Analysis
- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2025, 16:35
Tasks
Static task static1

Behavioral tasks (task, sample, resource):
- behavioral1: 31jan_aciddd.zip, win7-20240903-en
- behavioral2: 31jan_aciddd.zip, win10v2004-20250129-en
- behavioral3: acid_nopump31.zip, win7-20240903-en
- behavioral4: acid_nopump31.zip, win10v2004-20250129-en
- behavioral5: bin2local/[ex]acid1.exe, win7-20240903-en
- behavioral6: bin2local/[ex]acid1.exe, win10v2004-20250129-en
- behavioral7: $TEMP/Unavailable, win7-20241010-en
- behavioral8: $TEMP/Unavailable, win10v2004-20250129-en
- behavioral9: MoveChoice/Committed, win7-20241023-en
- behavioral10: MoveChoice/Committed, win10v2004-20250129-en
- behavioral11: MoveChoice/Image.cab, win7-20240903-en
- behavioral12: MoveChoice/Image.cab, win10v2004-20241007-en
- behavioral13: MusclesCumulative/Bye, win7-20240729-en
- behavioral14: MusclesCumulative/Bye, win10v2004-20250129-en
- behavioral15: MusclesCumulative/Joke, win7-20240903-en
- behavioral16: MusclesCumulative/Joke, win10v2004-20250129-en
- behavioral17: MusclesCumulative/Knight, win7-20240903-en
- behavioral18: MusclesCumulative/Knight, win10v2004-20250129-en
- behavioral19: MusclesCumulative/Ur, win7-20240903-en
- behavioral20: MusclesCumulative/Ur, win10v2004-20250129-en
- behavioral21: SuspensionShop/Proudly, win7-20240708-en
- behavioral22: SuspensionShop/Proudly, win10v2004-20241007-en
- behavioral23: bin2local/bin/Caliburn.Micro.Platform.Core.dll, win7-20240729-en
- behavioral24: bin2local/bin/Caliburn.Micro.Platform.Core.dll, win10v2004-20250129-en
- behavioral25: bin2local/bin/Caliburn.Micro.Platform.dll, win7-20240903-en
- behavioral26: bin2local/bin/Caliburn.Micro.Platform.dll, win10v2004-20250129-en
- behavioral27: bin2local/bin/Caliburn.Micro.dll, win7-20240903-en
- behavioral28: bin2local/bin/Caliburn.Micro.dll, win10v2004-20250129-en
- behavioral29: bin2local/bin/ControlzEx.dll, win7-20240903-en
- behavioral30: bin2local/bin/ControlzEx.dll, win10v2004-20250129-en
- behavioral31: bin2local/bin/ControlzEx.pdb, win7-20240903-en
- behavioral32: bin2local/bin/ControlzEx.pdb, win10v2004-20250129-en
General
- Target: bin2local/bin/ControlzEx.pdb
- Size: 685KB
- MD5: 95ad9dc53d104d709ee179d85ce83def
- SHA1: c7bed5d7fe6421c547c4cbde7c986984cd6aea21
- SHA256: b46feb5b41a16f6dcf37001f5775ba59a1e4cf9eb7d0665f1724b917c30a3983
- SHA512: 3e5593f2d573b3a5bfa05408d409c2d562c90dd700b98b9c8a63454249ed69f71add820e1a0ec71b009ba05ce4f438683ec5e0ae99a27be2df87af66e11b5981
- SSDEEP: 6144:0pr12iW1CzyRJywCHyL/+/d5Zbk3RCLhr2a9fucQaVK60RyOKpvDi2jf5sxpr12d:0ph12XyhH8pxbp60cpcph12XyhHNr
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: AcroRd32.exe
- Modifies registry class (1 IoC)
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings; process: rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 2696; process: AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2696; process: AcroRd32.exe
  pid: 2696; process: AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Columns: description; pid; process; procid_target
  PID 2496 wrote to memory of 2692; 2496; cmd.exe; 31
  PID 2496 wrote to memory of 2692; 2496; cmd.exe; 31
  PID 2496 wrote to memory of 2692; 2496; cmd.exe; 31
  PID 2692 wrote to memory of 2696; 2692; rundll32.exe; 32
  PID 2692 wrote to memory of 2696; 2692; rundll32.exe; 32
  PID 2692 wrote to memory of 2696; 2692; rundll32.exe; 32
  PID 2692 wrote to memory of 2696; 2692; rundll32.exe; 32
Processes (process tree; depth in parentheses)
- (1) C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\bin2local\bin\ControlzEx.pdb
  PID: 2496
  Signatures: Suspicious use of WriteProcessMemory
  - (2) C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bin2local\bin\ControlzEx.pdb
    PID: 2692
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    - (3) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bin2local\bin\ControlzEx.pdb"
      PID: 2696
      Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 298e7f3eac7947e705f213e2e9bb982d
  SHA1: 4844b75062d678bf47cf58e2c6d672d089e24532
  SHA256: 94d818249b48837c1472551cd9c08a29e1364cb6db121d763e897872a34270cd
  SHA512: e83eb76f1cd7d818b3f063c1b0d10cf8329eb516029cafd9072f325d77ee43a3099ceba73ebc516f45a1567508e5301e2ec541e7cc17cf01b2eddc972c9737f1