Analysis
- max time kernel: 122s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 07/02/2025, 18:39
Static task
- static1

Behavioral tasks (task: sample / resource)
- behavioral1: krx/.RUN THIS SCRIPT TO START KRX.bat / win7-20241010-en
- behavioral2: krx/.RUN THIS SCRIPT TO START KRX.bat / win10v2004-20250207-en
- behavioral3: krx/.crack.ps1 / win7-20241010-en
- behavioral4: krx/.crack.ps1 / win10v2004-20250207-en
- behavioral5: krx/RUN THIS SCRIPT TO START KRX.bat.lnk / win7-20241010-en
- behavioral6: krx/RUN THIS SCRIPT TO START KRX.bat.lnk / win10v2004-20250207-en
- behavioral7: krx/krx/DDNet-Server.exe / win7-20241010-en
- behavioral8: krx/krx/DDNet-Server.exe / win10v2004-20250207-en
- behavioral9: krx/krx/KRX Client.exe / win7-20241010-en
- behavioral10: krx/krx/KRX Client.exe / win10v2004-20250207-en
- behavioral11: krx/krx/SDL2.dll / win7-20241010-en
- behavioral12: krx/krx/SDL2.dll / win10v2004-20250207-en
- behavioral13: krx/krx/avcodec-61.dll / win7-20241010-en
- behavioral14: krx/krx/avcodec-61.dll / win10v2004-20250207-en
- behavioral15: krx/krx/avformat-61.dll / win7-20241010-en
- behavioral16: krx/krx/avformat-61.dll / win10v2004-20250207-en
- behavioral17: krx/krx/avutil-59.dll / win7-20241010-en
- behavioral18: krx/krx/avutil-59.dll / win10v2004-20250207-en
- behavioral19: krx/krx/config_directory.bat / win7-20241010-en
- behavioral20: krx/krx/config_directory.bat / win10v2004-20250207-en
- behavioral21: krx/krx/config_retrieve.exe / win7-20241010-en
- behavioral22: krx/krx/config_retrieve.exe / win10v2004-20250207-en
- behavioral23: krx/krx/config_store.exe / win7-20241010-en
- behavioral24: krx/krx/config_store.exe / win10v2004-20250207-en
- behavioral25: krx/krx/data/krx/DDNet_original.exe / win7-20241010-en
- behavioral26: krx/krx/data/krx/DDNet_original.exe / win10v2004-20250207-en
- behavioral27: krx/krx/dbgcore.dll / win10v2004-20250207-en
- behavioral28: krx/krx/dbghelp.dll / win10v2004-20250207-en
- behavioral29: krx/krx/demo_extract_chat.exe / win7-20241010-en
- behavioral30: krx/krx/demo_extract_chat.exe / win10v2004-20250207-en
- behavioral31: krx/krx/dilate.exe / win7-20241010-en
- behavioral32: krx/krx/dilate.exe / win10v2004-20250207-en
General
- Target: krx/krx/KRX Client.exe
- Size: 13.5MB
- MD5: 14aa5b66b4eb09f2ec43ab2785353b30
- SHA1: 13e604b67db06e15a4f6c320fadb653f35d8bd1a
- SHA256: 83d30f0c1b0fb62ba26d7a2a8ddd0f1d0a355d4011d57c9316fc1fe6fc3e144b
- SHA512: ae7b132ae3d91e1f7967fffc52c7b30760d4bf29f7c3c25522c27002399c2de865729e99ce7141baa6355ce6e22141721e733bc1ebdacc840f2d3ad112ead39a
- SSDEEP: 196608:1aqDXlWLO5Ui4d+fNcCnpVubF7d2vziaM7G9PEozWpLMFhKxY+MyAD0vOLQpMJKu:1a0eO9kh7EzzKOPEoypIFDWY3tKgO4
Malware Config
- Extracted family: umbral
- C2 (webhook): https://discord.com/api/webhooks/1337020963363225641/h0Ve6Z9WtTbW9d3frLkSaZTzjtjFum8OAq1NnRnHG-Vd0mImdRoT37Xs5_5jhVWlKEdf
Signatures
- Detect Umbral payload (2 IoCs)
  resource / yara_rule:
  behavioral9/files/0x000c000000012262-4.dat  family_umbral
  behavioral9/memory/2500-10-0x0000000000860000-0x00000000008A0000-memory.dmp  family_umbral
- Umbral family
- Executes dropped EXE (2 IoCs)
  pid / Process:
  2500  Umbral.exe
  2396  KRX Client.exe
- Loads dropped DLL (2 IoCs)
  pid / Process:
  1796  KRX Client.exe
  1796  KRX Client.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  6  ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  KRX Client.exe
- Suspicious use of AdjustPrivilegeToken (41 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege  2500  Umbral.exe
  Token: SeIncreaseQuotaPrivilege  2940  wmic.exe
  Token: SeSecurityPrivilege  2940  wmic.exe
  Token: SeTakeOwnershipPrivilege  2940  wmic.exe
  Token: SeLoadDriverPrivilege  2940  wmic.exe
  Token: SeSystemProfilePrivilege  2940  wmic.exe
  Token: SeSystemtimePrivilege  2940  wmic.exe
  Token: SeProfSingleProcessPrivilege  2940  wmic.exe
  Token: SeIncBasePriorityPrivilege  2940  wmic.exe
  Token: SeCreatePagefilePrivilege  2940  wmic.exe
  Token: SeBackupPrivilege  2940  wmic.exe
  Token: SeRestorePrivilege  2940  wmic.exe
  Token: SeShutdownPrivilege  2940  wmic.exe
  Token: SeDebugPrivilege  2940  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2940  wmic.exe
  Token: SeRemoteShutdownPrivilege  2940  wmic.exe
  Token: SeUndockPrivilege  2940  wmic.exe
  Token: SeManageVolumePrivilege  2940  wmic.exe
  Token: 33  2940  wmic.exe
  Token: 34  2940  wmic.exe
  Token: 35  2940  wmic.exe
  Token: SeIncreaseQuotaPrivilege  2940  wmic.exe
  Token: SeSecurityPrivilege  2940  wmic.exe
  Token: SeTakeOwnershipPrivilege  2940  wmic.exe
  Token: SeLoadDriverPrivilege  2940  wmic.exe
  Token: SeSystemProfilePrivilege  2940  wmic.exe
  Token: SeSystemtimePrivilege  2940  wmic.exe
  Token: SeProfSingleProcessPrivilege  2940  wmic.exe
  Token: SeIncBasePriorityPrivilege  2940  wmic.exe
  Token: SeCreatePagefilePrivilege  2940  wmic.exe
  Token: SeBackupPrivilege  2940  wmic.exe
  Token: SeRestorePrivilege  2940  wmic.exe
  Token: SeShutdownPrivilege  2940  wmic.exe
  Token: SeDebugPrivilege  2940  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2940  wmic.exe
  Token: SeRemoteShutdownPrivilege  2940  wmic.exe
  Token: SeUndockPrivilege  2940  wmic.exe
  Token: SeManageVolumePrivilege  2940  wmic.exe
  Token: 33  2940  wmic.exe
  Token: 34  2940  wmic.exe
  Token: 35  2940  wmic.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description / pid / Process / procid_target:
  PID 1796 wrote to memory of 2500  1796  KRX Client.exe  31
  PID 1796 wrote to memory of 2500  1796  KRX Client.exe  31
  PID 1796 wrote to memory of 2500  1796  KRX Client.exe  31
  PID 1796 wrote to memory of 2500  1796  KRX Client.exe  31
  PID 1796 wrote to memory of 2396  1796  KRX Client.exe  32
  PID 1796 wrote to memory of 2396  1796  KRX Client.exe  32
  PID 1796 wrote to memory of 2396  1796  KRX Client.exe  32
  PID 1796 wrote to memory of 2396  1796  KRX Client.exe  32
  PID 2500 wrote to memory of 2940  2500  Umbral.exe  33
  PID 2500 wrote to memory of 2940  2500  Umbral.exe  33
  PID 2500 wrote to memory of 2940  2500  Umbral.exe  33
Processes (process tree: image path, command line, PID, triggered signatures)
- C:\Users\Admin\AppData\Local\Temp\krx\krx\KRX Client.exe
  "C:\Users\Admin\AppData\Local\Temp\krx\krx\KRX Client.exe"
  PID: 1796
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    PID: 2500
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      PID: 2940
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\KRX Client.exe
    "C:\Users\Admin\AppData\Local\Temp\KRX Client.exe"
    PID: 2396
    - Executes dropped EXE
Downloads
- Filesize: 231KB
  MD5: 39866481d5925ad5fb5a6c72bc51c3c5
  SHA1: 6c646ec853a4178e219c73cd1788d3f51623099d
  SHA256: 38042abd98755c213a6f36e5c79d23e7d09b56495b29daab3e89fcdccde80ad2
  SHA512: daca18d9d9132ffe07b142a80148aa98575c72052de8bd18115f85adcac1ed8b6f990a85d3076a9c88e934694ae8ba19b58eb6cf81bc27a3c84480c3e853779d
- Filesize: 13.4MB
  MD5: 7907e9406015ceba49d7f1156f032ac8
  SHA1: a8034055f4358c1d687b3c2c70c588f37982fa88
  SHA256: fc59d043ebbf8e3225f399030bc6447a0592e992bcb57a08d769c35934335de3
  SHA512: bff798c9a2301120c343e7108a857dc2a78e5c18fa5fbc06d71ada65f96adbff3ce47e3ffbf51c13db50f0c09ae6d0bcad4a2abe3911e0bd0b2a1b816c0685a9