Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 24/06/2024, 20:50
Task                        Sample                                Resource
static1 (static task)       New folder (10).rar                   -
behavioral1 (behavioral)    New folder (10).rar                   win7-20231129-en
behavioral2 (behavioral)    New folder (10).rar                   win10v2004-20240611-en
behavioral3 (behavioral)    New folder (10)/Artic.exe             win7-20240221-en
behavioral4 (behavioral)    New folder (10)/Artic.exe             win10v2004-20240508-en
behavioral5 (behavioral)    New folder (10)/Scripts/Hello.lua     win7-20240611-en
behavioral6 (behavioral)    New folder (10)/Scripts/Hello.lua     win10v2004-20240508-en
behavioral7 (behavioral)    New folder (10)/autoexec.lnk          win7-20240611-en
behavioral8 (behavioral)    New folder (10)/autoexec.lnk          win10v2004-20240226-en
behavioral9 (behavioral)    New folder (10)/aworkspace.lnk        win7-20240508-en
behavioral10 (behavioral)   New folder (10)/aworkspace.lnk        win10v2004-20240508-en
behavioral11 (behavioral)   New folder (10)/bin/ArticDLL.dll      win7-20240419-en
behavioral12 (behavioral)   New folder (10)/bin/ArticDLL.dll      win10v2004-20240508-en
behavioral13 (behavioral)   New folder (10)/bin/artic.xml         win7-20240221-en
behavioral14 (behavioral)   New folder (10)/bin/artic.xml         win10v2004-20240611-en
behavioral15 (behavioral)   New folder (10)/bin/ver.txt           win7-20231129-en
behavioral16 (behavioral)   New folder (10)/bin/ver.txt           win10v2004-20240508-en
General

Target: New folder (10)/bin/ArticDLL.dll
Size: 9.2MB
MD5: 602aa90fe7c3d3dd958d041a28c01cf2
SHA1: a2cbc3bde48d8d764917dde1b56146e4a7a51a1f
SHA256: 9f57c170461a90629a3a54149011ddffb321ba17ce6c5a2ad29dd3f953479499
SHA512: c756b3576bd77e6bb4eaaa886a6292b6edb3861d7865aa9f17359e1b071b7adf74ab2ffaf8e66b8f15948ae18e744273b9c3c233c0569362774bf78ca4e554d9
SSDEEP: 196608:IDPZpEhP272r1ZULbBw+CjVrLqr/C0dnbX7Hv0vwJLt2IBFS2mSeIN:lhPZBGLbEF+r/Ck8v2LEIPp
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description   ioc                                            Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    rundll32.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description          ioc                                                                Process
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    rundll32.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     rundll32.exe

Checks whether UAC is enabled
  description          ioc                                                                                   Process
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid     Process
  2060    rundll32.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid     Process
  2060    rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                          pid     Process         procid_target
  PID 2372 wrote to memory of 2060     2372    rundll32.exe    28
  PID 2372 wrote to memory of 2060     2372    rundll32.exe    28
  PID 2372 wrote to memory of 2060     2372    rundll32.exe    28
  PID 2372 wrote to memory of 2060     2372    rundll32.exe    28
  PID 2372 wrote to memory of 2060     2372    rundll32.exe    28
  PID 2372 wrote to memory of 2060     2372    rundll32.exe    28
  PID 2372 wrote to memory of 2060     2372    rundll32.exe    28
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\New folder (10)\bin\ArticDLL.dll",#1
   - Suspicious use of WriteProcessMemory
   PID: 2372

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2372)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\New folder (10)\bin\ArticDLL.dll",#1
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      PID: 2060