Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3krx/.RUN T...RX.bat
windows7-x64
10krx/.RUN T...RX.bat
windows10-2004-x64
10krx/.crack.ps1
windows7-x64
3krx/.crack.ps1
windows10-2004-x64
7krx/RUN TH...at.lnk
windows7-x64
3krx/RUN TH...at.lnk
windows10-2004-x64
10krx/krx/DD...er.exe
windows7-x64
1krx/krx/DD...er.exe
windows10-2004-x64
1krx/krx/KR...nt.exe
windows7-x64
10krx/krx/KR...nt.exe
windows10-2004-x64
10krx/krx/SDL2.dll
windows7-x64
1krx/krx/SDL2.dll
windows10-2004-x64
3krx/krx/av...61.dll
windows7-x64
1krx/krx/av...61.dll
windows10-2004-x64
1krx/krx/av...61.dll
windows7-x64
1krx/krx/av...61.dll
windows10-2004-x64
3krx/krx/avutil-59.dll
windows7-x64
1krx/krx/avutil-59.dll
windows10-2004-x64
1krx/krx/co...ry.bat
windows7-x64
1krx/krx/co...ry.bat
windows10-2004-x64
1krx/krx/co...ve.exe
windows7-x64
1krx/krx/co...ve.exe
windows10-2004-x64
1krx/krx/co...re.exe
windows7-x64
1krx/krx/co...re.exe
windows10-2004-x64
1krx/krx/da...al.exe
windows7-x64
1krx/krx/da...al.exe
windows10-2004-x64
1krx/krx/dbgcore.dll
windows10-2004-x64
1krx/krx/dbghelp.dll
windows10-2004-x64
8krx/krx/de...at.exe
windows7-x64
1krx/krx/de...at.exe
windows10-2004-x64
8krx/krx/dilate.exe
windows7-x64
1krx/krx/dilate.exe
windows10-2004-x64
8Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system -
submitted
07/02/2025, 18:39
Static task
static1
Behavioral task
behavioral1
Sample
krx/.RUN THIS SCRIPT TO START KRX.bat
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
krx/.RUN THIS SCRIPT TO START KRX.bat
Resource
win10v2004-20250207-en
Behavioral task
behavioral3
Sample
krx/.crack.ps1
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
krx/.crack.ps1
Resource
win10v2004-20250207-en
Behavioral task
behavioral5
Sample
krx/RUN THIS SCRIPT TO START KRX.bat.lnk
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
krx/RUN THIS SCRIPT TO START KRX.bat.lnk
Resource
win10v2004-20250207-en
Behavioral task
behavioral7
Sample
krx/krx/DDNet-Server.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
krx/krx/DDNet-Server.exe
Resource
win10v2004-20250207-en
Behavioral task
behavioral9
Sample
krx/krx/KRX Client.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
krx/krx/KRX Client.exe
Resource
win10v2004-20250207-en
Behavioral task
behavioral11
Sample
krx/krx/SDL2.dll
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
krx/krx/SDL2.dll
Resource
win10v2004-20250207-en
Behavioral task
behavioral13
Sample
krx/krx/avcodec-61.dll
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
krx/krx/avcodec-61.dll
Resource
win10v2004-20250207-en
Behavioral task
behavioral15
Sample
krx/krx/avformat-61.dll
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
krx/krx/avformat-61.dll
Resource
win10v2004-20250207-en
Behavioral task
behavioral17
Sample
krx/krx/avutil-59.dll
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
krx/krx/avutil-59.dll
Resource
win10v2004-20250207-en
Behavioral task
behavioral19
Sample
krx/krx/config_directory.bat
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
krx/krx/config_directory.bat
Resource
win10v2004-20250207-en
Behavioral task
behavioral21
Sample
krx/krx/config_retrieve.exe
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
krx/krx/config_retrieve.exe
Resource
win10v2004-20250207-en
Behavioral task
behavioral23
Sample
krx/krx/config_store.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
krx/krx/config_store.exe
Resource
win10v2004-20250207-en
Behavioral task
behavioral25
Sample
krx/krx/data/krx/DDNet_original.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
krx/krx/data/krx/DDNet_original.exe
Resource
win10v2004-20250207-en
Behavioral task
behavioral27
Sample
krx/krx/dbgcore.dll
Resource
win10v2004-20250207-en
Behavioral task
behavioral28
Sample
krx/krx/dbghelp.dll
Resource
win10v2004-20250207-en
Behavioral task
behavioral29
Sample
krx/krx/demo_extract_chat.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
krx/krx/demo_extract_chat.exe
Resource
win10v2004-20250207-en
Behavioral task
behavioral31
Sample
krx/krx/dilate.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
krx/krx/dilate.exe
Resource
win10v2004-20250207-en
General
-
Target
krx/krx/KRX Client.exe
-
Size
13.5MB
-
MD5
14aa5b66b4eb09f2ec43ab2785353b30
-
SHA1
13e604b67db06e15a4f6c320fadb653f35d8bd1a
-
SHA256
83d30f0c1b0fb62ba26d7a2a8ddd0f1d0a355d4011d57c9316fc1fe6fc3e144b
-
SHA512
ae7b132ae3d91e1f7967fffc52c7b30760d4bf29f7c3c25522c27002399c2de865729e99ce7141baa6355ce6e22141721e733bc1ebdacc840f2d3ad112ead39a
-
SSDEEP
196608:1aqDXlWLO5Ui4d+fNcCnpVubF7d2vziaM7G9PEozWpLMFhKxY+MyAD0vOLQpMJKu:1a0eO9kh7EzzKOPEoypIFDWY3tKgO4
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral10/files/0x000c000000023ccb-4.dat family_umbral behavioral10/memory/3464-12-0x0000029D75D20000-0x0000029D75D60000-memory.dmp family_umbral -
Umbral family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation KRX Client.exe -
Executes dropped EXE 2 IoCs
pid Process 3464 Umbral.exe 2112 KRX Client.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KRX Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 540 MicrosoftEdgeUpdate.exe 540 MicrosoftEdgeUpdate.exe 540 MicrosoftEdgeUpdate.exe 540 MicrosoftEdgeUpdate.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 3464 Umbral.exe Token: SeIncreaseQuotaPrivilege 3160 wmic.exe Token: SeSecurityPrivilege 3160 wmic.exe Token: SeTakeOwnershipPrivilege 3160 wmic.exe Token: SeLoadDriverPrivilege 3160 wmic.exe Token: SeSystemProfilePrivilege 3160 wmic.exe Token: SeSystemtimePrivilege 3160 wmic.exe Token: SeProfSingleProcessPrivilege 3160 wmic.exe Token: SeIncBasePriorityPrivilege 3160 wmic.exe Token: SeCreatePagefilePrivilege 3160 wmic.exe Token: SeBackupPrivilege 3160 wmic.exe Token: SeRestorePrivilege 3160 wmic.exe Token: SeShutdownPrivilege 3160 wmic.exe Token: SeDebugPrivilege 3160 wmic.exe Token: SeSystemEnvironmentPrivilege 3160 wmic.exe Token: SeRemoteShutdownPrivilege 3160 wmic.exe Token: SeUndockPrivilege 3160 wmic.exe Token: SeManageVolumePrivilege 3160 wmic.exe Token: 33 3160 wmic.exe Token: 34 3160 wmic.exe Token: 35 3160 wmic.exe Token: 36 3160 wmic.exe Token: SeIncreaseQuotaPrivilege 3160 wmic.exe Token: SeSecurityPrivilege 3160 wmic.exe Token: SeTakeOwnershipPrivilege 3160 wmic.exe Token: SeLoadDriverPrivilege 3160 wmic.exe Token: SeSystemProfilePrivilege 3160 wmic.exe Token: SeSystemtimePrivilege 3160 wmic.exe Token: SeProfSingleProcessPrivilege 3160 wmic.exe Token: SeIncBasePriorityPrivilege 3160 wmic.exe Token: SeCreatePagefilePrivilege 3160 wmic.exe Token: SeBackupPrivilege 3160 wmic.exe Token: SeRestorePrivilege 3160 wmic.exe Token: SeShutdownPrivilege 3160 wmic.exe Token: SeDebugPrivilege 3160 wmic.exe Token: SeSystemEnvironmentPrivilege 3160 wmic.exe Token: SeRemoteShutdownPrivilege 3160 wmic.exe Token: SeUndockPrivilege 3160 wmic.exe Token: SeManageVolumePrivilege 3160 wmic.exe Token: 33 3160 wmic.exe Token: 34 3160 wmic.exe Token: 35 3160 wmic.exe Token: 36 3160 wmic.exe Token: SeDebugPrivilege 540 MicrosoftEdgeUpdate.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3496 wrote to memory of 3464 3496 KRX Client.exe 81 PID 3496 wrote to memory of 3464 3496 KRX Client.exe 81 PID 3496 wrote to memory of 2112 3496 KRX Client.exe 82 PID 3496 wrote to memory of 2112 3496 KRX Client.exe 82 PID 3464 wrote to memory of 3160 3464 Umbral.exe 83 PID 3464 wrote to memory of 3160 3464 Umbral.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\krx\krx\KRX Client.exe"C:\Users\Admin\AppData\Local\Temp\krx\krx\KRX Client.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3160
-
-
-
C:\Users\Admin\AppData\Local\Temp\KRX Client.exe"C:\Users\Admin\AppData\Local\Temp\KRX Client.exe"2⤵
- Executes dropped EXE
PID:2112
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13.4MB
MD57907e9406015ceba49d7f1156f032ac8
SHA1a8034055f4358c1d687b3c2c70c588f37982fa88
SHA256fc59d043ebbf8e3225f399030bc6447a0592e992bcb57a08d769c35934335de3
SHA512bff798c9a2301120c343e7108a857dc2a78e5c18fa5fbc06d71ada65f96adbff3ce47e3ffbf51c13db50f0c09ae6d0bcad4a2abe3911e0bd0b2a1b816c0685a9
-
Filesize
231KB
MD539866481d5925ad5fb5a6c72bc51c3c5
SHA16c646ec853a4178e219c73cd1788d3f51623099d
SHA25638042abd98755c213a6f36e5c79d23e7d09b56495b29daab3e89fcdccde80ad2
SHA512daca18d9d9132ffe07b142a80148aa98575c72052de8bd18115f85adcac1ed8b6f990a85d3076a9c88e934694ae8ba19b58eb6cf81bc27a3c84480c3e853779d