Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

syphra (5).zip

windows10-ltsc 2021-x64

7

ArcadiaLauncher.exe

windows10-ltsc 2021-x64

1

ArcadiaModule.dll

windows10-ltsc 2021-x64

6

Syphra.exe

windows10-ltsc 2021-x64

6

updates.txt

windows10-ltsc 2021-x64

1

Analysis

  • max time kernel
    82s
  • max time network
    87s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    01/01/2025, 03:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    syphra (5).zip

  • Size

    5.4MB

  • MD5

    c743458ebed7718a4e3bf573013e4598

  • SHA1

    455887a78870569b0b9d09aa3017164e56d86929

  • SHA256

    35b3393164c065c7108e0f1af636da335c26acd71234677d8ed796425d297fd7

  • SHA512

    82406adcd46d0001db656262ecdb214550185d61f557d0baa91e013afd2c88bed5f405ae06c40f7447f7a8628d0c473e21a3e48c31a3e91098d3e1ecb0f64127

  • SSDEEP

    98304:EkkNfLQQY+lmp0BbW+OwzFeBCnGOChTcU5AQ6YYJNiGwPW6uBnJkCd6lqX/Xw2M+:E9LQl+EMkBCvCpl5+XiZe6u8CdW4g4d

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\syphra (5).zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4028
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:648
    • C:\Users\Admin\Desktop\fff\Syphra.exe
      "C:\Users\Admin\Desktop\fff\Syphra.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1388
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\fff\key.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2804
    • C:\Users\Admin\Desktop\fff\Syphra.exe
      "C:\Users\Admin\Desktop\fff\Syphra.exe"
      1⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      PID:3704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Syphra.exe.log
      Filesize

      1KB

      MD5

      5823a29cae5e65131a0f89538e43e7b8

      SHA1

      515f01dd5be34010baa391d699f313ee1def55ba

      SHA256

      70d951b26ba9eaef60feb2baf02a02664fc68a795dc0025a4d18cb6f8814daa2

      SHA512

      1068554e4eebbc867b706d9a74665c91a1b751a95b0a7065f503b69577a00849d635db7ad0ac98f43caf20035203f71ac5f535261eba16010a5df2949ff491af

      Download Submit

    • C:\Users\Admin\Desktop\fff\Syphra.exe
      Filesize

      1.6MB

      MD5

      46630830806724602b9dd8111c6f1d98

      SHA1

      5324edf8bf5b7c94cac2d869d31641b7557b6701

      SHA256

      cd45f87c82da868ecd184676d9bf1e8b4cbb5216052920e34ebb04d0591db35b

      SHA512

      e8b73474dada6167d5428a872031c566131d0a1187be846a455644decd442e610ea10e19b7484395b4791006c9c64988e7ab5cf0e8c0b01d69509c64b9c4b462

      Download Submit

    • C:\Users\Admin\Desktop\fff\key.txt
      Filesize

      17B

      MD5

      8b13b91cba59408211c53ff554a4b681

      SHA1

      c2bb5a04bb1b68b1df6d6f726273c08ab89b30c0

      SHA256

      b1375aff61d34fd8a3a2c7318f9d8cf9722e6a7eb95a75cd8e8d6c701ff6b9c6

      SHA512

      4e7c38ee9358793603bdf43cc0fd14904a18ff08800f3f30e2e3262fe884f276bb43ea2cd8113ff603b3655f39de132380027233f1e65a19125d2c2645cd8e12

      Download Submit

    • C:\Users\Admin\Desktop\fff\updates.txt
      Filesize

      141B

      MD5

      66bdc0c2fd43029d4f33b2833fb117aa

      SHA1

      ff3d2d4d5f431b124e37c08dd19b18994e6a05b7

      SHA256

      aed2dd9a0486d116e090a715385775e8240f68e2b48b905cc82a43836c7415aa

      SHA512

      5a202d42e97135f6f75a87524e1ab46469961b8c2ba784a35e333cebf2e7f6eafa1bd18663e2928342e51e4d986be32e21155d8a7af93340f6d20660d44598b5

      Download Submit

    • memory/1388-17-0x0000027629DC0000-0x0000027629DE2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1388-14-0x000002760F640000-0x000002760F6F2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1388-15-0x0000027628A30000-0x0000027628B7E000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1388-16-0x000002760F610000-0x000002760F624000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1388-13-0x00007FFF8F030000-0x00007FFF8FAF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1388-12-0x000002760F4A0000-0x000002760F4BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1388-21-0x00007FFF8F033000-0x00007FFF8F035000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1388-22-0x00007FFF8F030000-0x00007FFF8FAF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1388-25-0x00007FFF8F030000-0x00007FFF8FAF2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1388-11-0x000002760D620000-0x000002760D7C2000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1388-10-0x00007FFF8F033000-0x00007FFF8F035000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3704-28-0x0000023212670000-0x0000023212684000-memory.dmp

      Filesize

      80KB

      Download