Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
9Static
static
7release8-16.rar
windows7-x64
3release8-16.rar
windows10-2004-x64
3release/ma...ex.exe
windows7-x64
9release/ma...ex.exe
windows10-2004-x64
9release/ma...er.exe
windows7-x64
9release/ma...er.exe
windows10-2004-x64
9release/map/Map.exe
windows7-x64
8release/map/Map.exe
windows10-2004-x64
release/readme.txt
windows7-x64
1release/readme.txt
windows10-2004-x64
1Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
17/08/2024, 13:48
Behavioral task
behavioral1
Sample
release8-16.rar
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
release8-16.rar
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
release/main/celex.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
release/main/celex.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
release/main/loader.exe
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
release/main/loader.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
release/map/Map.exe
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
release/map/Map.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
release/readme.txt
Resource
win7-20240705-en
Behavioral task
behavioral10
Sample
release/readme.txt
Resource
win10v2004-20240802-en
General
-
Target
release8-16.rar
-
Size
8.1MB
-
MD5
7b8a172974a32f9d1c093d1c35e8f1a1
-
SHA1
9110827d5a5a39306ee26e3e8b763abf22ae555e
-
SHA256
ecab58d9e2edf6539e3cca667a72cb0ced2567bf30073f9f216af4a872c5beaf
-
SHA512
458f52e0cba4801acce10f062207939f7749365dcfad4a2473e96ccfd91213d0a91b15d07f40b5588e1ebacbbdd5852711dd81252772cc0b9c3232b174a32850
-
SSDEEP
196608:DyPpgjLDA8M2X5et5MNhJNlixAvGUFi0gpuKLoqizxw1wK:Bj/A8MHHMDXAA+UA0gxLonzM
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2940 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2940 vlc.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe -
Suspicious use of SendNotifyMessage 9 IoCs
pid Process 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe 2940 vlc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2940 vlc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2540 wrote to memory of 2744 2540 cmd.exe 31 PID 2540 wrote to memory of 2744 2540 cmd.exe 31 PID 2540 wrote to memory of 2744 2540 cmd.exe 31 PID 2744 wrote to memory of 2748 2744 rundll32.exe 32 PID 2744 wrote to memory of 2748 2744 rundll32.exe 32 PID 2744 wrote to memory of 2748 2744 rundll32.exe 32 PID 2748 wrote to memory of 2940 2748 rundll32.exe 35 PID 2748 wrote to memory of 2940 2748 rundll32.exe 35 PID 2748 wrote to memory of 2940 2748 rundll32.exe 35
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\release8-16.rar1⤵
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\release8-16.rar2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\release8-16.rar3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\release8-16.rar"4⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2940
-
-
-