Resubmissions
- 05/10/2024, 06:18  241005-g2vhvstgpe  10
- 05/10/2024, 06:17  241005-g2atfszejn  10
- 05/10/2024, 06:12  241005-gx786atfkh  10
Analysis
- max time kernel: 103s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2024, 06:17
Behavioral task behavioral1
- Sample: FortnitePET MOD.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: FortnitePET MOD.exe
- Resource: win10v2004-20240802-en
Behavioral task behavioral3
- Sample: main.pyc
- Resource: win7-20240903-en
Behavioral task behavioral4
- Sample: main.pyc
- Resource: win10v2004-20240802-en
General
- Target: main.pyc
- Size: 7KB
- MD5: a88641dbfbffc9e97932caae9681fdee
- SHA1: f998d750ef2737d7d65f1a700b7c274a3f3e0e21
- SHA256: 3685414e23ce06f5c73ebe063b5bee33fde11abc12001b79c412e0ccd8e91ce0
- SHA512: 1591a7a7734dd9726c8064a644b9888edc1229b53a45f30dfef575f9decb5317d8f6dce14d448a5166ceea0354ca4d6a4461cb362c5dbd5d3ea19d8502b98c95
- SSDEEP: 192:wk5hHuxZWD8tiWdXwvKjAJhwvVfMdw9nw:P5hNWut2dfP9w
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: AcroRd32.exe
- Modifies registry class (1 IoCs)
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings | Process: rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid: 2764 | Process: AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2764 | Process: AcroRd32.exe
  pid: 2764 | Process: AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1856 wrote to memory of 804 | pid: 1856 | Process: cmd.exe | procid_target: 31
  description: PID 1856 wrote to memory of 804 | pid: 1856 | Process: cmd.exe | procid_target: 31
  description: PID 1856 wrote to memory of 804 | pid: 1856 | Process: cmd.exe | procid_target: 31
  description: PID 804 wrote to memory of 2764 | pid: 804 | Process: rundll32.exe | procid_target: 33
  description: PID 804 wrote to memory of 2764 | pid: 804 | Process: rundll32.exe | procid_target: 33
  description: PID 804 wrote to memory of 2764 | pid: 804 | Process: rundll32.exe | procid_target: 33
  description: PID 804 wrote to memory of 2764 | pid: 804 | Process: rundll32.exe | procid_target: 33
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
  PID: 1856
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc
    PID: 804
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"
      PID: 2764
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 50357b6a112ea8ce5e78d08af5c0c4d7
  SHA1: 7e3e3bf9672a9329d4b56314c145320ea94a4526
  SHA256: 24c042c22ccb401a0e5b6e6a7f1e46dd32361986fccc196f370e4e2ec4175287
  SHA512: 58a26637eaa6572f81b778347ca95c966fd5e5dd57da0371fad153561723c10ebdf3dff80a50917298b61577109848b0c5d5b125ef0d49d114cf88f1576cd079