Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
3Static
static
1Kematian-m...ME.ps1
windows7-x64
3Kematian-m...ME.ps1
windows10-2004-x64
3Kematian-m...er.bat
windows7-x64
1Kematian-m...er.bat
windows10-2004-x64
1Kematian-m...est.py
windows7-x64
3Kematian-m...est.py
windows10-2004-x64
3Kematian-m...vm.ps1
windows7-x64
3Kematian-m...vm.ps1
windows10-2004-x64
3Kematian-main/main.py
windows7-x64
3Kematian-main/main.py
windows10-2004-x64
3Kematian-m...ver.py
windows7-x64
3Kematian-m...ver.py
windows10-2004-x64
3Kematian-m...ler.py
windows7-x64
3Kematian-m...ler.py
windows10-2004-x64
3Kematian-m...ler.py
windows7-x64
3Kematian-m...ler.py
windows10-2004-x64
3Kematian-m...tml.py
windows7-x64
3Kematian-m...tml.py
windows10-2004-x64
3Kematian-m...ges.py
windows7-x64
3Kematian-m...ges.py
windows10-2004-x64
3Kematian-m...ner.py
windows7-x64
3Kematian-m...ner.py
windows10-2004-x64
3Kematian-m...ain.py
windows7-x64
3Kematian-m...ain.py
windows10-2004-x64
3Kematian-m...ypt.py
windows7-x64
3Kematian-m...ypt.py
windows10-2004-x64
3Kematian-m...ors.py
windows7-x64
3Kematian-m...ors.py
windows10-2004-x64
3Kematian-m...ime.py
windows7-x64
3Kematian-m...ime.py
windows10-2004-x64
3Kematian-m...ger.py
windows7-x64
3Kematian-m...ger.py
windows10-2004-x64
3Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
05/08/2024, 12:56
Static task
static1
Behavioral task
behavioral1
Sample
Kematian-main/README.ps1
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Kematian-main/README.ps1
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Kematian-main/builder.bat
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Kematian-main/builder.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Kematian-main/conftest.py
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
Kematian-main/conftest.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Kematian-main/frontend-src/antivm.ps1
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
Kematian-main/frontend-src/antivm.ps1
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
Kematian-main/main.py
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
Kematian-main/main.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
Kematian-main/panel/server.py
Resource
win7-20240705-en
Behavioral task
behavioral12
Sample
Kematian-main/panel/server.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Kematian-main/panel/ui/handlers/logs_handler.py
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
Kematian-main/panel/ui/handlers/logs_handler.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
Kematian-main/panel/ui/handlers/stats_handler.py
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
Kematian-main/panel/ui/handlers/stats_handler.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
Kematian-main/panel/ui/html/html.py
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
Kematian-main/panel/ui/html/html.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
Kematian-main/panel/ui/media/images.py
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
Kematian-main/panel/ui/media/images.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
Kematian-main/panel/ui/modules/async_runner/runner.py
Resource
win7-20240704-en
Behavioral task
behavioral22
Sample
Kematian-main/panel/ui/modules/async_runner/runner.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
Kematian-main/panel/ui/modules/builder/main.py
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
Kematian-main/panel/ui/modules/builder/main.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
Kematian-main/panel/ui/modules/crypt/crypt.py
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
Kematian-main/panel/ui/modules/crypt/crypt.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
Kematian-main/panel/ui/modules/errors/errors.py
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
Kematian-main/panel/ui/modules/errors/errors.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
Kematian-main/panel/ui/modules/first_time/first_time.py
Resource
win7-20240704-en
Behavioral task
behavioral30
Sample
Kematian-main/panel/ui/modules/first_time/first_time.py
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
Kematian-main/panel/ui/modules/logging/logger.py
Resource
win7-20240704-en
Behavioral task
behavioral32
Sample
Kematian-main/panel/ui/modules/logging/logger.py
Resource
win10v2004-20240802-en
General
-
Target
Kematian-main/main.py
-
Size
1KB
-
MD5
d97a482f3784cbad5c2db528fe105af0
-
SHA1
f2df3d8b7944ec665a817dc8730a08ad29b6f607
-
SHA256
a7d629ee76174056348db8c9905c34ed08b301bb1d8443eaf07e068506a10e30
-
SHA512
b548df0977dd3b184c93c721fc92bd6cde5f24f2f57c71d14dd6ed49277fbac285ca06ae314c2ff5e5a138d4eb7fa0b8174454bfbe11358a742e3aff42e26174
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\py_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\py_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\py_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.py rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2652 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2652 AcroRd32.exe 2652 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2820 wrote to memory of 2724 2820 cmd.exe 31 PID 2820 wrote to memory of 2724 2820 cmd.exe 31 PID 2820 wrote to memory of 2724 2820 cmd.exe 31 PID 2724 wrote to memory of 2652 2724 rundll32.exe 32 PID 2724 wrote to memory of 2652 2724 rundll32.exe 32 PID 2724 wrote to memory of 2652 2724 rundll32.exe 32 PID 2724 wrote to memory of 2652 2724 rundll32.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Kematian-main\main.py1⤵
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Kematian-main\main.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Kematian-main\main.py"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2652
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD57ac1979c13a43f6326d3c04249986b5e
SHA17a5d09f6869cb75686ae8c4a488dc4208d8e8ddb
SHA256f96459d5fc409e5ff75311366d831b0e7dae6e31dd41a478a4574c9494982e2e
SHA5123d0953df7a1c47a53dba31a0c6a3dcb626e191788493252997e91473b5da2065f3c3e169374a33d34a70a499c80e3e5529cad21bd274727dc293fef66d00f0bd