Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Roflection.exe

windows11-21h2-x64

7

$PLUGINSDI...er.dll

windows11-21h2-x64

3

$PLUGINSDI...ls.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDI...ll.dll

windows11-21h2-x64

3

LICENSES.c...m.html

windows11-21h2-x64

3

Roflection.exe

windows11-21h2-x64

7

d3dcompiler_47.dll

windows11-21h2-x64

1

ffmpeg.dll

windows11-21h2-x64

1

libEGL.dll

windows11-21h2-x64

1

libGLESv2.dll

windows11-21h2-x64

1

resources/elevate.exe

windows11-21h2-x64

3

swiftshade...GL.dll

windows11-21h2-x64

1

swiftshade...v2.dll

windows11-21h2-x64

1

vk_swiftshader.dll

windows11-21h2-x64

1

vulkan-1.dll

windows11-21h2-x64

1

$PLUGINSDI...ec.dll

windows11-21h2-x64

3

$PLUGINSDI...ss.dll

windows11-21h2-x64

3

$PLUGINSDI...7z.dll

windows11-21h2-x64

3

Uninstall ...on.exe

windows11-21h2-x64

7

$PLUGINSDI...ls.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDI...ll.dll

windows11-21h2-x64

3

$PLUGINSDI...ec.dll

windows11-21h2-x64

3

$PLUGINSDI...ss.dll

windows11-21h2-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    99s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02/08/2024, 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Roflection.exe

  • Size

    61.3MB

  • MD5

    14d2a481b6b413f276ffcd0bff85bc84

  • SHA1

    9525e71c34b27508d007a74de12d61ea330cf558

  • SHA256

    372b81cb23efd1c29173c72b812793d0e2b60cd4befd8c6917a206830a4c5af3

  • SHA512

    4c38ac673939189c580847005b74b63f5ed902252fb506ddca694a44d8dff2f81b0df1f409079e620caffb736cebe7f6d48dbbb6cb5e87eeffbed3acc25db63c

  • SSDEEP

    1572864:3Vzq5PhfttdirLfjYQ2jcGUMQRe0X9PJFiZ4YWPu:3oBh1jirLfcQzxJRgZ43W

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 16 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Roflection.exe
    "C:\Users\Admin\AppData\Local\Temp\Roflection.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1280
  • C:\Users\Admin\AppData\Local\Programs\Roflection\Roflection.exe
    "C:\Users\Admin\AppData\Local\Programs\Roflection\Roflection.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3184
    • C:\Users\Admin\AppData\Local\Programs\Roflection\Roflection.exe
      "C:\Users\Admin\AppData\Local\Programs\Roflection\Roflection.exe" --type=gpu-process --field-trial-handle=1712,7277559643273250542,12408673174782248579,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:2
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2360
    • C:\Users\Admin\AppData\Local\Programs\Roflection\Roflection.exe
      "C:\Users\Admin\AppData\Local\Programs\Roflection\Roflection.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,7277559643273250542,12408673174782248579,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 /prefetch:8
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:3048
    • C:\Users\Admin\AppData\Local\Programs\Roflection\Roflection.exe
      "C:\Users\Admin\AppData\Local\Programs\Roflection\Roflection.exe" --type=gpu-process --field-trial-handle=1712,7277559643273250542,12408673174782248579,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:956
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
      PID:5012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Programs\Roflection\D3DCompiler_47.dll
      Filesize

      4.3MB

      MD5

      7641e39b7da4077084d2afe7c31032e0

      SHA1

      2256644f69435ff2fee76deb04d918083960d1eb

      SHA256

      44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

      SHA512

      8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Roflection\chrome_100_percent.pak
      Filesize

      138KB

      MD5

      03aaa4f8525ba4b3e30d2a02cb40ab7a

      SHA1

      dd9ae5f8b56d317c71d0a0a738f5d4a320a02085

      SHA256

      c3f131faeefab4f506bf61c4b7752a6481f320429731d758ef5413a2f71441f7

      SHA512

      c89a1b89b669602ba7c8bf2c004755cac7320189603fecb4f4c5cf7a36db72da651c7b613607146f0c6da9eec5df412c7fba75475352192351c02aebdaa7d9a9

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Roflection\chrome_200_percent.pak
      Filesize

      202KB

      MD5

      7d4f330a5443eadf32e041c63e7e70ad

      SHA1

      26ce6fb98c0f28f508d7b88cf94a442b81e80c88

      SHA256

      b8704be578e7396ee3f2188d0c87d0ede5c5702e9bb8c841b5f8d458abf1356d

      SHA512

      f1b9b0dd7396863aa0feca06175b7f9ea0be4122351ecf0a0549ee4c34f85ac8c63cc927d7409a40b6e19fa91d2cb00a145616ba19f47045b2345bfbc2d4802d

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Roflection\ffmpeg.dll
      Filesize

      2.6MB

      MD5

      7c3c780de9ae5cc4abeccbd7cb6b367b

      SHA1

      bda27b3c0b1ec023e2a0a97099a84b10e04cb135

      SHA256

      39293258d5a2418841edb5ccf9ab3ad23064fb95e1ddfa7a3c6295a24c272a08

      SHA512

      80a79f827c3154461158ec6f466db0c2ecd9ce9ffd7728001644d4cf382721d09c0758f98f73d7fa548e4e220ffd2b8842303d67a43e79b9146e8b882853658c

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Roflection\icudtl.dat
      Filesize

      9.9MB

      MD5

      80a7528515595d8b0bf99a477a7eff0d

      SHA1

      fde9a195fc5a6a23ec82b8594f958cfcf3159437

      SHA256

      6e0b6b0d9e14c905f2278dbf25b7bb58cc0622b7680e3b6ff617a1d42348736b

      SHA512

      c8df47a00f7b2472d272a26b3600b7e82be7ca22526d6453901ff06370b3abb66328655868db9d4e0a11dcba02e3788cc4883261fd9a7d3e521577dde1b88459

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Roflection\libEGL.dll
      Filesize

      429KB

      MD5

      b3017453d487a7d33445c1d2d9b9bc13

      SHA1

      7e643ccb8984a4a92dd439eeb4bdaaeb62bd8862

      SHA256

      23046e7fe2bbf76ee2c5596b6beac723ad465fdbaa44266486102cdb292148a1

      SHA512

      fd583f4b95aa974d72628bcc548feb22bc86c5ab0fd1536995bd796e28422f56e6799d60e2c3bef9aed9a1080eaf12338a3b29b8c3d40ba5166030a219572baf

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Roflection\libglesv2.dll
      Filesize

      7.6MB

      MD5

      dd8d815769cbf46af41a41931e9b4572

      SHA1

      f242fcc4cfd5030f3f543c22f141185cd86e7142

      SHA256

      dd74029716da56a0e4b64bc5cea0c169e1c4b31143ff39213d3c544792e8f2b9

      SHA512

      69a12f862157746ffc27b637941261a0c5c494175c3e674c7de4d0c4452a5b9358735944e8e0568b7279a7791cf178c9b1afd5ea4a781e93f28cd775a0a6096f

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Roflection\locales\en-US.pak
      Filesize

      88KB

      MD5

      af5c77e1d94dc4f772cb641bd310bc87

      SHA1

      0ceeb456e2601e22d873250bcc713bab573f2247

      SHA256

      781ef5aa8dce072a3e7732f39a7e991c497c70bfaec2264369d0d790ab7660a4

      SHA512

      8c3217b7d9b529d00785c7a1b2417a3297c234dec8383709c89c7ff9296f8ed4e9e6184e4304838edc5b4da9c9c3fe329b792c462e48b7175250ea3ea3acc70c

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Roflection\resources.pak
      Filesize

      4.9MB

      MD5

      91f8a4b158df6967163ccbbe765e095a

      SHA1

      95db67f0a2352fd898f4a4cfdfc860f6a9c58c87

      SHA256

      a30b8269e588c6cc2cea5fd4685da3012fd10451edb59a283005116f8e033182

      SHA512

      6450d75d53f24d11e1c1e7e3cacfc57ee9dd09c00ca0dc2ff30f580b59a6b17e7ad7d96682195bd7d806b49068653538c77ca4200491560cecff128a0b012d92

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Roflection\resources\app.asar
      Filesize

      14.3MB

      MD5

      bdc4b27b2516efc9bb89227164561e78

      SHA1

      708f02b85436bcb9d7c9903386cb437e99181e39

      SHA256

      af01bbba9c37d7d32d8f4efaca43f44123569b48377c1ea520050ac21f7d3131

      SHA512

      20e107780e8507682b84c9d07e1b52107db5bacdf7d19880f85bf6ce20b2b02ad7523b4a7f5bef59bea1b33685c74dc21b8013597a3a1abcec781a43a1a8c386

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Roflection\v8_context_snapshot.bin
      Filesize

      161KB

      MD5

      e47426f88649c7f8e27b8a1516cc0137

      SHA1

      5452aadfddbc55d6c5c18b801087e39529859b12

      SHA256

      09686ad5bf03d95de7c251d204e60a8e3824bd6420bedddee80b2c6e5609fb26

      SHA512

      f9647a35ff273ca622b3db4aefb9aaf75075386c42a31e085f916fc82f3a18fed25b0e05dcc09e678ca419408f59f0c34fa5762e5f945db35f9c6f67b7b94bc0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\37288796-3014-4d04-bb8e-4c727bebd058.tmp.node
      Filesize

      137KB

      MD5

      04bfbfec8db966420fe4c7b85ebb506a

      SHA1

      939bb742a354a92e1dcd3661a62d69e48030a335

      SHA256

      da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

      SHA512

      4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\9e44b2da-59b2-4ffb-a217-4279674280d6.tmp.node
      Filesize

      1.8MB

      MD5

      3072b68e3c226aff39e6782d025f25a8

      SHA1

      cf559196d74fa490ac8ce192db222c9f5c5a006a

      SHA256

      7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

      SHA512

      61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nshB18E.tmp\SpiderBanner.dll
      Filesize

      9KB

      MD5

      17309e33b596ba3a5693b4d3e85cf8d7

      SHA1

      7d361836cf53df42021c7f2b148aec9458818c01

      SHA256

      996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

      SHA512

      1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nshB18E.tmp\StdUtils.dll
      Filesize

      101KB

      MD5

      33b4e69e7835e18b9437623367dd1787

      SHA1

      53afa03edaf931abdc2d828e5a2c89ad573d926c

      SHA256

      72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae

      SHA512

      ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nshB18E.tmp\System.dll
      Filesize

      11KB

      MD5

      75ed96254fbf894e42058062b4b4f0d1

      SHA1

      996503f1383b49021eb3427bc28d13b5bbd11977

      SHA256

      a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

      SHA512

      58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nshB18E.tmp\WinShell.dll
      Filesize

      3KB

      MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

      SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

      SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

      SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nshB18E.tmp\nsProcess.dll
      Filesize

      4KB

      MD5

      f0438a894f3a7e01a4aae8d1b5dd0289

      SHA1

      b058e3fcfb7b550041da16bf10d8837024c38bf6

      SHA256

      30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

      SHA512

      f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nshB18E.tmp\nsis7z.dll
      Filesize

      391KB

      MD5

      c6a070b3e68b292bb0efc9b26e85e9cc

      SHA1

      5a922b96eda6595a68fd0a9051236162ff2e2ada

      SHA256

      66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b

      SHA512

      8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8

      Download Submit

    • memory/2360-229-0x00007FF82D700000-0x00007FF82D701000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2360-240-0x00000214268F0000-0x0000021426C68000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/2360-241-0x00000214268F0000-0x0000021426C68000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/2360-246-0x00000214268F0000-0x0000021426C68000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/2360-256-0x00000214268F0000-0x0000021426C68000-memory.dmp

      Filesize

      3.5MB

      Download