Overview

Tasks (score, sample, platform):
 10  static
  3  krx/.RUN T...RX.bat        windows7-x64
 10  krx/.RUN T...RX.bat        windows10-2004-x64
 10  krx/.crack.ps1             windows7-x64
  3  krx/.crack.ps1             windows10-2004-x64
  7  krx/RUN TH...at.lnk        windows7-x64
  3  krx/RUN TH...at.lnk        windows10-2004-x64
 10  krx/krx/DD...er.exe        windows7-x64
  1  krx/krx/DD...er.exe        windows10-2004-x64
  1  krx/krx/KR...nt.exe        windows7-x64
 10  krx/krx/KR...nt.exe        windows10-2004-x64
 10  krx/krx/SDL2.dll           windows7-x64
  1  krx/krx/SDL2.dll           windows10-2004-x64
  3  krx/krx/av...61.dll        windows7-x64
  1  krx/krx/av...61.dll        windows10-2004-x64
  1  krx/krx/av...61.dll        windows7-x64
  1  krx/krx/av...61.dll        windows10-2004-x64
  3  krx/krx/avutil-59.dll      windows7-x64
  1  krx/krx/avutil-59.dll      windows10-2004-x64
  1  krx/krx/co...ry.bat        windows7-x64
  1  krx/krx/co...ry.bat        windows10-2004-x64
  1  krx/krx/co...ve.exe        windows7-x64
  1  krx/krx/co...ve.exe        windows10-2004-x64
  1  krx/krx/co...re.exe        windows7-x64
  1  krx/krx/co...re.exe        windows10-2004-x64
  1  krx/krx/da...al.exe        windows7-x64
  1  krx/krx/da...al.exe        windows10-2004-x64
  1  krx/krx/dbgcore.dll        windows10-2004-x64
  1  krx/krx/dbghelp.dll        windows10-2004-x64
  8  krx/krx/de...at.exe        windows7-x64
  1  krx/krx/de...at.exe        windows10-2004-x64
  8  krx/krx/dilate.exe         windows7-x64
  1  krx/krx/dilate.exe         windows10-2004-x64
Analysis (score 8)
- max time kernel: 121s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 07/02/2025, 18:39
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1   krx/.RUN THIS SCRIPT TO START KRX.bat        win7-20241010-en
behavioral2   krx/.RUN THIS SCRIPT TO START KRX.bat        win10v2004-20250207-en
behavioral3   krx/.crack.ps1                               win7-20241010-en
behavioral4   krx/.crack.ps1                               win10v2004-20250207-en
behavioral5   krx/RUN THIS SCRIPT TO START KRX.bat.lnk     win7-20241010-en
behavioral6   krx/RUN THIS SCRIPT TO START KRX.bat.lnk     win10v2004-20250207-en
behavioral7   krx/krx/DDNet-Server.exe                     win7-20241010-en
behavioral8   krx/krx/DDNet-Server.exe                     win10v2004-20250207-en
behavioral9   krx/krx/KRX Client.exe                       win7-20241010-en
behavioral10  krx/krx/KRX Client.exe                       win10v2004-20250207-en
behavioral11  krx/krx/SDL2.dll                             win7-20241010-en
behavioral12  krx/krx/SDL2.dll                             win10v2004-20250207-en
behavioral13  krx/krx/avcodec-61.dll                       win7-20241010-en
behavioral14  krx/krx/avcodec-61.dll                       win10v2004-20250207-en
behavioral15  krx/krx/avformat-61.dll                      win7-20241010-en
behavioral16  krx/krx/avformat-61.dll                      win10v2004-20250207-en
behavioral17  krx/krx/avutil-59.dll                        win7-20241010-en
behavioral18  krx/krx/avutil-59.dll                        win10v2004-20250207-en
behavioral19  krx/krx/config_directory.bat                 win7-20241010-en
behavioral20  krx/krx/config_directory.bat                 win10v2004-20250207-en
behavioral21  krx/krx/config_retrieve.exe                  win7-20241010-en
behavioral22  krx/krx/config_retrieve.exe                  win10v2004-20250207-en
behavioral23  krx/krx/config_store.exe                     win7-20241010-en
behavioral24  krx/krx/config_store.exe                     win10v2004-20250207-en
behavioral25  krx/krx/data/krx/DDNet_original.exe          win7-20241010-en
behavioral26  krx/krx/data/krx/DDNet_original.exe          win10v2004-20250207-en
behavioral27  krx/krx/dbgcore.dll                          win10v2004-20250207-en
behavioral28  krx/krx/dbghelp.dll                          win10v2004-20250207-en
behavioral29  krx/krx/demo_extract_chat.exe                win7-20241010-en
behavioral30  krx/krx/demo_extract_chat.exe                win10v2004-20250207-en
behavioral31  krx/krx/dilate.exe                           win7-20241010-en
behavioral32  krx/krx/dilate.exe                           win10v2004-20250207-en
General
- Target: krx/.RUN THIS SCRIPT TO START KRX.bat
- Size: 348B
- MD5: 208fd017fc655c28b29d21fd3f2f7807
- SHA1: 9909f1316a2db084c659660a8e4a9eb024523de0
- SHA256: 0d85ab947bc0b645e5bf7236b6b5731e400d25b5b3e011342263f9f2e23c4074
- SHA512: 51ce02366c1eaa0a37c9526c4fba52ccd7e6d35624f30708a4c12ed81891021ed83649009e5b0b26928b54fb2890339cd30417317354cf684c6dd8a7d0292f43
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1337020963363225641/h0Ve6Z9WtTbW9d3frLkSaZTzjtjFum8OAq1NnRnHG-Vd0mImdRoT37Xs5_5jhVWlKEdf
Signatures

Detect Umbral payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral1/files/0x0008000000003683-16.dat                                    family_umbral
  behavioral1/memory/2732-27-0x0000000000C10000-0x0000000000C50000-memory.dmp    family_umbral

Umbral family

Executes dropped EXE (2 IoCs)
  pid   Process
  2732  Umbral.exe
  2752  KRX Client.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2884  KRX Client.exe
  2884  KRX Client.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  6     ip-api.com
  pid   Process
  2832  powershell.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  KRX Client.exe

Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view network configuration.
  pid   Process
  2704  ipconfig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid   Process
  2884  KRX Client.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2832  powershell.exe

Suspicious use of AdjustPrivilegeToken (42 IoCs; identical rows collapsed, count shown)
  description                          pid   Process
  Token: SeDebugPrivilege              2832  powershell.exe  (1 entry)
  Token: SeDebugPrivilege              2732  Umbral.exe      (1 entry)
  Token: SeIncreaseQuotaPrivilege      112   wmic.exe        (2 entries)
  Token: SeSecurityPrivilege           112   wmic.exe        (2 entries)
  Token: SeTakeOwnershipPrivilege      112   wmic.exe        (2 entries)
  Token: SeLoadDriverPrivilege         112   wmic.exe        (2 entries)
  Token: SeSystemProfilePrivilege      112   wmic.exe        (2 entries)
  Token: SeSystemtimePrivilege         112   wmic.exe        (2 entries)
  Token: SeProfSingleProcessPrivilege  112   wmic.exe        (2 entries)
  Token: SeIncBasePriorityPrivilege    112   wmic.exe        (2 entries)
  Token: SeCreatePagefilePrivilege     112   wmic.exe        (2 entries)
  Token: SeBackupPrivilege             112   wmic.exe        (2 entries)
  Token: SeRestorePrivilege            112   wmic.exe        (2 entries)
  Token: SeShutdownPrivilege           112   wmic.exe        (2 entries)
  Token: SeDebugPrivilege              112   wmic.exe        (2 entries)
  Token: SeSystemEnvironmentPrivilege  112   wmic.exe        (2 entries)
  Token: SeRemoteShutdownPrivilege     112   wmic.exe        (2 entries)
  Token: SeUndockPrivilege             112   wmic.exe        (2 entries)
  Token: SeManageVolumePrivilege       112   wmic.exe        (2 entries)
  Token: 33                            112   wmic.exe        (2 entries)
  Token: 34                            112   wmic.exe        (2 entries)
  Token: 35                            112   wmic.exe        (2 entries)

Suspicious use of WriteProcessMemory (24 IoCs; identical rows collapsed, count shown)
  description                        pid   Process         procid_target
  PID 2352 wrote to memory of 2168   2352  cmd.exe         31  (3 entries)
  PID 2352 wrote to memory of 2832   2352  cmd.exe         32  (3 entries)
  PID 2352 wrote to memory of 2704   2352  cmd.exe         33  (3 entries)
  PID 2352 wrote to memory of 2884   2352  cmd.exe         34  (4 entries)
  PID 2884 wrote to memory of 2732   2884  KRX Client.exe  35  (4 entries)
  PID 2884 wrote to memory of 2752   2884  KRX Client.exe  36  (4 entries)
  PID 2732 wrote to memory of 112    2732  Umbral.exe      37  (3 entries)
Processes (indentation shows parent/child depth)

- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\krx\.RUN THIS SCRIPT TO START KRX.bat"
  PID: 2352
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\openfiles.exe
    openfiles
    PID: 2168
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\krx\.crack.ps1"
    PID: 2832
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    PID: 2704
    - Gathers network information
  - C:\Users\Admin\AppData\Local\Temp\krx\krx\KRX Client.exe
    "C:\Users\Admin\AppData\Local\Temp\krx\krx/KRX Client.exe"
    PID: 2884
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      PID: 2732
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        PID: 112
        - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\KRX Client.exe
      "C:\Users\Admin\AppData\Local\Temp\KRX Client.exe"
      PID: 2752
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 13.4MB
  MD5: 7907e9406015ceba49d7f1156f032ac8
  SHA1: a8034055f4358c1d687b3c2c70c588f37982fa88
  SHA256: fc59d043ebbf8e3225f399030bc6447a0592e992bcb57a08d769c35934335de3
  SHA512: bff798c9a2301120c343e7108a857dc2a78e5c18fa5fbc06d71ada65f96adbff3ce47e3ffbf51c13db50f0c09ae6d0bcad4a2abe3911e0bd0b2a1b816c0685a9

- Filesize: 231KB
  MD5: 39866481d5925ad5fb5a6c72bc51c3c5
  SHA1: 6c646ec853a4178e219c73cd1788d3f51623099d
  SHA256: 38042abd98755c213a6f36e5c79d23e7d09b56495b29daab3e89fcdccde80ad2
  SHA512: daca18d9d9132ffe07b142a80148aa98575c72052de8bd18115f85adcac1ed8b6f990a85d3076a9c88e934694ae8ba19b58eb6cf81bc27a3c84480c3e853779d