Behavioral task
behavioral1
Sample
cinerotique_mod_scripts/__init__.pyc
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
cinerotique_mod_scripts/__init__.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
cinerotique_mod_scripts/add_tag_elements.pyc
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
cinerotique_mod_scripts/add_tag_elements.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
cinerotique_mod_scripts/display_mod_version.pyc
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
cinerotique_mod_scripts/display_mod_version.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
cinerotique_mod_scripts/dlc_pack_tests.pyc
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
cinerotique_mod_scripts/dlc_pack_tests.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
cinerotique_mod_scripts/inject_testsets_into_interactions.pyc
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
cinerotique_mod_scripts/inject_testsets_into_interactions.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
cinerotique_mod_scripts/notification.pyc
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
cinerotique_mod_scripts/notification.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
cinerotique_mod_scripts/object_injections.pyc
Resource
win7-20240611-en
Behavioral task
behavioral14
Sample
cinerotique_mod_scripts/object_injections.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
cinerotique_mod_scripts/objects_handling.pyc
Resource
win7-20240220-en
Behavioral task
behavioral16
Sample
cinerotique_mod_scripts/objects_handling.pyc
Resource
win10v2004-20240611-en
Behavioral task
behavioral17
Sample
cinerotique_mod_scripts/tuning_injections.pyc
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
cinerotique_mod_scripts/tuning_injections.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
cinerotique_mod_scripts/utils.pyc
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
cinerotique_mod_scripts/utils.pyc
Resource
win10v2004-20240611-en
General
-
Target
cinerotique_mod_scripts/dlc_pack_tests.pyc
-
Size
3KB
-
MD5
086478cce52741bb3b20223fa1c47851
-
SHA1
1fbd3fc25c7b3c1ab75e569257f61c5246b05fae
-
SHA256
6d0230f739adb06213c5e39c9810076aec253c64e15767d2e25f87e56d70487a
-
SHA512
88c1057a84e4caa74acb57f52e228cd7809b77fd1d10aaf55b26aae44651ac71aea3fdc2e844e96888ce64f86babc5f063dae86c337d3d3b4f94e72b4781c991
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2572 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2572 AcroRd32.exe 2572 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2732 wrote to memory of 2588 2732 cmd.exe 29 PID 2732 wrote to memory of 2588 2732 cmd.exe 29 PID 2732 wrote to memory of 2588 2732 cmd.exe 29 PID 2588 wrote to memory of 2572 2588 rundll32.exe 30 PID 2588 wrote to memory of 2572 2588 rundll32.exe 30 PID 2588 wrote to memory of 2572 2588 rundll32.exe 30 PID 2588 wrote to memory of 2572 2588 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\cinerotique_mod_scripts\dlc_pack_tests.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cinerotique_mod_scripts\dlc_pack_tests.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cinerotique_mod_scripts\dlc_pack_tests.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2572
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD586960ef2dd8f6e535de73ff0fa300052
SHA12d1d7e1f9ae8ae792768cac93a52e71e6f85a6b8
SHA2566aebdeed3c9769c750fbc08c2b04b28099b05975bba89fe213fc9e27ff541c64
SHA512ddbad8618e3027bc00659c5dc51de99f6735fd6098a017c14ec80d2b2edf52db5d0933d55495e55352c0cda30488142dcdc47e655f07c3e8d57e592fc0d68d44