Overview

Static analysis score: 7

Behavioral analysis tabs (score, sample, platform):
  3  womsz_python.zip       windows7-x64
  1  womsz_python.zip       windows10-2004-x64
  1  fotosy/apple.png       windows7-x64
  3  fotosy/apple.png       windows10-2004-x64
  3  fotosy/background.png  windows7-x64
  3  fotosy/background.png  windows10-2004-x64
  3  fotosy/head.png        windows7-x64
  3  fotosy/head.png        windows10-2004-x64
  3  fotosy/segment.png     windows7-x64
  3  fotosy/segment.png     windows10-2004-x64
  3  womsz_main.exe         windows7-x64
  7  womsz_main.exe         windows10-2004-x64
  7  womsz_main.pyc         windows7-x64
  3  womsz_main.pyc         windows10-2004-x64
Analysis

  max time kernel   118s
  max time network  120s
  platform          windows7_x64
  resource          win7-20240903-en
  resource tags     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted         05/09/2024, 18:56
Behavioral tasks (task, sample, resource):
  behavioral1   womsz_python.zip       win7-20240903-en
  behavioral2   womsz_python.zip       win10v2004-20240802-en
  behavioral3   fotosy/apple.png       win7-20240903-en
  behavioral4   fotosy/apple.png       win10v2004-20240802-en
  behavioral5   fotosy/background.png  win7-20240704-en
  behavioral6   fotosy/background.png  win10v2004-20240802-en
  behavioral7   fotosy/head.png        win7-20240903-en
  behavioral8   fotosy/head.png        win10v2004-20240802-en
  behavioral9   fotosy/segment.png     win7-20240708-en
  behavioral10  fotosy/segment.png     win10v2004-20240802-en
  behavioral11  womsz_main.exe         win7-20240903-en
  behavioral12  womsz_main.exe         win10v2004-20240802-en
  behavioral13  womsz_main.pyc         win7-20240903-en
  behavioral14  womsz_main.pyc         win10v2004-20240802-en
General

  Target  womsz_main.pyc
  Size    4KB
  MD5     a65dfcc4a59c43827962e7545d67f32b
  SHA1    f8bd6d7d542024840a3fad053ffa02f79441faaf
  SHA256  0f882947bde8b6f73dd11b6304a1b5c59c8d128baac611d620d6dfe8000f01b2
  SHA512  796a8416f39bafd121341da04f2695ffb689243bd5edd98ff027e3ffbfc205d800bc35d0d4f2c7c25b5b3373eb49c77214fe98877798ae087dc473b4a90f052a
  SSDEEP  96:Wqb8p0zDOM+dshn1urX/D0kjSrjfz+/6hk:W03OM+duC++S2
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AcroRd32.exe

- Modifies registry class (9 IoCs)
  description      ioc                                                                                                                                                                process
  Key created      \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file                                                                                   rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.pyc                                                                                            rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.pyc\ = "pyc_auto_file"                                                                         rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell\Read\command                                                                rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings                                                                                  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell\Read                                                                        rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\shell                                                                             rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\pyc_auto_file\                                                                                  rundll32.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  2804  AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  2804  AcroRd32.exe
  2804  AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   process       procid_target
  PID 2524 wrote to memory of 2844   2524  cmd.exe       32
  PID 2524 wrote to memory of 2844   2524  cmd.exe       32
  PID 2524 wrote to memory of 2844   2524  cmd.exe       32
  PID 2844 wrote to memory of 2804   2844  rundll32.exe  33
  PID 2844 wrote to memory of 2804   2844  rundll32.exe  33
  PID 2844 wrote to memory of 2804   2844  rundll32.exe  33
  PID 2844 wrote to memory of 2804   2844  rundll32.exe  33
Processes

  C:\Windows\system32\cmd.exe  (PID 2524)
    cmd /c C:\Users\Admin\AppData\Local\Temp\womsz_main.pyc
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe  (PID 2844)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\womsz_main.pyc
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe  (PID 2804)
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\womsz_main.pyc"
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize  3KB
  MD5       3c2b2dac8813313ce7ced8ee8ed98543
  SHA1      2eeb84c3a1054c1023e674108c18617b1b11e553
  SHA256    63decd833e70920c07ca61016403320acc947c5f5170e501284fc768cc39104f
  SHA512    8420442841c45b89c01acdd47eaf59666dd5973cbd6f45c24dc4566f408a618b2063aa16108f37c8916231f9c698abcf5be9f8e3bc5a7a53bf675037c9da6314