Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/03/2025, 09:46

General

  • Target

    Cphn-MultiTool/start.bat

  • Size

    105B

  • MD5

    7e1cceb0065441e20af5026339b7ba1a

  • SHA1

    eb7bb7e2f2e7da7122c10d00723a813ef458131e

  • SHA256

    f7c6a30cbd217f779117ab2ca0eaa605181ca8ff78009bc69bf95a4aeb55a40d

  • SHA512

    2f8aa83e3063321d6653d7ba579076cbf1642c9a8c829014cc68b6c5e37bcc5f952af712d1c73e27084b588eb71bf3b2753bb0ae5c5c2c1fbcdf070ac5a4fc6b

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Cphn-MultiTool\start.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\system32\mode.com
      mode con: cols=100 lines=30
      2⤵
        PID:1508
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cphn-MultiTool\src\main.py
        2⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cphn-MultiTool\src\main.py"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:1604
      • C:\Users\Admin\AppData\Local\Temp\Cphn-MultiTool\src\utils\upx.exe
        src/utils/upx
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Users\Admin\AppData\Local\Temp\Cphn-MultiTool\src\utils\upx.exe
          src/utils/upx
          3⤵
          • Loads dropped DLL
          PID:2952

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\_MEI20722\python310.dll

      Filesize

      1.4MB

      MD5

      69d4f13fbaeee9b551c2d9a4a94d4458

      SHA1

      69540d8dfc0ee299a7ff6585018c7db0662aa629

      SHA256

      801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

      SHA512

      8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

      Filesize

      3KB

      MD5

      6ab1b5cd55caf4367357c6b40ee9ea3e

      SHA1

      39564d6b37b24e2d8acc541516149a3191ffd8ec

      SHA256

      cabb1f363de1f6253b55b2eaaad46b6feab3de0a5046ed6dde814c7b31828cf7

      SHA512

      5f674722766ec9b2f7afc0d9d01cddd0278abfe1736b22b83e9de06106c1eca3c40101a7e23bb533852809f8511c876212b029f7e7a279c556c461b60d2f8905

    • memory/2952-138-0x000007FEF6120000-0x000007FEF658E000-memory.dmp

      Filesize

      4.4MB