Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 19/03/2025, 09:46
Behavioral tasks
- behavioral1: Cphn-MultiTool/src/utils/upx.exe (resource win7-20250207-en)
- behavioral2: Cphn-MultiTool/src/utils/upx.exe (resource win10v2004-20250314-en)
- behavioral3: main.pyc (resource win7-20250207-en)
- behavioral4: main.pyc (resource win10v2004-20250314-en)
- behavioral5: Cphn-MultiTool/start.bat (resource win7-20241010-en)
- behavioral6: Cphn-MultiTool/start.bat (resource win10v2004-20250314-en)
General
- Target: Cphn-MultiTool/start.bat
- Size: 105B
- MD5: 7e1cceb0065441e20af5026339b7ba1a
- SHA1: eb7bb7e2f2e7da7122c10d00723a813ef458131e
- SHA256: f7c6a30cbd217f779117ab2ca0eaa605181ca8ff78009bc69bf95a4aeb55a40d
- SHA512: 2f8aa83e3063321d6653d7ba579076cbf1642c9a8c829014cc68b6c5e37bcc5f952af712d1c73e27084b588eb71bf3b2753bb0ae5c5c2c1fbcdf070ac5a4fc6b
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid / Process: 2952 upx.exe
  resource / yara_rule:
    behavioral5/files/0x000400000001d7c9-136.dat  upx
    behavioral5/memory/2952-138-0x000007FEF6120000-0x000007FEF658E000-memory.dmp  upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process: Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AcroRd32.exe
- Modifies registry class (1 IoC)
  description / ioc / Process: Key created  \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings  rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process: 1604 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process: 1604 AcroRd32.exe; 1604 AcroRd32.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2316 wrote to memory of 1508 | 2316 | cmd.exe | 32
  PID 2316 wrote to memory of 1508 | 2316 | cmd.exe | 32
  PID 2316 wrote to memory of 1508 | 2316 | cmd.exe | 32
  PID 2316 wrote to memory of 2816 | 2316 | cmd.exe | 33
  PID 2316 wrote to memory of 2816 | 2316 | cmd.exe | 33
  PID 2316 wrote to memory of 2816 | 2316 | cmd.exe | 33
  PID 2316 wrote to memory of 2072 | 2316 | cmd.exe | 34
  PID 2316 wrote to memory of 2072 | 2316 | cmd.exe | 34
  PID 2316 wrote to memory of 2072 | 2316 | cmd.exe | 34
  PID 2072 wrote to memory of 2952 | 2072 | upx.exe | 35
  PID 2072 wrote to memory of 2952 | 2072 | upx.exe | 35
  PID 2072 wrote to memory of 2952 | 2072 | upx.exe | 35
  PID 2816 wrote to memory of 1604 | 2816 | rundll32.exe | 36
  PID 2816 wrote to memory of 1604 | 2816 | rundll32.exe | 36
  PID 2816 wrote to memory of 1604 | 2816 | rundll32.exe | 36
  PID 2816 wrote to memory of 1604 | 2816 | rundll32.exe | 36
Processes
- C:\Windows\system32\cmd.exe (PID 2316)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Cphn-MultiTool\start.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\mode.com (PID 1508)
    mode con: cols=100 lines=30
  - C:\Windows\system32\rundll32.exe (PID 2816)
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cphn-MultiTool\src\main.py
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1604)
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cphn-MultiTool\src\main.py"
      Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\Cphn-MultiTool\src\utils\upx.exe (PID 2072)
    src/utils/upx
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Cphn-MultiTool\src\utils\upx.exe (PID 2952)
      src/utils/upx
      Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: 69d4f13fbaeee9b551c2d9a4a94d4458
  SHA1: 69540d8dfc0ee299a7ff6585018c7db0662aa629
  SHA256: 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046
  SHA512: 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378
- Filesize: 3KB
  MD5: 6ab1b5cd55caf4367357c6b40ee9ea3e
  SHA1: 39564d6b37b24e2d8acc541516149a3191ffd8ec
  SHA256: cabb1f363de1f6253b55b2eaaad46b6feab3de0a5046ed6dde814c7b31828cf7
  SHA512: 5f674722766ec9b2f7afc0d9d01cddd0278abfe1736b22b83e9de06106c1eca3c40101a7e23bb533852809f8511c876212b029f7e7a279c556c461b60d2f8905