Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    29/03/2021, 13:52

General

  • Target

    Minecraft Dungeons v1.0-v1.5.0.exe

  • Size

    1.3MB

  • MD5

    7500541e652d09f6be348ceb12b890ec

  • SHA1

    dabc37870b4a050c440f69daab481c49b5910148

  • SHA256

    d40f5e1c9a29042f8414cf2aedce4624df56a434880dcb6fbc7e25b4601ed4b1

  • SHA512

    b4432c5f882e1a0d54d3c2cd5b4cd904b09668aa7e1d4f75f512062ca91e190e6c9c246ed2225554c7781022c7b41e1864439a1b5781c67ec929b42ef4c206c9

Malware Config

Signatures

  • r77

    r77 is an open-source, userland rootkit.

  • r77 rootkit payload 2 IoCs

    Detects the payload of the r77 rootkit.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
      "C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3640
    • C:\Users\Admin\AppData\Local\Temp\update.exe
      "C:\Users\Admin\AppData\Local\Temp\update.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:416
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:3240
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          4⤵
          PID:2296
        • C:\Windows\system32\findstr.exe
          findstr All
          4⤵
          PID:2992
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3404
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:3544
        • C:\Windows\system32\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:1948
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 416 -s 3060
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:1180
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2236

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/416-18-0x0000000001070000-0x0000000001071000-memory.dmp, Filesize: 4KB
  • memory/416-9-0x00007FF8030F0000-0x00007FF803ADC000-memory.dmp, Filesize: 9.9MB
  • memory/416-11-0x0000000000840000-0x0000000000841000-memory.dmp, Filesize: 4KB
  • memory/416-14-0x0000000001100000-0x000000000116F000-memory.dmp, Filesize: 444KB
  • memory/416-19-0x000000001C2E0000-0x000000001C2E2000-memory.dmp, Filesize: 8KB
  • memory/1180-30-0x0000028FAD710000-0x0000028FAD711000-memory.dmp, Filesize: 4KB
  • memory/3640-16-0x000001B5F78C3000-0x000001B5F78C5000-memory.dmp, Filesize: 8KB
  • memory/3640-22-0x000001B5F78CA000-0x000001B5F78CF000-memory.dmp, Filesize: 20KB
  • memory/3640-21-0x000001B5F78C8000-0x000001B5F78CA000-memory.dmp, Filesize: 8KB
  • memory/3640-20-0x000001B5F78C7000-0x000001B5F78C8000-memory.dmp, Filesize: 4KB
  • memory/3640-17-0x000001B5F78C6000-0x000001B5F78C7000-memory.dmp, Filesize: 4KB
  • memory/3640-15-0x000001B5F78C0000-0x000001B5F78C2000-memory.dmp, Filesize: 8KB
  • memory/3640-10-0x000001B5F6DC0000-0x000001B5F6DED000-memory.dmp, Filesize: 180KB
  • memory/3640-7-0x00007FF8030F0000-0x00007FF803ADC000-memory.dmp, Filesize: 9.9MB