Analysis
- max time kernel: 150s
- max time network: 129s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 29/03/2021, 13:52

Static task: static1
Behavioral task: behavioral1
- Sample: Minecraft Dungeons v1.0-v1.5.0.exe
- Resource: win7v20201028
General
- Target: Minecraft Dungeons v1.0-v1.5.0.exe
- Size: 1.3MB
- MD5: 7500541e652d09f6be348ceb12b890ec
- SHA1: dabc37870b4a050c440f69daab481c49b5910148
- SHA256: d40f5e1c9a29042f8414cf2aedce4624df56a434880dcb6fbc7e25b4601ed4b1
- SHA512: b4432c5f882e1a0d54d3c2cd5b4cd904b09668aa7e1d4f75f512062ca91e190e6c9c246ed2225554c7781022c7b41e1864439a1b5781c67ec929b42ef4c206c9
Malware Config
Signatures
- r77 rootkit payload (2 IoCs)
  Detects the payload of the r77 rootkit.
  resource                                    yara_rule
  behavioral2/files/0x000200000001ab8f-3.dat  r77_payload
  behavioral2/files/0x000200000001ab8f-4.dat  r77_payload
- Executes dropped EXE (2 IoCs)
  pid   Process
  3640  Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
  416   update.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  23    icanhazip.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1180  416         WerFault.exe  76
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                         Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             update.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  update.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3640  Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
  (all 64 entries are this same pid/process pair)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     3640  Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
  Token: SeDebugPrivilege     416   update.exe
  Token: SeSecurityPrivilege  2236  msiexec.exe
  Token: SeDebugPrivilege     1180  WerFault.exe
  Token: SeDebugPrivilege     3640  Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  3640  Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process                             procid_target
  PID 412 wrote to memory of 3640   412   Minecraft Dungeons v1.0-v1.5.0.exe  75
  PID 412 wrote to memory of 3640   412   Minecraft Dungeons v1.0-v1.5.0.exe  75
  PID 412 wrote to memory of 416    412   Minecraft Dungeons v1.0-v1.5.0.exe  76
  PID 412 wrote to memory of 416    412   Minecraft Dungeons v1.0-v1.5.0.exe  76
  PID 416 wrote to memory of 1764   416   update.exe                          81
  PID 416 wrote to memory of 1764   416   update.exe                          81
  PID 1764 wrote to memory of 3240  1764  cmd.exe                             82
  PID 1764 wrote to memory of 3240  1764  cmd.exe                             82
  PID 1764 wrote to memory of 2296  1764  cmd.exe                             83
  PID 1764 wrote to memory of 2296  1764  cmd.exe                             83
  PID 1764 wrote to memory of 2992  1764  cmd.exe                             84
  PID 1764 wrote to memory of 2992  1764  cmd.exe                             84
  PID 416 wrote to memory of 3404   416   update.exe                          86
  PID 416 wrote to memory of 3404   416   update.exe                          86
  PID 3404 wrote to memory of 3544  3404  cmd.exe                             88
  PID 3404 wrote to memory of 3544  3404  cmd.exe                             88
  PID 3404 wrote to memory of 1948  3404  cmd.exe                             89
  PID 3404 wrote to memory of 1948  3404  cmd.exe                             89
Processes
- C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.exe"
  PID: 412
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"
    PID: 3640
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  - C:\Users\Admin\AppData\Local\Temp\update.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\update.exe"
    PID: 416
    Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      PID: 1764
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\chcp.com
        Command line: chcp 65001
        PID: 3240
      - C:\Windows\system32\netsh.exe
        Command line: netsh wlan show profile
        PID: 2296
      - C:\Windows\system32\findstr.exe
        Command line: findstr All
        PID: 2992
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      PID: 3404
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\chcp.com
        Command line: chcp 65001
        PID: 3544
      - C:\Windows\system32\netsh.exe
        Command line: netsh wlan show networks mode=bssid
        PID: 1948
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 416 -s 3060
      PID: 1180
      Signatures: Program crash; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2236
  Signatures: Suspicious use of AdjustPrivilegeToken