Analysis
- max time kernel: 74s
- max time network: 81s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/11/2022, 15:17
Static task: static1
Behavioral task: behavioral1
- Sample: setup/rpg-eve.exe
- Resource: win7-20221111-en
General
- Target: setup/rpg-eve.exe
- Size: 44.3MB
- MD5: 1b8ab65ba110efe944cc87e8785f451f
- SHA1: aea4e61cf59aeed4a73a097d2b177113f76c997e
- SHA256: a7554d4a26ab500231d81d452eaf4a3a2209720da96f0f1401d2accc008fa1a6
- SHA512: c1d062a59a340386854226b2dc180e49a4853572a580b44d502b23cda5282adaaa40eb3ed5c3251b5853ecb14a05d91e559eca41ac6ca6ecf5625d1ee0a8b96e
- SSDEEP: 786432:hx7blFrUB+quAZrY6XGk2NX7ljLmGc16WU:hRblBDqlJJ2F5RcgWU
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe | rpg-eve.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2276 | rpg-eve.exe (3 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid | Process
  2572 | tasklist.exe
  5104 | tasklist.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid | Process
  2276 | rpg-eve.exe (6 entries)
  4156 | powershell.exe (2 entries)
  1492 | powershell.exe (2 entries)
  856 | powershell.exe (2 entries)
  396 | powershell.exe (2 entries)
  1164 | powershell.exe (2 entries)
  3948 | powershell.exe (2 entries)
  4664 | powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2572 | tasklist.exe
  Token: SeDebugPrivilege | 5104 | tasklist.exe
  Token: SeDebugPrivilege | 4156 | powershell.exe
  Token: SeDebugPrivilege | 1492 | powershell.exe
  Token: SeDebugPrivilege | 856 | powershell.exe
  Token: SeDebugPrivilege | 396 | powershell.exe
  Token: SeDebugPrivilege | 1164 | powershell.exe
  Token: SeDebugPrivilege | 3948 | powershell.exe
  Token: SeDebugPrivilege | 4664 | powershell.exe
- Suspicious use of WriteProcessMemory (36 IoCs; each row below was recorded twice)
  description | pid | Process | procid_target
  PID 2276 wrote to memory of 1312 | 2276 | rpg-eve.exe | 85
  PID 1312 wrote to memory of 2572 | 1312 | cmd.exe | 86
  PID 2276 wrote to memory of 4672 | 2276 | rpg-eve.exe | 90
  PID 4672 wrote to memory of 5104 | 4672 | cmd.exe | 91
  PID 2276 wrote to memory of 4208 | 2276 | rpg-eve.exe | 98
  PID 4208 wrote to memory of 4156 | 4208 | cmd.exe | 99
  PID 2276 wrote to memory of 4924 | 2276 | rpg-eve.exe | 100
  PID 4924 wrote to memory of 1492 | 4924 | cmd.exe | 101
  PID 2276 wrote to memory of 4680 | 2276 | rpg-eve.exe | 102
  PID 4680 wrote to memory of 856 | 4680 | cmd.exe | 103
  PID 2276 wrote to memory of 2972 | 2276 | rpg-eve.exe | 104
  PID 2972 wrote to memory of 396 | 2972 | cmd.exe | 105
  PID 2276 wrote to memory of 2148 | 2276 | rpg-eve.exe | 106
  PID 2148 wrote to memory of 1164 | 2148 | cmd.exe | 107
  PID 2276 wrote to memory of 3912 | 2276 | rpg-eve.exe | 108
  PID 3912 wrote to memory of 3948 | 3912 | cmd.exe | 109
  PID 2276 wrote to memory of 1980 | 2276 | rpg-eve.exe | 110
  PID 1980 wrote to memory of 4664 | 1980 | cmd.exe | 111
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\setup\rpg-eve.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup\rpg-eve.exe"
  PID: 2276
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      PID: 1312
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\tasklist.exe
          Command line: tasklist
          PID: 2572
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      PID: 4672
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\tasklist.exe
          Command line: tasklist
          PID: 5104
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      PID: 4208
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          PID: 4156
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      PID: 4924
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          PID: 1492
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      PID: 4680
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          PID: 856
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      PID: 2972
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          PID: 396
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      PID: 2148
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          PID: 1164
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      PID: 3912
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          PID: 3948
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      PID: 1980
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          PID: 4664
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      PID: 3944
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          PID: 740
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      PID: 2592
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          PID: 1068
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
      PID: 2944
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          PID: 2116
Network
MITRE ATT&CK Enterprise v6
Downloads
- (no path recorded)
  Filesize: 3KB
  MD5: 8740e7db6a0d290c198447b1f16d5281
  SHA1: ab54460bb918f4af8a651317c8b53a8f6bfb70cd
  SHA256: f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5
  SHA512: d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b
- (no path recorded)
  Filesize: 64B
  MD5: a6c9d692ed2826ecb12c09356e69cc09
  SHA1: def728a6138cf083d8a7c61337f3c9dade41a37f
  SHA256: a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
  SHA512: 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
- (no path recorded; the report lists this identical entry 7 times)
  Filesize: 64B
  MD5: 446dd1cf97eaba21cf14d03aebc79f27
  SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
- C:\Users\Admin\AppData\Local\Temp\pkg\16ca1bac8591f9b2326054e83faac5b8f0c57163341263cfaaa5b847c2d0348d\better-sqlite3\build\Release\better_sqlite3.node
  Filesize: 2.6MB
  MD5: 1463ec162e00833855779827f9276fbf
  SHA1: 9a20d75ffa767923396b851c12da4ac028bbf6b0
  SHA256: 16ca1bac8591f9b2326054e83faac5b8f0c57163341263cfaaa5b847c2d0348d
  SHA512: 664f5d188d92884526089f813ae27e8b1ab66d37d03d70d08db888abaa61fbc238797ec3ef739f404af1eb979eefc71bbc55b0a3121efd2326034135ff76a4da
- C:\Users\Admin\AppData\Local\Temp\pkg\b3981e7cce893609eb1a837ab536127cbd23395047b6178d3b8b18ce13702b52\node-hide-console-window\build\Release\node-hide-console-window.node
  Filesize: 95KB
  MD5: 2873ec20ad4eebe99abde5a3d6b35b26
  SHA1: ff06ff7dcb2f5a009700d7fcf9532fa5748cefa2
  SHA256: b3981e7cce893609eb1a837ab536127cbd23395047b6178d3b8b18ce13702b52
  SHA512: 355633622cccc8ab59b664ba6087f6743641fefc6b5d6048c090410b101831435e1a11fd55ace255498c7cecb15aba38a9164079591838df2c38774c8ba670b9
- C:\Users\Admin\AppData\Local\Temp\pkg\eac1aa3c18345304c6de5bcf0de47bcc0051e99f25d7650e1f81a0f036cada04\win-dpapi\build\Release\node-dpapi.node
  Filesize: 141KB
  MD5: c279382001a65a0b24755f92bea0cb69
  SHA1: ecd7737c211cabc22bdda4eeb572641ea4940133
  SHA256: eac1aa3c18345304c6de5bcf0de47bcc0051e99f25d7650e1f81a0f036cada04
  SHA512: b25f839494044f5aa870eaa07fb88150254c3f03d13d525fbd1a65fa5b343e15b286c366c15422b09f27c6e4593f75ccd508a85b4f0d1b47bcbbacc2ec541171